Analysis
-
max time kernel
151s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
-
submitted
20/10/2022, 08:40
General
-
Target
6fd4552d81b4c44c3c9942646bc59989085f68e32e64c00775902c2305ca5af0.exe
-
Size
687KB
-
MD5
750f3238a50711f8a9bf6349f016fc07
-
SHA1
88ec25d642cf7ec74026e53cfc3095a1f5f8f3c0
-
SHA256
6fd4552d81b4c44c3c9942646bc59989085f68e32e64c00775902c2305ca5af0
-
SHA512
22fa7c4119f5335eef1771f4afa4568bf409dc0b6147b5987a39621659c1d6fd3024e3c59c2600dcadcf688cf6a038505005ebafa43187887fa447519208d196
-
SSDEEP
12288:81MOw+OiWzTkm0Bghb/t+BpdnKQnEKMF3C9sEuC3cRazIDr6N:87w+OfIJ64pdvEKMIsEuC3cI8Dr6N
Malware Config
Signatures
-
Disables RegEdit via registry modification 1 IoCs
-
Disables Task Manager via registry modification
-
Drops file in Drivers directory 1 IoCs
-
Executes dropped EXE 2 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 5 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\6fd4552d81b4c44c3c9942646bc59989085f68e32e64c00775902c2305ca5af0.exe"C:\Users\Admin\AppData\Local\Temp\6fd4552d81b4c44c3c9942646bc59989085f68e32e64c00775902c2305ca5af0.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Full Cheat Atlantica.exe"C:\Users\Admin\AppData\Local\Temp\Full Cheat Atlantica.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\firefox.exe"C:\Users\Admin\AppData\Local\Temp\firefox.exe"2⤵
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.3MB
MD529f8e39f8a1cb0a64deec23c2e45c0e0
SHA12d630f3bdc0bfa4b9dd0e397637e57db197eb91d
SHA256e036a36d2378e5a926407a3d06e01d92a2a0d83914fa32d34a19f457f1e49584
SHA512ff331fffcff04213057936037ceb17eee813976de43b94a67d92894b08800827a25386f476e8053bbec61a84d8fb114006628c0edba86585c7f18cdbbfe76880
-
Filesize
1.3MB
MD529f8e39f8a1cb0a64deec23c2e45c0e0
SHA12d630f3bdc0bfa4b9dd0e397637e57db197eb91d
SHA256e036a36d2378e5a926407a3d06e01d92a2a0d83914fa32d34a19f457f1e49584
SHA512ff331fffcff04213057936037ceb17eee813976de43b94a67d92894b08800827a25386f476e8053bbec61a84d8fb114006628c0edba86585c7f18cdbbfe76880
-
Filesize
154KB
MD57c62ec056c69b12a6a3d92cc6be63db0
SHA1617859434d76aaab5d8e614634ac964bdf903eee
SHA2566e459cd2a4636e27d7e67d262fd82b5cc789a91632af579208ffaa3793096456
SHA51284d793277bb9ba2941144897d87359af08d44679c9c74e7ef53818b949fc3dc9dda37edaf0ae4bc56a40ad70c34f22ada84006d5f31bd07bbc63daa591fb7388
-
Filesize
154KB
MD57c62ec056c69b12a6a3d92cc6be63db0
SHA1617859434d76aaab5d8e614634ac964bdf903eee
SHA2566e459cd2a4636e27d7e67d262fd82b5cc789a91632af579208ffaa3793096456
SHA51284d793277bb9ba2941144897d87359af08d44679c9c74e7ef53818b949fc3dc9dda37edaf0ae4bc56a40ad70c34f22ada84006d5f31bd07bbc63daa591fb7388
-
Filesize
10.2MB