Analysis
-
max time kernel
151s -
max time network
156s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system -
submitted
30-10-2022 12:06
Static task
static1
Behavioral task
behavioral1
Sample
c4ee35c5a13033a9adc0da1c99c9b4bbc9a7572ca4e697fa6868a8b44ff1987a.exe
Resource
win7-20220812-en
General
-
Target
c4ee35c5a13033a9adc0da1c99c9b4bbc9a7572ca4e697fa6868a8b44ff1987a.exe
-
Size
637KB
-
MD5
84feedb206ce6f56fcbea63636597780
-
SHA1
7563c8c9531b872b787190a0cdb6fc168a3117ab
-
SHA256
c4ee35c5a13033a9adc0da1c99c9b4bbc9a7572ca4e697fa6868a8b44ff1987a
-
SHA512
1852cbaf9ce05f0539a160180ff0d2be4f75a1ea14d7acfa805402afd68e557cf600faab94877d619e40bffbf15002e8855c095829cb45902eef06369c2506ed
-
SSDEEP
12288:+CPBprQ64gRZR6WRgb14aB1BveN14I8RotUP6fUsSO:jZprXPR3xKr4qktUPcS
Malware Config
Signatures
-
Executes dropped EXE 3 IoCs
Processes:
notepad.exeRoamingRealmPlayer.exenotepad.exepid process 3264 notepad.exe 2184 RoamingRealmPlayer.exe 1548 notepad.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
notepad.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation notepad.exe -
Drops desktop.ini file(s) 2 IoCs
Processes:
notepad.exedescription ioc process File created C:\Windows\assembly\Desktop.ini notepad.exe File opened for modification C:\Windows\assembly\Desktop.ini notepad.exe -
Suspicious use of SetThreadContext 2 IoCs
Processes:
c4ee35c5a13033a9adc0da1c99c9b4bbc9a7572ca4e697fa6868a8b44ff1987a.exenotepad.exedescription pid process target process PID 4880 set thread context of 3264 4880 c4ee35c5a13033a9adc0da1c99c9b4bbc9a7572ca4e697fa6868a8b44ff1987a.exe notepad.exe PID 3264 set thread context of 1548 3264 notepad.exe notepad.exe -
Drops file in Windows directory 3 IoCs
Processes:
notepad.exedescription ioc process File opened for modification C:\Windows\assembly notepad.exe File created C:\Windows\assembly\Desktop.ini notepad.exe File opened for modification C:\Windows\assembly\Desktop.ini notepad.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
dw20.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz dw20.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString dw20.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 dw20.exe -
Enumerates system info in registry 2 TTPs 2 IoCs
Processes:
dw20.exedescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS dw20.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU dw20.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
c4ee35c5a13033a9adc0da1c99c9b4bbc9a7572ca4e697fa6868a8b44ff1987a.exepid process 4880 c4ee35c5a13033a9adc0da1c99c9b4bbc9a7572ca4e697fa6868a8b44ff1987a.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
notepad.exepid process 1548 notepad.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
c4ee35c5a13033a9adc0da1c99c9b4bbc9a7572ca4e697fa6868a8b44ff1987a.exenotepad.exenotepad.exedw20.exedescription pid process Token: SeDebugPrivilege 4880 c4ee35c5a13033a9adc0da1c99c9b4bbc9a7572ca4e697fa6868a8b44ff1987a.exe Token: SeDebugPrivilege 3264 notepad.exe Token: SeDebugPrivilege 1548 notepad.exe Token: SeBackupPrivilege 312 dw20.exe Token: SeBackupPrivilege 312 dw20.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
notepad.exepid process 1548 notepad.exe -
Suspicious use of WriteProcessMemory 20 IoCs
Processes:
c4ee35c5a13033a9adc0da1c99c9b4bbc9a7572ca4e697fa6868a8b44ff1987a.exenotepad.exeRoamingRealmPlayer.exedescription pid process target process PID 4880 wrote to memory of 3264 4880 c4ee35c5a13033a9adc0da1c99c9b4bbc9a7572ca4e697fa6868a8b44ff1987a.exe notepad.exe PID 4880 wrote to memory of 3264 4880 c4ee35c5a13033a9adc0da1c99c9b4bbc9a7572ca4e697fa6868a8b44ff1987a.exe notepad.exe PID 4880 wrote to memory of 3264 4880 c4ee35c5a13033a9adc0da1c99c9b4bbc9a7572ca4e697fa6868a8b44ff1987a.exe notepad.exe PID 4880 wrote to memory of 3264 4880 c4ee35c5a13033a9adc0da1c99c9b4bbc9a7572ca4e697fa6868a8b44ff1987a.exe notepad.exe PID 4880 wrote to memory of 3264 4880 c4ee35c5a13033a9adc0da1c99c9b4bbc9a7572ca4e697fa6868a8b44ff1987a.exe notepad.exe PID 4880 wrote to memory of 3264 4880 c4ee35c5a13033a9adc0da1c99c9b4bbc9a7572ca4e697fa6868a8b44ff1987a.exe notepad.exe PID 4880 wrote to memory of 3264 4880 c4ee35c5a13033a9adc0da1c99c9b4bbc9a7572ca4e697fa6868a8b44ff1987a.exe notepad.exe PID 4880 wrote to memory of 3264 4880 c4ee35c5a13033a9adc0da1c99c9b4bbc9a7572ca4e697fa6868a8b44ff1987a.exe notepad.exe PID 3264 wrote to memory of 2184 3264 notepad.exe RoamingRealmPlayer.exe PID 3264 wrote to memory of 2184 3264 notepad.exe RoamingRealmPlayer.exe PID 3264 wrote to memory of 1548 3264 notepad.exe notepad.exe PID 3264 wrote to memory of 1548 3264 notepad.exe notepad.exe PID 3264 wrote to memory of 1548 3264 notepad.exe notepad.exe PID 3264 wrote to memory of 1548 3264 notepad.exe notepad.exe PID 3264 wrote to memory of 1548 3264 notepad.exe notepad.exe PID 3264 wrote to memory of 1548 3264 notepad.exe notepad.exe PID 3264 wrote to memory of 1548 3264 notepad.exe notepad.exe PID 3264 wrote to memory of 1548 3264 notepad.exe notepad.exe PID 2184 wrote to memory of 312 2184 RoamingRealmPlayer.exe dw20.exe PID 2184 wrote to memory of 312 2184 RoamingRealmPlayer.exe dw20.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\c4ee35c5a13033a9adc0da1c99c9b4bbc9a7572ca4e697fa6868a8b44ff1987a.exe"C:\Users\Admin\AppData\Local\Temp\c4ee35c5a13033a9adc0da1c99c9b4bbc9a7572ca4e697fa6868a8b44ff1987a.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4880 -
C:\Windows\temp\notepad.exeC:\Windows\temp\notepad.exe2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3264 -
C:\Users\Admin\AppData\RoamingRealmPlayer.exe"C:\Users\Admin\AppData\RoamingRealmPlayer.exe"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2184 -
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exedw20.exe -x -s 8244⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:312
-
-
-
C:\Windows\temp\notepad.exe"C:\Windows\temp\notepad.exe"3⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1548
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
31KB
MD57a607550e6bcafcf6024216d4a12162c
SHA1849336bc7b847fd35311a921eaa5eb7b7e051542
SHA2565ea1edafff5ffc11f9b8cf1cdf8a821d5e41957ce5c0aab0e4afb206b34354fb
SHA512f4e38fb50d438bce094aec8d36c8c189b62687ac46d9b5d0d94c96658bfaa4e08a013dd0222dc63343c42fbc178ecb3705d89392f709de153c0647452baeaaf4
-
Filesize
31KB
MD57a607550e6bcafcf6024216d4a12162c
SHA1849336bc7b847fd35311a921eaa5eb7b7e051542
SHA2565ea1edafff5ffc11f9b8cf1cdf8a821d5e41957ce5c0aab0e4afb206b34354fb
SHA512f4e38fb50d438bce094aec8d36c8c189b62687ac46d9b5d0d94c96658bfaa4e08a013dd0222dc63343c42fbc178ecb3705d89392f709de153c0647452baeaaf4
-
Filesize
52KB
MD5a64daca3cfbcd039df3ec29d3eddd001
SHA1eee8b2573f71e8d5c3ee7e53af3e6772e090d0f3
SHA256403752009f29381d5e4036b8be94589c89188f9ce8ef5f86959eaaada019ed36
SHA512b6fe2d0ae3fcd4442579ecf10d498d61e0f042813c8fc4be8019da77d849cfcf0b168507139a1b5697227c272de9091788f8e03cf1ce13d5b5077568cfa6a479
-
Filesize
52KB
MD5a64daca3cfbcd039df3ec29d3eddd001
SHA1eee8b2573f71e8d5c3ee7e53af3e6772e090d0f3
SHA256403752009f29381d5e4036b8be94589c89188f9ce8ef5f86959eaaada019ed36
SHA512b6fe2d0ae3fcd4442579ecf10d498d61e0f042813c8fc4be8019da77d849cfcf0b168507139a1b5697227c272de9091788f8e03cf1ce13d5b5077568cfa6a479
-
Filesize
52KB
MD5a64daca3cfbcd039df3ec29d3eddd001
SHA1eee8b2573f71e8d5c3ee7e53af3e6772e090d0f3
SHA256403752009f29381d5e4036b8be94589c89188f9ce8ef5f86959eaaada019ed36
SHA512b6fe2d0ae3fcd4442579ecf10d498d61e0f042813c8fc4be8019da77d849cfcf0b168507139a1b5697227c272de9091788f8e03cf1ce13d5b5077568cfa6a479