Analysis
-
max time kernel
175s -
max time network
205s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system -
submitted
23-11-2022 07:17
Static task
static1
Behavioral task
behavioral1
Sample
a1bdd92ff181ec9f2acb12ced6b8b0e2fb63be305c6ba7ddcac3b8a3cb2577d1.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
a1bdd92ff181ec9f2acb12ced6b8b0e2fb63be305c6ba7ddcac3b8a3cb2577d1.exe
Resource
win10v2004-20221111-en
General
-
Target
a1bdd92ff181ec9f2acb12ced6b8b0e2fb63be305c6ba7ddcac3b8a3cb2577d1.exe
-
Size
115KB
-
MD5
f83811baceb47fee0563fc1b91f9e97f
-
SHA1
c8b2a2151803e3596d102bee8e518f21c5d3d852
-
SHA256
a1bdd92ff181ec9f2acb12ced6b8b0e2fb63be305c6ba7ddcac3b8a3cb2577d1
-
SHA512
03cc94e8c2cecd4e8244dc6ffb1b23aa31c40ef24460e0276531e61a109789cc9efe7d41afca41f59a16256cef79629eaa1c54ec6dd85d507b34a4027cd34123
-
SSDEEP
3072:cU143UTXqhlYDnU/+FpwXmR7Iq2+YlbWa3rdWuLqfUl:nXqfE7wX82ZLqfU
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
cmd.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation cmd.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
a1bdd92ff181ec9f2acb12ced6b8b0e2fb63be305c6ba7ddcac3b8a3cb2577d1.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Users\\Admin\\AppData\\Roaming\\explorer\\explorer.exe" a1bdd92ff181ec9f2acb12ced6b8b0e2fb63be305c6ba7ddcac3b8a3cb2577d1.exe Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows\CurrentVersion\Run a1bdd92ff181ec9f2acb12ced6b8b0e2fb63be305c6ba7ddcac3b8a3cb2577d1.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
cmd.exepid process 3012 cmd.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
a1bdd92ff181ec9f2acb12ced6b8b0e2fb63be305c6ba7ddcac3b8a3cb2577d1.exedescription pid process target process PID 816 wrote to memory of 3012 816 a1bdd92ff181ec9f2acb12ced6b8b0e2fb63be305c6ba7ddcac3b8a3cb2577d1.exe cmd.exe PID 816 wrote to memory of 3012 816 a1bdd92ff181ec9f2acb12ced6b8b0e2fb63be305c6ba7ddcac3b8a3cb2577d1.exe cmd.exe PID 816 wrote to memory of 3012 816 a1bdd92ff181ec9f2acb12ced6b8b0e2fb63be305c6ba7ddcac3b8a3cb2577d1.exe cmd.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\a1bdd92ff181ec9f2acb12ced6b8b0e2fb63be305c6ba7ddcac3b8a3cb2577d1.exe"C:\Users\Admin\AppData\Local\Temp\a1bdd92ff181ec9f2acb12ced6b8b0e2fb63be305c6ba7ddcac3b8a3cb2577d1.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Roaming\explorer\explorer.exe2⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/3012-132-0x0000000000000000-mapping.dmp