Analysis

  • max time kernel
    168s
  • max time network
    185s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04-10-2022 19:41

General

  • Target

    1590B1512142D6C974828FC11958A9A5FFDB6673A584B.exe

  • Size

    309KB

  • MD5

    f4e3415d68ba7564f1400b74e4d7e22b

  • SHA1

    a4a3b80c28db771c0b15c543daa56a229467fdf3

  • SHA256

    1590b1512142d6c974828fc11958a9a5ffdb6673a584b15fda7f93768f639a54

  • SHA512

    8c1a0d8db17301bdc6e2e3c16f953c1fd69ba76e887c797d64eb952155dc204a11b8f04181207cae7723aebddf638031e96225131a2006d07c43eb0555f207d7

  • SSDEEP

    6144:h8u3J4+CQ6otk3BPuzoqANdyl6/5rLlj/T+/1aoaorg9v4EqP4EXPav0XXXXX3hM:0K1aoaCgR4HP4KPHXXXXX3hXXXXXX3Xs

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Delays execution with timeout.exe 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 23 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1590B1512142D6C974828FC11958A9A5FFDB6673A584B.exe
    "C:\Users\Admin\AppData\Local\Temp\1590B1512142D6C974828FC11958A9A5FFDB6673A584B.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1860
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /ru system /rl highest /tn 1590B1512142D6C974828FC11958A9A5FFDB6673A584B /tr '"C:\Users\Admin\AppData\Roaming\folders.exe"' & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:532
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /create /f /sc onlogon /ru system /rl highest /tn 1590B1512142D6C974828FC11958A9A5FFDB6673A584B /tr '"C:\Users\Admin\AppData\Roaming\folders.exe"'
        3⤵
        • Creates scheduled task(s)
        PID:640
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp2328.tmp.bat""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4672
      • C:\Windows\SysWOW64\timeout.exe
        timeout 3
        3⤵
        • Delays execution with timeout.exe
        PID:1560
      • C:\Users\Admin\AppData\Roaming\folders.exe
        "C:\Users\Admin\AppData\Roaming\folders.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:2892

Network

MITRE ATT&CK Matrix ATT&CK v6

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp2328.tmp.bat
    Filesize

    151B

    MD5

    f10d5e73e1894d2151008e5905cc7803

    SHA1

    30bc89172a515c25936494168e2f9824cc14a0d0

    SHA256

    f4c8fbb243db44809b016269f1d4b44632d832d1d3ea506f52072f358537ad63

    SHA512

    51603bcf9fe90e86cd8c41d4d431b3e8fb6ed877f2651f589895ac9e99bb2af0442abc270835530d40cea29dfa4b7d9f76f80101927b0cf352abc2479796f5e9

  • C:\Users\Admin\AppData\Roaming\folders.exe
    Filesize

    309KB

    MD5

    f4e3415d68ba7564f1400b74e4d7e22b

    SHA1

    a4a3b80c28db771c0b15c543daa56a229467fdf3

    SHA256

    1590b1512142d6c974828fc11958a9a5ffdb6673a584b15fda7f93768f639a54

    SHA512

    8c1a0d8db17301bdc6e2e3c16f953c1fd69ba76e887c797d64eb952155dc204a11b8f04181207cae7723aebddf638031e96225131a2006d07c43eb0555f207d7

  • C:\Users\Admin\AppData\Roaming\folders.exe
    Filesize

    309KB

    MD5

    f4e3415d68ba7564f1400b74e4d7e22b

    SHA1

    a4a3b80c28db771c0b15c543daa56a229467fdf3

    SHA256

    1590b1512142d6c974828fc11958a9a5ffdb6673a584b15fda7f93768f639a54

    SHA512

    8c1a0d8db17301bdc6e2e3c16f953c1fd69ba76e887c797d64eb952155dc204a11b8f04181207cae7723aebddf638031e96225131a2006d07c43eb0555f207d7

  • memory/532-134-0x0000000000000000-mapping.dmp
  • memory/640-136-0x0000000000000000-mapping.dmp
  • memory/1560-138-0x0000000000000000-mapping.dmp
  • memory/1860-132-0x0000000000EE0000-0x0000000000F34000-memory.dmp
    Filesize

    336KB

  • memory/1860-133-0x0000000005A60000-0x0000000005AFC000-memory.dmp
    Filesize

    624KB

  • memory/2892-139-0x0000000000000000-mapping.dmp
  • memory/2892-142-0x00000000054F0000-0x0000000005A94000-memory.dmp
    Filesize

    5MB

  • memory/2892-143-0x0000000004FF0000-0x0000000005056000-memory.dmp
    Filesize

    408KB

  • memory/4672-135-0x0000000000000000-mapping.dmp