Analysis
  max time kernel: 188s
  max time network: 194s
  platform: windows10-2004_x64
  resource: win10v2004-20220812-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 29-10-2022 12:43
Static task: static1
Behavioral task: behavioral1
  Sample: e7c90a88de446654da0f5506f2b7590d9816095a864fe12e7997909d576e8229.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: e7c90a88de446654da0f5506f2b7590d9816095a864fe12e7997909d576e8229.exe
  Resource: win10v2004-20220812-en
General
  Target: e7c90a88de446654da0f5506f2b7590d9816095a864fe12e7997909d576e8229.exe
  Size: 292KB
  MD5: 4214abf5fd8ede6d3d9d03b9f55713f5
  SHA1: a2360c5577a67315fa5782f35c3bf97dc24089e9
  SHA256: e7c90a88de446654da0f5506f2b7590d9816095a864fe12e7997909d576e8229
  SHA512: 2c96cd0b65e350233459617b6a15b91142b08dce328b1f04d895c40701f3a57d0212c0554c60c57d1b6585dc973986ef58fd0832e05d313ddbd42263c875fe8a
  SSDEEP: 6144:/CXnomEpWJmo2+gu5KFOPO3pZSytbAH0WJ0IgMbDMRlsQpOm:mofpWJmo2vuIeOZZSobAH0ZIx6CQpOm
Malware Config
Signatures
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes: cmd.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | cmd.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: WScript.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run | WScript.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Adobe Updater = "C:\\Users\\Admin\\AppData\\Local\\Temp\\e7c90a88de446654da0f5506f2b7590d9816095a864fe12e7997909d576e8229.exe" | WScript.exe
Drops desktop.ini file(s) (2 IoCs)
Processes: CasPol.exe
  description | ioc | process
  File created | C:\Windows\assembly\Desktop.ini | CasPol.exe
  File opened for modification | C:\Windows\assembly\Desktop.ini | CasPol.exe
Suspicious use of SetThreadContext (1 IoC)
Processes: e7c90a88de446654da0f5506f2b7590d9816095a864fe12e7997909d576e8229.exe
  description | pid | process | target process
  PID 5112 set thread context of 4548 | 5112 | e7c90a88de446654da0f5506f2b7590d9816095a864fe12e7997909d576e8229.exe | CasPol.exe
Drops file in Windows directory (3 IoCs)
Processes: CasPol.exe
  description | ioc | process
  File opened for modification | C:\Windows\assembly | CasPol.exe
  File created | C:\Windows\assembly\Desktop.ini | CasPol.exe
  File opened for modification | C:\Windows\assembly\Desktop.ini | CasPol.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies registry class (1 IoC)
Processes: cmd.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings | cmd.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes: CasPol.exe
  pid | process
  4548 | CasPol.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: e7c90a88de446654da0f5506f2b7590d9816095a864fe12e7997909d576e8229.exe, CasPol.exe
  description | pid | process
  Token: SeDebugPrivilege | 5112 | e7c90a88de446654da0f5506f2b7590d9816095a864fe12e7997909d576e8229.exe
  Token: SeDebugPrivilege | 4548 | CasPol.exe
Suspicious use of SetWindowsHookEx (1 IoC)
Processes: CasPol.exe
  pid | process
  4548 | CasPol.exe
Suspicious use of WriteProcessMemory (14 IoCs)
Processes: e7c90a88de446654da0f5506f2b7590d9816095a864fe12e7997909d576e8229.exe, cmd.exe
  description | pid | process | target process
  PID 5112 wrote to memory of 4548 | 5112 | e7c90a88de446654da0f5506f2b7590d9816095a864fe12e7997909d576e8229.exe | CasPol.exe
  PID 5112 wrote to memory of 4548 | 5112 | e7c90a88de446654da0f5506f2b7590d9816095a864fe12e7997909d576e8229.exe | CasPol.exe
  PID 5112 wrote to memory of 4548 | 5112 | e7c90a88de446654da0f5506f2b7590d9816095a864fe12e7997909d576e8229.exe | CasPol.exe
  PID 5112 wrote to memory of 4548 | 5112 | e7c90a88de446654da0f5506f2b7590d9816095a864fe12e7997909d576e8229.exe | CasPol.exe
  PID 5112 wrote to memory of 4548 | 5112 | e7c90a88de446654da0f5506f2b7590d9816095a864fe12e7997909d576e8229.exe | CasPol.exe
  PID 5112 wrote to memory of 4548 | 5112 | e7c90a88de446654da0f5506f2b7590d9816095a864fe12e7997909d576e8229.exe | CasPol.exe
  PID 5112 wrote to memory of 4548 | 5112 | e7c90a88de446654da0f5506f2b7590d9816095a864fe12e7997909d576e8229.exe | CasPol.exe
  PID 5112 wrote to memory of 4548 | 5112 | e7c90a88de446654da0f5506f2b7590d9816095a864fe12e7997909d576e8229.exe | CasPol.exe
  PID 5112 wrote to memory of 4092 | 5112 | e7c90a88de446654da0f5506f2b7590d9816095a864fe12e7997909d576e8229.exe | cmd.exe
  PID 5112 wrote to memory of 4092 | 5112 | e7c90a88de446654da0f5506f2b7590d9816095a864fe12e7997909d576e8229.exe | cmd.exe
  PID 5112 wrote to memory of 4092 | 5112 | e7c90a88de446654da0f5506f2b7590d9816095a864fe12e7997909d576e8229.exe | cmd.exe
  PID 4092 wrote to memory of 3484 | 4092 | cmd.exe | WScript.exe
  PID 4092 wrote to memory of 3484 | 4092 | cmd.exe | WScript.exe
  PID 4092 wrote to memory of 3484 | 4092 | cmd.exe | WScript.exe
Processes
  C:\Users\Admin\AppData\Local\Temp\e7c90a88de446654da0f5506f2b7590d9816095a864fe12e7997909d576e8229.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\e7c90a88de446654da0f5506f2b7590d9816095a864fe12e7997909d576e8229.exe"
    PID: 5112
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    \??\c:\windows\microsoft.net\framework\v2.0.50727\CasPol.exe
      Command line: "c:\windows\microsoft.net\framework\v2.0.50727\CasPol.exe"
      PID: 4548
      - Drops desktop.ini file(s)
      - Drops file in Windows directory
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
    C:\Windows\SysWOW64\cmd.exe
      Command line: "cmd.exe"
      PID: 4092
      - Checks computer location settings
      - Modifies registry class
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\WScript.exe
        Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\fuckyounod32.vbs"
        PID: 3484
        - Adds Run key to start application
Network
MITRE ATT&CK Enterprise v6
Downloads
  Filesize: 219B
  MD5: a65f94d737d307f65def620728688123
  SHA1: ba22cfd98fa6aa8a28de32b3eac5f20fbf0843d8
  SHA256: 3564dcda92b3ec106f0f9a2710a795a8eada973a9d50511c68cdaea5ec12f87e
  SHA512: fa008d1fa740bad8496f6678cb8345d4894afc0385b6abe86577c3f48dbdd1acee5a9ded9fa4e47a879592a1d4bdf8f491362279a94299b2473917d0f57c1847