Analysis
max time kernel: 186s
max time network: 196s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02-10-2022 23:12 (day-month-year; the analysis image is dated 2022-08-12, so this is 2 October 2022)
Behavioral task
behavioral1
Sample
36809dfa4186e7b711c733b31f71aeeb315d5b3df82d836f42e7901b9d59767f.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
36809dfa4186e7b711c733b31f71aeeb315d5b3df82d836f42e7901b9d59767f.exe
Resource
win10v2004-20220812-en
General
Target: 36809dfa4186e7b711c733b31f71aeeb315d5b3df82d836f42e7901b9d59767f.exe
Size: 4.5MB
MD5: 05aaa239c3a46f86dd41e2fcb9a6b6c9
SHA1: 0b18a083e0c9ba7475033171fa3736f7de9222d2
SHA256: 36809dfa4186e7b711c733b31f71aeeb315d5b3df82d836f42e7901b9d59767f
SHA512: 523c7c361d4d5c53e611cb093c7440bdc577d4d18886de1ce330bcd27c9ae4c5ff9312d9a657cbc6e0ccba7c628844371fba6df4e0765b16527ee1ece937eaaa
SSDEEP: 98304:OijWI3YTO16YlzR+CAB2ibiLAyhS/Af3dsFTYoRHQecigfxRcKHIY:Oij1oi4YZ5ABLboxhYI3deTYmlYxRRN
Malware Config
Signatures
Executes dropped EXE 2 IoCs
Processes:
  PID   Process
  2324  cfˢǹÈí¼þ(Ó¢ÐÛ¼¶À×Éñ)2013»ð±¬.exe
  1620  svchost.exe
UPX-packed image (yara_rule upx) 2 IoCs
Both matches are on the in-memory image of the original sample (PID 3808, 0x400000-0x41C000, 112KB); the dumps of the two dropped processes carry no such match, so the UPX verdict belongs to the 4.5MB dropper rather than to the files it writes out.
Processes:
  Resource                                                                        yara_rule
  behavioral2/memory/3808-132-0x0000000000400000-0x000000000041C000-memory.dmp    upx
  behavioral2/memory/3808-139-0x0000000000400000-0x000000000041C000-memory.dmp    upx
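Added example, not code from the sandbox or from the analysed sample: to confirm a yara "upx" verdict on a file or a dumped image without a full PE library, walk the COFF section table and look for the three things UPX leaves behind, the UPX0/UPX1 section names, a first section with no file data but a non-zero virtual size (the unpacking destination), and a writable, executable section whose bytes look compressed (entropy near 8 bits per byte). The two PE images the script inspects are constructed in-line so it runs offline; their section names, sizes and byte patterns are assumptions, and the heuristic is a triage aid, not proof of the packer.

```python
"""Section-table heuristics behind a "upx" yara verdict.

Added example (not code from the sandbox report or the analysed sample).
The PE images at the bottom are constructed in-line so the script runs
offline; on a real file or memory dump call pe_sections(data).
"""
import math
import struct
from collections import Counter

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def entropy(buf: bytes) -> float:
    """Shannon entropy in bits per byte; compressed or encrypted data sits near 8.0."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def pe_sections(data: bytes) -> list[dict]:
    """Walk the COFF section table of a PE image (file layout) and summarise each section."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]        # NumberOfSections
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]   # SizeOfOptionalHeader
    table = e_lfanew + 24 + opt_size                               # section headers follow the optional header
    sections = []
    for i in range(nsec):
        hdr = table + 40 * i
        name = data[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, _va, rawsize, rawptr = struct.unpack_from("<IIII", data, hdr + 8)
        flags = struct.unpack_from("<I", data, hdr + 36)[0]        # Characteristics
        raw = data[rawptr:rawptr + rawsize] if rawsize else b""
        sections.append({
            "name": name, "vsize": vsize, "rawsize": rawsize,
            "entropy": round(entropy(raw), 2),
            "wx": bool(flags & IMAGE_SCN_MEM_WRITE and flags & IMAGE_SCN_MEM_EXECUTE),
        })
    return sections


def upx_indicators(sections: list[dict]) -> list[str]:
    """Reasons to suspect a UPX layout; an empty list means none of the three markers is present."""
    hits = []
    upx_names = [s["name"] for s in sections if s["name"].startswith("UPX")]
    if upx_names:
        hits.append("section names " + ", ".join(upx_names))
    if sections and sections[0]["rawsize"] == 0 and sections[0]["vsize"] > 0:
        hits.append("first section has no file data but a non-zero virtual size (unpacking destination)")
    for s in sections:
        if s["rawsize"] and s["wx"] and s["entropy"] > 7.0:
            hits.append(f"{s['name']}: writable+executable with entropy {s['entropy']}")
    return hits


def build_pe(sections: list[tuple[str, int, bytes, int]]) -> bytes:
    """Constructed minimal PE (DOS header, PE signature, COFF header, zeroed optional
    header, section table, raw section data): enough for the section walker, not loadable."""
    e_lfanew, opt_size = 0x40, 0xE0
    table = e_lfanew + 24 + opt_size
    raw_base = table + 40 * len(sections)
    img = bytearray(b"MZ".ljust(0x40, b"\0"))
    struct.pack_into("<I", img, 0x3C, e_lfanew)
    img += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    img += bytes(opt_size)
    body = bytearray()
    va = 0x1000
    for name, vsize, raw, flags in sections:
        rawptr = raw_base + len(body) if raw else 0
        img += name.encode("ascii").ljust(8, b"\0")
        img += struct.pack("<IIIIIIHHI", vsize, va, len(raw), rawptr, 0, 0, 0, 0, flags)
        body += raw
        va += max(vsize, 0x1000)
    return bytes(img + body)


UPX_FLAGS = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
# Constructed "packed" layout: empty UPX0, a random-looking UPX1, a resource section.
PACKED = build_pe([
    ("UPX0", 0x10000, b"", UPX_FLAGS),
    ("UPX1", 0x200, bytes(range(256)) * 2, UPX_FLAGS),
    (".rsrc", 0x200, bytes(0x200), IMAGE_SCN_MEM_READ),
])
# Constructed unpacked layout: low-entropy read/execute code and a plain data section.
PLAIN = build_pe([
    (".text", 0x200, b"\x55\x8B\xEC" * 170 + b"\xC3\xCC", IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    (".data", 0x200, bytes(0x200), IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
])

if __name__ == "__main__":
    for label, image in (("PACKED", PACKED), ("PLAIN", PLAIN)):
        print(label, upx_indicators(pe_sections(image)) or "no UPX markers")
```

On a memory dump taken after the stub has run, the section names and sizes are unchanged but the UPX0 region is now filled with the unpacked code, so the entropy test is the one that stops firing; that is why a name-only yara rule still matches the dumped image of PID 3808 above.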
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely a geofence check. Ordinary installers and runtimes read this key as well, so on its own it is weak evidence unless the sample's behaviour is seen to change with the value.
Processes:
  Description        IoC                                                                                                   Process
  Key value queried  \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation  36809dfa4186e7b711c733b31f71aeeb315d5b3df82d836f42e7901b9d59767f.exe
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system. The IoC recorded here is a write-capable handle to \??\PhysicalDrive0 opened by the dropped cf...exe; the report does not show which sectors, if any, were written, so confirm by dumping sector 0 of the analysis disk and comparing it with a clean image before calling this a bootkit.
Processes:
  Description                   IoC                  Process
  File opened for modification  \??\PhysicalDrive0   cfˢǹÈí¼þ(Ó¢ÐÛ¼¶À×Éñ)2013»ð±¬.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's template text calls this likely ransomware behaviour, but nothing else in this report (no mass file modification, no ransom note, no encryptor dropped) supports that reading, and the only raw-device access recorded is the PhysicalDrive0 handle above.
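Added example, not code from the sandbox or from the analysed sample: the check a practitioner runs after a "Writes to the MBR" verdict is to dump sector 0 of the analysis VM's disk and diff it against a clean baseline. The parser below splits a 512-byte MBR into bootstrap code, NT disk signature and partition table and reports what changed. The two sectors it is run on are constructed inside the script (a typical Windows MBR prologue and a replaced one), not captured from this analysis; read_sector0() is the only part that touches a real device and needs administrator rights on Windows.

```python
"""Parse a 512-byte sector 0 and compare it with a known-good baseline.

Added example (not part of the sandbox report): the check to run after a
"Writes to the Master Boot Record" verdict. The sample sectors at the
bottom are constructed, not dumps from the analysed machine.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xAA"


def parse_mbr(sector: bytes) -> dict:
    """Split a classic MBR into bootstrap code, NT disk signature, partition entries and signature."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    bootcode = sector[:440]                                   # code the BIOS jumps to at 0000:7C00
    disk_sig = struct.unpack_from("<I", sector, 440)[0]       # NT disk signature (bytes 440-443)
    parts = []
    for i in range(4):                                        # four 16-byte entries at 446..509
        off = 446 + 16 * i
        status, _h, _s, _c, ptype, _h2, _s2, _c2, lba_start, sectors = struct.unpack_from(
            "<BBBBBBBBII", sector, off)
        if ptype != 0:                                        # type 0 = unused slot
            parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                          "lba_start": lba_start, "sectors": sectors})
    return {
        "valid_signature": sector[510:512] == BOOT_SIGNATURE,
        "bootcode_sha256": hashlib.sha256(bootcode).hexdigest(),
        "disk_signature": disk_sig,
        "partitions": parts,
    }


def diff_mbr(baseline: bytes, current: bytes) -> list[str]:
    """Human-readable findings where `current` departs from `baseline`; empty list = unchanged."""
    b, c = parse_mbr(baseline), parse_mbr(current)
    findings = []
    if not c["valid_signature"]:
        findings.append("boot signature 0x55AA missing: sector 0 is no longer a valid MBR")
    if b["bootcode_sha256"] != c["bootcode_sha256"]:
        findings.append("bootstrap code (bytes 0-439) changed")
    if b["disk_signature"] != c["disk_signature"]:
        findings.append("NT disk signature changed")
    if b["partitions"] != c["partitions"]:
        findings.append("partition table changed")
    return findings


def read_sector0(device: str = r"\\.\PhysicalDrive0") -> bytes:
    """Read sector 0 from a raw device (Windows path shown; requires administrator rights)."""
    with open(device, "rb", buffering=0) as fh:
        return fh.read(SECTOR_SIZE)


def make_sample_mbr(bootcode: bytes, disk_sig: int = 0x12345678) -> bytes:
    """Constructed sample: given bootstrap code, one bootable NTFS partition, valid signature."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(bootcode)] = bootcode
    struct.pack_into("<I", sector, 440, disk_sig)
    # entry 0: bootable, type 0x07 (NTFS), LBA 2048, 1,000,000 sectors; CHS fields left zero
    struct.pack_into("<BBBBBBBBII", sector, 446, 0x80, 0, 0, 0, 0x07, 0, 0, 0, 2048, 1_000_000)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


# cli; xor ax,ax; mov ss,ax; mov sp,7C00h: the prologue of a standard Windows MBR
CLEAN_MBR = make_sample_mbr(b"\xFA\x33\xC0\x8E\xD0\xBC\x00\x7C")
# same disk, bootstrap replaced with "jmp $" padding: what a bootkit-style overwrite looks like
TAMPERED_MBR = make_sample_mbr(b"\xEB\xFE" + b"\x90" * 6)

if __name__ == "__main__":
    # Replace the two constants with read_sector0() on the live disk and a saved baseline.
    for line in diff_mbr(CLEAN_MBR, TAMPERED_MBR) or ["sector 0 unchanged"]:
        print(line)
```

The comparison hashes the bootstrap area rather than byte-diffing it because legitimate tools rewrite the NT disk signature and partition entries (Disk Management, imaging software) far more often than they touch the code; a changed code hash with an unchanged table is the combination worth escalating.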
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
  PID   Process
  1620  svchost.exe
  2324  cfˢǹÈí¼þ(Ó¢ÐÛ¼¶À×Éñ)2013»ð±¬.exe
  2324  cfˢǹÈí¼þ(Ó¢ÐÛ¼¶À×Éñ)2013»ð±¬.exe
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
  Description          Source PID  Source process                                                          Target PID  Target process
  PID wrote to memory  3808        36809dfa4186e7b711c733b31f71aeeb315d5b3df82d836f42e7901b9d59767f.exe   2324        cfˢǹÈí¼þ(Ó¢ÐÛ¼¶À×Éñ)2013»ð±¬.exe
  PID wrote to memory  3808        36809dfa4186e7b711c733b31f71aeeb315d5b3df82d836f42e7901b9d59767f.exe   2324        cfˢǹÈí¼þ(Ó¢ÐÛ¼¶À×Éñ)2013»ð±¬.exe
  PID wrote to memory  3808        36809dfa4186e7b711c733b31f71aeeb315d5b3df82d836f42e7901b9d59767f.exe   2324        cfˢǹÈí¼þ(Ó¢ÐÛ¼¶À×Éñ)2013»ð±¬.exe
  PID wrote to memory  3808        36809dfa4186e7b711c733b31f71aeeb315d5b3df82d836f42e7901b9d59767f.exe   1620        svchost.exe
  PID wrote to memory  3808        36809dfa4186e7b711c733b31f71aeeb315d5b3df82d836f42e7901b9d59767f.exe   1620        svchost.exe
  PID wrote to memory  3808        36809dfa4186e7b711c733b31f71aeeb315d5b3df82d836f42e7901b9d59767f.exe   1620        svchost.exe
All six writes go from the parent into its own two children, three per child at the moment each is spawned, which is the pattern this sandbox records for ordinary child-process creation; it is not evidence of injection into an unrelated process, and the memory dumps list no region in either child beyond its own mapping.
Processes
C:\Users\Admin\AppData\Local\Temp\36809dfa4186e7b711c733b31f71aeeb315d5b3df82d836f42e7901b9d59767f.exe (PID 3808, level 1)
  "C:\Users\Admin\AppData\Local\Temp\36809dfa4186e7b711c733b31f71aeeb315d5b3df82d836f42e7901b9d59767f.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\cfˢǹÈí¼þ(Ó¢ÐÛ¼¶À×Éñ)2013»ð±¬.exe (PID 2324, level 2)
    "C:\Users\Admin\AppData\Local\Temp\cfˢǹÈí¼þ(Ó¢ÐÛ¼¶À×Éñ)2013»ð±¬.exe"
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    - Suspicious use of SetWindowsHookEx
  C:\Users\Admin\AppData\Local\Temp\svchost.exe (PID 1620, level 2)
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
PIDs are taken from the WriteProcessMemory entries. Note that this svchost.exe is dropped into and run from the user's Temp directory rather than %SystemRoot%\System32; a genuine svchost.exe never runs from there, so the name is a masquerade and the path alone is a usable detection.
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\cfˢǹÈí¼þ(Ó¢ÐÛ¼¶À×Éñ)2013»ð±¬.exe
  Filesize: 8.4MB
  MD5: a654920d26ed8915a65be9f7c6ee02be
  SHA1: 0caf1cbde80bd97c99dcf87660b49216080c5f2b
  SHA256: 2439efb57bb0418b88b4da3fcb0207972a7aa1d6e7007ea4409d91c6852908f6
  SHA512: b070a602d47ccdff9526fd3a6ec90d56198b5a2cf1e51e7463b461ecf9e1683ae66507b926e7604376921b8970ab9aca15a87df08cb57e218e062d3443a8efd7
C:\Users\Admin\AppData\Local\Temp\svchost.exe
  Filesize: 698KB
  MD5: 87ce7d13958d4c0c775ed170b4244bfc
  SHA1: cc5590b14547600f1e6c1725cdf1c1a2f2d852bb
  SHA256: efd1e6b7304c4043dde769e3b5d05753ccda2a5d6c400d07b780e8da4a7e87b0
  SHA512: 85f0ba6fee98b6929e7cb2159cb463fc88a087f81e4b78c120944532c1aae4380960f45e0fdba1be3499f4a5dc7a0892fa18024ac215b81754ea55454bb41293
memory/1620-136-0x0000000000000000-mapping.dmp
memory/2324-133-0x0000000000000000-mapping.dmp
memory/3808-132-0x0000000000400000-0x000000000041C000-memory.dmp
  Filesize: 112KB
memory/3808-139-0x0000000000400000-0x000000000041C000-memory.dmp
  Filesize: 112KB