Analysis
- max time kernel: 151s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01-10-2022 22:20
Static task: static1
Behavioral task: behavioral1
- Sample: afffe069ebc127a742b56af54543f1ae6e8a13955b0b1812a479a15c59e57946.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: afffe069ebc127a742b56af54543f1ae6e8a13955b0b1812a479a15c59e57946.exe
- Resource: win10v2004-20220812-en
The signatures, process tree and dropped files below come from behavioral2 (the win10v2004 image named under Analysis); the win7 run (behavioral1) is not reported here.
General
- Target: afffe069ebc127a742b56af54543f1ae6e8a13955b0b1812a479a15c59e57946.exe
- Size: 127KB
- MD5: 6b64d2bb3af6922a68eac1b798977f30
- SHA1: ab2498ae6276609b06c2d583eee84d00537c8624
- SHA256: afffe069ebc127a742b56af54543f1ae6e8a13955b0b1812a479a15c59e57946
- SHA512: 76d1d7893e534d39a9115ec6109f25b6eb473fb4ef988c792f957a88d1d8c0b4cd436fab98e20f41bf89bcc2c6d7a567d77f9f7b4c6b007a68d4527f1dafa291
- SSDEEP: 3072:A3XcpefmS+vOxqsNOGTtNg4wIlckXB70K1jyeBaxmlnpt:AcmIvRsNRuJEckXx0KljBM2
Malware Config
Signatures
Executes dropped EXE (2 IoCs)
Processes:
  pid   process
  348   server.exe
  1884  server.exe
Modifies Windows Firewall (1 TTPs, 1 IoCs)
The single IoC behind this signature is the netsh.exe command line recorded in the process tree below, which adds C:\Users\Admin\AppData\Local\Temp\server.exe as an allowed program in the Windows Firewall.
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
  Key value queried: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation  (process: afffe069ebc127a742b56af54543f1ae6e8a13955b0b1812a479a15c59e57946.exe, the second instance, PID 1168)
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\azBMRgpcUJKHCw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\a6Tn54SJZPm.exe"  (process: afffe069ebc127a742b56af54543f1ae6e8a13955b0b1812a479a15c59e57946.exe)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\azBMRgpcUJKHCw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\a6Tn54SJZPm.exe"  (process: server.exe)
Two things to check before turning this key into a hunt. The WOW6432Node path is not something the malware chose: a 32-bit process that writes HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run on x64 Windows is redirected there by WOW64 (the sample is 32-bit; it launches netsh from SysWOW64 and leaves a CLR_v4.0_32 usage log), so a detection should query both the native and the WOW6432Node Run keys. The value points at a6Tn54SJZPm.exe in %TEMP%, but that file does not appear in the dropped-files list; only server.exe does. As recorded, the persistence entry may reference a path that was never written during this run, so an on-disk copy under that name is not guaranteed.
Suspicious use of SetThreadContext (2 IoCs)
Processes:
  PID 2220 set thread context of 1168   afffe069ebc127a742b56af54543f1ae6e8a13955b0b1812a479a15c59e57946.exe -> afffe069ebc127a742b56af54543f1ae6e8a13955b0b1812a479a15c59e57946.exe
  PID 348 set thread context of 1884    server.exe -> server.exe
In both cases the target is a freshly spawned child running the same image, and the same parent also writes into that child's memory (see "Suspicious use of WriteProcessMemory"). Write-then-SetThreadContext into a suspended copy of yourself is the classic process-hollowing layout: the child's image is replaced and its main thread is pointed at the new entry point. The 168KB region dumped at 0x0000000000400000-0x000000000042A000 in PID 1168 (memory dumps under Downloads) is where to look for the unpacked payload.
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
That second sentence is the sandbox's generic description for this signature, not a verdict on this sample. Nothing else in the report supports ransomware: no mass file writes, no dropped note, no encryption artefacts. The rest of the behaviour (a byte-identical copy of itself as %TEMP%\server.exe, a Run key, and a firewall exception for server.exe) is the profile of a backdoor that expects inbound connections rather than of a file encryptor, and a drive inventory is ordinary reconnaissance for such a tool.
Suspicious behavior: EnumeratesProcesses (6 IoCs)
Processes:
  pid   process                                                                  count
  2220  afffe069ebc127a742b56af54543f1ae6e8a13955b0b1812a479a15c59e57946.exe   3
  348   server.exe                                                               3
Suspicious use of AdjustPrivilegeToken (19 IoCs)
Processes:
  Token: SeDebugPrivilege             PID 2220  afffe069ebc127a742b56af54543f1ae6e8a13955b0b1812a479a15c59e57946.exe
  Token: SeDebugPrivilege             PID 348   server.exe
  Token: SeDebugPrivilege             PID 1884  server.exe
  Token: 33                           PID 1884  server.exe   (x8)
  Token: SeIncBasePriorityPrivilege   PID 1884  server.exe   (x8)
The report alternates the last two entries eight times (3 + 16 = 19 IoCs). The bare "33" is a raw privilege value as printed by the sandbox; if it is the winnt.h constant, 33 is SE_INC_WORKING_SET_PRIVILEGE (SeIncreaseWorkingSetPrivilege). SeDebugPrivilege being enabled in all three processes is what allows them to open and write the memory of the children they hollow.
Suspicious use of WriteProcessMemory (16 IoCs)
Processes:
  PID 2220 wrote to memory of 1168   afffe069ebc127a742b56af54543f1ae6e8a13955b0b1812a479a15c59e57946.exe -> afffe069ebc127a742b56af54543f1ae6e8a13955b0b1812a479a15c59e57946.exe   (x5)
  PID 1168 wrote to memory of 348    afffe069ebc127a742b56af54543f1ae6e8a13955b0b1812a479a15c59e57946.exe -> server.exe   (x3)
  PID 348 wrote to memory of 1884    server.exe -> server.exe   (x5)
  PID 1884 wrote to memory of 1652   server.exe -> netsh.exe    (x3)
The two three-write entries into a different image (1168 -> 348, 1884 -> 1652) are consistent with the parameter block CreateProcess writes into every new child and are not by themselves evidence of injection. The two five-write entries into the same image are the ones that pair with the SetThreadContext calls above.
Processes
1. C:\Users\Admin\AppData\Local\Temp\afffe069ebc127a742b56af54543f1ae6e8a13955b0b1812a479a15c59e57946.exe  (PID 2220)
   command line: "C:\Users\Admin\AppData\Local\Temp\afffe069ebc127a742b56af54543f1ae6e8a13955b0b1812a479a15c59e57946.exe"
   - Adds Run key to start application
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\afffe069ebc127a742b56af54543f1ae6e8a13955b0b1812a479a15c59e57946.exe  (PID 1168, child of 2220)
      command line: C:\Users\Admin\AppData\Local\Temp\afffe069ebc127a742b56af54543f1ae6e8a13955b0b1812a479a15c59e57946.exe
      - Checks computer location settings
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\server.exe  (PID 348, child of 1168)
         command line: "C:\Users\Admin\AppData\Local\Temp\server.exe"
         - Executes dropped EXE
         - Adds Run key to start application
         - Suspicious use of SetThreadContext
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Local\Temp\server.exe  (PID 1884, child of 348)
            command line: C:\Users\Admin\AppData\Local\Temp\server.exe
            - Executes dropped EXE
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            5. C:\Windows\SysWOW64\netsh.exe  (PID 1652, child of 1884)
               command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
               - Modifies Windows Firewall
PIDs are taken from the signature entries above. Read top to bottom, the chain is: the submitted file (2220) starts a second copy of itself (1168) and hollows it; that copy reads the machine's country code and launches %TEMP%\server.exe (348), a byte-identical copy of the sample; server.exe starts and hollows a child of itself (1884); the hollowed child asks netsh to add server.exe as an allowed program. The quoted versus unquoted command lines at levels 1/2 and 3/4 are a small tell for the hollowed instances: the child is started with a bare path, the way a dropper calling CreateProcess on its own image typically does. The `netsh firewall` context is the deprecated pre-Vista syntax; Windows 10 still accepts it and creates an inbound allow rule for the listed program, so a hunt should inspect the firewall rule store (netsh advfirewall firewall show rule name=all, or Get-NetFirewallRule joined with Get-NetFirewallApplicationFilter) for rules whose program path is under a user's %TEMP%.
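As an added example (not part of the sandbox report and not the sample's own code), the Python below consumes IoC lines in the shape this report prints them and reconstructs what the sections above say in prose: it pairs memory writes with SetThreadContext calls to flag injection, labels the same-image case as self-hollowing, checks the Run key for WOW64 redirection and for whether its target was actually dropped, finds the netsh firewall exception and walks its lineage back to the submitted file. The input is constructed: the IoC lines are retyped in the report's format with the repeated write events collapsed, the process tree is transcribed with parent links inferred from the nesting levels, and all function names are the example's own. It also classifies the general case where writer and target images differ, which this report does not show.

```python
"""Reconstruct the process chain from sandbox IoC lines and flag the
injection + persistence + firewall-exclusion pattern seen in this report."""
import re
from collections import Counter

SAMPLE = "afffe069ebc127a742b56af54543f1ae6e8a13955b0b1812a479a15c59e57946.exe"

# Constructed input: the signature IoC lines of this report in the shape the
# sandbox prints them (PIDs and images copied from the report; the report's
# repeated write events are collapsed, so the counts here are smaller).
IOC_LINES = r"""
PID 2220 set thread context of 1168 2220 SAMPLE.EXE SAMPLE.EXE
PID 348 set thread context of 1884 348 server.exe server.exe
PID 2220 wrote to memory of 1168 2220 SAMPLE.EXE SAMPLE.EXE
PID 2220 wrote to memory of 1168 2220 SAMPLE.EXE SAMPLE.EXE
PID 1168 wrote to memory of 348 1168 SAMPLE.EXE server.exe
PID 348 wrote to memory of 1884 348 server.exe server.exe
PID 1884 wrote to memory of 1652 1884 server.exe netsh.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\azBMRgpcUJKHCw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\a6Tn54SJZPm.exe" SAMPLE.EXE
""".replace("SAMPLE.EXE", SAMPLE)

TEMP = "C:\\Users\\Admin\\AppData\\Local\\Temp"
# Constructed from the process tree: (pid, parent pid, image, command line).
PROCESS_TREE = [
    (2220, None, SAMPLE, f'"{TEMP}\\{SAMPLE}"'),
    (1168, 2220, SAMPLE, f"{TEMP}\\{SAMPLE}"),
    (348, 1168, "server.exe", f'"{TEMP}\\server.exe"'),
    (1884, 348, "server.exe", f"{TEMP}\\server.exe"),
    (1652, 1884, "netsh.exe",
     f'netsh firewall add allowedprogram "{TEMP}\\server.exe" "server.exe" ENABLE'),
]
DROPPED_FILES = {f"{TEMP}\\server.exe"}  # from the Downloads list

THREAD_CTX = re.compile(r"^PID (\d+) set thread context of (\d+) \d+ (\S+) (\S+)$")
WRITE_MEM = re.compile(r"^PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)$")
RUN_KEY = re.compile(r'^Set value \(str\) (\S*\\Run\\\S+) = "([^"]+)" (\S+)$')
NETSH_ALLOW = re.compile(r'^netsh firewall add allowedprogram "([^"]+)" "[^"]*" ENABLE$', re.I)


def parse_iocs(text):
    """Split IoC lines into thread-context events, memory-write counts and Run keys."""
    ctx, writes, run_keys = set(), Counter(), []
    for line in text.strip().splitlines():
        if m := THREAD_CTX.match(line):
            ctx.add((int(m[1]), int(m[2]), m[3], m[4]))
        elif m := WRITE_MEM.match(line):
            writes[(int(m[1]), int(m[2]), m[3], m[4])] += 1
        elif m := RUN_KEY.match(line):
            # the sandbox prints the value with doubled backslashes; normalise it
            run_keys.append((m[1], m[2].replace("\\\\", "\\"), m[3]))
    return ctx, writes, run_keys


def injection_findings(ctx, writes):
    """A process that both writes another process's memory and sets its thread
    context has placed code there and redirected execution to it. When the
    target runs the same image as the writer, the layout matches self-hollowing
    (a suspended child of the same binary), which is what this report shows."""
    out = []
    for src, dst, src_img, dst_img in sorted(ctx):
        n = writes.get((src, dst, src_img, dst_img), 0)
        if n:
            kind = "self-hollowing" if src_img == dst_img else "thread-context hijack"
            out.append({"source": src, "target": dst, "image": dst_img,
                        "writes": n, "kind": kind})
    return out


def persistence_findings(run_keys, dropped):
    """Flag Run keys; note WOW64 redirection and whether the target was dropped."""
    return [{"key": key, "target": target, "process": proc,
             "wow64_redirected": "\\WOW6432Node\\" in key,
             "target_dropped": target in dropped}
            for key, target, proc in run_keys]


def firewall_findings(tree, dropped):
    """Find netsh commands that whitelist a program in the Windows Firewall."""
    return [{"pid": pid, "parent": ppid, "allowed_program": m[1],
             "program_dropped": m[1] in dropped}
            for pid, ppid, _, cmd in tree if (m := NETSH_ALLOW.match(cmd))]


def lineage(tree, pid):
    """Walk parent links from pid to the root; returns ['image[pid]', ...]."""
    by_pid = {p: (pp, img) for p, pp, img, _ in tree}
    chain = []
    while pid is not None:
        ppid, img = by_pid[pid]
        chain.append(f"{img}[{pid}]")
        pid = ppid
    return chain[::-1]


def analyse(text=IOC_LINES, tree=PROCESS_TREE, dropped=DROPPED_FILES):
    ctx, writes, run_keys = parse_iocs(text)
    return {
        "injection": injection_findings(ctx, writes),
        "persistence": persistence_findings(run_keys, dropped),
        "firewall": firewall_findings(tree, dropped),
        "netsh_lineage": [lineage(tree, p) for p, _, img, _ in tree if img == "netsh.exe"],
    }


if __name__ == "__main__":
    import json
    print(json.dumps(analyse(), indent=2))
```

Run as-is it reports the two self-hollowing pairs (2220 -> 1168, 348 -> 1884), a WOW64-redirected Run key whose target is not among the dropped files, and a firewall exception for a dropped file whose lineage runs straight back to the submitted sample. Feeding it a different report's lines only needs the same three line shapes; the parent links in PROCESS_TREE are the one thing that has to be transcribed by hand from the tree's nesting.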
Network
No network entries are recorded in this report. That does not mean the sample is offline-only: it adds a firewall exception for server.exe, which is pointless unless inbound connections are expected, so absence of traffic here is more likely a sandbox or timing limitation than a property of the malware.
MITRE ATT&CK Matrix (ATT&CK v6)
The interactive matrix was not captured; the TTP counts next to each signature above are the only ATT&CK mapping preserved on this page.
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\afffe069ebc127a742b56af54543f1ae6e8a13955b0b1812a479a15c59e57946.exe.log
  Filesize: 1KB
  MD5: 3e4397aeafdc36308cf2e69b1a95af46
  SHA1: 89edb089c6d0f6ff6b3cf7d9b66e24ee6a4cc8dc
  SHA256: 314c58a3a7be41f6ce4662c67b7adc823cc37923125e61f91f5ec4c6a6760131
  SHA512: 46251e8d4c02478ddaa42c96be2b7909d215c8608b40b6daef7cd34756709fa95b1a95f02d0c04aa914130ed715a7bd1a1ac43fbfa22477c73639ec57a29898f
  A usage log under CLR_v4.0_32 is written by the .NET runtime itself, so the sample is a 32-bit .NET Framework 4.x executable. The log's hashes are specific to this run and should not be used as indicators.
- C:\Users\Admin\AppData\Local\Temp\server.exe  (listed three times in the report, with identical hashes each time)
  Filesize: 127KB
  MD5: 6b64d2bb3af6922a68eac1b798977f30
  SHA1: ab2498ae6276609b06c2d583eee84d00537c8624
  SHA256: afffe069ebc127a742b56af54543f1ae6e8a13955b0b1812a479a15c59e57946
  SHA512: 76d1d7893e534d39a9115ec6109f25b6eb473fb4ef988c792f957a88d1d8c0b4cd436fab98e20f41bf89bcc2c6d7a567d77f9f7b4c6b007a68d4527f1dafa291
  These are exactly the hashes of the submitted sample (see General above): server.exe is a byte-for-byte copy of the original, not a second-stage payload, so a single file hash covers both the dropper and the installed copy. The real payload is whatever gets unpacked into the hollowed children, which only the memory dumps below will show.
- memory/348-139-0x0000000000000000-mapping.dmp
- memory/1168-137-0x0000000000000000-mapping.dmp
- memory/1168-138-0x0000000000400000-0x000000000042A000-memory.dmp  Filesize: 168KB
- memory/1652-146-0x0000000000000000-mapping.dmp
- memory/1884-143-0x0000000000000000-mapping.dmp
- memory/2220-132-0x00000000005E0000-0x0000000000606000-memory.dmp  Filesize: 152KB
- memory/2220-133-0x0000000007E00000-0x00000000083A4000-memory.dmp  Filesize: 5.6MB
- memory/2220-134-0x00000000078F0000-0x0000000007982000-memory.dmp  Filesize: 584KB
- memory/2220-135-0x0000000007860000-0x000000000786A000-memory.dmp  Filesize: 40KB
- memory/2220-136-0x0000000009DC0000-0x0000000009E5C000-memory.dmp  Filesize: 624KB
The entries ending in -mapping.dmp are memory-map records, not region dumps. Of the region dumps, the one from PID 1168 at 0x0000000000400000 sits at the default image base of a 32-bit executable; since 1168 is the child that 2220 wrote to and whose thread context it reset, that 168KB dump is the replaced image of the hollowed process and the first thing to pull for static analysis. The regions from PID 2220 belong to the original dropper and its runtime heaps.