ab66c6e473af8c24d185b542dbcd204af0daf9d220ff97861deabb86ac636478

Analysis

max time kernel
90s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
02-10-2022 14:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ab66c6e473af8c24d185b542dbcd204af0daf9d220ff97861deabb86ac636478.exe
Size

338KB
MD5

66cb58b83a174b565129d99b2236af80
SHA1

77943715633b6b028da8e6e90e9bdfdd4f0a2c59
SHA256

ab66c6e473af8c24d185b542dbcd204af0daf9d220ff97861deabb86ac636478
SHA512

2df04457ca3fd9e94a1487ec765615dd884888f38ab654d369bebf64d27bed6bcc6321f50e647758e9f95c71980edbcbc66cfddf9a4d6c376ee63819668983e9
SSDEEP

3072:uGnurkvWoy0+w6jpGyFWWH27TkJionKuS6:uGpWpPW/EC

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

Tempserver.exe

pid process

2636 Tempserver.exe

pid	process
2636	Tempserver.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ab66c6e473af8c24d185b542dbcd204af0daf9d220ff97861deabb86ac636478.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	ab66c6e473af8c24d185b542dbcd204af0daf9d220ff97861deabb86ac636478.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Tempserver.exe

description pid process

Token: SeDebugPrivilege 2636 Tempserver.exe

description	pid	process
Token: SeDebugPrivilege	2636	Tempserver.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

ab66c6e473af8c24d185b542dbcd204af0daf9d220ff97861deabb86ac636478.exeTempserver.exe

description	pid	process	target process
PID 1680 wrote to memory of 2636	1680	ab66c6e473af8c24d185b542dbcd204af0daf9d220ff97861deabb86ac636478.exe	Tempserver.exe
PID 1680 wrote to memory of 2636	1680	ab66c6e473af8c24d185b542dbcd204af0daf9d220ff97861deabb86ac636478.exe	Tempserver.exe
PID 1680 wrote to memory of 2636	1680	ab66c6e473af8c24d185b542dbcd204af0daf9d220ff97861deabb86ac636478.exe	Tempserver.exe
PID 2636 wrote to memory of 1692	2636	Tempserver.exe	Tempserver.exe
PID 2636 wrote to memory of 1692	2636	Tempserver.exe	Tempserver.exe
PID 2636 wrote to memory of 1692	2636	Tempserver.exe	Tempserver.exe

C:\Users\Admin\AppData\Local\Temp\ab66c6e473af8c24d185b542dbcd204af0daf9d220ff97861deabb86ac636478.exe
"C:\Users\Admin\AppData\Local\Temp\ab66c6e473af8c24d185b542dbcd204af0daf9d220ff97861deabb86ac636478.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1680

C:\Users\Admin\AppData\Local\Tempserver.exe
"C:\Users\Admin\AppData\Local\Tempserver.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2636

C:\Users\Admin\AppData\Local\Tempserver.exe
C:\Users\Admin\AppData\Local\Tempserver.exe
3⤵
PID:1692

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Tempserver.exe
Filesize
283KB

MD5
45bedbaaa0e6b33ca6d2c20ce6487e6b

SHA1
eb5583d2ce459c311ba5ce0a2a9e729c0a09a4a2

SHA256
1581b65e663cc2d6a6e645801306629618a323ef4ee757a45496ce3490405f6b

SHA512
6130a1b3736eb45262df5fe2b8c153ab0177ccb9f1a5737f541dc331a5c80433b6624cd1d60d0c7189a677feea3b122a1acd090f4edcbdcc816928a13c9b86e4

Download Submit
C:\Users\Admin\AppData\Local\Tempserver.exe
Filesize
283KB

MD5
45bedbaaa0e6b33ca6d2c20ce6487e6b

SHA1
eb5583d2ce459c311ba5ce0a2a9e729c0a09a4a2

SHA256
1581b65e663cc2d6a6e645801306629618a323ef4ee757a45496ce3490405f6b

SHA512
6130a1b3736eb45262df5fe2b8c153ab0177ccb9f1a5737f541dc331a5c80433b6624cd1d60d0c7189a677feea3b122a1acd090f4edcbdcc816928a13c9b86e4

Download Submit
memory/1680-132-0x00007FFFDD200000-0x00007FFFDDC36000-memory.dmp

Filesize
10.2MB

Download
memory/1692-141-0x0000000000000000-mapping.dmp

Download
memory/2636-133-0x0000000000000000-mapping.dmp

Download
memory/2636-136-0x0000000000950000-0x000000000099C000-memory.dmp

Filesize
304KB

Download
memory/2636-137-0x0000000005840000-0x0000000005DE4000-memory.dmp

Filesize
5.6MB

Download
memory/2636-138-0x0000000005340000-0x00000000053D2000-memory.dmp

Filesize
584KB

Download
memory/2636-139-0x00000000053E0000-0x00000000053EA000-memory.dmp

Filesize
40KB

Download
memory/2636-140-0x0000000007420000-0x00000000074BC000-memory.dmp

Filesize
624KB

Download