Analysis
max time kernel: 69s
max time network: 143s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14/10/2022, 21:00
Static task: static1
Behavioral task: behavioral1
  Sample: 8ee36a6c15f6a406eaa75e38bcad95ad3a3d1ab17129ef04ad4be754e661f40e.exe
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: 8ee36a6c15f6a406eaa75e38bcad95ad3a3d1ab17129ef04ad4be754e661f40e.exe
  Resource: win10v2004-20220812-en
General
Target: 8ee36a6c15f6a406eaa75e38bcad95ad3a3d1ab17129ef04ad4be754e661f40e.exe
Size: 159KB
MD5: 116669c194c69dec2238a16c9794e99d
SHA1: a433dd9a553a583191ab6d170ae45e7f852981a1
SHA256: 8ee36a6c15f6a406eaa75e38bcad95ad3a3d1ab17129ef04ad4be754e661f40e
SHA512: f8ec04190153b4b0d68133d35ec39862a3c2534bb9b7e8fdcf4774baf62a3c52826d7eedd74993725ae5b87f6538ae97f32e9a3f13d1cf31871a4f1843e92dab
SSDEEP: 3072:+iFx+MrcRKO6ZWpY+38pa6XZNkPN9VBACgg7gy0J:+iFI7RKOj5gbXZNk9w4gZJ
Malware Config
Signatures
-
YARA rule hits (resource, rule). All seven hits are on the same dropped-file resource family 0x0004000000000727 and match the ASPack v2.12/v2.42 packer signature, i.e. the dropped executable is packed with ASPack:
behavioral2/files/0x0004000000000727-137.dat  aspack_v212_v242
behavioral2/files/0x0004000000000727-138.dat  aspack_v212_v242
behavioral2/files/0x0004000000000727-143.dat  aspack_v212_v242
behavioral2/files/0x0004000000000727-148.dat  aspack_v212_v242
behavioral2/files/0x0004000000000727-153.dat  aspack_v212_v242
behavioral2/files/0x0004000000000727-158.dat  aspack_v212_v242
behavioral2/files/0x0004000000000727-163.dat  aspack_v212_v242
-
Executes dropped EXE (6 IoCs)
pid   Process
3408  1.exe
5088  1.exe
2496  1.exe
3732  1.exe
1800  1.exe
748   1.exe
-
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence check. The Geo\Nation value holds the user's numeric Windows GeoID (for example 244 for the United States), so a sample that reads it can refuse to run, or change behaviour, in particular countries.
Key value queried: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation
Process: 8ee36a6c15f6a406eaa75e38bcad95ad3a3d1ab17129ef04ad4be754e661f40e.exe
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s), a behaviour commonly seen in ransomware. Note that the process tree below shows only recursive file listings (dir /s /b) and no file modification, so on this page alone this is evidence of enumeration, not of encryption.
-
Runs ping.exe (1 TTP, 1 IoC)
pid   Process
1724  PING.EXE
(The batch file's ping -n 3 127.0.0.1 is the usual way for a cmd script to pause for a couple of seconds without a dedicated sleep command.)
-
Suspicious use of WriteProcessMemory (30 IoCs; each parent/child pair below appears three times in the raw list)
src PID  src Process                                                              dst PID  procid_target
5108     8ee36a6c15f6a406eaa75e38bcad95ad3a3d1ab17129ef04ad4be754e661f40e.exe   4936     83
4936     cmd.exe                                                                  3556     85
4936     cmd.exe                                                                  3408     86
4936     cmd.exe                                                                  5088     87
4936     cmd.exe                                                                  2496     88
4936     cmd.exe                                                                  3732     89
4936     cmd.exe                                                                  1800     90
4936     cmd.exe                                                                  748      91
4936     cmd.exe                                                                  736      92
4936     cmd.exe                                                                  1724     93
Processes
The sample launches a dropped batch file (0.bat) through cmd.exe; the batch file runs a recursive document listing, invokes the dropped 1.exe against six .txt files found in %TEMP%, runs a second listing restricted to names containing an underscore, and finally pings loopback. Image paths are under SysWOW64 while the command lines say system32: the sample is a 32-bit process, so its children are redirected by WOW64 file-system redirection.

1. C:\Users\Admin\AppData\Local\Temp\8ee36a6c15f6a406eaa75e38bcad95ad3a3d1ab17129ef04ad4be754e661f40e.exe (PID 5108)
   command line: "C:\Users\Admin\AppData\Local\Temp\8ee36a6c15f6a406eaa75e38bcad95ad3a3d1ab17129ef04ad4be754e661f40e.exe"
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
  2. C:\Windows\SysWOW64\cmd.exe (PID 4936)
     command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0.bat" "
     - Suspicious use of WriteProcessMemory
    3. C:\Windows\SysWOW64\cmd.exe (PID 3556)
       command line: C:\Windows\system32\cmd.exe /c dir /s /b "*.doc" "*.xls" "*.txt" "*.ppt" "*.docx" "*.xlsx" "*.pptx" "*.pdf" "*.mlf" "*.jpg" "*.png" "*.bmp"
    3. C:\Users\Admin\AppData\Local\Temp\1.exe (PID 3408)
       command line: 1.exe "C:\Users\Admin\AppData\Local\Temp\BroadcastMsg_1660332030.txt"
       - Executes dropped EXE
    3. C:\Users\Admin\AppData\Local\Temp\1.exe (PID 5088)
       command line: 1.exe "C:\Users\Admin\AppData\Local\Temp\dd_NDP472-KB4054530-x86-x64-AllOS-ENU_decompression_log.txt"
       - Executes dropped EXE
    3. C:\Users\Admin\AppData\Local\Temp\1.exe (PID 2496)
       command line: 1.exe "C:\Users\Admin\AppData\Local\Temp\dd_vcredistMSI4F1D.txt"
       - Executes dropped EXE
    3. C:\Users\Admin\AppData\Local\Temp\1.exe (PID 3732)
       command line: 1.exe "C:\Users\Admin\AppData\Local\Temp\dd_vcredistMSI4F4B.txt"
       - Executes dropped EXE
    3. C:\Users\Admin\AppData\Local\Temp\1.exe (PID 1800)
       command line: 1.exe "C:\Users\Admin\AppData\Local\Temp\dd_vcredistUI4F1D.txt"
       - Executes dropped EXE
    3. C:\Users\Admin\AppData\Local\Temp\1.exe (PID 748)
       command line: 1.exe "C:\Users\Admin\AppData\Local\Temp\dd_vcredistUI4F4B.txt"
       - Executes dropped EXE
    3. C:\Windows\SysWOW64\cmd.exe (PID 736)
       command line: C:\Windows\system32\cmd.exe /c dir /s /b "*_*.doc" "*.xls" "*_*.txt" "*_*.ppt" "*_*.docx" "*_*.xlsx" "*_*.pptx" "*_*.pdf" "*_*.mlf" "*_*.jpg" "*_*.png" "*_*.bmp"
    3. C:\Windows\SysWOW64\PING.EXE (PID 1724)
       command line: ping -n 3 127.0.0.1
       - Runs ping.exe
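The flattened WriteProcessMemory list and the process tree above carry the same information in two shapes. As an added example (not part of the sandbox report), the script below parses the report's own "PID X wrote to memory of Y" entries into a parent/child tree, de-duplicating the per-thread repeats, and runs a small detection over the command lines from the Processes section: a recursive `dir /s /b` over document extensions and the loopback ping used as a delay. The input strings are copied from this report; the extension list, the "three or more document extensions" threshold and the flag names are my own choices, not something the sandbox defines.

```python
"""Rebuild process lineage from a sandbox WriteProcessMemory IoC list and flag
document-enumeration / loopback-ping patterns in the command lines.
Added example; the input strings below are copied from the sandbox report."""
import re
from collections import defaultdict

SAMPLE = "8ee36a6c15f6a406eaa75e38bcad95ad3a3d1ab17129ef04ad4be754e661f40e.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"

# Report text: "PID <src> wrote to memory of <dst> <src> <image> <procid_target>".
# The sandbox repeats each pair once per thread; the duplicate line stands in for that.
WPM_IOCS = " ".join([
    f"PID 5108 wrote to memory of 4936 5108 {SAMPLE} 83",
    f"PID 5108 wrote to memory of 4936 5108 {SAMPLE} 83",
    "PID 4936 wrote to memory of 3556 4936 cmd.exe 85",
    "PID 4936 wrote to memory of 3408 4936 cmd.exe 86",
    "PID 4936 wrote to memory of 5088 4936 cmd.exe 87",
    "PID 4936 wrote to memory of 2496 4936 cmd.exe 88",
    "PID 4936 wrote to memory of 3732 4936 cmd.exe 89",
    "PID 4936 wrote to memory of 1800 4936 cmd.exe 90",
    "PID 4936 wrote to memory of 748 4936 cmd.exe 91",
    "PID 4936 wrote to memory of 736 4936 cmd.exe 92",
    "PID 4936 wrote to memory of 1724 4936 cmd.exe 93",
])

# Command lines from the report's Processes section, keyed by PID.
CMDLINES = {
    5108: f'"{TEMP}\\{SAMPLE}"',
    4936: f'C:\\Windows\\system32\\cmd.exe /c ""{TEMP}\\0.bat" "',
    3556: 'C:\\Windows\\system32\\cmd.exe /c dir /s /b "*.doc" "*.xls" "*.txt" "*.ppt" '
          '"*.docx" "*.xlsx" "*.pptx" "*.pdf" "*.mlf" "*.jpg" "*.png" "*.bmp"',
    3408: f'1.exe "{TEMP}\\BroadcastMsg_1660332030.txt"',
    5088: f'1.exe "{TEMP}\\dd_NDP472-KB4054530-x86-x64-AllOS-ENU_decompression_log.txt"',
    2496: f'1.exe "{TEMP}\\dd_vcredistMSI4F1D.txt"',
    3732: f'1.exe "{TEMP}\\dd_vcredistMSI4F4B.txt"',
    1800: f'1.exe "{TEMP}\\dd_vcredistUI4F1D.txt"',
    748: f'1.exe "{TEMP}\\dd_vcredistUI4F4B.txt"',
    736: 'C:\\Windows\\system32\\cmd.exe /c dir /s /b "*_*.doc" "*.xls" "*_*.txt" "*_*.ppt" '
         '"*_*.docx" "*_*.xlsx" "*_*.pptx" "*_*.pdf" "*_*.mlf" "*_*.jpg" "*_*.png" "*_*.bmp"',
    1724: "ping -n 3 127.0.0.1",
}

WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)")
GLOB_RE = re.compile(r'"\*[^"]*\.(\w+)"')          # "*.doc", "*_*.docx", ...
PING_RE = re.compile(r"\bping(?:\.exe)?\s+-n\s+\d+\s+127\.0\.0\.1\b", re.I)
# Extensions whose recursive enumeration suggests document discovery (my own list).
DOC_EXTS = {"doc", "docx", "xls", "xlsx", "ppt", "pptx", "pdf", "txt"}


def parse_wpm(text):
    """Return {child_pid: (parent_pid, parent_image)}, keeping the first entry per child."""
    parents = {}
    for src, dst, image, _target in WPM_RE.findall(text):
        parents.setdefault(int(dst), (int(src), image))
    return parents


def build_tree(parents):
    """Invert the child->parent map into {parent_pid: [child_pid, ...]}."""
    children = defaultdict(list)
    for child, (parent, _image) in parents.items():
        children[parent].append(child)
    return dict(children)


def flags_for(cmdline):
    """Detection flags for one command line (empty list when nothing matches)."""
    flags = []
    if "dir /s /b" in cmdline.lower():
        exts = {e.lower() for e in GLOB_RE.findall(cmdline)}
        if len(exts & DOC_EXTS) >= 3:
            flags.append("doc_enum")
    if PING_RE.search(cmdline):
        flags.append("loopback_ping_delay")
    return flags


def analyze(wpm_text, cmdlines):
    """Return (tree, findings) where findings maps pid -> parent info and flags."""
    parents = parse_wpm(wpm_text)
    tree = build_tree(parents)
    findings = {}
    for pid, cmdline in cmdlines.items():
        parent_pid, parent_image = parents.get(pid, (None, None))
        findings[pid] = {"parent": parent_pid, "parent_image": parent_image,
                         "flags": flags_for(cmdline)}
    return tree, findings


def children_by_image(tree, cmdlines, parent_pid, image):
    """Children of parent_pid whose command line starts with the given image name."""
    return [c for c in tree.get(parent_pid, [])
            if cmdlines.get(c, "").lower().startswith(image.lower())]


def render(tree, cmdlines, pid, depth=0):
    """Indented text rendering of the tree rooted at pid."""
    lines = [f"{'  ' * depth}{pid}: {cmdlines.get(pid, '?')}"]
    for child in tree.get(pid, []):
        lines.extend(render(tree, cmdlines, child, depth + 1))
    return lines


if __name__ == "__main__":
    tree, findings = analyze(WPM_IOCS, CMDLINES)
    print("\n".join(render(tree, CMDLINES, 5108)))
    for pid, info in findings.items():
        if info["flags"]:
            print(f"PID {pid} (parent {info['parent']} {info['parent_image']}): {info['flags']}")
    print("dropped 1.exe instances under cmd.exe:",
          len(children_by_image(tree, CMDLINES, 4936, "1.exe")))
```

The same parser works on a real sandbox export because the token order is fixed; the only report-specific parts are the embedded strings. Both `dir` listings are flagged even though the second one restricts most globs to names containing an underscore, because the check keys on the extension set rather than the exact glob.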
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize: 1KB
MD5: 1495442e7e355dc5241fb2fafa936db6
SHA1: 4ebf68683fedda6b969b6f772fc2eb5abd2ae8dd
SHA256: d434dc558dd8a797c26f86a6743e4072f48d822664a9d340f1525545792ec795
SHA512: d57976738592f03756925bb0dae102f383b267d1b94517fb493e29d22b5b56fd0ee9839f0279030d834d15950c07e0d73145467350205a56e5a73ba8b1f7368d
-
Filesize: 41KB (this entry is listed seven times in the report with identical hashes; it is shown once here)
MD5: 1b9f50b972ba520df3a5883e94058b2f
SHA1: 303471507dc565f6588e7b89b0e95b55daae94ed
SHA256: 855fe75a1998575564f223a87cfd244cc42fb2814d9563ed33af2e4d82284a68
SHA512: 4fce9642e07c42a81e2f8bacbba902423b97f432b9231230a7e29f73dafde35d8cb30295ee99512dfb8ff742cb82ac7e76a67a7a6c75c72b489e9ab4da0d6fc6