Analysis
-
max time kernel
151s -
max time network
158s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
20-10-2022 14:47
General
-
Target
1b6f69757ef23af5b07bfaf34a83115ab6a2c12abfe0c7ce693ab18373376b47.exe
-
Size
808KB
-
MD5
9028d8fdcf15ecc6533f998b82cfcae0
-
SHA1
676f28184518a99277d90255e21f3b6da0119b95
-
SHA256
1b6f69757ef23af5b07bfaf34a83115ab6a2c12abfe0c7ce693ab18373376b47
-
SHA512
1fd00a7ffe63771164d9ac66e38e49b9d518bbbe90f01fb58bee5769e4c44e1cc91fcf786ff57943626aded27cb2b275380e920adb7087ae0dfbf868de02888d
-
SSDEEP
3072:a18SouhTTtfiCXl+0LbLuO5aYd/5q6rsg2ZaZ/VuXQMul6mdoCom9QEst3FmcSDw:U8Yd4iaYd/5EkhTlBy3Fmcow
Malware Config
Signatures
-
Modifies firewall policy service 2 TTPs 4 IoCs
-
Modifies Installed Components in the registry 2 TTPs 4 IoCs
-
UPX packed file 5 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Adds Run key to start application 2 TTPs 8 IoCs
-
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies data under HKEY_USERS 2 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 11 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\1b6f69757ef23af5b07bfaf34a83115ab6a2c12abfe0c7ce693ab18373376b47.exe"C:\Users\Admin\AppData\Local\Temp\1b6f69757ef23af5b07bfaf34a83115ab6a2c12abfe0c7ce693ab18373376b47.exe"1⤵
- Modifies Installed Components in the registry
- Checks computer location settings
- Adds Run key to start application
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1b6f69757ef23af5b07bfaf34a83115ab6a2c12abfe0c7ce693ab18373376b47.exeC:\Users\Admin\AppData\Local\Temp\1b6f69757ef23af5b07bfaf34a83115ab6a2c12abfe0c7ce693ab18373376b47.exe2⤵
- Modifies firewall policy service
- Adds Run key to start application
- Modifies data under HKEY_USERS
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Fy6aw2ESq8.bat" "2⤵
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
808KB
MD59028d8fdcf15ecc6533f998b82cfcae0
SHA1676f28184518a99277d90255e21f3b6da0119b95
SHA2561b6f69757ef23af5b07bfaf34a83115ab6a2c12abfe0c7ce693ab18373376b47
SHA5121fd00a7ffe63771164d9ac66e38e49b9d518bbbe90f01fb58bee5769e4c44e1cc91fcf786ff57943626aded27cb2b275380e920adb7087ae0dfbf868de02888d
-
Filesize
396B
MD57be111a5360e52356d2aaebc23888324
SHA12868348401cff7ede51718d082fb229623061d40
SHA2569d0fecd700bf608435e03212c81f4e4ba3bc530ecce4d558c3da978d483c32ff
SHA51245c83e714ed1cb33c8979d5b1a6b205183bfd989f0a5e1ee9f5237745cd9c9865eae5420fdd9da831a1f0d30d32fb0d0fc13c95316b7bf89fbec4de2232eac08
-
Filesize
836KB
-
Filesize
836KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB