Analysis
max time kernel: 150s
max time network: 145s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29-10-2022 14:59
Static task: static1
Behavioral task: behavioral1
  Sample: a803afe93e3bd05372453458b16b107373804eb9c620eef062e5d099d80c4f4a.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: a803afe93e3bd05372453458b16b107373804eb9c620eef062e5d099d80c4f4a.exe
  Resource: win10v2004-20220901-en
General
Target: a803afe93e3bd05372453458b16b107373804eb9c620eef062e5d099d80c4f4a.exe
Size: 475KB
MD5: 4473bc09f2f358973b05ab262aa80650
SHA1: 1fcb71d2f5a3d8ac397827b1db17a9a24a0fac73
SHA256: a803afe93e3bd05372453458b16b107373804eb9c620eef062e5d099d80c4f4a
SHA512: b535af19233cf9553d08f1830959b6773dc3191865def29b5d814ae31831bc9da86d168d2b5459664aacea33945cdf53e8f192b8d7c7078df54962b2791e015f
SSDEEP: 6144:HjmQ2sdoE4duLm3P2g5KYuxvWJH5ogtpLAKXDU89ZEs9UctljtdduYWfYXPLtMp:HjmQ2vSLy2NVwZogLLDB5UIjdnH
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  Processes (pid | process):
    4668 | a803afe93e3bd05372453458b16b107373804eb9c620eef062e5d099d80c4f4a.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes (description | ioc | process):
    Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | a803afe93e3bd05372453458b16b107373804eb9c620eef062e5d099d80c4f4a.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description | ioc | process):
    Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WinUpdate2 = "C:\\Users\\Admin\\AppData\\Roaming\\Critical Updates\\WindowsDefenderUpdater.exe" | a803afe93e3bd05372453458b16b107373804eb9c620eef062e5d099d80c4f4a.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WinUpdate2 = "\\Critical Updates\\WindowsDefenderUpdater.exe" | a803afe93e3bd05372453458b16b107373804eb9c620eef062e5d099d80c4f4a.exe
- Drops desktop.ini file(s) (2 IoCs)
  Processes (description | ioc | process):
    File created | C:\Windows\assembly\Desktop.ini | a803afe93e3bd05372453458b16b107373804eb9c620eef062e5d099d80c4f4a.exe
    File opened for modification | C:\Windows\assembly\Desktop.ini | a803afe93e3bd05372453458b16b107373804eb9c620eef062e5d099d80c4f4a.exe
- Drops file in Windows directory (3 IoCs)
  Processes (description | ioc | process):
    File opened for modification | C:\Windows\assembly | a803afe93e3bd05372453458b16b107373804eb9c620eef062e5d099d80c4f4a.exe
    File created | C:\Windows\assembly\Desktop.ini | a803afe93e3bd05372453458b16b107373804eb9c620eef062e5d099d80c4f4a.exe
    File opened for modification | C:\Windows\assembly\Desktop.ini | a803afe93e3bd05372453458b16b107373804eb9c620eef062e5d099d80c4f4a.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes (pid | process):
    4668 | a803afe93e3bd05372453458b16b107373804eb9c620eef062e5d099d80c4f4a.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes (description | pid | process):
    Token: SeDebugPrivilege | 3536 | a803afe93e3bd05372453458b16b107373804eb9c620eef062e5d099d80c4f4a.exe
    Token: SeDebugPrivilege | 4668 | a803afe93e3bd05372453458b16b107373804eb9c620eef062e5d099d80c4f4a.exe
    Token: SeDebugPrivilege | 4668 | a803afe93e3bd05372453458b16b107373804eb9c620eef062e5d099d80c4f4a.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes (pid | process):
    4668 | a803afe93e3bd05372453458b16b107373804eb9c620eef062e5d099d80c4f4a.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (description | pid | process | target process):
    PID 3536 wrote to memory of 4668 | 3536 | a803afe93e3bd05372453458b16b107373804eb9c620eef062e5d099d80c4f4a.exe | a803afe93e3bd05372453458b16b107373804eb9c620eef062e5d099d80c4f4a.exe
    PID 3536 wrote to memory of 4668 | 3536 | a803afe93e3bd05372453458b16b107373804eb9c620eef062e5d099d80c4f4a.exe | a803afe93e3bd05372453458b16b107373804eb9c620eef062e5d099d80c4f4a.exe
    PID 3536 wrote to memory of 4668 | 3536 | a803afe93e3bd05372453458b16b107373804eb9c620eef062e5d099d80c4f4a.exe | a803afe93e3bd05372453458b16b107373804eb9c620eef062e5d099d80c4f4a.exe
    PID 3536 wrote to memory of 4240 | 3536 | a803afe93e3bd05372453458b16b107373804eb9c620eef062e5d099d80c4f4a.exe | cmd.exe
    PID 3536 wrote to memory of 4240 | 3536 | a803afe93e3bd05372453458b16b107373804eb9c620eef062e5d099d80c4f4a.exe | cmd.exe
    PID 3536 wrote to memory of 4240 | 3536 | a803afe93e3bd05372453458b16b107373804eb9c620eef062e5d099d80c4f4a.exe | cmd.exe
    PID 4240 wrote to memory of 1368 | 4240 | cmd.exe | PING.EXE
    PID 4240 wrote to memory of 1368 | 4240 | cmd.exe | PING.EXE
    PID 4240 wrote to memory of 1368 | 4240 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\a803afe93e3bd05372453458b16b107373804eb9c620eef062e5d099d80c4f4a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a803afe93e3bd05372453458b16b107373804eb9c620eef062e5d099d80c4f4a.exe"
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 3536
  - C:\Users\Admin\AppData\Local\Temp\a803afe93e3bd05372453458b16b107373804eb9c620eef062e5d099d80c4f4a\a803afe93e3bd05372453458b16b107373804eb9c620eef062e5d099d80c4f4a.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\a803afe93e3bd05372453458b16b107373804eb9c620eef062e5d099d80c4f4a\a803afe93e3bd05372453458b16b107373804eb9c620eef062e5d099d80c4f4a.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops desktop.ini file(s)
    - Drops file in Windows directory
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID: 4668
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\a803afe93e3bd05372453458b16b107373804eb9c620eef062e5d099d80c4f4a.exe"
    - Suspicious use of WriteProcessMemory
    PID: 4240
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 1.1.1.1 -n 1 -w 1000
      - Runs ping.exe
      PID: 1368
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\a803afe93e3bd05372453458b16b107373804eb9c620eef062e5d099d80c4f4a\a803afe93e3bd05372453458b16b107373804eb9c620eef062e5d099d80c4f4a.exe
  Filesize: 475KB
  MD5: 4473bc09f2f358973b05ab262aa80650
  SHA1: 1fcb71d2f5a3d8ac397827b1db17a9a24a0fac73
  SHA256: a803afe93e3bd05372453458b16b107373804eb9c620eef062e5d099d80c4f4a
  SHA512: b535af19233cf9553d08f1830959b6773dc3191865def29b5d814ae31831bc9da86d168d2b5459664aacea33945cdf53e8f192b8d7c7078df54962b2791e015f