Analysis
- max time kernel: 151s
- max time network: 158s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 03-10-2022 00:58
Static task: static1
Behavioral task: behavioral1
- Sample: 9029b3cdc4918747103baada7afb81d52d2c5fe1ce3c63e15a519c0cd011947a.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: 9029b3cdc4918747103baada7afb81d52d2c5fe1ce3c63e15a519c0cd011947a.exe
- Resource: win10v2004-20220812-en
The results on this page are from the behavioral2 run (win10v2004-20220812-en on x64, matching the platform and resource above); the win7 run is not shown here.
General
- Target: 9029b3cdc4918747103baada7afb81d52d2c5fe1ce3c63e15a519c0cd011947a.exe
- Size: 83KB
- MD5: 61daf3b921cc002b1363019a214a9f40
- SHA1: 1060308f6ad7df8f0f6c3770323185fec0bc2bbc
- SHA256: 9029b3cdc4918747103baada7afb81d52d2c5fe1ce3c63e15a519c0cd011947a
- SHA512: 4cd6e63aa383b8f4ba05cdc756169c06736c4381705096f512dfe34d2d86c745e0d6d789a3fb1950978e67c6915fc7ecf551d71206160a4f9cf62fb2d6c9b97d
- SSDEEP: 1536:zLxrqW3uc5sl5h8cfOjELHcRRUvwgu0VUqBRg/T:fxrqW34hdcRRkwgVAr
Malware Config: none extracted in this run.
Signatures
- Executes dropped EXE (1 IoC)
  Process: server.exe (PID 4392), written to C:\Users\Admin\AppData\Local\Temp\ and launched by the submitted sample (PID 1992).
- Modifies Windows Firewall (1 TTP, 1 IoC)
  server.exe spawns netsh.exe (PID 4344) to register itself as an allowed program; the full command line is in the process tree.
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence check.
  Process: 9029b3cdc4918747103baada7afb81d52d2c5fe1ce3c63e15a519c0cd011947a.exe (PID 1992) queried the key value \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation
- Adds Run key to start application (2 TTPs, 2 IoCs)
  server.exe (PID 4392) set two string values, both named 6c41a042f5e13cf3b153e2636d60f243, with the data "C:\Users\Admin\AppData\Local\Temp\server.exe" .. (note the trailing " .." argument, which is part of the persisted command line):
  - \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\6c41a042f5e13cf3b153e2636d60f243
  - \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\6c41a042f5e13cf3b153e2636d60f243
  The second path is the WOW6432Node view, i.e. a 32-bit process writing HKLM\SOFTWARE on an x64 host; this is consistent with netsh.exe being launched from C:\Windows\SysWOW64. Both the per-user and the machine-wide Run value need to be removed during cleanup, and the machine-wide write only succeeds if the process is running elevated.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox attaches its generic "likely ransomware behaviour" note to this signature; nothing else in this report (no file writes beyond the dropped copy in %TEMP%) supports ransomware activity for this sample.
- Suspicious use of AdjustPrivilegeToken (21 IoCs)
  server.exe (PID 4392) enables SeDebugPrivilege once, then adjusts privilege LUID 33 (SE_INC_WORKING_SET_PRIVILEGE, SeIncreaseWorkingSetPrivilege, in winnt.h) and SeIncBasePriorityPrivilege alternately, ten times each.
- Suspicious use of WriteProcessMemory (6 IoCs)
  - PID 1992 (the submitted sample) wrote to the memory of PID 4392 (server.exe), three times.
  - PID 4392 (server.exe) wrote to the memory of PID 4344 (netsh.exe), three times.
  In both cases the writer is the parent of the target and the writes coincide with process start. CreateProcess itself writes the child's startup parameters into the new process, so on this evidence alone the signature does not demonstrate code injection.
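To turn the IoCs above into something that can run over endpoint telemetry, the following is an added example in Python; it is not part of the sandbox report and not the sample's code. It encodes the four behaviours this report records (the Geo\Nation locale query, a Run value pointing into a user-writable directory, a netsh firewall allow rule for a user-writable binary, and an executable under %TEMP% launching another executable under %TEMP%) as rules over a small constructed event list modelled on the report's IoC lines. The event schema (type/pid/ppid/image/cmdline/key/data), the parent PID 3000, and the benign control events (PIDs 700, 800, 900, a vendor updater under Program Files and an advfirewall rule added from cmd.exe) are assumptions for illustration, not a real log format or real telemetry.

```python
import re
from dataclasses import dataclass

# Directories an unprivileged user can write to. A persisted or firewall-allowed
# binary living here is far more suspicious than one under Program Files.
USER_WRITABLE = re.compile(
    r"\\(AppData|Temp|ProgramData|Users\\Public|Downloads)\\", re.IGNORECASE)
# Run/RunOnce value under HKCU (\REGISTRY\USER\<SID>) or HKLM (\REGISTRY\MACHINE),
# including the WOW6432Node view that 32-bit writers land in on x64.
RUN_KEY = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\([^\\]+)$", re.IGNORECASE)
HEX_VALUE_NAME = re.compile(r"^[0-9a-f]{32}$", re.IGNORECASE)  # machine-generated value name
GEO_NATION = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.IGNORECASE)
# Legacy "netsh firewall" context (as used in this report) and the current advfirewall syntax.
NETSH_ALLOW = re.compile(
    r"\bnetsh(?:\.exe)?\s+(?:firewall\s+add\s+allowedprogram|advfirewall\s+firewall\s+add\s+rule)\b",
    re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    detail: str


def check_geo_query(ev, parents):
    if ev["type"] == "registry_query" and GEO_NATION.search(ev["key"]):
        return Finding("discovery.locale_check", ev["pid"], ev["key"])
    return None


def check_run_key(ev, parents):
    if ev["type"] != "registry_set":
        return None
    m = RUN_KEY.search(ev["key"])
    if not m or not USER_WRITABLE.search(ev["data"]):
        return None
    note = "Run value points into a user-writable directory"
    if HEX_VALUE_NAME.match(m.group(1)):
        note += "; value name is a 32-hex token"
    return Finding("persistence.run_key", ev["pid"], f"{ev['key']} = {ev['data']}; {note}")


def check_netsh_allow(ev, parents):
    if ev["type"] != "process" or not NETSH_ALLOW.search(ev["cmdline"]):
        return None
    quoted = re.findall(r'"([^"]+)"', ev["cmdline"])  # quoted program path(s) / names on the command line
    parent = parents.get(ev["ppid"], "")
    if any(USER_WRITABLE.search(q) for q in quoted) or USER_WRITABLE.search(parent):
        return Finding("firewall.allow_program", ev["pid"], ev["cmdline"])
    return None


def check_dropped_exe_chain(ev, parents):
    # An executable in a user-writable directory started by another executable in one.
    if ev["type"] != "process":
        return None
    parent = parents.get(ev["ppid"], "")
    if USER_WRITABLE.search(ev["image"]) and USER_WRITABLE.search(parent):
        return Finding("execution.dropped_exe", ev["pid"], f"{parent} -> {ev['image']}")
    return None


CHECKS = (check_geo_query, check_run_key, check_netsh_allow, check_dropped_exe_chain)


def analyze(events):
    """Run every rule over every event; parent images are resolved by pid first."""
    parents = {ev["pid"]: ev["image"] for ev in events if ev["type"] == "process"}
    findings = []
    for ev in events:
        for chk in CHECKS:
            f = chk(ev, parents)
            if f is not None:
                findings.append(f)
    return findings


TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = TEMP + r"\9029b3cdc4918747103baada7afb81d52d2c5fe1ce3c63e15a519c0cd011947a.exe"
SID = r"\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000"
RUN_REL = r"\Microsoft\Windows\CurrentVersion\Run"
RUN_NAME = "6c41a042f5e13cf3b153e2636d60f243"

# Constructed events modelled on the IoC lines of this report (not real telemetry).
# PID 3000 and the last three events (PIDs 700/800/900) are invented benign controls.
EVENTS = [
    {"type": "process", "pid": 1992, "ppid": 3000, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"type": "registry_query", "pid": 1992, "key": SID + r"\Control Panel\International\Geo\Nation"},
    {"type": "process", "pid": 4392, "ppid": 1992, "image": TEMP + r"\server.exe",
     "cmdline": f'"{TEMP}\\server.exe"'},
    {"type": "registry_set", "pid": 4392, "key": SID + r"\SOFTWARE" + RUN_REL + "\\" + RUN_NAME,
     "data": f'"{TEMP}\\server.exe" ..'},
    {"type": "registry_set", "pid": 4392,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node" + RUN_REL + "\\" + RUN_NAME,
     "data": f'"{TEMP}\\server.exe" ..'},
    {"type": "process", "pid": 4344, "ppid": 4392, "image": r"C:\Windows\SysWOW64\netsh.exe",
     "cmdline": f'netsh firewall add allowedprogram "{TEMP}\\server.exe" "server.exe" ENABLE'},
    {"type": "registry_set", "pid": 700, "key": SID + r"\SOFTWARE" + RUN_REL + r"\VendorUpdater",
     "data": r'"C:\Program Files\Vendor\updater.exe" /background'},
    {"type": "process", "pid": 800, "ppid": 1, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe"},
    {"type": "process", "pid": 900, "ppid": 800, "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": r'netsh advfirewall firewall add rule name="Vendor Agent" dir=in action=allow '
                r'program="C:\Program Files\Vendor\agent.exe"'},
]

if __name__ == "__main__":
    for f in analyze(EVENTS):
        print(f"[{f.rule}] pid={f.pid}: {f.detail}")
```

Run stand-alone it reports five findings, all against PIDs 1992, 4392 and 4344, and nothing for the vendor updater or the advfirewall rule added for a Program Files binary. The location-of-the-binary test is what separates the two: a Run value or firewall exception is ordinary, a Run value or firewall exception for something in %TEMP% is not, and the netsh rule also fires when the parent that launched netsh lives in a user-writable directory even if the program path on the command line does not.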
Processes
1. C:\Users\Admin\AppData\Local\Temp\9029b3cdc4918747103baada7afb81d52d2c5fe1ce3c63e15a519c0cd011947a.exe (PID 1992)
   Command line: "C:\Users\Admin\AppData\Local\Temp\9029b3cdc4918747103baada7afb81d52d2c5fe1ce3c63e15a519c0cd011947a.exe"
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\server.exe (PID 4392, child of 1992)
      Command line: "C:\Users\Admin\AppData\Local\Temp\server.exe"
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\netsh.exe (PID 4344, child of 4392)
         Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
         - Modifies Windows Firewall
         This uses the legacy netsh firewall context (deprecated in favour of netsh advfirewall firewall, but still accepted on Windows 10) to add the dropped binary as an allowed program under the display name "server.exe", so inbound connections to it are no longer blocked. The SysWOW64 path means a 32-bit netsh was started, which is what WOW64 file-system redirection produces when the parent is a 32-bit process.
Network
No network indicators are listed in this report.
MITRE ATT&CK Matrix (ATT&CK v6): the tagged techniques are those counted as TTPs under Signatures.
Downloads
- C:\Users\Admin\AppData\Local\Temp\server.exe
  Filesize: 83KB
  MD5: 61daf3b921cc002b1363019a214a9f40
  SHA1: 1060308f6ad7df8f0f6c3770323185fec0bc2bbc
  SHA256: 9029b3cdc4918747103baada7afb81d52d2c5fe1ce3c63e15a519c0cd011947a
  SHA512: 4cd6e63aa383b8f4ba05cdc756169c06736c4381705096f512dfe34d2d86c745e0d6d789a3fb1950978e67c6915fc7ecf551d71206160a4f9cf62fb2d6c9b97d
  Size and all four hashes match the submitted sample, so server.exe is a byte-identical copy of the sample written to %TEMP%, not a separately embedded payload; one hash set covers both the delivered file and the persisted copy.
- Memory dumps
  - memory/1992-132: 0x0000000000AF0000-0x0000000000B0C000 (112KB)
  - memory/1992-133: 0x0000000005320000-0x00000000053BC000 (624KB)
  - memory/1992-134: 0x0000000005AB0000-0x0000000006054000 (5.6MB)
  - memory/4344-138: 0x0000000000000000 mapping dump
  - memory/4392-135: 0x0000000000000000 mapping dump
  - memory/4392-139: 0x00000000050D0000-0x0000000005162000 (584KB)
  - memory/4392-140: 0x0000000005070000-0x000000000507A000 (40KB)