Analysis
max time kernel: 191s
max time network: 203s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64 arch:x86 image:win10v2004-20221111-en locale:en-us os:windows10-2004-x64 system
submitted: 23-11-2022 08:39
Static task: static1
Behavioral task: behavioral1
Sample: 8bd8aad6f37edcc57c1b6910b13dd46674b3550a9e26ff549bff7c379c4b20f0.exe
Resource: win10v2004-20221111-en
General
Target: 8bd8aad6f37edcc57c1b6910b13dd46674b3550a9e26ff549bff7c379c4b20f0.exe
Size: 655KB
MD5: 2ad02c3e1cb7a5fbbe3d14338d5d5e03
SHA1: e7e5b3996502beae37d681766e58063773b1c385
SHA256: 8bd8aad6f37edcc57c1b6910b13dd46674b3550a9e26ff549bff7c379c4b20f0
SHA512: 19fb2ed1d6f811ad54558453385625614a378aa5cd2dbe464b648abc444d15f3758c74e8301e935b114a105259fe7df2fcc6a8a500e90b14a3f157ef49551c16
SSDEEP: 12288:d4o51BciOj8M4CvPn6QGny7uCc5xo5qEE:ptvMVvPHmc3y
Malware Config
Signatures
Downloads MZ/PE file

Executes dropped EXE (2 IoCs)
Processes (pid / process):
  3724  16.exe
  4184  explorer.exe
YARA matches (resource / yara_rule):
  C:\Users\Admin\AppData\Roaming\explorer\explorer.exe  vmprotect
  C:\Users\Admin\AppData\Roaming\explorer\explorer.exe  vmprotect
  behavioral1/memory/4184-141-0x00007FF68DFA0000-0x00007FF68E835000-memory.dmp  vmprotect
  behavioral1/memory/4184-142-0x00007FF68DFA0000-0x00007FF68E835000-memory.dmp  vmprotect
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes (description / ioc / process):
  Key value queried  \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation  8bd8aad6f37edcc57c1b6910b13dd46674b3550a9e26ff549bff7c379c4b20f0.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes (description / ioc / process):
  Key created  \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows\CurrentVersion\Run  16.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Users\\Admin\\AppData\\Roaming\\explorer\\explorer.exe"  16.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes (pid / process):
  4184  explorer.exe
  4184  explorer.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes (description / pid / process):
  Token: SeDebugPrivilege  1436  8bd8aad6f37edcc57c1b6910b13dd46674b3550a9e26ff549bff7c379c4b20f0.exe
Suspicious use of WriteProcessMemory (8 IoCs)
Processes (description / pid / process / target process):
  PID 1436 wrote to memory of 3724  1436  8bd8aad6f37edcc57c1b6910b13dd46674b3550a9e26ff549bff7c379c4b20f0.exe  16.exe
  PID 1436 wrote to memory of 3724  1436  8bd8aad6f37edcc57c1b6910b13dd46674b3550a9e26ff549bff7c379c4b20f0.exe  16.exe
  PID 1436 wrote to memory of 3724  1436  8bd8aad6f37edcc57c1b6910b13dd46674b3550a9e26ff549bff7c379c4b20f0.exe  16.exe
  PID 3724 wrote to memory of 3652  3724  16.exe  cmd.exe
  PID 3724 wrote to memory of 3652  3724  16.exe  cmd.exe
  PID 3724 wrote to memory of 3652  3724  16.exe  cmd.exe
  PID 3652 wrote to memory of 4184  3652  cmd.exe  explorer.exe
  PID 3652 wrote to memory of 4184  3652  cmd.exe  explorer.exe
Processes (process tree, nested by depth)
1. C:\Users\Admin\AppData\Local\Temp\8bd8aad6f37edcc57c1b6910b13dd46674b3550a9e26ff549bff7c379c4b20f0.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\8bd8aad6f37edcc57c1b6910b13dd46674b3550a9e26ff549bff7c379c4b20f0.exe"
   - Checks computer location settings
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\Temp\16.exe
      command line: "C:\Windows\Temp\16.exe"
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\cmd.exe
         command line: C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Roaming\explorer\explorer.exe
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Roaming\explorer\explorer.exe
            command line: C:\Users\Admin\AppData\Roaming\explorer\explorer.exe
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Roaming\explorer\explorer.exe
  Filesize: 5.2MB
  MD5: dee1568dc4d523e4aff5c7563b26887c
  SHA1: 565a8f3d02746fb203c5a7e2777211bf33cf656b
  SHA256: f7cbf79fce9ca7d06745604a44c6b2541af476cdd8f5853bf1dbf23213eb3d2b
  SHA512: 0e593e23f5cfbf3bf0cc07373bb013911e9c2068cfad8e666c69173afbe29d06a0635dc32dfa6baca153db2e1de25772cccbc5f63d49d19bc4d18b93f7c97ab2
C:\Windows\Temp\16.exe
  Filesize: 115KB
  MD5: 5abe44351d425458a0b1aa5c6a2d007c
  SHA1: 1cf91938b5d6a1d49531d07fc4d0612b4ce18365
  SHA256: 7275527161e158dfeaf9dd744bba65bb9de548616d7f34457c6aa1b4969bacc9
  SHA512: 557b0e9a6cca7a33284a463075b2c5e8198e8e489307fceebd3c43d461b0f3447856325b8aa82c1b62d93328cf435baae9fcee124a9d537fca02be9edad2b291
memory/1436-133-0x0000000000E20000-0x0000000000ECA000-memory.dmp
  Filesize: 680KB
memory/3652-137-0x0000000000000000-mapping.dmp
memory/3724-134-0x0000000000000000-mapping.dmp
memory/4184-138-0x0000000000000000-mapping.dmp
memory/4184-141-0x00007FF68DFA0000-0x00007FF68E835000-memory.dmp
  Filesize: 8.6MB
memory/4184-142-0x00007FF68DFA0000-0x00007FF68E835000-memory.dmp
  Filesize: 8.6MB