a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14

Analysis

max time kernel
49s
max time network
50s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
21-10-2022 00:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
Size

64KB
MD5

5b7675d3fa61654610c2275a8d4b0580
SHA1

e6a4d836b517b8677f61b6f2d106022d5b97ae97
SHA256

a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14
SHA512

708f3b36d1ad5369001d0c15eda584c4d4dd3268624617e12eb6a2c477844fd86a9efb76aa8181d716371d11c70e7ca778ebea0d60b2176164cdac3c0899522a
SSDEEP

1536:9SE/8FZkJ2xord29nSe+L6ZtTqI1xt8RddkI5:97kDkJ2+dKSBCt71xt8Rdd

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\International\Geo\Nation	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Y:	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened (read-only)	\??\B:	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened (read-only)	\??\S:	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened (read-only)	\??\X:	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened (read-only)	\??\K:	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened (read-only)	\??\L:	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened (read-only)	\??\M:	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened (read-only)	\??\O:	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened (read-only)	\??\P:	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened (read-only)	\??\E:	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened (read-only)	\??\F:	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened (read-only)	\??\H:	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened (read-only)	\??\W:	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened (read-only)	\??\Z:	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened (read-only)	\??\R:	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened (read-only)	\??\U:	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened (read-only)	\??\V:	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened (read-only)	\??\J:	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened (read-only)	\??\A:	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened (read-only)	\??\G:	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened (read-only)	\??\I:	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened (read-only)	\??\N:	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened (read-only)	\??\Q:	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened (read-only)	\??\T:	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\setup16.exe	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened for modification	C:\Windows\SysWOW64\comp.exe	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened for modification	C:\Windows\SysWOW64\perfmon.exe	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened for modification	C:\Windows\SysWOW64\ReAgentc.exe	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened for modification	C:\Windows\SysWOW64\resmon.exe	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened for modification	C:\Windows\SysWOW64\sfc.exe	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened for modification	C:\Windows\SysWOW64\sort.exe	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened for modification	C:\Windows\SysWOW64\taskeng.exe	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened for modification	C:\Windows\SysWOW64\user.exe	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened for modification	C:\Windows\SysWOW64\convert.exe	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened for modification	C:\Windows\SysWOW64\diantz.exe	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened for modification	C:\Windows\SysWOW64\dllhst3g.exe	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened for modification	C:\Windows\SysWOW64\psr.exe	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened for modification	C:\Windows\SysWOW64\wlanext.exe	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened for modification	C:\Windows\SysWOW64\setupSNK.exe	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened for modification	C:\Windows\SysWOW64\TSTheme.exe	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened for modification	C:\Windows\SysWOW64\TsWpfWrp.exe	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened for modification	C:\Windows\SysWOW64\doskey.exe	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened for modification	C:\Windows\SysWOW64\NAPSTAT.EXE	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened for modification	C:\Windows\SysWOW64\proquota.exe	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened for modification	C:\Windows\SysWOW64\regedit.exe	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened for modification	C:\Windows\SysWOW64\efsui.exe	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened for modification	C:\Windows\SysWOW64\lodctr.exe	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened for modification	C:\Windows\SysWOW64\net1.exe	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened for modification	C:\Windows\SysWOW64\upnpcont.exe	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened for modification	C:\Windows\SysWOW64\diskraid.exe	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened for modification	C:\Windows\SysWOW64\regsvr32.exe	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened for modification	C:\Windows\SysWOW64\SystemPropertiesRemote.exe	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened for modification	C:\Windows\SysWOW64\Netplwiz.exe	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened for modification	C:\Windows\SysWOW64\SystemPropertiesProtection.exe	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened for modification	C:\Windows\SysWOW64\wowreg32.exe	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened for modification	C:\Windows\SysWOW64\ARP.EXE	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened for modification	C:\Windows\SysWOW64\cliconfg.exe	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened for modification	C:\Windows\SysWOW64\taskmgr.exe	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened for modification	C:\Windows\SysWOW64\WerFaultSecure.exe	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened for modification	C:\Windows\SysWOW64\tzutil.exe	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened for modification	C:\Windows\SysWOW64\waitfor.exe	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened for modification	C:\Windows\SysWOW64\fc.exe	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened for modification	C:\Windows\SysWOW64\ntprint.exe	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened for modification	C:\Windows\SysWOW64\openfiles.exe	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened for modification	C:\Windows\SysWOW64\setx.exe	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened for modification	C:\Windows\SysWOW64\cleanmgr.exe	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened for modification	C:\Windows\SysWOW64\credwiz.exe	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened for modification	C:\Windows\SysWOW64\icsunattend.exe	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened for modification	C:\Windows\SysWOW64\RmClient.exe	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened for modification	C:\Windows\SysWOW64\Dism.exe	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened for modification	C:\Windows\SysWOW64\ktmutil.exe	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened for modification	C:\Windows\SysWOW64\nslookup.exe	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened for modification	C:\Windows\SysWOW64\wimserv.exe	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened for modification	C:\Windows\SysWOW64\winrshost.exe	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened for modification	C:\Windows\SysWOW64\WPDShextAutoplay.exe	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened for modification	C:\Windows\SysWOW64\attrib.exe	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened for modification	C:\Windows\SysWOW64\dialer.exe	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened for modification	C:\Windows\SysWOW64\rasautou.exe	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened for modification	C:\Windows\SysWOW64\wextract.exe	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened for modification	C:\Windows\SysWOW64\fixmapi.exe	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened for modification	C:\Windows\SysWOW64\ieUnatt.exe	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened for modification	C:\Windows\SysWOW64\netsh.exe	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened for modification	C:\Windows\SysWOW64\raserver.exe	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened for modification	C:\Windows\SysWOW64\diskpart.exe	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened for modification	C:\Windows\SysWOW64\dllhost.exe	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened for modification	C:\Windows\SysWOW64\findstr.exe	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened for modification	C:\Windows\SysWOW64\RMActivate_ssp.exe	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened for modification	C:\Windows\SysWOW64\choice.exe	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\explorer.exe	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened for modification	C:\Windows\fveupdate.exe	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened for modification	C:\Windows\HelpPane.exe	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened for modification	C:\Windows\splwow64.exe	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened for modification	C:\Windows\twunk_32.exe	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened for modification	C:\Windows\bfsvc.exe	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened for modification	C:\Windows\hh.exe	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened for modification	C:\Windows\notepad.exe	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened for modification	C:\Windows\twunk_16.exe	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened for modification	C:\Windows\winhlp32.exe	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened for modification	C:\Windows\write.exe	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1324	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe

C:\Users\Admin\AppData\Local\Temp\a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
"C:\Users\Admin\AppData\Local\Temp\a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe"
1⤵
- Checks computer location settings
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1324

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1324-54-0x00000000752B1000-0x00000000752B3000-memory.dmp

Filesize
8KB

Download
memory/1324-55-0x0000000001000000-0x0000000001012B00-memory.dmp

Filesize
74KB

Download
memory/1324-56-0x0000000070AF1000-0x0000000070AF3000-memory.dmp

Filesize
8KB

Download
memory/1324-57-0x0000000001000000-0x0000000001012B00-memory.dmp

Filesize
74KB

Download
memory/1324-58-0x0000000001000000-0x0000000001012B00-memory.dmp

Filesize
74KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads