Analysis
max time kernel: 171s
max time network: 177s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04-10-2022 07:23
Static task: static1
Behavioral task: behavioral1
  Sample: bcda0d7635c0922f6b3a2686a138e1bcd462c0312348a8751a0f5c8bd9aae585.exe
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: bcda0d7635c0922f6b3a2686a138e1bcd462c0312348a8751a0f5c8bd9aae585.exe
  Resource: win10v2004-20220812-en
General
Target: bcda0d7635c0922f6b3a2686a138e1bcd462c0312348a8751a0f5c8bd9aae585.exe
Size: 43KB
MD5: 4928d60f00050b3afe71851a46ccdac0
SHA1: 65f12d289fb2e769f48b3059d4d6e713a47a5a5f
SHA256: bcda0d7635c0922f6b3a2686a138e1bcd462c0312348a8751a0f5c8bd9aae585
SHA512: a7d09369c1673c246456534dbb367a30c7406f46377bb188a3c733ce3ff932cf70b32a39e47ffe049a6d9ce14e8f7ceb2672b58419d8922f1bdc3482f556f862
SSDEEP: 768:ZCjzJ8ytcXTSqiw/ir+9WTW2il5M1g6H7jHv2dqvtq1IYsL1uHCRUNmqAgHCCjPJ:ieWfJVXFWEYCRU3HCCrk
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  pid 4504  Windows.exe
Modifies Windows Firewall (1 TTP, 1 IoC)
  pid 3500  netsh.exe
Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation  (bcda0d7635c0922f6b3a2686a138e1bcd462c0312348a8751a0f5c8bd9aae585.exe)
Drops startup file (2 IoCs)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\55b3825ee39ada2fcddf7c7accbde69e.exe  (Windows.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\55b3825ee39ada2fcddf7c7accbde69e.exe  (Windows.exe)
Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\55b3825ee39ada2fcddf7c7accbde69e = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Windows.exe\" .."  (Windows.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\55b3825ee39ada2fcddf7c7accbde69e = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Windows.exe\" .."  (Windows.exe)
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (25 IoCs)
  pid 4504  Windows.exe  (same entry repeated 25 times)
Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege  pid 4504  Windows.exe
Suspicious use of WriteProcessMemory (6 IoCs)
  PID 2128 wrote to memory of 4504  bcda0d7635c0922f6b3a2686a138e1bcd462c0312348a8751a0f5c8bd9aae585.exe  procid_target 81  (3 entries)
  PID 4504 wrote to memory of 3500  Windows.exe  procid_target 83  (3 entries)
Processes
C:\Users\Admin\AppData\Local\Temp\bcda0d7635c0922f6b3a2686a138e1bcd462c0312348a8751a0f5c8bd9aae585.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\bcda0d7635c0922f6b3a2686a138e1bcd462c0312348a8751a0f5c8bd9aae585.exe"
  PID: 2128
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\Windows.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\Windows.exe"
    PID: 4504
    - Executes dropped EXE
    - Drops startup file
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\netsh.exe
      command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Windows.exe" "Windows.exe" ENABLE
      PID: 3500
      - Modifies Windows Firewall
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 43KB
MD5: 4928d60f00050b3afe71851a46ccdac0
SHA1: 65f12d289fb2e769f48b3059d4d6e713a47a5a5f
SHA256: bcda0d7635c0922f6b3a2686a138e1bcd462c0312348a8751a0f5c8bd9aae585
SHA512: a7d09369c1673c246456534dbb367a30c7406f46377bb188a3c733ce3ff932cf70b32a39e47ffe049a6d9ce14e8f7ceb2672b58419d8922f1bdc3482f556f862