Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03-10-2022 00:42
Static task: static1
Behavioral task behavioral1: sample c727a0856eb82a40b891d09f262817eb4cd61fe116d9e4337cfef420b2864cab.exe, resource win7-20220901-en
Behavioral task behavioral2: sample c727a0856eb82a40b891d09f262817eb4cd61fe116d9e4337cfef420b2864cab.exe, resource win10v2004-20220901-en (the run this report covers, per the platform and resource above)
General
Target: c727a0856eb82a40b891d09f262817eb4cd61fe116d9e4337cfef420b2864cab.exe
Size: 354KB
MD5: 6742b8f2ce2a31ea67be7a05b27a7450
SHA1: ea8db160fa12648a1b1819c82c2db25205f51c84
SHA256: c727a0856eb82a40b891d09f262817eb4cd61fe116d9e4337cfef420b2864cab
SHA512: 8cdab5ad6991187cceb1201d4c762aea5ac4dcaaa2ed90d24a07bcb90edb141d5c6c26f4a783cc7a795f6f8d2b81db45175c2e836585e57d9369be6f8e6fff3a
SSDEEP: 3072:owi51kpjgUdkY8NvGKISQ69TKDWVmXKi+rnd2q4HXEcKCDEakrraOmU84qAUJbXO:EopjgUqY8MSkWVdQDjgToNNvDROyEbZ
Malware Config: none extracted
Signatures
Executes dropped EXE (1 IoC)
  PID 4684  c727a0856eb82a40b891d09f262817eb4cd61fe116d9e4337cfef420b2864cab.exe

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence check.
  Key value queried: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation  (process: c727a0856eb82a40b891d09f262817eb4cd61fe116d9e4337cfef420b2864cab.exe, PID 4168)

Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\\System32\\javaq.exe"  (process: c727a0856eb82a40b891d09f262817eb4cd61fe116d9e4337cfef420b2864cab.exe, PID 4684)
  Set value (str): \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "C:\\Users\\Admin\\AppData\\Local\\System32\\javaq.exe"  (process: c727a0856eb82a40b891d09f262817eb4cd61fe116d9e4337cfef420b2864cab.exe, PID 4684)
  Note: the first value is a drive-less path and the second points at a "System32" directory under the user profile, not C:\Windows\System32. No write of javaq.exe is recorded anywhere in this report, so in this run the autorun entry may point at a file that was never created.

Drops desktop.ini file(s) (2 IoCs)
  File created: C:\Windows\assembly\Desktop.ini  (PID 4684)
  File opened for modification: C:\Windows\assembly\Desktop.ini  (PID 4684)

Drops file in Windows directory (3 IoCs)
  File opened for modification: C:\Windows\assembly  (PID 4684)
  File created: C:\Windows\assembly\Desktop.ini  (PID 4684)
  File opened for modification: C:\Windows\assembly\Desktop.ini  (PID 4684)
  Note: C:\Windows\assembly is the .NET Global Assembly Cache; touching its Desktop.ini is commonly seen from managed executables and is weak evidence on its own.

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The signature's generic description calls this likely ransomware behaviour; no IoC is recorded for it in this report, and nothing else observed here (no file encryption, no ransom note) supports that reading.

Runs ping.exe (1 TTP, 1 IoC)
  PING.EXE (PID 1192), launched by cmd.exe (PID 4164) as the delay in the self-delete command; see the process tree.

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 4684  c727a0856eb82a40b891d09f262817eb4cd61fe116d9e4337cfef420b2864cab.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege  PID 4168  c727a0856eb82a40b891d09f262817eb4cd61fe116d9e4337cfef420b2864cab.exe
  Token: SeDebugPrivilege  PID 4684  c727a0856eb82a40b891d09f262817eb4cd61fe116d9e4337cfef420b2864cab.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  PID 4684  c727a0856eb82a40b891d09f262817eb4cd61fe116d9e4337cfef420b2864cab.exe

Suspicious use of WriteProcessMemory (9 IoCs)
  PID 4168 (c727a0856eb82a40b891d09f262817eb4cd61fe116d9e4337cfef420b2864cab.exe) wrote to memory of PID 4684 (c727a0856eb82a40b891d09f262817eb4cd61fe116d9e4337cfef420b2864cab.exe)  x3
  PID 4168 (c727a0856eb82a40b891d09f262817eb4cd61fe116d9e4337cfef420b2864cab.exe) wrote to memory of PID 4164 (cmd.exe)  x3
  PID 4164 (cmd.exe) wrote to memory of PID 1192 (PING.EXE)  x3
  Each entry is a parent writing into a child it has just created, which also happens during ordinary process startup; the signature is only meaningful here together with the rest of the tree.
Processes
1. C:\Users\Admin\AppData\Local\Temp\c727a0856eb82a40b891d09f262817eb4cd61fe116d9e4337cfef420b2864cab.exe  PID 4168
   Command line: "C:\Users\Admin\AppData\Local\Temp\c727a0856eb82a40b891d09f262817eb4cd61fe116d9e4337cfef420b2864cab.exe"
   - Checks computer location settings
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\c727a0856eb82a40b891d09f262817eb4cd61fe116d9e4337cfef420b2864cab\c727a0856eb82a40b891d09f262817eb4cd61fe116d9e4337cfef420b2864cab.exe  PID 4684
      Command line: "C:\Users\Admin\AppData\Local\Temp\c727a0856eb82a40b891d09f262817eb4cd61fe116d9e4337cfef420b2864cab\c727a0856eb82a40b891d09f262817eb4cd61fe116d9e4337cfef420b2864cab.exe"
      - Executes dropped EXE
      - Adds Run key to start application
      - Drops desktop.ini file(s)
      - Drops file in Windows directory
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
   2. C:\Windows\SysWOW64\cmd.exe  PID 4164
      Command line: "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\c727a0856eb82a40b891d09f262817eb4cd61fe116d9e4337cfef420b2864cab.exe"
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\PING.EXE  PID 1192
         Command line: ping 1.1.1.1 -n 1 -w 1000
         - Runs ping.exe

Sequence: the submitted file writes a copy of itself into a subdirectory of %TEMP% named after its own hash and runs that copy (PID 4684; the dropped file's hashes in the Downloads section match the sample exactly), then spawns cmd.exe, which uses a single ping with a 1000 ms timeout as a sleep before deleting the original. The parent requests C:\Windows\System32\cmd.exe but the image that runs is C:\Windows\SysWOW64\cmd.exe: the sample is a 32-bit process (arch:x86 tag above) and WOW64 file-system redirection maps the System32 path to SysWOW64.
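The two behaviours above that a detection engineer would want to alert on are the ping-then-Del self-delete in the cmd.exe command line and a Run value whose data points at a lookalike System32 directory or is not an absolute path. The following is an added example, not part of the sandbox report or of the sample's code: detection logic run over constructed Sysmon-style events modelled on the process tree and registry IoCs above. The field names (id, pid, ppid, image, cmdline, target, details) are an assumed simplified schema, not a real Sysmon export; the benign events are constructed as negative cases.

```python
"""Detections for the self-delete and Run-key behaviour in the report above.
Example code added to this page; not part of the sandbox report or the sample.
Events are constructed in a simplified Sysmon-like shape (Event ID 1 process
create, Event ID 13 registry value set) so the block runs offline."""
import re
from typing import Optional

SAMPLE = "c727a0856eb82a40b891d09f262817eb4cd61fe116d9e4337cfef420b2864cab.exe"
SAMPLE_PATH = r"C:\Users\Admin\AppData\Local\Temp" + "\\" + SAMPLE
RUN_KEY = (r"HKU\S-1-5-21-929662420-1054238289-2961194603-1000"
           r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run")

# Constructed sample events; field names are an assumption, not a real schema.
EVENTS = [
    # The submitted sample, so the self-delete check can resolve the parent image.
    {"id": 1, "pid": 4168, "ppid": 1, "image": SAMPLE_PATH,
     "cmdline": f'"{SAMPLE_PATH}"'},
    # The cmd.exe line from the process tree: one ping as a sleep, then delete the parent.
    {"id": 1, "pid": 4164, "ppid": 4168, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": f'"C:\\Windows\\System32\\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "{SAMPLE_PATH}"'},
    # A plain ping with no delete; must not fire.
    {"id": 1, "pid": 2000, "ppid": 1000, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1'},
    # First Run value from the report: a drive-less path.
    {"id": 13, "pid": 4684, "image": SAMPLE, "target": RUN_KEY + r"\System",
     "details": r"\System32\javaq.exe"},
    # Second Run value: a "System32" directory under the user profile.
    {"id": 13, "pid": 4684, "image": SAMPLE, "target": RUN_KEY + r"\System",
     "details": r"C:\Users\Admin\AppData\Local\System32\javaq.exe"},
    # A vendor autorun under Program Files; must not fire.
    {"id": 13, "pid": 900, "image": "setup.exe", "target": RUN_KEY + r"\VendorApp",
     "details": r"C:\Program Files\Vendor\App.exe"},
]

# ping used as a sleep, followed by del/erase of a quoted or bare path.
PING_DEL_RE = re.compile(
    r'\bping\b.*?&\s*(?:del|erase)\s+"?([^"&]+?)"?\s*$', re.IGNORECASE)
# Any value under HKxx\...\CurrentVersion\Run or RunOnce.
RUN_KEY_RE = re.compile(
    r"\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.IGNORECASE)
REAL_SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


def run_value_reason(details: str) -> Optional[str]:
    """Return why a Run value's data is suspicious, or None if it looks normal."""
    path = details.strip().strip('"').lower()
    if not re.match(r"^[a-z]:\\", path):
        return "non-absolute path (resolution depends on the loader's search order)"
    if "\\system32\\" in path and not path.startswith(REAL_SYSTEM_DIRS):
        return "System32 lookalike directory outside C:\\Windows"
    if any(marker in path for marker in USER_WRITABLE):
        return "executable in a user-writable location"
    return None


def scan(events):
    """Walk the events once; return (finding, pid, detail) tuples in event order."""
    image_by_pid = {e["pid"]: e["image"] for e in events if e["id"] == 1}
    findings = []
    for e in events:
        if e["id"] == 1:
            m = PING_DEL_RE.search(e["cmdline"])
            if not m:
                continue
            deleted = m.group(1).strip()
            parent_image = image_by_pid.get(e["ppid"], "")
            # Self-deletion: the file being deleted is the parent's own image.
            kind = ("self-deletion" if deleted.lower() == parent_image.lower()
                    else "ping-delay delete")
            findings.append((kind, e["pid"], deleted))
        elif e["id"] == 13 and RUN_KEY_RE.search(e["target"]):
            reason = run_value_reason(e["details"])
            if reason:
                findings.append(("run-key persistence: " + reason, e["pid"], e["details"]))
    return findings


if __name__ == "__main__":
    for kind, pid, detail in scan(EVENTS):
        print(f"[{kind}] pid={pid} {detail}")
```

The self-delete rule keys on the parent relationship rather than on ping alone: a ping followed by Del of some other file is still worth a look, but Del of the parent's own image is the specific pattern seen here. The Run-key rule deliberately ignores the value name ("System" is arbitrary) and judges the data, since a drive-less path or a System32 directory under AppData is abnormal regardless of what the entry is called.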
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\Users\Admin\AppData\Local\Temp\c727a0856eb82a40b891d09f262817eb4cd61fe116d9e4337cfef420b2864cab\c727a0856eb82a40b891d09f262817eb4cd61fe116d9e4337cfef420b2864cab.exe
  Filesize: 354KB
  MD5: 6742b8f2ce2a31ea67be7a05b27a7450
  SHA1: ea8db160fa12648a1b1819c82c2db25205f51c84
  SHA256: c727a0856eb82a40b891d09f262817eb4cd61fe116d9e4337cfef420b2864cab
  SHA512: 8cdab5ad6991187cceb1201d4c762aea5ac4dcaaa2ed90d24a07bcb90edb141d5c6c26f4a783cc7a795f6f8d2b81db45175c2e836585e57d9369be6f8e6fff3a
  Identical to the submitted sample on every hash: the dropped file is a byte-for-byte copy of the original, executed from the new path as PID 4684.