Analysis
-
max time kernel
151s -
max time network
172s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
21/10/2022, 04:43
General
-
Target
e6e64a5a7dd78c9af2b5c537b926132ef040787c606277191b93e1b0db28254b.exe
-
Size
269KB
-
MD5
536a90fe699c0f9be14f4e76f5b8ca10
-
SHA1
650d47f6f975b3c7661b6070731b9c86fc001c08
-
SHA256
e6e64a5a7dd78c9af2b5c537b926132ef040787c606277191b93e1b0db28254b
-
SHA512
7e6187ab5c82af798ed36b651ee3279ec1b1aea192bfadb4f4cf4beea2e212972ceb2ffa1325d157737826c773bbc1139248a960ac09275b283f5c54efd1a058
-
SSDEEP
6144:cBZABbWqsE/Ao+mv8Qv0LVmwq4FU0fNoy65a7K/1kknKhv/h:cfANwRo+mv8QD4+0V16M7Kdah
Malware Config
Signatures
-
Modifies firewall policy service 2 TTPs 4 IoCs
-
Executes dropped EXE 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in Program Files directory 5 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 2 IoCs
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 1 IoCs
-
Modifies registry key 1 TTPs 2 IoCs
-
Runs net.exe
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of SetWindowsHookEx 11 IoCs
-
Suspicious use of WriteProcessMemory 20 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\e6e64a5a7dd78c9af2b5c537b926132ef040787c606277191b93e1b0db28254b.exe"C:\Users\Admin\AppData\Local\Temp\e6e64a5a7dd78c9af2b5c537b926132ef040787c606277191b93e1b0db28254b.exe"1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Program Files (x86)\3\1\Àïåë_Óõâàëà_ÁÌ_Áàíê.docx" /o ""2⤵
- Drops file in Program Files directory
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
-
C:\Program Files (x86)\WindowsUpdate\System32.exe"C:\Program Files (x86)\WindowsUpdate\System32.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /C "net user Admin > 111.txt"3⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exenet user Admin4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 user Admin5⤵
-
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Program Files (x86)\WindowsUpdate\System32.exe" /t REG_SZ /d "C:\Program Files (x86)\WindowsUpdate\System32.exe:*:Enabled:Windows Update" /f3⤵
- Modifies firewall policy service
- Modifies registry key
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Windows Update" /t REG_SZ /d "\"C:\Program Files (x86)\WindowsUpdate\System32.exe\" /update /key 833067941" /f3⤵
- Adds Run key to start application
- Modifies registry key
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4848 -s 6843⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4848 -s 7083⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4848 -ip 48481⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4848 -ip 48481⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
29KB
MD5d4ee86e3b6dda9ce03d239f3470e2105
SHA10cae2b17b97a6e211a5f24a58ad5b33a57667aef
SHA2566254b96cbb549b717bf73b4a0bbe0986c422e729bdbbd52cda1a417fd058ae8d
SHA51236a89bcb6ce910e00df024c793024ee381693fe777525e6b75a61385d51901aa6bcdfbdc095c6e1de55a7916aab3d780c84832bed2855a0af5dab84b76f799a4
-
Filesize
847B
MD54d40bf9007c9631560003a7d8ec345b2
SHA1bdc1f7a81832db8565a5dba9343bf3307eb3a3e4
SHA25610025c425c1931168eb0516a95496e2c922b2e29806cae0663e6fcc41bb365a3
SHA512e0967670c7679920b03043936fa3c16afa2189f6cc7ee501ce873a1f9cf9b84abc7eb60f18af19f9831ed96da78fc126fd824f806e6214c72cd799cf3395b856
-
Filesize
107KB
MD5c29d4001211f69e134e3b713db873a48
SHA1caf195a494aa568cdef51e4d473898f680843c80
SHA256c2e444fa64730e764d2443cd01d042cf0150fbd3d0ec845fc1dd5a6a5098345f
SHA512457b070ae05544f7822ce2cd7b040183bf9a83da34d3a76f23e8469dcd89eacbbd4cc2a3590e6aaf49313d5ffa69e75e483a0c28cdd23e5158c486cc0717ade2
-
Filesize
107KB
MD5c29d4001211f69e134e3b713db873a48
SHA1caf195a494aa568cdef51e4d473898f680843c80
SHA256c2e444fa64730e764d2443cd01d042cf0150fbd3d0ec845fc1dd5a6a5098345f
SHA512457b070ae05544f7822ce2cd7b040183bf9a83da34d3a76f23e8469dcd89eacbbd4cc2a3590e6aaf49313d5ffa69e75e483a0c28cdd23e5158c486cc0717ade2
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB