Analysis
- max time kernel: 184s
- max time network: 189s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64 arch:x86 image:win10v2004-20220812-en locale:en-us os:windows10-2004-x64 system
- submitted: 29-10-2022 13:06
Static task: static1
Behavioral task: behavioral1
- Sample: b0243b6fdfc0c1ad296299bc4424a13cc2c7c9808bf331c07041261d06c9b712.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: b0243b6fdfc0c1ad296299bc4424a13cc2c7c9808bf331c07041261d06c9b712.exe
- Resource: win10v2004-20220812-en
General
- Target: b0243b6fdfc0c1ad296299bc4424a13cc2c7c9808bf331c07041261d06c9b712.exe
- Size: 269KB
- MD5: ff3be7a2ec1d2452f08de1feec2deb2f
- SHA1: b842e504a0e84e44ae7b876f3543cf6f2dcae6a9
- SHA256: b0243b6fdfc0c1ad296299bc4424a13cc2c7c9808bf331c07041261d06c9b712
- SHA512: 14469a2bd770cb38f29c8db885ce4ddc10b32cbf64fb62787570cd1347d22d6c0bfb589f3524948ab50c556783970666331ce722a72770c8a7b5225cb7117db8
- SSDEEP: 6144:YltHeS9enNwHqOu5Dx7tZrRbl+pXOV7yKM+mvSFz9jEhHMIVq1rl:AtHeNn2KOiJZrRJ+0V72+19jqsIVq1B
Malware Config
Signatures
- Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,\"C:\\Windows\\system32\\clientsvr.exe\"" | server.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\ProgramData\\635701\\server.exe\"" | server.exe
- Executes dropped EXE (3 IoCs)
  pid | Process
  984 | D0fMEQKUz0.exe
  4872 | tmpE182.tmp.exe
  4092 | server.exe
- Checks computer location settings (2 TTPs, 3 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | D0fMEQKUz0.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | tmpE182.tmp.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | b0243b6fdfc0c1ad296299bc4424a13cc2c7c9808bf331c07041261d06c9b712.exe
- Drops startup file (1 IoC)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\D0fMEQKUz0.url | b0243b6fdfc0c1ad296299bc4424a13cc2c7c9808bf331c07041261d06c9b712.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\microsoft update = "\"C:\\ProgramData\\635701\\server.exe\"" | server.exe
- Drops file in System32 directory (2 IoCs)
  description | ioc | Process
  File created | C:\Windows\SysWOW64\clientsvr.exe | server.exe
  File opened for modification | C:\Windows\SysWOW64\clientsvr.exe | server.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 2 IoCs)
  pid | Process
  4308 | PING.EXE
  644 | PING.EXE
- Suspicious behavior: EnumeratesProcesses (11 IoCs)
  pid | Process
  4092 | server.exe (the same entry is recorded 11 times)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 4900 | b0243b6fdfc0c1ad296299bc4424a13cc2c7c9808bf331c07041261d06c9b712.exe
  Token: SeDebugPrivilege | 984 | D0fMEQKUz0.exe
  Token: SeDebugPrivilege | 4092 | server.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid | Process
  4092 | server.exe
- Suspicious use of WriteProcessMemory (21 IoCs; each of the seven rows below is recorded three times)
  description | pid | Process | procid_target
  PID 4900 wrote to memory of 4020 | 4900 | b0243b6fdfc0c1ad296299bc4424a13cc2c7c9808bf331c07041261d06c9b712.exe | 86
  PID 4020 wrote to memory of 4308 | 4020 | cmd.exe | 88
  PID 4900 wrote to memory of 984 | 4900 | b0243b6fdfc0c1ad296299bc4424a13cc2c7c9808bf331c07041261d06c9b712.exe | 93
  PID 984 wrote to memory of 4828 | 984 | D0fMEQKUz0.exe | 95
  PID 4828 wrote to memory of 644 | 4828 | cmd.exe | 96
  PID 984 wrote to memory of 4872 | 984 | D0fMEQKUz0.exe | 97
  PID 4872 wrote to memory of 4092 | 4872 | tmpE182.tmp.exe | 98
Processes
- C:\Users\Admin\AppData\Local\Temp\b0243b6fdfc0c1ad296299bc4424a13cc2c7c9808bf331c07041261d06c9b712.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\b0243b6fdfc0c1ad296299bc4424a13cc2c7c9808bf331c07041261d06c9b712.exe"
  PID: 4900
  - Checks computer location settings
  - Drops startup file
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c PING 8.8.8.8 -n 10 > nul
    PID: 4020
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      command line: PING 8.8.8.8 -n 10
      PID: 4308
      - Runs ping.exe
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\D0fMEQKUz0.exe
    command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\D0fMEQKUz0.exe"
    PID: 984
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\System32\cmd.exe" /c PING 8.8.8.8 -n 10 > nul
      PID: 4828
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\PING.EXE
        command line: PING 8.8.8.8 -n 10
        PID: 644
        - Runs ping.exe
    - C:\Users\Admin\AppData\Local\Temp\tmpE182.tmp.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\tmpE182.tmp.exe"
      PID: 4872
      - Executes dropped EXE
      - Checks computer location settings
      - Suspicious use of WriteProcessMemory
      - C:\ProgramData\635701\server.exe
        command line: "C:\ProgramData\635701\server.exe"
        PID: 4092
        - Modifies WinLogon for persistence
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in System32 directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 222KB
  MD5: a40fe2a8fd22909db1e64d47820f7e7a
  SHA1: 319648067cd94d2144209afc54e1f941fffa66d1
  SHA256: 29fe5df448b8b33fdf3c210e21a2ba8bcba016023b8c0c3f49e531430edf17bc
  SHA512: 520450105f630f9b78fbb319720a430efc95b569e0eef598fc5ab718a90093adadf13b6badc7c0a68f108a2861581b44b3c29e76355e7bea017b20272aa269e7
- Filesize: 269KB
  MD5: ff3be7a2ec1d2452f08de1feec2deb2f
  SHA1: b842e504a0e84e44ae7b876f3543cf6f2dcae6a9
  SHA256: b0243b6fdfc0c1ad296299bc4424a13cc2c7c9808bf331c07041261d06c9b712
  SHA512: 14469a2bd770cb38f29c8db885ce4ddc10b32cbf64fb62787570cd1347d22d6c0bfb589f3524948ab50c556783970666331ce722a72770c8a7b5225cb7117db8