Analysis
max time kernel: 151s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64 arch:x86 image:win10v2004-20220901-en locale:en-us os:windows10-2004-x64 system
submitted: 29-10-2022 04:05
Static task: static1
Behavioral task: behavioral1
  Sample: b94507b3a5729fae4e8ea83a1bcc81264866fc7c39d2d2aeaf8cfb1c0b9966e5.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: b94507b3a5729fae4e8ea83a1bcc81264866fc7c39d2d2aeaf8cfb1c0b9966e5.exe
  Resource: win10v2004-20220901-en
General
Target: b94507b3a5729fae4e8ea83a1bcc81264866fc7c39d2d2aeaf8cfb1c0b9966e5.exe
Size: 299KB
MD5: edf3defa07fd28068195967e4e9d4ad7
SHA1: 0e462eee7431ac2e0ec6ba5629405010d63cdbff
SHA256: b94507b3a5729fae4e8ea83a1bcc81264866fc7c39d2d2aeaf8cfb1c0b9966e5
SHA512: 71dcf6fe6c0b0cefbef15626c1da482d5df34c24640bf83eb591d1fd86da5b27dece154d5804bf56bbcefd61cae1999e7b71392b155ad18199f4ebe065737128
SSDEEP: 6144:hKqgRUByp8KmyKG7YWhqcw49KAI2Px2ThzXMKJBH3Eructl:8wyp8bG8Cq949KA0bpH+uI
Malware Config
Signatures
Executes dropped EXE (1 IoC)
The dropped file has the same hashes as the submitted sample (see Downloads): the sample copies itself into a subfolder of %TEMP% and executes the copy.
Processes:
  PID 2588  b94507b3a5729fae4e8ea83a1bcc81264866fc7c39d2d2aeaf8cfb1c0b9966e5.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence check.
Processes:
  Key value queried  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation  by b94507b3a5729fae4e8ea83a1bcc81264866fc7c39d2d2aeaf8cfb1c0b9966e5.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
  Set value (str)  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Cliren = "C:\\Users\\Admin\\AppData\\Roaming\\Aplication\\setup.exe"  by b94507b3a5729fae4e8ea83a1bcc81264866fc7c39d2d2aeaf8cfb1c0b9966e5.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Cliren = "\\Aplication\\setup.exe"  by b94507b3a5729fae4e8ea83a1bcc81264866fc7c39d2d2aeaf8cfb1c0b9966e5.exe

Drops desktop.ini file(s) (2 IoCs)
Processes:
  File opened for modification  C:\Windows\assembly\Desktop.ini  by b94507b3a5729fae4e8ea83a1bcc81264866fc7c39d2d2aeaf8cfb1c0b9966e5.exe
  File created  C:\Windows\assembly\Desktop.ini  by b94507b3a5729fae4e8ea83a1bcc81264866fc7c39d2d2aeaf8cfb1c0b9966e5.exe

Drops file in Windows directory (3 IoCs)
Processes:
  File created  C:\Windows\assembly\Desktop.ini  by b94507b3a5729fae4e8ea83a1bcc81264866fc7c39d2d2aeaf8cfb1c0b9966e5.exe
  File opened for modification  C:\Windows\assembly\Desktop.ini  by b94507b3a5729fae4e8ea83a1bcc81264866fc7c39d2d2aeaf8cfb1c0b9966e5.exe
  File opened for modification  C:\Windows\assembly  by b94507b3a5729fae4e8ea83a1bcc81264866fc7c39d2d2aeaf8cfb1c0b9966e5.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox flags this as likely ransomware behaviour; note that no file-encryption activity appears elsewhere in this report, so treat the label as a heuristic rather than a classification.
Runs ping.exe (1 TTP, 1 IoC)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes:
  PID 2588  b94507b3a5729fae4e8ea83a1bcc81264866fc7c39d2d2aeaf8cfb1c0b9966e5.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  Token: SeDebugPrivilege  PID 4316  b94507b3a5729fae4e8ea83a1bcc81264866fc7c39d2d2aeaf8cfb1c0b9966e5.exe
  Token: SeDebugPrivilege  PID 2588  b94507b3a5729fae4e8ea83a1bcc81264866fc7c39d2d2aeaf8cfb1c0b9966e5.exe

Suspicious use of SetWindowsHookEx (1 IoC)
Processes:
  PID 2588  b94507b3a5729fae4e8ea83a1bcc81264866fc7c39d2d2aeaf8cfb1c0b9966e5.exe

Suspicious use of WriteProcessMemory (9 IoCs)
Processes: b94507b3a5729fae4e8ea83a1bcc81264866fc7c39d2d2aeaf8cfb1c0b9966e5.exe, cmd.exe
  PID 4316 (b94507b3a5729fae4e8ea83a1bcc81264866fc7c39d2d2aeaf8cfb1c0b9966e5.exe) wrote to memory of PID 2588 (b94507b3a5729fae4e8ea83a1bcc81264866fc7c39d2d2aeaf8cfb1c0b9966e5.exe), 3 writes
  PID 4316 (b94507b3a5729fae4e8ea83a1bcc81264866fc7c39d2d2aeaf8cfb1c0b9966e5.exe) wrote to memory of PID 3380 (cmd.exe), 3 writes
  PID 3380 (cmd.exe) wrote to memory of PID 3460 (PING.EXE), 3 writes
Processes
1  C:\Users\Admin\AppData\Local\Temp\b94507b3a5729fae4e8ea83a1bcc81264866fc7c39d2d2aeaf8cfb1c0b9966e5.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\b94507b3a5729fae4e8ea83a1bcc81264866fc7c39d2d2aeaf8cfb1c0b9966e5.exe"
   PID: 4316
   - Checks computer location settings
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2  C:\Users\Admin\AppData\Local\Temp\b94507b3a5729fae4e8ea83a1bcc81264866fc7c39d2d2aeaf8cfb1c0b9966e5\b94507b3a5729fae4e8ea83a1bcc81264866fc7c39d2d2aeaf8cfb1c0b9966e5.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\b94507b3a5729fae4e8ea83a1bcc81264866fc7c39d2d2aeaf8cfb1c0b9966e5\b94507b3a5729fae4e8ea83a1bcc81264866fc7c39d2d2aeaf8cfb1c0b9966e5.exe"
      PID: 2588
      - Executes dropped EXE
      - Adds Run key to start application
      - Drops desktop.ini file(s)
      - Drops file in Windows directory
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
   2  C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\b94507b3a5729fae4e8ea83a1bcc81264866fc7c39d2d2aeaf8cfb1c0b9966e5.exe"
      PID: 3380
      - Suspicious use of WriteProcessMemory
      3  C:\Windows\SysWOW64\PING.EXE
         Command line: ping 1.1.1.1 -n 1 -w 1000
         PID: 3460
         - Runs ping.exe
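Three of the behaviours above are worth turning into detection logic: the Run-key value pointing into AppData\Roaming (and a second, non-absolute value), the read of Control Panel\International\Geo\Nation before anything else happens, and the parent handing cmd.exe a "ping 1.1.1.1 -n 1 -w 1000 > Nul & Del <own path>" line so the original file is removed once the process exits. (The report lists cmd.exe's image as C:\Windows\SysWOW64\cmd.exe although the command line names System32: the parent is a 32-bit process, as the arch:x86 resource tag shows, so file-system redirection resolves System32 to SysWOW64.) The following is an added example, not part of the Triage report and not code from the sample. The event records are constructed to mirror the report's PIDs, paths and keys under an assumed, simplified schema; the registry-read event is included because the sandbox logs value reads, whereas Sysmon has no read-value event, so the geofence rule needs EDR or sandbox telemetry. The ATT&CK IDs are my own mapping against the current matrix, not the report's v6 matrix, and the "VendorAgent" entry is a constructed benign control.

```python
"""Detection rules for the Run-key, geofence and self-deletion behaviours in the report."""
import re
from dataclasses import dataclass
from typing import List, Optional

# --- Constructed telemetry (not the report's raw log) -------------------------
# Paths, PIDs and keys are taken from the report; the event schema is assumed.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\b94507b3a5729fae4e8ea83a1bcc81264866fc7c39d2d2aeaf8cfb1c0b9966e5.exe")
DROPPED = (r"C:\Users\Admin\AppData\Local\Temp"
           r"\b94507b3a5729fae4e8ea83a1bcc81264866fc7c39d2d2aeaf8cfb1c0b9966e5"
           r"\b94507b3a5729fae4e8ea83a1bcc81264866fc7c39d2d2aeaf8cfb1c0b9966e5.exe")
HKU = r"\REGISTRY\USER" + "\\" + "S-1-5-21-929662420-1054238289-2961194603-1000"
RUN_KEY = HKU + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
CMD = r"C:\Windows\SysWOW64\cmd.exe"

EVENTS = [
    {"op": "ProcessCreate", "pid": 4316, "ppid": 0, "image": SAMPLE,
     "cmdline": '"' + SAMPLE + '"', "parent_image": ""},      # launcher not in report
    {"op": "RegQueryValue", "pid": 4316, "image": SAMPLE,      # sandbox logs reads; Sysmon does not
     "key": HKU + r"\Control Panel\International\Geo\Nation"},
    {"op": "ProcessCreate", "pid": 2588, "ppid": 4316, "image": DROPPED,
     "cmdline": '"' + DROPPED + '"', "parent_image": SAMPLE},
    {"op": "RegSetValue", "pid": 2588, "image": DROPPED, "key": RUN_KEY + r"\Cliren",
     "value": r"C:\Users\Admin\AppData\Roaming\Aplication\setup.exe"},
    {"op": "RegSetValue", "pid": 2588, "image": DROPPED, "key": RUN_KEY + r"\Cliren",
     "value": r"\Aplication\setup.exe"},
    {"op": "ProcessCreate", "pid": 3380, "ppid": 4316, "image": CMD,
     "cmdline": r'"C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "'
                + SAMPLE + '"',
     "parent_image": SAMPLE},
    {"op": "ProcessCreate", "pid": 3460, "ppid": 3380, "image": r"C:\Windows\SysWOW64\PING.EXE",
     "cmdline": "ping 1.1.1.1 -n 1 -w 1000", "parent_image": CMD},
    # Constructed benign control: an installed product registering itself in Run.
    {"op": "RegSetValue", "pid": 900, "image": r"C:\Program Files\Vendor\agent.exe",
     "key": RUN_KEY + r"\VendorAgent", "value": r'"C:\Program Files\Vendor\agent.exe" --silent'},
]

# --- Rules -------------------------------------------------------------------
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\[^\\]+$", re.I)
GEO_KEY_RE = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)
# "ping <host> ... & del <path>" (also && and ||, and del/erase with switches).
SELF_DELETE_RE = re.compile(
    r'\bping\b[^&|]*(?:&&?|\|\|)\s*(?:del|erase)\b\s*(?:/[a-z]\s+)*"?(?P<target>[^"&|]+?)"?\s*$',
    re.I)


@dataclass
class Finding:
    technique: str
    pid: int
    detail: str


def _executable(value: str) -> str:
    """Executable portion of a Run value: the quoted path, or the first token."""
    m = re.match(r'\s*"([^"]+)"|\s*(\S+)', value)
    return (m.group(1) or m.group(2)) if m else value


def run_target_problem(value: str) -> Optional[str]:
    """Why a Run-key command is suspicious, or None if it looks ordinary."""
    exe = _executable(value)
    if not re.match(r"^[A-Za-z]:\\", exe):
        # Not anchored to a drive: what launches depends on the launcher's working directory.
        return "non-absolute path"
    if re.search(r"\\AppData\\|\\Users\\Public\\|\\Temp\\", exe, re.I):
        return "executable under a user-writable directory"
    return None


def self_delete_target(event: dict) -> Optional[str]:
    """Path a cmd.exe child is told to delete, if it is the parent's own image."""
    if event["op"] != "ProcessCreate" or not event["image"].lower().endswith("\\cmd.exe"):
        return None
    m = SELF_DELETE_RE.search(event["cmdline"])
    if not m:
        return None
    target = m.group("target").strip()
    return target if target.lower() == event.get("parent_image", "").lower() else None


def analyse(events: List[dict]) -> List[Finding]:
    findings: List[Finding] = []
    for e in events:
        if e["op"] == "RegQueryValue" and GEO_KEY_RE.search(e["key"]):
            findings.append(Finding("T1614 location discovery (Geo\\Nation read)", e["pid"], e["key"]))
        elif e["op"] == "RegSetValue" and RUN_KEY_RE.search(e["key"]):
            why = run_target_problem(e["value"])
            if why:
                findings.append(Finding("T1547.001 Run key persistence", e["pid"],
                                        f"{e['key']} = {e['value']} ({why})"))
        elif e["op"] == "ProcessCreate":
            target = self_delete_target(e)
            if target:
                findings.append(Finding("T1070.004 self-deletion via ping delay", e["pid"],
                                        f"cmd.exe deletes parent image {target}"))
    return findings


if __name__ == "__main__":
    for f in analyse(EVENTS):
        print(f"[{f.technique}] pid={f.pid}: {f.detail}")
```

Run against the constructed events the rules raise four findings (the Geo\Nation read by PID 4316, both Run values written by PID 2588, and the self-deletion line given to PID 3380) and stay silent on the benign Run entry. The self-deletion rule deliberately requires the deleted path to equal the parent image; "ping & del" of some other file is a different (and noisier) signal.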
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\Users\Admin\AppData\Local\Temp\b94507b3a5729fae4e8ea83a1bcc81264866fc7c39d2d2aeaf8cfb1c0b9966e5\b94507b3a5729fae4e8ea83a1bcc81264866fc7c39d2d2aeaf8cfb1c0b9966e5.exe
  Filesize: 299KB
  MD5: edf3defa07fd28068195967e4e9d4ad7
  SHA1: 0e462eee7431ac2e0ec6ba5629405010d63cdbff
  SHA256: b94507b3a5729fae4e8ea83a1bcc81264866fc7c39d2d2aeaf8cfb1c0b9966e5
  SHA512: 71dcf6fe6c0b0cefbef15626c1da482d5df34c24640bf83eb591d1fd86da5b27dece154d5804bf56bbcefd61cae1999e7b71392b155ad18199f4ebe065737128