Analysis

  • max time kernel
    168s
  • max time network
    185s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04-10-2022 19:41

General

  • Target

    1590B1512142D6C974828FC11958A9A5FFDB6673A584B.exe

  • Size

    309KB

  • MD5

    f4e3415d68ba7564f1400b74e4d7e22b

  • SHA1

    a4a3b80c28db771c0b15c543daa56a229467fdf3

  • SHA256

    1590b1512142d6c974828fc11958a9a5ffdb6673a584b15fda7f93768f639a54

  • SHA512

    8c1a0d8db17301bdc6e2e3c16f953c1fd69ba76e887c797d64eb952155dc204a11b8f04181207cae7723aebddf638031e96225131a2006d07c43eb0555f207d7

  • SSDEEP

    6144:h8u3J4+CQ6otk3BPuzoqANdyl6/5rLlj/T+/1aoaorg9v4EqP4EXPav0XXXXX3hM:0K1aoaCgR4HP4KPHXXXXX3hXXXXXX3Xs

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE ⋅ 1 IoCs
  • Checks computer location settings ⋅ 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices ⋅ 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) ⋅ 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Delays execution with timeout.exe ⋅ 1 IoCs
  • Suspicious behavior: EnumeratesProcesses ⋅ 23 IoCs
  • Suspicious use of AdjustPrivilegeToken ⋅ 2 IoCs
  • Suspicious use of WriteProcessMemory ⋅ 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1590B1512142D6C974828FC11958A9A5FFDB6673A584B.exe
    "C:\Users\Admin\AppData\Local\Temp\1590B1512142D6C974828FC11958A9A5FFDB6673A584B.exe"
    Checks computer location settings
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of WriteProcessMemory
    PID:1860
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /ru system /rl highest /tn 1590B1512142D6C974828FC11958A9A5FFDB6673A584B /tr '"C:\Users\Admin\AppData\Roaming\folders.exe"' & exit
      Suspicious use of WriteProcessMemory
      PID:532
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /create /f /sc onlogon /ru system /rl highest /tn 1590B1512142D6C974828FC11958A9A5FFDB6673A584B /tr '"C:\Users\Admin\AppData\Roaming\folders.exe"'
        Creates scheduled task(s)
        PID:640
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp2328.tmp.bat""
      Suspicious use of WriteProcessMemory
      PID:4672
      • C:\Windows\SysWOW64\timeout.exe
        timeout 3
        Delays execution with timeout.exe
        PID:1560
      • C:\Users\Admin\AppData\Roaming\folders.exe
        "C:\Users\Admin\AppData\Roaming\folders.exe"
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        PID:2892

Network

MITRE ATT&CK Matrix

Collection

    Command and Control

      Credential Access

        Defense Evasion

          Execution

            Exfiltration

              Impact

                Initial Access

                  Lateral Movement

                    Persistence

                    Privilege Escalation

                      Replay Monitor

                      00:00 00:00

                      Downloads

                      • C:\Users\Admin\AppData\Local\Temp\tmp2328.tmp.bat
                        MD5

                        f10d5e73e1894d2151008e5905cc7803

                        SHA1

                        30bc89172a515c25936494168e2f9824cc14a0d0

                        SHA256

                        f4c8fbb243db44809b016269f1d4b44632d832d1d3ea506f52072f358537ad63

                        SHA512

                        51603bcf9fe90e86cd8c41d4d431b3e8fb6ed877f2651f589895ac9e99bb2af0442abc270835530d40cea29dfa4b7d9f76f80101927b0cf352abc2479796f5e9

                      • C:\Users\Admin\AppData\Roaming\folders.exe
                        MD5

                        f4e3415d68ba7564f1400b74e4d7e22b

                        SHA1

                        a4a3b80c28db771c0b15c543daa56a229467fdf3

                        SHA256

                        1590b1512142d6c974828fc11958a9a5ffdb6673a584b15fda7f93768f639a54

                        SHA512

                        8c1a0d8db17301bdc6e2e3c16f953c1fd69ba76e887c797d64eb952155dc204a11b8f04181207cae7723aebddf638031e96225131a2006d07c43eb0555f207d7

                      • C:\Users\Admin\AppData\Roaming\folders.exe
                        MD5

                        f4e3415d68ba7564f1400b74e4d7e22b

                        SHA1

                        a4a3b80c28db771c0b15c543daa56a229467fdf3

                        SHA256

                        1590b1512142d6c974828fc11958a9a5ffdb6673a584b15fda7f93768f639a54

                        SHA512

                        8c1a0d8db17301bdc6e2e3c16f953c1fd69ba76e887c797d64eb952155dc204a11b8f04181207cae7723aebddf638031e96225131a2006d07c43eb0555f207d7

                      • memory/532-134-0x0000000000000000-mapping.dmp
                      • memory/640-136-0x0000000000000000-mapping.dmp
                      • memory/1560-138-0x0000000000000000-mapping.dmp
                      • memory/1860-132-0x0000000000EE0000-0x0000000000F34000-memory.dmp
                      • memory/1860-133-0x0000000005A60000-0x0000000005AFC000-memory.dmp
                      • memory/2892-139-0x0000000000000000-mapping.dmp
                      • memory/2892-142-0x00000000054F0000-0x0000000005A94000-memory.dmp
                      • memory/2892-143-0x0000000004FF0000-0x0000000005056000-memory.dmp
                      • memory/4672-135-0x0000000000000000-mapping.dmp