Analysis
- max time kernel: 151s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 04-10-2022 01:52
Static task: static1
Behavioral task: behavioral1
- Sample: 6f28523042f4cb7882fc7a586730a5747437700be0e75673dba9c6a63e92430e.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: 6f28523042f4cb7882fc7a586730a5747437700be0e75673dba9c6a63e92430e.exe
- Resource: win10v2004-20220901-en
General
- Target: 6f28523042f4cb7882fc7a586730a5747437700be0e75673dba9c6a63e92430e.exe
- Size: 105KB
- MD5: 494427ec6ad02d5ce45935c166c0d0f0
- SHA1: f2046741e3245550c438a078238e820f6bf142b2
- SHA256: 6f28523042f4cb7882fc7a586730a5747437700be0e75673dba9c6a63e92430e
- SHA512: 4db1491c4ebd9e5b6bb5f7df6687689b054e4a9b9b3799be6a8ef23dfc8a9bb3ff2d5f1c4eaeb26a21c76682518688bd509777ea8f833b11acc0c78f994c2229
- SSDEEP: 3072:QaLFrswt4gAWi//1/8gVmedQ+x47VmoXocrV:QaxswBAZ/VJmV
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  Processes:
  pid 3536 | process Trojan.exe
- Modifies Windows Firewall (1 TTPs, 1 IoCs)
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes:
  description: Key value queried | ioc: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | process: 6f28523042f4cb7882fc7a586730a5747437700be0e75673dba9c6a63e92430e.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
  description: Set value (str) | ioc: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\8515eb34d8f9de5af815466e9715b3e5 = "\"C:\\Users\\Admin\\AppData\\Roaming\\Trojan.exe\" .." | process: Trojan.exe
  description: Set value (str) | ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\8515eb34d8f9de5af815466e9715b3e5 = "\"C:\\Users\\Admin\\AppData\\Roaming\\Trojan.exe\" .." | process: Trojan.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (32 IoCs)
  Processes:
  pid 3536 | process Trojan.exe (32 identical entries)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
  description: Token: SeDebugPrivilege | pid: 3536 | process: Trojan.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
  description: PID 4412 wrote to memory of 3536 | pid: 4412 | process: 6f28523042f4cb7882fc7a586730a5747437700be0e75673dba9c6a63e92430e.exe | target process: Trojan.exe
  description: PID 4412 wrote to memory of 3536 | pid: 4412 | process: 6f28523042f4cb7882fc7a586730a5747437700be0e75673dba9c6a63e92430e.exe | target process: Trojan.exe
  description: PID 3536 wrote to memory of 652 | pid: 3536 | process: Trojan.exe | target process: netsh.exe
  description: PID 3536 wrote to memory of 652 | pid: 3536 | process: Trojan.exe | target process: netsh.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\6f28523042f4cb7882fc7a586730a5747437700be0e75673dba9c6a63e92430e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6f28523042f4cb7882fc7a586730a5747437700be0e75673dba9c6a63e92430e.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Trojan.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Trojan.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SYSTEM32\netsh.exe
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Trojan.exe" "Trojan.exe" ENABLE
      - Modifies Windows Firewall
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\Trojan.exe
  Filesize: 105KB
  MD5: 494427ec6ad02d5ce45935c166c0d0f0
  SHA1: f2046741e3245550c438a078238e820f6bf142b2
  SHA256: 6f28523042f4cb7882fc7a586730a5747437700be0e75673dba9c6a63e92430e
  SHA512: 4db1491c4ebd9e5b6bb5f7df6687689b054e4a9b9b3799be6a8ef23dfc8a9bb3ff2d5f1c4eaeb26a21c76682518688bd509777ea8f833b11acc0c78f994c2229
- memory/652-137-0x0000000000000000-mapping.dmp
- memory/3536-133-0x0000000000000000-mapping.dmp
- memory/3536-138-0x00007FFD33890000-0x00007FFD34351000-memory.dmp
  Filesize: 10.8MB
- memory/3536-140-0x00007FFD33890000-0x00007FFD34351000-memory.dmp
  Filesize: 10.8MB
- memory/4412-132-0x0000000000EF0000-0x0000000000F10000-memory.dmp
  Filesize: 128KB
- memory/4412-136-0x00007FFD33890000-0x00007FFD34351000-memory.dmp
  Filesize: 10.8MB
- memory/4412-139-0x00007FFD33890000-0x00007FFD34351000-memory.dmp
  Filesize: 10.8MB