Analysis
max time kernel: 152s
max time network: 170s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14-10-2022 08:56
Static task: static1
Behavioral task: behavioral1
  Sample: 0f74dc99cca7e60bb225d693d33ac7c4b476064ef38e9e1be977aff4b5d6b37e.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 0f74dc99cca7e60bb225d693d33ac7c4b476064ef38e9e1be977aff4b5d6b37e.exe
  Resource: win10v2004-20220812-en
General
Target: 0f74dc99cca7e60bb225d693d33ac7c4b476064ef38e9e1be977aff4b5d6b37e.exe
Size: 268KB
MD5: 42fc6efb3d9565cb61a9c1ecede1c1c0
SHA1: 749176180feed8881021e14943e79a725adc6064
SHA256: 0f74dc99cca7e60bb225d693d33ac7c4b476064ef38e9e1be977aff4b5d6b37e
SHA512: cb291881e266ad50a235982e6ee01ec0fa9580c4334274c85a25ffc4b979e1c244c57acdcba687fa50a5dfbe392b5d3e66f497b4a321cef9fde97205b27ef6c3
SSDEEP: 6144:Wi8Jd4clrqL9v/0MHwmAff8siDfPq553wgz2CiTzsI2kj8:P2DqJv/0ttX8/LP0AacT9S
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
Processes: 0f74dc99cca7e60bb225d693d33ac7c4b476064ef38e9e1be977aff4b5d6b37e.exe
pid | process
1388 | 0f74dc99cca7e60bb225d693d33ac7c4b476064ef38e9e1be977aff4b5d6b37e.exe
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: 0f74dc99cca7e60bb225d693d33ac7c4b476064ef38e9e1be977aff4b5d6b37e.exe, 0f74dc99cca7e60bb225d693d33ac7c4b476064ef38e9e1be977aff4b5d6b37e.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | 0f74dc99cca7e60bb225d693d33ac7c4b476064ef38e9e1be977aff4b5d6b37e.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | 0f74dc99cca7e60bb225d693d33ac7c4b476064ef38e9e1be977aff4b5d6b37e.exe
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes: 0f74dc99cca7e60bb225d693d33ac7c4b476064ef38e9e1be977aff4b5d6b37e.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\root = "\\admin\\windowsfile.exe" | 0f74dc99cca7e60bb225d693d33ac7c4b476064ef38e9e1be977aff4b5d6b37e.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\root = "C:\\Users\\Admin\\AppData\\Roaming\\admin\\windowsfile.exe" | 0f74dc99cca7e60bb225d693d33ac7c4b476064ef38e9e1be977aff4b5d6b37e.exe
-
Drops desktop.ini file(s) 2 IoCs
Processes: 0f74dc99cca7e60bb225d693d33ac7c4b476064ef38e9e1be977aff4b5d6b37e.exe
description | ioc | process
File opened for modification | C:\Windows\assembly\Desktop.ini | 0f74dc99cca7e60bb225d693d33ac7c4b476064ef38e9e1be977aff4b5d6b37e.exe
File created | C:\Windows\assembly\Desktop.ini | 0f74dc99cca7e60bb225d693d33ac7c4b476064ef38e9e1be977aff4b5d6b37e.exe
-
Drops file in Windows directory 3 IoCs
Processes: 0f74dc99cca7e60bb225d693d33ac7c4b476064ef38e9e1be977aff4b5d6b37e.exe
description | ioc | process
File opened for modification | C:\Windows\assembly | 0f74dc99cca7e60bb225d693d33ac7c4b476064ef38e9e1be977aff4b5d6b37e.exe
File created | C:\Windows\assembly\Desktop.ini | 0f74dc99cca7e60bb225d693d33ac7c4b476064ef38e9e1be977aff4b5d6b37e.exe
File opened for modification | C:\Windows\assembly\Desktop.ini | 0f74dc99cca7e60bb225d693d33ac7c4b476064ef38e9e1be977aff4b5d6b37e.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes: Taskmgr.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | Taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | Taskmgr.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | Taskmgr.exe
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
0f74dc99cca7e60bb225d693d33ac7c4b476064ef38e9e1be977aff4b5d6b37e.exeTaskmgr.exepid process 1388 0f74dc99cca7e60bb225d693d33ac7c4b476064ef38e9e1be977aff4b5d6b37e.exe 1388 0f74dc99cca7e60bb225d693d33ac7c4b476064ef38e9e1be977aff4b5d6b37e.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe -
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
Processes: 0f74dc99cca7e60bb225d693d33ac7c4b476064ef38e9e1be977aff4b5d6b37e.exe, Taskmgr.exe
pid | process
1388 | 0f74dc99cca7e60bb225d693d33ac7c4b476064ef38e9e1be977aff4b5d6b37e.exe
1624 | Taskmgr.exe
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes: 0f74dc99cca7e60bb225d693d33ac7c4b476064ef38e9e1be977aff4b5d6b37e.exe, 0f74dc99cca7e60bb225d693d33ac7c4b476064ef38e9e1be977aff4b5d6b37e.exe, Taskmgr.exe
description | pid | process
Token: SeDebugPrivilege | 2440 | 0f74dc99cca7e60bb225d693d33ac7c4b476064ef38e9e1be977aff4b5d6b37e.exe
Token: SeDebugPrivilege | 1388 | 0f74dc99cca7e60bb225d693d33ac7c4b476064ef38e9e1be977aff4b5d6b37e.exe
Token: SeDebugPrivilege | 1624 | Taskmgr.exe
Token: SeSystemProfilePrivilege | 1624 | Taskmgr.exe
Token: SeCreateGlobalPrivilege | 1624 | Taskmgr.exe
-
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
Taskmgr.exepid process 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe -
Suspicious use of SendNotifyMessage 64 IoCs
Processes:
Taskmgr.exepid process 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe 1624 Taskmgr.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes: 0f74dc99cca7e60bb225d693d33ac7c4b476064ef38e9e1be977aff4b5d6b37e.exe, 0f74dc99cca7e60bb225d693d33ac7c4b476064ef38e9e1be977aff4b5d6b37e.exe
pid | process
2440 | 0f74dc99cca7e60bb225d693d33ac7c4b476064ef38e9e1be977aff4b5d6b37e.exe
1388 | 0f74dc99cca7e60bb225d693d33ac7c4b476064ef38e9e1be977aff4b5d6b37e.exe
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes: 0f74dc99cca7e60bb225d693d33ac7c4b476064ef38e9e1be977aff4b5d6b37e.exe, cmd.exe, 0f74dc99cca7e60bb225d693d33ac7c4b476064ef38e9e1be977aff4b5d6b37e.exe
description | pid | process | target process
PID 2440 wrote to memory of 1388 | 2440 | 0f74dc99cca7e60bb225d693d33ac7c4b476064ef38e9e1be977aff4b5d6b37e.exe | 0f74dc99cca7e60bb225d693d33ac7c4b476064ef38e9e1be977aff4b5d6b37e.exe
PID 2440 wrote to memory of 1388 | 2440 | 0f74dc99cca7e60bb225d693d33ac7c4b476064ef38e9e1be977aff4b5d6b37e.exe | 0f74dc99cca7e60bb225d693d33ac7c4b476064ef38e9e1be977aff4b5d6b37e.exe
PID 2440 wrote to memory of 1388 | 2440 | 0f74dc99cca7e60bb225d693d33ac7c4b476064ef38e9e1be977aff4b5d6b37e.exe | 0f74dc99cca7e60bb225d693d33ac7c4b476064ef38e9e1be977aff4b5d6b37e.exe
PID 2440 wrote to memory of 2236 | 2440 | 0f74dc99cca7e60bb225d693d33ac7c4b476064ef38e9e1be977aff4b5d6b37e.exe | cmd.exe
PID 2440 wrote to memory of 2236 | 2440 | 0f74dc99cca7e60bb225d693d33ac7c4b476064ef38e9e1be977aff4b5d6b37e.exe | cmd.exe
PID 2440 wrote to memory of 2236 | 2440 | 0f74dc99cca7e60bb225d693d33ac7c4b476064ef38e9e1be977aff4b5d6b37e.exe | cmd.exe
PID 2236 wrote to memory of 628 | 2236 | cmd.exe | PING.EXE
PID 2236 wrote to memory of 628 | 2236 | cmd.exe | PING.EXE
PID 2236 wrote to memory of 628 | 2236 | cmd.exe | PING.EXE
PID 1388 wrote to memory of 1624 | 1388 | 0f74dc99cca7e60bb225d693d33ac7c4b476064ef38e9e1be977aff4b5d6b37e.exe | Taskmgr.exe
PID 1388 wrote to memory of 1624 | 1388 | 0f74dc99cca7e60bb225d693d33ac7c4b476064ef38e9e1be977aff4b5d6b37e.exe | Taskmgr.exe
PID 1388 wrote to memory of 1624 | 1388 | 0f74dc99cca7e60bb225d693d33ac7c4b476064ef38e9e1be977aff4b5d6b37e.exe | Taskmgr.exe
Processes
-
[1] C:\Users\Admin\AppData\Local\Temp\0f74dc99cca7e60bb225d693d33ac7c4b476064ef38e9e1be977aff4b5d6b37e.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\0f74dc99cca7e60bb225d693d33ac7c4b476064ef38e9e1be977aff4b5d6b37e.exe"
    - Checks computer location settings
    - Drops desktop.ini file(s)
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 2440
  [2] C:\Users\Admin\AppData\Local\Temp\0f74dc99cca7e60bb225d693d33ac7c4b476064ef38e9e1be977aff4b5d6b37e\0f74dc99cca7e60bb225d693d33ac7c4b476064ef38e9e1be977aff4b5d6b37e.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\0f74dc99cca7e60bb225d693d33ac7c4b476064ef38e9e1be977aff4b5d6b37e\0f74dc99cca7e60bb225d693d33ac7c4b476064ef38e9e1be977aff4b5d6b37e.exe"
      - Executes dropped EXE
      - Checks computer location settings
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID: 1388
    [3] C:\Windows\SysWOW64\Taskmgr.exe
        Command line: "C:\Windows\System32\Taskmgr.exe"
        - Checks SCSI registry key(s)
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        PID: 1624
  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\0f74dc99cca7e60bb225d693d33ac7c4b476064ef38e9e1be977aff4b5d6b37e.exe"
      - Suspicious use of WriteProcessMemory
      PID: 2236
    [3] C:\Windows\SysWOW64\PING.EXE
        Command line: ping 1.1.1.1 -n 1 -w 1000
        - Runs ping.exe
        PID: 628
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\0f74dc99cca7e60bb225d693d33ac7c4b476064ef38e9e1be977aff4b5d6b37e\0f74dc99cca7e60bb225d693d33ac7c4b476064ef38e9e1be977aff4b5d6b37e.exe
Filesize: 268KB
MD5: 42fc6efb3d9565cb61a9c1ecede1c1c0
SHA1: 749176180feed8881021e14943e79a725adc6064
SHA256: 0f74dc99cca7e60bb225d693d33ac7c4b476064ef38e9e1be977aff4b5d6b37e
SHA512: cb291881e266ad50a235982e6ee01ec0fa9580c4334274c85a25ffc4b979e1c244c57acdcba687fa50a5dfbe392b5d3e66f497b4a321cef9fde97205b27ef6c3
-
Filesize: 41B
MD5: f819aec674bbb42a20c72ab54dbdb64c
SHA1: 7ae64e2fe56a08ea768a08594aa31f7bee2f20ec
SHA256: be51fdb24b395869885849b179f8b4972afc0d6e85d2edab8ae2798f29516326
SHA512: 4eeddfddd6a86a041d11a31c4050d28c80e9eb5993c0bd1921f2fc4866d0efd0b0fc482c3446f8c726698cd58534b9afc71482443175bedccee623254acb569f