Analysis
- max time kernel: 150s
- max time network: 156s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 21-11-2022 04:54

Tasks
- Static task: static1
- Behavioral task: behavioral1
  - Sample: 79df6cbb29cb39554f1061d71437c0c5b6351a398abcece971653b90f7d13216.exe
  - Resource: win7-20220812-en
- Behavioral task: behavioral2
  - Sample: 79df6cbb29cb39554f1061d71437c0c5b6351a398abcece971653b90f7d13216.exe
  - Resource: win10v2004-20220901-en

The signatures, process tree and dropped files below are from the win10v2004-20220901-en run (behavioral2).
General
- Target: 79df6cbb29cb39554f1061d71437c0c5b6351a398abcece971653b90f7d13216.exe
- Size: 1.4MB
- MD5: 3046222c67a68d7cadabd19434355600
- SHA1: 633f3b57954d2b2d7c37386af772dc199b3c6db7
- SHA256: 79df6cbb29cb39554f1061d71437c0c5b6351a398abcece971653b90f7d13216
- SHA512: 703dc8b72ec2bbafe4f8fa466b48b839af95a445df25c07b615d5471ba5bb6aad5ba76b66371bbb2d4d2426bbb09de88c9de017fee33b3be0007aa045b318b8e
- SSDEEP: 24576:mUQZGjqqIaSb5rUoMGa7WATGC11Jk220gPgFKU0p82QcNZdsCAEKA3NHNEgsNPDS:mUJGqI5lbmD11JkfKop8Rc+CnaNYp
Malware Config

Signatures

UAC bypass
Processes: FIX.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (FIX.exe)
EnableLUA = 0 turns off Admin Approval Mode, so UAC stops prompting after the next reboot. The sandbox reports this single write under three signatures (this one, "Checks whether UAC is enabled" and "System policy modification" below); it is one registry operation, not three.

Windows security bypass
Processes: FIX.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0" (FIX.exe)
UACDisableNotify controls whether Security Center warns the user that UAC is turned off; malware that disables UAC commonly touches it together with EnableLUA. The WOW6432Node path shows the write comes from a 32-bit process on this 64-bit image. The same record is reported again below as "Windows security modification".

Adds policy Run key to start application 2 TTPs 2 IoCs
Processes: iexplore.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run (iexplore.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\A440L3X3-W3L2-L8R1-T2B2-T227F2P4U7V3 = "C:\Users\Admin\AppData\Roaming\A440L3X3-W3L2-L8R1-T2B2-T227F2P4U7V3\A440L3X3-W3L2-L8R1-T2B2-T227F2P4U7V3.exe" (iexplore.exe)

Executes dropped EXE 4 IoCs
Processes: Black Inject.exe, DOWS.exe, FIX.exe, FIX.exe
- PID 3244 Black Inject.exe
- PID 528 DOWS.exe
- PID 1760 FIX.exe
- PID 2796 FIX.exe

Checks computer location settings 2 TTPs 2 IoCs
Looks up the country code configured in the registry, likely a geofence check.
Processes: 79df6cbb29cb39554f1061d71437c0c5b6351a398abcece971653b90f7d13216.exe, DOWS.exe
- Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation (79df6cbb29cb39554f1061d71437c0c5b6351a398abcece971653b90f7d13216.exe)
- Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation (DOWS.exe)

Windows security modification
Processes: FIX.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0" (FIX.exe)

Adds Run key to start application 2 TTPs 4 IoCs
Processes: iexplore.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run (iexplore.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\A440L3X3-W3L2-L8R1-T2B2-T227F2P4U7V3 = "C:\Users\Admin\AppData\Roaming\A440L3X3-W3L2-L8R1-T2B2-T227F2P4U7V3\A440L3X3-W3L2-L8R1-T2B2-T227F2P4U7V3.exe" (iexplore.exe)
- Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (iexplore.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\A440L3X3-W3L2-L8R1-T2B2-T227F2P4U7V3 = "C:\Users\Admin\AppData\Roaming\A440L3X3-W3L2-L8R1-T2B2-T227F2P4U7V3\A440L3X3-W3L2-L8R1-T2B2-T227F2P4U7V3.exe" (iexplore.exe)
All three persistence entries point at one copy of the payload under %APPDATA%\A440L3X3-W3L2-L8R1-T2B2-T227F2P4U7V3\, and all are written by iexplore.exe (PID 4060), not by the dropper: the SetThreadContext and WriteProcessMemory records below show why that process is executing the sample's code.

Checks whether UAC is enabled
Processes: FIX.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (FIX.exe)

Suspicious use of SetThreadContext 2 IoCs
Processes: FIX.exe, FIX.exe
- PID 1760 (FIX.exe) set thread context of PID 2796 (FIX.exe)
- PID 2796 (FIX.exe) set thread context of PID 4060 (iexplore.exe)
Each of these parent/child pairs also appears eight times under WriteProcessMemory, and the process tree shows PID 4060 running the iexplore.exe image with FIX.exe's command line. A child created by its parent, written to, and then given a new thread context before it runs is process hollowing: FIX.exe first hollows a copy of itself, then hollows iexplore.exe, so the persistence and SeDebugPrivilege activity below is attributed to a legitimate, signed Internet Explorer binary.

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox labels this "likely ransomware behaviour", but drive enumeration on its own is a weak indicator and no other signature in this report points to file encryption or ransom-note activity.

Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes: iexplore.exe
- Token: SeDebugPrivilege, PID 4060 (iexplore.exe)

Suspicious use of SetWindowsHookEx 5 IoCs
Processes: 79df6cbb29cb39554f1061d71437c0c5b6351a398abcece971653b90f7d13216.exe, Black Inject.exe, FIX.exe, FIX.exe, iexplore.exe
- PID 4868 79df6cbb29cb39554f1061d71437c0c5b6351a398abcece971653b90f7d13216.exe
- PID 3244 Black Inject.exe
- PID 1760 FIX.exe
- PID 2796 FIX.exe
- PID 4060 iexplore.exe

Suspicious use of WriteProcessMemory 29 IoCs
Processes: 79df6cbb29cb39554f1061d71437c0c5b6351a398abcece971653b90f7d13216.exe, DOWS.exe, FIX.exe, FIX.exe, iexplore.exe
The 29 records collapse to six parent/child pairs:
- PID 4868 (79df6cbb29cb39554f1061d71437c0c5b6351a398abcece971653b90f7d13216.exe) wrote to memory of PID 3244 (Black Inject.exe): 3 records
- PID 4868 (79df6cbb29cb39554f1061d71437c0c5b6351a398abcece971653b90f7d13216.exe) wrote to memory of PID 528 (DOWS.exe): 3 records
- PID 528 (DOWS.exe) wrote to memory of PID 1760 (FIX.exe): 3 records
- PID 1760 (FIX.exe) wrote to memory of PID 2796 (FIX.exe): 8 records
- PID 2796 (FIX.exe) wrote to memory of PID 4060 (iexplore.exe): 8 records
- PID 4060 (iexplore.exe) wrote to memory of PID 5104 (notepad.exe): 4 records
The two eight-write pairs are exactly the pairs that also appear under SetThreadContext.

System policy modification 1 TTPs 1 IoCs
Processes: FIX.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (FIX.exe)
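The registry signatures above are the records a triage script would score: which writes disable UAC, which touch Security Center, which install persistence, and which process performed each. The following is an added example written for this page, not code from the sandbox or from the sample: it parses records in the layout the report prints (operation, NT-style key path, optional value, acting process), normalizes the hive prefix and the WOW6432Node redirection so one rule matches both registry views, and applies the rules that the signatures above correspond to. The input lines are transcribed from this report; the rule names, severities and the Finding type are this example's own.

```python
"""Rule-based triage of sandbox registry IoC records (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed input: the registry records from this report's signature section,
# one record per line in the sandbox's own layout.
IOC_LINES = [
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" FIX.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0" FIX.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run iexplore.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\A440L3X3-W3L2-L8R1-T2B2-T227F2P4U7V3 = "C:\Users\Admin\AppData\Roaming\A440L3X3-W3L2-L8R1-T2B2-T227F2P4U7V3\A440L3X3-W3L2-L8R1-T2B2-T227F2P4U7V3.exe" iexplore.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\A440L3X3-W3L2-L8R1-T2B2-T227F2P4U7V3 = "C:\Users\Admin\AppData\Roaming\A440L3X3-W3L2-L8R1-T2B2-T227F2P4U7V3\A440L3X3-W3L2-L8R1-T2B2-T227F2P4U7V3.exe" iexplore.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\A440L3X3-W3L2-L8R1-T2B2-T227F2P4U7V3 = "C:\Users\Admin\AppData\Roaming\A440L3X3-W3L2-L8R1-T2B2-T227F2P4U7V3\A440L3X3-W3L2-L8R1-T2B2-T227F2P4U7V3.exe" iexplore.exe',
    r'Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation DOWS.exe',
]

# Key paths may contain spaces ("Security Center", "Control Panel"), so the path is
# matched lazily and the acting process is taken as the final whitespace-free token.
RECORD = re.compile(
    r'^(?P<op>Set value \((?P<type>\w+)\)|Key created|Key value queried)\s+'
    r'(?P<path>\\REGISTRY\\.+?)'
    r'(?:\s+=\s+"(?P<value>.*)")?'
    r'\s+(?P<proc>\S+)$'
)


@dataclass
class Finding:
    rule: str
    severity: str
    process: str
    key: str               # normalized: HKLM\... or HKU\<sid>\...
    value: Optional[str]   # value written, if the record wrote one


def normalize_key(path: str) -> str:
    """Map \\REGISTRY\\MACHINE to HKLM and \\REGISTRY\\USER\\<sid> to HKU\\<sid>, then drop
    the WOW6432Node node so a rule matches the 32-bit and 64-bit views alike."""
    upper = path.upper()
    if upper.startswith('\\REGISTRY\\MACHINE\\'):
        path = 'HKLM\\' + path[len('\\REGISTRY\\MACHINE\\'):]
    elif upper.startswith('\\REGISTRY\\USER\\'):
        path = 'HKU\\' + path[len('\\REGISTRY\\USER\\'):]
    return re.sub(r'\\WOW6432Node(?=\\)', '', path, flags=re.IGNORECASE)


def classify(op: str, key: str, value: Optional[str], proc: str) -> Optional[Finding]:
    """Rules mirroring the signatures in the report; names and severities are this example's."""
    k = key.lower()
    if op.startswith('Set value'):
        if k.endswith('\\policies\\system\\enablelua') and value == '0':
            return Finding('uac_disabled', 'high', proc, key, value)
        if '\\microsoft\\security center\\' in k:
            return Finding('security_center_tamper', 'medium', proc, key, value)
        parent = k.rsplit('\\', 1)[0]          # the key the value lives in
        if parent.endswith('\\policies\\explorer\\run'):
            return Finding('policy_run_key_persistence', 'high', proc, key, value)
        if parent.endswith('\\microsoft\\windows\\currentversion\\run'):
            return Finding('run_key_persistence', 'high', proc, key, value)
    elif op == 'Key value queried':
        if k.endswith('\\control panel\\international\\geo\\nation'):
            return Finding('geofence_check', 'low', proc, key, None)
    return None


def triage(lines) -> List[Finding]:
    findings = []
    for line in lines:
        m = RECORD.match(line.strip())
        if not m:
            continue                            # unknown layout: skip rather than guess
        value = m.group('value')
        if value is not None:
            value = value.replace('\\\\', '\\')  # some exports escape backslashes in values
        f = classify(m.group('op'), normalize_key(m.group('path')), value, m.group('proc'))
        if f:
            findings.append(f)
    return findings


def persistence_paths(findings) -> Set[str]:
    """Executables that will be started at logon according to the Run-key findings."""
    return {f.value for f in findings if f.rule.endswith('_persistence') and f.value}


if __name__ == '__main__':
    for f in triage(IOC_LINES):
        print(f'[{f.severity}] {f.rule}: {f.process} -> {f.key}' + (f' = {f.value}' if f.value else ''))
    print('persisted:', persistence_paths(triage(IOC_LINES)))
```

Running it against these seven records yields six findings (the bare "Key created" record carries no value and produces none) and a single persisted path, and every persistence finding is attributed to iexplore.exe rather than to the dropper, which is the detail worth surfacing from this report.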
Processes (image path, command line, PID; indentation shows the parent/child relationship)

- [1] C:\Users\Admin\AppData\Local\Temp\79df6cbb29cb39554f1061d71437c0c5b6351a398abcece971653b90f7d13216.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\79df6cbb29cb39554f1061d71437c0c5b6351a398abcece971653b90f7d13216.exe"
  PID: 4868
  signatures: Checks computer location settings; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\Black Inject.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\Black Inject.exe"
    PID: 3244
    signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
  - [2] C:\Users\Admin\AppData\Local\Temp\DOWS.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\DOWS.exe"
    PID: 528
    signatures: Executes dropped EXE; Checks computer location settings; Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Local\Temp\RarSFX0\FIX.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\FIX.exe"
      PID: 1760
      signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
      (RarSFX0 is the temporary extraction folder used by WinRAR self-extracting archives, so DOWS.exe is an SFX archive that unpacks FIX.exe and runs it.)
      - [4] C:\Users\Admin\AppData\Local\Temp\RarSFX0\FIX.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\FIX.exe"
        PID: 2796
        signatures: UAC bypass; Windows security bypass; Executes dropped EXE; Windows security modification; Checks whether UAC is enabled; Suspicious use of SetThreadContext; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory; System policy modification
        (A second copy of FIX.exe, started by the first and given a new thread context by it: the unpacked payload runs in this process, not in PID 1760.)
        - [5] C:\Program Files (x86)\Internet Explorer\iexplore.exe
          command line: C:\Users\Admin\AppData\Local\Temp\RarSFX0\FIX.exe
          PID: 4060
          signatures: Adds policy Run key to start application; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
          (The image path and the command line disagree: the process was created from iexplore.exe but carries FIX.exe's command line, the mark of a hollowed process. Everything this PID does, including the persistence keys, is the sample's code running under the Internet Explorer image.)
          - [6] C:\Windows\SysWOW64\notepad.exe
            command line: notepad.exe
            PID: 5104
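The tree above, read together with the WriteProcessMemory and SetThreadContext records, is enough to locate the hollowed process mechanically: a child that its parent both wrote into and gave a new thread context, and whose image path no longer matches the executable named on its command line. The following is an added example (this editor's code, not the sandbox's) that rebuilds the chain from the data in this report; the PIDs, paths and call counts are transcribed from the page, while the verdict names and the heuristic are this example's own.

```python
"""Reconstruct an injection chain from a sandbox process tree (added example)."""
import ntpath
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Proc:
    pid: int
    image: str            # on-disk image the process was created from
    cmdline: str          # command line the process was started with
    ppid: Optional[int]   # None for the root of the tree


SAMPLE = r'C:\Users\Admin\AppData\Local\Temp\79df6cbb29cb39554f1061d71437c0c5b6351a398abcece971653b90f7d13216.exe'

# Constructed input: the process tree as this report shows it.
PROCESSES = [
    Proc(4868, SAMPLE, f'"{SAMPLE}"', None),
    Proc(3244, r'C:\Users\Admin\AppData\Local\Temp\Black Inject.exe', r'"C:\Users\Admin\AppData\Local\Temp\Black Inject.exe"', 4868),
    Proc(528, r'C:\Users\Admin\AppData\Local\Temp\DOWS.exe', r'"C:\Users\Admin\AppData\Local\Temp\DOWS.exe"', 4868),
    Proc(1760, r'C:\Users\Admin\AppData\Local\Temp\RarSFX0\FIX.exe', r'"C:\Users\Admin\AppData\Local\Temp\RarSFX0\FIX.exe"', 528),
    Proc(2796, r'C:\Users\Admin\AppData\Local\Temp\RarSFX0\FIX.exe', r'"C:\Users\Admin\AppData\Local\Temp\RarSFX0\FIX.exe"', 1760),
    Proc(4060, r'C:\Program Files (x86)\Internet Explorer\iexplore.exe', r'C:\Users\Admin\AppData\Local\Temp\RarSFX0\FIX.exe', 2796),
    Proc(5104, r'C:\Windows\SysWOW64\notepad.exe', 'notepad.exe', 4060),
]

# WriteProcessMemory records as (writer pid, target pid), one entry per logged call:
# the report's 29 records collapse to these six pairs.
WRITES: List[Tuple[int, int]] = (
    [(4868, 3244)] * 3 + [(4868, 528)] * 3 + [(528, 1760)] * 3
    + [(1760, 2796)] * 8 + [(2796, 4060)] * 8 + [(4060, 5104)] * 4
)
# SetThreadContext records as (caller pid, target pid).
SET_THREAD_CONTEXT: List[Tuple[int, int]] = [(1760, 2796), (2796, 4060)]


def cmdline_exe(cmdline: str) -> str:
    """Lower-cased basename of the executable named first on a Windows command line."""
    s = cmdline.strip()
    if s.startswith('"'):                       # quoted path, may contain spaces
        end = s.find('"', 1)
        first = s[1:end] if end > 0 else s[1:]
    else:
        first = s.split(' ', 1)[0]
    return ntpath.basename(first).lower()


def analyze(procs, writes, set_thread_context) -> Dict[int, str]:
    """Verdict per PID: 'root', 'created', 'injected', 'self_injection' or 'hollowed'."""
    by_pid = {p.pid: p for p in procs}
    stc = set(set_thread_context)
    verdicts: Dict[int, str] = {}
    for p in procs:
        if p.ppid is None:
            verdicts[p.pid] = 'root'
            continue
        parent = by_pid[p.ppid]
        n_writes = writes.count((p.ppid, p.pid))
        # Hollowing needs both: the parent wrote into the child and redirected its thread.
        hijacked = (p.ppid, p.pid) in stc and n_writes > 0
        if not hijacked:
            verdicts[p.pid] = 'created'
        elif ntpath.basename(p.image).lower() != cmdline_exe(p.cmdline):
            verdicts[p.pid] = 'hollowed'        # image on disk != executable on the command line
        elif ntpath.basename(p.image).lower() == ntpath.basename(parent.image).lower():
            verdicts[p.pid] = 'self_injection'  # parent rewrote a suspended copy of itself
        else:
            verdicts[p.pid] = 'injected'
    return verdicts


def chain(procs, pid: int) -> List[int]:
    """Ancestry from the root of the tree down to pid."""
    by_pid = {p.pid: p for p in procs}
    path: List[int] = []
    cur: Optional[int] = pid
    while cur is not None:
        path.append(cur)
        cur = by_pid[cur].ppid
    return path[::-1]


if __name__ == '__main__':
    verdicts = analyze(PROCESSES, WRITES, SET_THREAD_CONTEXT)
    for pid in chain(PROCESSES, 4060):
        p = next(x for x in PROCESSES if x.pid == pid)
        print(f'{pid:>5} {verdicts[pid]:<15} {ntpath.basename(p.image)}  <-  {p.cmdline}')
```

The self-injection verdict for PID 2796 is the weaker of the two: a parent rewriting a suspended copy of itself leaves the image path and command line consistent, so only the SetThreadContext plus write pattern gives it away. The iexplore.exe case is caught by the path mismatch as well, which is the check worth adding to any process-creation telemetry you already collect.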
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 32KB
  MD5: 8e7f0ab5708ed0bb3a34c0b1246bd8ea
  SHA1: 3dfce2eefcbc240bef5ca5dc536ecd623efdc537
  SHA256: a24eb7a3f9e1e8382a455b3eccce575632103738217444565088def6f96b353d
  SHA512: 52ef0312612e79fab1871e8446cfadee3929337baa198a40c67035b27895f5f347fb6bb68c3cb565b46daa5aea1792530889457a3888d7fa495241cde5a84ba9
- Filesize: 704KB
  MD5: 8d021cccaf91e5e4364f293ac9141100
  SHA1: e60fc2fda9b75cf3a421c6438f105b5ea1c48cb6
  SHA256: 2abe3651a9fcb76fc2bfc7d41b53d75a0c4afb44ad4f683ff875eff0f14214aa
  SHA512: 48b8c59745dba92b9e91aa3032ee3a4e0126c978a7986e2b55fac9c09d1b83b060f250b071876cf445a6d9e8601405a0ece3b06bee1dec3157b06233fd3e62ac
- Filesize: 564KB
  MD5: 5075ce722c570cd61ef5c674f3551876
  SHA1: 9cf84d95886042c3232b5b5eecebb094c160ff9b
  SHA256: 90b84c2dadd8a427f19e26887185852bef6b019815374b14e91ed6658f75a932
  SHA512: a3bee59ca57d7a9cc4139fbfada81679f6495e9ef4135f26bca5b97188645b004f519eb6439b9b99605cdde928c7db2705622ae31520a2a10d7a151aa5a4cc40