Analysis
-
max time kernel
152s -
max time network
157s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
25-09-2022 13:43
Static task
static1
Behavioral task
behavioral1
Sample
35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2.exe
Resource
win10v2004-20220812-en
General
-
Target
35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2.exe
-
Size
354KB
-
MD5
e141967a41334d6dd1d7c7adac5ca003
-
SHA1
6f6200ad4360b17ee575b4a761dadc213d34e1b5
-
SHA256
35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2
-
SHA512
53cad1f2170ec291b2088ac290a8d47c868d2e53d5276d9cf9efe5d917461f98bbe28c03eee7bf5e354e546b420f60c2f9ec31901566b5e27817a558392324d9
-
SSDEEP
6144:copjgUqY88VzWVa9zTRf7pbyvDROyEcZ:cJUDpyg5da
Malware Config
Signatures
-
Executes dropped EXE 2 IoCs
Processes:
35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2.exe57080.exepid process 4972 35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2.exe 2464 57080.exe -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2.exe35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation 35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2.exe Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation 35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Default Key = "\\Default Folder\\Server.exe" 35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Default Key = "C:\\Users\\Admin\\AppData\\Local\\Default Folder\\Server.exe" 35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2.exe -
Drops desktop.ini file(s) 2 IoCs
Processes:
35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2.exedescription ioc process File created C:\Windows\assembly\Desktop.ini 35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2.exe File opened for modification C:\Windows\assembly\Desktop.ini 35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2.exe -
Drops file in Windows directory 3 IoCs
Processes:
35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2.exedescription ioc process File opened for modification C:\Windows\assembly 35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2.exe File created C:\Windows\assembly\Desktop.ini 35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2.exe File opened for modification C:\Windows\assembly\Desktop.ini 35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
Taskmgr.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 Taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A Taskmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName Taskmgr.exe -
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2.exeTaskmgr.exepid process 4972 35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2.exe 4972 35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4972 35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe -
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
Processes:
35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2.exeTaskmgr.exepid process 4972 35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2.exe 4044 Taskmgr.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2.exe35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2.exeTaskmgr.exedescription pid process Token: SeDebugPrivilege 4648 35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2.exe Token: SeDebugPrivilege 4972 35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2.exe Token: SeDebugPrivilege 4044 Taskmgr.exe Token: SeSystemProfilePrivilege 4044 Taskmgr.exe Token: SeCreateGlobalPrivilege 4044 Taskmgr.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
Taskmgr.exepid process 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe -
Suspicious use of SendNotifyMessage 64 IoCs
Processes:
Taskmgr.exepid process 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe 4044 Taskmgr.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2.exepid process 4972 35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2.exe -
Suspicious use of WriteProcessMemory 14 IoCs
Processes:
35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2.execmd.exe35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2.exedescription pid process target process PID 4648 wrote to memory of 4972 4648 35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2.exe 35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2.exe PID 4648 wrote to memory of 4972 4648 35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2.exe 35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2.exe PID 4648 wrote to memory of 4972 4648 35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2.exe 35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2.exe PID 4648 wrote to memory of 4864 4648 35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2.exe cmd.exe PID 4648 wrote to memory of 4864 4648 35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2.exe cmd.exe PID 4648 wrote to memory of 4864 4648 35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2.exe cmd.exe PID 4864 wrote to memory of 1392 4864 cmd.exe PING.EXE PID 4864 wrote to memory of 1392 4864 cmd.exe PING.EXE PID 4864 wrote to memory of 1392 4864 cmd.exe PING.EXE PID 4972 wrote to memory of 4044 4972 35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2.exe Taskmgr.exe PID 4972 wrote to memory of 4044 4972 35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2.exe Taskmgr.exe PID 4972 wrote to memory of 4044 4972 35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2.exe Taskmgr.exe PID 4972 wrote to memory of 2464 4972 35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2.exe 57080.exe PID 4972 wrote to memory of 2464 4972 35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2.exe 57080.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2.exe"C:\Users\Admin\AppData\Local\Temp\35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2.exe"1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4648 -
C:\Users\Admin\AppData\Local\Temp\35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2\35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2.exe"C:\Users\Admin\AppData\Local\Temp\35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2\35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2.exe"2⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4972 -
C:\Windows\SysWOW64\Taskmgr.exe"C:\Windows\System32\Taskmgr.exe"3⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4044
-
-
C:\Users\Admin\AppData\Local\Temp\57080.exe"C:\Users\Admin\AppData\Local\Temp\57080.exe"3⤵
- Executes dropped EXE
PID:2464
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:4864 -
C:\Windows\SysWOW64\PING.EXEping 1.1.1.1 -n 1 -w 10003⤵
- Runs ping.exe
PID:1392
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2\35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2.exe
Filesize354KB
MD5e141967a41334d6dd1d7c7adac5ca003
SHA16f6200ad4360b17ee575b4a761dadc213d34e1b5
SHA25635a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2
SHA51253cad1f2170ec291b2088ac290a8d47c868d2e53d5276d9cf9efe5d917461f98bbe28c03eee7bf5e354e546b420f60c2f9ec31901566b5e27817a558392324d9
-
C:\Users\Admin\AppData\Local\Temp\35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2\35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2.exe
Filesize354KB
MD5e141967a41334d6dd1d7c7adac5ca003
SHA16f6200ad4360b17ee575b4a761dadc213d34e1b5
SHA25635a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2
SHA51253cad1f2170ec291b2088ac290a8d47c868d2e53d5276d9cf9efe5d917461f98bbe28c03eee7bf5e354e546b420f60c2f9ec31901566b5e27817a558392324d9
-
Filesize
43KB
MD5fec701bbc6a35f9089309f34afbed29c
SHA164a546ef3d03c7af30cd5624db0ad2fd6f611e8f
SHA256d69c8a09657c966ff51f3451fc762c8a1519cda2dff109de24aab2e33aaa4409
SHA512b6b466df455cb80e91c5748f4f8847ca0a67e8bb07c70f40c5a548490739d2501093e8343474fcbdf6d3c03dc3e9c0019d87b2283315ae1e63c6bda4a97c807b
-
Filesize
43KB
MD5fec701bbc6a35f9089309f34afbed29c
SHA164a546ef3d03c7af30cd5624db0ad2fd6f611e8f
SHA256d69c8a09657c966ff51f3451fc762c8a1519cda2dff109de24aab2e33aaa4409
SHA512b6b466df455cb80e91c5748f4f8847ca0a67e8bb07c70f40c5a548490739d2501093e8343474fcbdf6d3c03dc3e9c0019d87b2283315ae1e63c6bda4a97c807b