Analysis
max time kernel: 154s
max time network: 167s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07/11/2022, 04:14
Static task: static1
Behavioral task: behavioral1
  Sample: 3b06198a4c26910a48d8aa82745c66a7c19d039f3da6b93d8bbe2359fa42f520.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 3b06198a4c26910a48d8aa82745c66a7c19d039f3da6b93d8bbe2359fa42f520.exe
  Resource: win10v2004-20220812-en
General
Target: 3b06198a4c26910a48d8aa82745c66a7c19d039f3da6b93d8bbe2359fa42f520.exe
Size: 43KB
MD5: 06948f3af0a772a23d20a46cac52fa60
SHA1: 957ef61f9d4d3ea050a5c062ae12996febb91f3a
SHA256: 3b06198a4c26910a48d8aa82745c66a7c19d039f3da6b93d8bbe2359fa42f520
SHA512: 3096f57da95dc8364abef5cdd9ce9f352a0e678d9f2ef383154f356659648e2d6d3fb5395e96fec456c266e7980cddd4bd26131448dd85574bb3f9ce0956e0ef
SSDEEP: 768:ruD/1865QbrS+eUfOrm9uTx22R581J6HqYjHn2qvtK18/E71bToNVGnsHCCjPkax:MKuchsvR21XobHCCrk
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid 3412, process سسس.exe
- Modifies Windows Firewall (1 TTP, 1 IoC)
  pid 5052, process netsh.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation, by 3b06198a4c26910a48d8aa82745c66a7c19d039f3da6b93d8bbe2359fa42f520.exe
- Drops startup file (2 IoCs)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\626bab39ac7864f670f1f40dacc7bb84.exe, by سسس.exe
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\626bab39ac7864f670f1f40dacc7bb84.exe, by سسس.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\626bab39ac7864f670f1f40dacc7bb84 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\سسس.exe\" ..", by سسس.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\626bab39ac7864f670f1f40dacc7bb84 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\سسس.exe\" ..", by سسس.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (25 IoCs)
  pid 3412, process سسس.exe (25 identical entries)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, pid 3412, process سسس.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  PID 1692 (3b06198a4c26910a48d8aa82745c66a7c19d039f3da6b93d8bbe2359fa42f520.exe) wrote to memory of 3412, procid_target 79 (3 identical entries)
  PID 3412 (سسس.exe) wrote to memory of 5052, procid_target 80 (3 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\3b06198a4c26910a48d8aa82745c66a7c19d039f3da6b93d8bbe2359fa42f520.exe (depth 1, PID 1692)
  Command line: "C:\Users\Admin\AppData\Local\Temp\3b06198a4c26910a48d8aa82745c66a7c19d039f3da6b93d8bbe2359fa42f520.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\سسس.exe (depth 2, PID 3412)
    Command line: "C:\Users\Admin\AppData\Local\Temp\سسس.exe"
    - Executes dropped EXE
    - Drops startup file
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\netsh.exe (depth 3, PID 5052)
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\سسس.exe" "سسس.exe" ENABLE
      - Modifies Windows Firewall
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 43KB
  MD5: 06948f3af0a772a23d20a46cac52fa60
  SHA1: 957ef61f9d4d3ea050a5c062ae12996febb91f3a
  SHA256: 3b06198a4c26910a48d8aa82745c66a7c19d039f3da6b93d8bbe2359fa42f520
  SHA512: 3096f57da95dc8364abef5cdd9ce9f352a0e678d9f2ef383154f356659648e2d6d3fb5395e96fec456c266e7980cddd4bd26131448dd85574bb3f9ce0956e0ef
- Filesize: 43KB
  MD5: 06948f3af0a772a23d20a46cac52fa60
  SHA1: 957ef61f9d4d3ea050a5c062ae12996febb91f3a
  SHA256: 3b06198a4c26910a48d8aa82745c66a7c19d039f3da6b93d8bbe2359fa42f520
  SHA512: 3096f57da95dc8364abef5cdd9ce9f352a0e678d9f2ef383154f356659648e2d6d3fb5395e96fec456c266e7980cddd4bd26131448dd85574bb3f9ce0956e0ef