Analysis
-
max time kernel
151s -
max time network
157s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
01/10/2022, 23:24
General
-
Target
ea40c69a0fd3b7faec5f60dff8f9943bce15de10e964b438c77a21e9585099c2.exe
-
Size
1.6MB
-
MD5
603ff38e1dd9be90118336909af14aed
-
SHA1
20f19350d5ce97fbd4a343fa0104233be514d698
-
SHA256
ea40c69a0fd3b7faec5f60dff8f9943bce15de10e964b438c77a21e9585099c2
-
SHA512
10e41094368c3b1988f078ea33d13be8de16e7d363398134e2c6e5843ff59b605d2af94dbad0e34b5791efd49e6486fb92078e5e8eacb99a6903d2b1f7ea2db4
-
SSDEEP
24576:6wgm46MndwBGqdWNOYAkX0wdSTGS8K6dLw9ijqbdWM9p5IBeu1u1i4xe5Ev48o9g:6wNCyWN1AkaGS8KL9CYyOVs09
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
-
Modifies Windows Firewall 1 TTPs 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 2 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 23 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\ea40c69a0fd3b7faec5f60dff8f9943bce15de10e964b438c77a21e9585099c2.exe"C:\Users\Admin\AppData\Local\Temp\ea40c69a0fd3b7faec5f60dff8f9943bce15de10e964b438c77a21e9585099c2.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\avgent.exe"C:\Users\Admin\AppData\Local\Temp\avgent.exe"2⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\avgent.exe" "avgent.exe" ENABLE3⤵
- Modifies Windows Firewall
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.6MB
MD5603ff38e1dd9be90118336909af14aed
SHA120f19350d5ce97fbd4a343fa0104233be514d698
SHA256ea40c69a0fd3b7faec5f60dff8f9943bce15de10e964b438c77a21e9585099c2
SHA51210e41094368c3b1988f078ea33d13be8de16e7d363398134e2c6e5843ff59b605d2af94dbad0e34b5791efd49e6486fb92078e5e8eacb99a6903d2b1f7ea2db4
-
Filesize
1.6MB
MD5603ff38e1dd9be90118336909af14aed
SHA120f19350d5ce97fbd4a343fa0104233be514d698
SHA256ea40c69a0fd3b7faec5f60dff8f9943bce15de10e964b438c77a21e9585099c2
SHA51210e41094368c3b1988f078ea33d13be8de16e7d363398134e2c6e5843ff59b605d2af94dbad0e34b5791efd49e6486fb92078e5e8eacb99a6903d2b1f7ea2db4
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB