Analysis
max time kernel: 138s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23-11-2022 09:05
Static task: static1
Behavioral task: behavioral1
  Sample: 13da529a139ce07efa4e64771b449791021e071c4b23085e5a2d5c510c9ea825.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: 13da529a139ce07efa4e64771b449791021e071c4b23085e5a2d5c510c9ea825.exe
  Resource: win10v2004-20220812-en
General
Target: 13da529a139ce07efa4e64771b449791021e071c4b23085e5a2d5c510c9ea825.exe
Size: 793KB
MD5: 6f9e437cd3114aef8abe2e3c4e09fcc7
SHA1: 6d6fbae415b504ff30d3f6bee49a30a497eb1919
SHA256: 13da529a139ce07efa4e64771b449791021e071c4b23085e5a2d5c510c9ea825
SHA512: a2f2c12949e44b7e193a609b406325eec75505a76e350923f3a35b5da3310f99e10392c1daa801a22a2d34973fff6c076cb1668643cdf660a333e1a63ae79bac
SSDEEP: 24576:IFszWS5byefnp9pgp9EQjAyEBVvEqABf/+8aBqUybDsBK:IwreNwBVMvfEjO0K
Malware Config
Signatures
-
Executes dropped EXE (1 IoC)
Processes:
  PID 4960  2764.exe
-
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
  Key value queried  \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation  by 13da529a139ce07efa4e64771b449791021e071c4b23085e5a2d5c510c9ea825.exe
-
Loads dropped DLL (2 IoCs)
Processes:
  PID 4960  2764.exe  (2 hits)
-
Drops file in Windows directory (2 IoCs)
Processes:
  File opened for modification  C:\Windows\RCX904E.tmp  by 2764.exe
  File created  C:\Windows\suuwwwx.dll  by 2764.exe
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses (8 IoCs)
Processes:
  PID 4960  2764.exe  (8 hits)
-
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  Token: SeDebugPrivilege  PID 4960  2764.exe
-
Suspicious use of SetWindowsHookEx (24 IoCs)
Processes:
  PID 4960  2764.exe  (24 hits)
-
Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
  PID 4588 (13da529a139ce07efa4e64771b449791021e071c4b23085e5a2d5c510c9ea825.exe) wrote to memory of PID 4960 (2764.exe)  (3 hits)
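The signature rows above are table cells that extraction ran together into single lines. The parser below is an added example, not part of the Triage report: it splits those rows back into (action, IoC, process) records, collapses the repeated PID rows into hit counts, and rebuilds the parent/child relation from the WriteProcessMemory row. The rows are copied from this page; the tag names are mine, and the reading of RCX904E.tmp as the transient file a Windows file copy leaves beside its destination is an assumption stated in the comment.

```python
"""Turn the flattened signature rows of a Triage-style sandbox report into
structured IoC records and a process tree. Added example; the rows below are
copied from the report's Signatures section, not produced by this code."""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

SAMPLE = "13da529a139ce07efa4e64771b449791021e071c4b23085e5a2d5c510c9ea825.exe"

# Rows exactly as they appear once extraction flattens the table (from this page).
FILE_ROW = ("2764.exedescription ioc process "
            "File opened for modification C:\\Windows\\RCX904E.tmp 2764.exe "
            "File created C:\\Windows\\suuwwwx.dll 2764.exe")
REG_ROW = (SAMPLE + "description ioc process Key value queried "
           "\\REGISTRY\\USER\\S-1-5-21-2295526160-1155304984-640977766-1000"
           "\\Control Panel\\International\\Geo\\Nation " + SAMPLE)
MEM_ROW = (SAMPLE + "description pid process target process " +
           " ".join([f"PID 4588 wrote to memory of 4960 4588 {SAMPLE} 2764.exe"] * 3))
HOOK_ROW = "2764.exepid process " + " ".join(["4960 2764.exe"] * 24)

# Action phrases seen on this page; add further Triage phrases here in full,
# since the split below keys on the whole phrase.
ACTIONS = ("File opened for modification", "File created", "Key value queried")
_ACTION_SPLIT = re.compile(r"(" + "|".join(re.escape(a) for a in ACTIONS) + r") ")
_MEM_WRITE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)")
_PID_PROC = re.compile(r"(\d+) (\S+\.exe)")


@dataclass(frozen=True)
class IoC:
    action: str
    ioc: str
    process: str

    @property
    def tags(self) -> tuple:
        """Analyst labels derived from the IoC text; the names are this example's own."""
        t = []
        if self.ioc.lower().endswith("\\control panel\\international\\geo\\nation"):
            t.append("geofence-check")        # GeoID lookup, as the report's signature says
        if self.action == "File created" and self.ioc.lower().startswith("c:\\windows\\"):
            t.append("drop-in-windows-dir")   # needs write access to the system directory
        if re.search(r"\\RCX[0-9A-F]{4}\.tmp$", self.ioc, re.I):
            # Assumption: RCX####.tmp is the transient file a Windows file copy
            # creates next to its destination, so this and the DLL are one copy.
            t.append("copyfile-temp")
        return tuple(t)


def parse_ioc_row(row: str) -> list:
    """Split one 'description ioc process' row into IoC records. The process name
    is the last whitespace-delimited token, so an IoC itself may contain spaces."""
    _, _, body = row.partition("description ioc process ")
    parts = _ACTION_SPLIT.split(body)         # ['', action, rest, action, rest, ...]
    out = []
    for action, rest in zip(parts[1::2], parts[2::2]):
        ioc, _, proc = rest.strip().rpartition(" ")
        out.append(IoC(action, ioc, proc))
    return out


def parse_memory_writes(row: str) -> list:
    """(writer pid, target pid, writer name, target name); repeats collapsed, order kept."""
    seen = []
    for w, t, wn, tn in _MEM_WRITE.findall(row):
        rec = (int(w), int(t), wn, tn)
        if rec not in seen:
            seen.append(rec)
    return seen


def count_pid_row(row: str) -> Counter:
    """Collapse a '<proc>pid process 4960 2764.exe 4960 2764.exe ...' row into hit counts."""
    return Counter(f"{pid} {name}" for pid, name in _PID_PROC.findall(row))


def process_tree(writes) -> dict:
    """Parent/child map from the WriteProcessMemory pairs: the parent wrote into
    the address space of the child it spawned, so the child's memory dump is where
    to look for what it received."""
    tree = {}
    for w, t, wn, tn in writes:
        tree.setdefault(w, {"name": wn, "children": []})
        tree.setdefault(t, {"name": tn, "children": []})
        if t not in tree[w]["children"]:
            tree[w]["children"].append(t)
    return tree


if __name__ == "__main__":
    for row in (FILE_ROW, REG_ROW):
        for rec in parse_ioc_row(row):
            print(rec.action, "|", rec.ioc, "|", rec.process, "|", rec.tags)
    print(process_tree(parse_memory_writes(MEM_ROW)))
    print(count_pid_row(HOOK_ROW))
```

Matching the geofence key on its tail rather than on the full path keeps the rule independent of the user SID, which changes per machine; the drop tag deliberately excludes "File opened for modification" so that the temporary file and the final DLL are not counted as two drops.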
Processes
-
C:\Users\Admin\AppData\Local\Temp\13da529a139ce07efa4e64771b449791021e071c4b23085e5a2d5c510c9ea825.exe  (PID 4588)
  command line: "C:\Users\Admin\AppData\Local\Temp\13da529a139ce07efa4e64771b449791021e071c4b23085e5a2d5c510c9ea825.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  -
  C:\Users\Admin\AppData\Local\Temp\2764\2764.exe  (PID 4960, child of 4588)
    command line: "C:\Users\Admin\AppData\Local\Temp\2764\2764.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
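The tree above is the shape a host-based detection can key on: a binary in the user's Temp folder starts a second, freshly dropped binary from a Temp subfolder, and that child writes into C:\Windows. The correlation below is an added example, not part of the report and not a Triage or Sysmon rule. Its event records are constructed to mirror the tree with the PIDs the report lists; field names follow Sysmon's process-create (event 1) and file-create (event 11) events, while explorer.exe as the root parent with PID 1234 and the setup.exe control case are assumptions.

```python
"""Correlate Sysmon-style process-creation (event 1) and file-creation (event 11)
records into an alert for the chain the report shows. Added example; the records
are constructed to mirror the report's process tree, not taken from a real log."""
from __future__ import annotations

from collections import defaultdict

SAMPLE = "13da529a139ce07efa4e64771b449791021e071c4b23085e5a2d5c510c9ea825.exe"
TEMP = r"c:\users\admin\appdata\local\temp"

# Constructed records. PIDs 4588/4960 and the paths come from the report;
# explorer.exe (PID 1234) as root parent and the setup.exe case are assumed.
EVENTS = [
    {"EventID": 1, "ProcessId": 4588, "ParentProcessId": 1234,
     "Image": TEMP + "\\" + SAMPLE, "ParentImage": r"c:\windows\explorer.exe"},
    {"EventID": 1, "ProcessId": 4960, "ParentProcessId": 4588,
     "Image": TEMP + r"\2764\2764.exe", "ParentImage": TEMP + "\\" + SAMPLE},
    # The report shows RCX904E.tmp being opened before suuwwwx.dll appears, so a
    # real file-create event may carry the temporary name: key on the directory.
    {"EventID": 11, "ProcessId": 4960, "Image": TEMP + r"\2764\2764.exe",
     "TargetFilename": r"c:\windows\RCX904E.tmp"},
    {"EventID": 11, "ProcessId": 4960, "Image": TEMP + r"\2764\2764.exe",
     "TargetFilename": r"c:\windows\suuwwwx.dll"},
    # Control case (assumed benign installer): runs from Temp but writes only there.
    {"EventID": 1, "ProcessId": 5000, "ParentProcessId": 1234,
     "Image": TEMP + r"\setup.exe", "ParentImage": r"c:\windows\explorer.exe"},
    {"EventID": 11, "ProcessId": 5000, "Image": TEMP + r"\setup.exe",
     "TargetFilename": TEMP + r"\setup\log.txt"},
]


def in_temp(path: str) -> bool:
    return path.lower().startswith(TEMP + "\\")


def in_windows_dir(path: str) -> bool:
    """Under the Windows directory, excluding its Temp subfolder, which installers use freely."""
    p = path.lower()
    return p.startswith("c:\\windows\\") and not p.startswith("c:\\windows\\temp\\")


def detect(events: list) -> list:
    """One alert per process that runs from Temp, was started by a parent also in
    Temp, and creates a file under the Windows directory. Each condition alone is
    common; all three together are the shape of this report's tree."""
    parent_of = {}                 # pid -> (parent pid, parent image)
    image_of = {}                  # pid -> image path
    drops = defaultdict(list)      # pid -> files created under the Windows directory
    for e in events:
        if e["EventID"] == 1:
            parent_of[e["ProcessId"]] = (e["ParentProcessId"], e["ParentImage"])
            image_of[e["ProcessId"]] = e["Image"]
        elif e["EventID"] == 11:
            image_of.setdefault(e["ProcessId"], e["Image"])
            if in_windows_dir(e["TargetFilename"]):
                drops[e["ProcessId"]].append(e["TargetFilename"])
    alerts = []
    for pid, files in drops.items():
        ppid, pimg = parent_of.get(pid, (None, ""))
        if in_temp(image_of[pid]) and in_temp(pimg):
            alerts.append({"rule": "temp-chain-drops-into-windows-dir", "pid": pid,
                           "parent_pid": ppid, "image": image_of[pid], "files": files})
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

The SeDebugPrivilege adjustment and the SetWindowsHookEx calls the report lists have no Sysmon event of their own, so they are left out of the rule rather than guessed at; the file write into C:\Windows is the observable that survives on a real host.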
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\2764\2764.exe
  Filesize: 2.0MB
  MD5: af0ebdcf924b390e8da8cd3bc27dfd2b
  SHA1: 04a0f86d69913a3b212540302481761ea786e734
  SHA256: 8d312e8c8ad98be510c219aff7f069785133cfd6d4723ccf92f88c796581a636
  SHA512: 2b8e42a48d2d196e8e1a6f08a3343029dacd7f63f0c3bf03b3673ab7468bf4819f2c79fdcf71d1e548ba0bd9f7d0223d8e7af2e5473590d7c95154c5a536a86c
-
C:\Users\Admin\AppData\Local\Temp\2764\linkconfig.ini
  Filesize: 7B
  MD5: fb598d01bcb86ec10edf9081c2e5d91a
  SHA1: f46cf8aac7247782c617d3981f08fcb0355ddf71
  SHA256: 64d32254248525b3dae6d529a096126ea9b294b242e43da21cd695ecb0bcb164
  SHA512: a42a26bd5201c30d9ae6a657f929113c3eb6521015652f595d3da798771c6fb6ee3ac80a8c42efaa167746916cf8400c9fc0f1aa1c0ce3fa615a242279205ef6
-
C:\Windows\suuwwwx.dll
  Filesize: 139KB
  MD5: b44ade3e8e161f17f0e2c6942f9165ff
  SHA1: a45fe8a6ebed71b3e30241cf17cf6e67a6d83dcb
  SHA256: 653d6d49ecbb4c0056247efcb4a482725ca26092526a7f8b02a98fb4a66b6edb
  SHA512: 0d13af4e99d37ee34787ebab8a03c7f4bf2041a50ef9bb15454e91605a464a75173f8bb557b3ba7fe6b96020bc4d98c32546e1af059ddbfe06bd5fab056ee2a3
-
memory/4960-132-0x0000000000000000-mapping.dmp
-
memory/4960-138-0x0000000002F90000-0x0000000002FBC000-memory.dmp
  Filesize: 176KB