Analysis
Max time kernel: 158s
Max time network: 185s
Platform: windows10-2004_x64
Resource: win10v2004-20220812-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 29-10-2022 14:42
Static task: static1
Behavioral task: behavioral1
  Sample: e481d4881a3189a1f38ed1a1d5de98c177004f94896c1780f0c5dbf3d6675f4e.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: e481d4881a3189a1f38ed1a1d5de98c177004f94896c1780f0c5dbf3d6675f4e.exe
  Resource: win10v2004-20220812-en
General
Target: e481d4881a3189a1f38ed1a1d5de98c177004f94896c1780f0c5dbf3d6675f4e.exe
Size: 288KB
MD5: e8b9822f038f6493b75f7406c3d9c034
SHA1: 64dec7efb1ac73a3fc8070f8f8cc4f643bc1ac7a
SHA256: e481d4881a3189a1f38ed1a1d5de98c177004f94896c1780f0c5dbf3d6675f4e
SHA512: 948c132dcff502b817a85a8115893197c086d5ced73dbeec12e95f4fb60888694cd5172b2ebb341608070d81aaf1926861290a9329150363a170c2f512502171
SSDEEP: 6144:whwxaxI9sBV1wbDmi5KblR0QJJuhDu5qcCvKhVVncAX1L:wyxXK1Ymi5sR0MqqLCvs6A
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes (process | description | IoC):
    cmd.exe | Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (process | description | IoC):
    WScript.exe | Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Adobe Updater = "C:\\Users\\Admin\\AppData\\Local\\Temp\\e481d4881a3189a1f38ed1a1d5de98c177004f94896c1780f0c5dbf3d6675f4e.exe"
    WScript.exe | Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run
- Drops desktop.ini file(s) (2 IoCs)
  Processes (process | description | IoC):
    CasPol.exe | File created | C:\Windows\assembly\Desktop.ini
    CasPol.exe | File opened for modification | C:\Windows\assembly\Desktop.ini
- Suspicious use of SetThreadContext (1 IoC)
  Processes (source PID, process | description | target PID, process):
    552, e481d4881a3189a1f38ed1a1d5de98c177004f94896c1780f0c5dbf3d6675f4e.exe | set thread context of | 4916, CasPol.exe
- Drops file in Windows directory (3 IoCs)
  Processes (process | description | IoC):
    CasPol.exe | File opened for modification | C:\Windows\assembly
    CasPol.exe | File created | C:\Windows\assembly\Desktop.ini
    CasPol.exe | File opened for modification | C:\Windows\assembly\Desktop.ini
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies registry class (1 IoC)
  Processes (process | description | IoC):
    cmd.exe | Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes (PID, process):
    4916, CasPol.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (PID, process | description):
    552, e481d4881a3189a1f38ed1a1d5de98c177004f94896c1780f0c5dbf3d6675f4e.exe | Token: SeDebugPrivilege
    4916, CasPol.exe | Token: SeDebugPrivilege
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes (PID, process):
    4916, CasPol.exe
- Suspicious use of WriteProcessMemory (14 IoCs)
  Processes (source PID, process | description | target PID, process | count):
    552, e481d4881a3189a1f38ed1a1d5de98c177004f94896c1780f0c5dbf3d6675f4e.exe | wrote to memory of | 4916, CasPol.exe | 8 events
    552, e481d4881a3189a1f38ed1a1d5de98c177004f94896c1780f0c5dbf3d6675f4e.exe | wrote to memory of | 1312, cmd.exe | 3 events
    1312, cmd.exe | wrote to memory of | 3008, WScript.exe | 3 events
Processes
- C:\Users\Admin\AppData\Local\Temp\e481d4881a3189a1f38ed1a1d5de98c177004f94896c1780f0c5dbf3d6675f4e.exe (PID 552, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\e481d4881a3189a1f38ed1a1d5de98c177004f94896c1780f0c5dbf3d6675f4e.exe"
  Signatures:
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  - \??\c:\windows\microsoft.net\framework\v2.0.50727\CasPol.exe (PID 4916, depth 2, child of PID 552)
    Command line: "c:\windows\microsoft.net\framework\v2.0.50727\CasPol.exe"
    Signatures:
      - Drops desktop.ini file(s)
      - Drops file in Windows directory
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
  - C:\Windows\SysWOW64\cmd.exe (PID 1312, depth 2, child of PID 552)
    Command line: "cmd.exe"
    Signatures:
      - Checks computer location settings
      - Modifies registry class
      - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WScript.exe (PID 3008, depth 3, child of PID 1312)
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\fuckyounod32.vbs"
      Signatures:
        - Adds Run key to start application
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 219B
  MD5: f03812089f155d3e548e470fcf70f8d7
  SHA1: a3668fcead6b9079c4962ffbec8ea81fb8120d48
  SHA256: 9c0cfffb385fb4d93f81b0f1fa599545900328a6b948eba2a7f35acfba2cd5a2
  SHA512: 1fa023f31178cb63208dfb9b098fc664ef0628c987c92c7c209a5dcf8af66253d9ce8720fe9af64d4b61159353056266ea3e5eb3842396806200164c61cd6e46