Analysis
-
max time kernel
189s -
max time network
180s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
03-10-2022 22:53
Static task
static1
Behavioral task
behavioral1
Sample
f25392c066f5415339b577d577308279e318a015832a9560993a2e7edf0d3373.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
f25392c066f5415339b577d577308279e318a015832a9560993a2e7edf0d3373.exe
Resource
win10v2004-20220812-en
General
-
Target
f25392c066f5415339b577d577308279e318a015832a9560993a2e7edf0d3373.exe
-
Size
93KB
-
MD5
50af32f41c22abf955a2f1116583ccc0
-
SHA1
000a7f9a8af1a0d165593cf1b4764f4b2ce53447
-
SHA256
f25392c066f5415339b577d577308279e318a015832a9560993a2e7edf0d3373
-
SHA512
355239639ad417df36d07934ba70e54a0e978454f4b8772b64166365bf3bcda5df86bf555a34eb44698543b94e94b8a9f9f20cadb08970821e8ae9033de0deff
-
SSDEEP
1536:ubytW3PcsuXg8Jw8AerxxZkASHjwxleHQPV6OHNPajCtq4hXoG9nxRcC0g2njpv6:syqcsuXgYw8vxRSHj28HQw8tZejPW5n
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
server.exepid process 4948 server.exe -
Modifies Windows Firewall 1 TTPs 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
f25392c066f5415339b577d577308279e318a015832a9560993a2e7edf0d3373.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation f25392c066f5415339b577d577308279e318a015832a9560993a2e7edf0d3373.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
server.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\212683d986fb740ad6a40184df48e604 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\212683d986fb740ad6a40184df48e604 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." server.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of AdjustPrivilegeToken 25 IoCs
Processes:
server.exedescription pid process Token: SeDebugPrivilege 4948 server.exe Token: 33 4948 server.exe Token: SeIncBasePriorityPrivilege 4948 server.exe Token: 33 4948 server.exe Token: SeIncBasePriorityPrivilege 4948 server.exe Token: 33 4948 server.exe Token: SeIncBasePriorityPrivilege 4948 server.exe Token: 33 4948 server.exe Token: SeIncBasePriorityPrivilege 4948 server.exe Token: 33 4948 server.exe Token: SeIncBasePriorityPrivilege 4948 server.exe Token: 33 4948 server.exe Token: SeIncBasePriorityPrivilege 4948 server.exe Token: 33 4948 server.exe Token: SeIncBasePriorityPrivilege 4948 server.exe Token: 33 4948 server.exe Token: SeIncBasePriorityPrivilege 4948 server.exe Token: 33 4948 server.exe Token: SeIncBasePriorityPrivilege 4948 server.exe Token: 33 4948 server.exe Token: SeIncBasePriorityPrivilege 4948 server.exe Token: 33 4948 server.exe Token: SeIncBasePriorityPrivilege 4948 server.exe Token: 33 4948 server.exe Token: SeIncBasePriorityPrivilege 4948 server.exe -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
f25392c066f5415339b577d577308279e318a015832a9560993a2e7edf0d3373.exeserver.exedescription pid process target process PID 5044 wrote to memory of 4948 5044 f25392c066f5415339b577d577308279e318a015832a9560993a2e7edf0d3373.exe server.exe PID 5044 wrote to memory of 4948 5044 f25392c066f5415339b577d577308279e318a015832a9560993a2e7edf0d3373.exe server.exe PID 4948 wrote to memory of 1816 4948 server.exe netsh.exe PID 4948 wrote to memory of 1816 4948 server.exe netsh.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\f25392c066f5415339b577d577308279e318a015832a9560993a2e7edf0d3373.exe"C:\Users\Admin\AppData\Local\Temp\f25392c066f5415339b577d577308279e318a015832a9560993a2e7edf0d3373.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5044 -
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4948 -
C:\Windows\SYSTEM32\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE3⤵
- Modifies Windows Firewall
PID:1816
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
93KB
MD550af32f41c22abf955a2f1116583ccc0
SHA1000a7f9a8af1a0d165593cf1b4764f4b2ce53447
SHA256f25392c066f5415339b577d577308279e318a015832a9560993a2e7edf0d3373
SHA512355239639ad417df36d07934ba70e54a0e978454f4b8772b64166365bf3bcda5df86bf555a34eb44698543b94e94b8a9f9f20cadb08970821e8ae9033de0deff
-
Filesize
93KB
MD550af32f41c22abf955a2f1116583ccc0
SHA1000a7f9a8af1a0d165593cf1b4764f4b2ce53447
SHA256f25392c066f5415339b577d577308279e318a015832a9560993a2e7edf0d3373
SHA512355239639ad417df36d07934ba70e54a0e978454f4b8772b64166365bf3bcda5df86bf555a34eb44698543b94e94b8a9f9f20cadb08970821e8ae9033de0deff