Analysis
max time kernel: 150s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11-10-2022 17:38
Static task: static1
Behavioral task: behavioral1
  Sample: d30562f14158445c8c9141d3d515c70b79e1b35bd9820fbedef6e373fc774b64.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: d30562f14158445c8c9141d3d515c70b79e1b35bd9820fbedef6e373fc774b64.exe
  Resource: win10v2004-20220901-en
General
Target: d30562f14158445c8c9141d3d515c70b79e1b35bd9820fbedef6e373fc774b64.exe
Size: 277KB
MD5: 6b18605075467a654300af5153d23a00
SHA1: 8c97e30c945ccb0c4ab7981fc0fb1c78c7dc3f7b
SHA256: d30562f14158445c8c9141d3d515c70b79e1b35bd9820fbedef6e373fc774b64
SHA512: 3272111f1b95f74c4a12c9eebe07d9de23a0281b9e3367bda21da87661b96c243d016d2c93bb49f56d9af1c1b9812b8f8dfa091db97874ae34881bdc6e31447b
SSDEEP: 6144:1q5+zFvSFCiTGVnyA4sdQSCWYcowHIXky7i7bOjytTfLdhOctlrBm:1q45vLAGt3N2SuR7aOjytPOIrBm
Malware Config
Signatures
Executes dropped EXE (1 IoCs)
Processes:
  pid: 116  process: d30562f14158445c8c9141d3d515c70b79e1b35bd9820fbedef6e373fc774b64.exe
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation
  process: d30562f14158445c8c9141d3d515c70b79e1b35bd9820fbedef6e373fc774b64.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Service Host Local Service (8) = "\\Service Host\\Svchost.exe"
  process: d30562f14158445c8c9141d3d515c70b79e1b35bd9820fbedef6e373fc774b64.exe

  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Service Host Local Service (8) = "C:\\Users\\Admin\\AppData\\Local\\Service Host\\Svchost.exe"
  process: d30562f14158445c8c9141d3d515c70b79e1b35bd9820fbedef6e373fc774b64.exe
Drops desktop.ini file(s) (2 IoCs)
Processes:
  description: File created
  ioc: C:\Windows\assembly\Desktop.ini
  process: d30562f14158445c8c9141d3d515c70b79e1b35bd9820fbedef6e373fc774b64.exe

  description: File opened for modification
  ioc: C:\Windows\assembly\Desktop.ini
  process: d30562f14158445c8c9141d3d515c70b79e1b35bd9820fbedef6e373fc774b64.exe
Drops file in Windows directory (3 IoCs)
Processes:
  description: File opened for modification
  ioc: C:\Windows\assembly
  process: d30562f14158445c8c9141d3d515c70b79e1b35bd9820fbedef6e373fc774b64.exe

  description: File created
  ioc: C:\Windows\assembly\Desktop.ini
  process: d30562f14158445c8c9141d3d515c70b79e1b35bd9820fbedef6e373fc774b64.exe

  description: File opened for modification
  ioc: C:\Windows\assembly\Desktop.ini
  process: d30562f14158445c8c9141d3d515c70b79e1b35bd9820fbedef6e373fc774b64.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe (1 TTPs, 1 IoCs)
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes:
  pid: 116  process: d30562f14158445c8c9141d3d515c70b79e1b35bd9820fbedef6e373fc774b64.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  description: Token: SeDebugPrivilege  pid: 3712  process: d30562f14158445c8c9141d3d515c70b79e1b35bd9820fbedef6e373fc774b64.exe
  description: Token: SeDebugPrivilege  pid: 116   process: d30562f14158445c8c9141d3d515c70b79e1b35bd9820fbedef6e373fc774b64.exe
Suspicious use of SetWindowsHookEx (1 IoCs)
Processes:
  pid: 116  process: d30562f14158445c8c9141d3d515c70b79e1b35bd9820fbedef6e373fc774b64.exe
Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
  PID 3712 wrote to memory of 116   process: d30562f14158445c8c9141d3d515c70b79e1b35bd9820fbedef6e373fc774b64.exe  target process: d30562f14158445c8c9141d3d515c70b79e1b35bd9820fbedef6e373fc774b64.exe
  PID 3712 wrote to memory of 116   process: d30562f14158445c8c9141d3d515c70b79e1b35bd9820fbedef6e373fc774b64.exe  target process: d30562f14158445c8c9141d3d515c70b79e1b35bd9820fbedef6e373fc774b64.exe
  PID 3712 wrote to memory of 116   process: d30562f14158445c8c9141d3d515c70b79e1b35bd9820fbedef6e373fc774b64.exe  target process: d30562f14158445c8c9141d3d515c70b79e1b35bd9820fbedef6e373fc774b64.exe
  PID 3712 wrote to memory of 1912  process: d30562f14158445c8c9141d3d515c70b79e1b35bd9820fbedef6e373fc774b64.exe  target process: cmd.exe
  PID 3712 wrote to memory of 1912  process: d30562f14158445c8c9141d3d515c70b79e1b35bd9820fbedef6e373fc774b64.exe  target process: cmd.exe
  PID 3712 wrote to memory of 1912  process: d30562f14158445c8c9141d3d515c70b79e1b35bd9820fbedef6e373fc774b64.exe  target process: cmd.exe
  PID 1912 wrote to memory of 4496  process: cmd.exe  target process: PING.EXE
  PID 1912 wrote to memory of 4496  process: cmd.exe  target process: PING.EXE
  PID 1912 wrote to memory of 4496  process: cmd.exe  target process: PING.EXE
Processes
C:\Users\Admin\AppData\Local\Temp\d30562f14158445c8c9141d3d515c70b79e1b35bd9820fbedef6e373fc774b64.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d30562f14158445c8c9141d3d515c70b79e1b35bd9820fbedef6e373fc774b64.exe"
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 3712

  C:\Users\Admin\AppData\Local\Temp\d30562f14158445c8c9141d3d515c70b79e1b35bd9820fbedef6e373fc774b64\d30562f14158445c8c9141d3d515c70b79e1b35bd9820fbedef6e373fc774b64.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\d30562f14158445c8c9141d3d515c70b79e1b35bd9820fbedef6e373fc774b64\d30562f14158445c8c9141d3d515c70b79e1b35bd9820fbedef6e373fc774b64.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops desktop.ini file(s)
    - Drops file in Windows directory
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID: 116

  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\d30562f14158445c8c9141d3d515c70b79e1b35bd9820fbedef6e373fc774b64.exe"
    - Suspicious use of WriteProcessMemory
    PID: 1912

    C:\Windows\SysWOW64\PING.EXE
      Command line: ping 1.1.1.1 -n 1 -w 1000
      - Runs ping.exe
      PID: 4496
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\Users\Admin\AppData\Local\Temp\d30562f14158445c8c9141d3d515c70b79e1b35bd9820fbedef6e373fc774b64\d30562f14158445c8c9141d3d515c70b79e1b35bd9820fbedef6e373fc774b64.exe
  Filesize: 277KB
  MD5: 6b18605075467a654300af5153d23a00
  SHA1: 8c97e30c945ccb0c4ab7981fc0fb1c78c7dc3f7b
  SHA256: d30562f14158445c8c9141d3d515c70b79e1b35bd9820fbedef6e373fc774b64
  SHA512: 3272111f1b95f74c4a12c9eebe07d9de23a0281b9e3367bda21da87661b96c243d016d2c93bb49f56d9af1c1b9812b8f8dfa091db97874ae34881bdc6e31447b