Analysis
- max time kernel: 150s
- max time network: 157s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23-11-2022 09:40
Static task: static1
Behavioral task: behavioral1
- Sample: 77d9b9488397ddc323b0e2152ca8f4835a912388ce6c9159b5d2191e5514b2ea.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: 77d9b9488397ddc323b0e2152ca8f4835a912388ce6c9159b5d2191e5514b2ea.exe
- Resource: win10v2004-20220812-en
General
- Target: 77d9b9488397ddc323b0e2152ca8f4835a912388ce6c9159b5d2191e5514b2ea.exe
- Size: 198KB
- MD5: 77e7b6334534a6dd535d67b6a6040bcb
- SHA1: 28449665c68297eddcc526e3fd87f683833ff120
- SHA256: 77d9b9488397ddc323b0e2152ca8f4835a912388ce6c9159b5d2191e5514b2ea
- SHA512: 6040c8b2d2eebc128997c320f7f799ed01c870004c75bf956f196ae14893f1cf9acb56598344b9e8344df72c996a862335692b198ebe0057b1e18d8652a592c5
- SSDEEP: 3072:mAqnm0E32GhNvv3jPXQyZbAZmIqXKWL/kpTozKbhLw5gX70TJQ1uy4vQID:ynmn2GhNX3jfA0IqXKWIToqr7t7Kf
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  Processes (pid / process):
  4956 Skype.exe
  4892 Skype.exe
- Modifies Windows Firewall (1 TTPs, 1 IoCs)
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes (description / ioc / process):
  Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation 77d9b9488397ddc323b0e2152ca8f4835a912388ce6c9159b5d2191e5514b2ea.exe
- Drops startup file (2 IoCs)
  Processes (description / ioc / process):
  File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8e3bc91142bd8d798a10a1667ae4d2be.exe Skype.exe
  File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8e3bc91142bd8d798a10a1667ae4d2be.exe Skype.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description / ioc / process):
  Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\8e3bc91142bd8d798a10a1667ae4d2be = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Skype.exe\" .." Skype.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\8e3bc91142bd8d798a10a1667ae4d2be = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Skype.exe\" .." Skype.exe
- Suspicious use of SetThreadContext (2 IoCs)
  Processes (description / pid / process / target process):
  PID 5116 set thread context of 2528 5116 77d9b9488397ddc323b0e2152ca8f4835a912388ce6c9159b5d2191e5514b2ea.exe 77d9b9488397ddc323b0e2152ca8f4835a912388ce6c9159b5d2191e5514b2ea.exe
  PID 4956 set thread context of 4892 4956 Skype.exe Skype.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (27 IoCs)
  Processes (pid / process):
  4892 Skype.exe (27 occurrences)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes (description / pid / process):
  Token: SeDebugPrivilege 4892 Skype.exe
- Suspicious use of WriteProcessMemory (16 IoCs)
  Processes (description / pid / process / target process):
  PID 5116 wrote to memory of 2528 5116 77d9b9488397ddc323b0e2152ca8f4835a912388ce6c9159b5d2191e5514b2ea.exe 77d9b9488397ddc323b0e2152ca8f4835a912388ce6c9159b5d2191e5514b2ea.exe (5 occurrences)
  PID 2528 wrote to memory of 4956 2528 77d9b9488397ddc323b0e2152ca8f4835a912388ce6c9159b5d2191e5514b2ea.exe Skype.exe (3 occurrences)
  PID 4956 wrote to memory of 4892 4956 Skype.exe Skype.exe (5 occurrences)
  PID 4892 wrote to memory of 764 4892 Skype.exe netsh.exe (3 occurrences)
Processes
1. C:\Users\Admin\AppData\Local\Temp\77d9b9488397ddc323b0e2152ca8f4835a912388ce6c9159b5d2191e5514b2ea.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\77d9b9488397ddc323b0e2152ca8f4835a912388ce6c9159b5d2191e5514b2ea.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\77d9b9488397ddc323b0e2152ca8f4835a912388ce6c9159b5d2191e5514b2ea.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\77d9b9488397ddc323b0e2152ca8f4835a912388ce6c9159b5d2191e5514b2ea.exe
      - Checks computer location settings
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\Skype.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\Skype.exe"
         - Executes dropped EXE
         - Suspicious use of SetThreadContext
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Local\Temp\Skype.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\Skype.exe
            - Executes dropped EXE
            - Drops startup file
            - Adds Run key to start application
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            5. C:\Windows\SysWOW64\netsh.exe
               Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Skype.exe" "Skype.exe" ENABLE
               - Modifies Windows Firewall
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\77d9b9488397ddc323b0e2152ca8f4835a912388ce6c9159b5d2191e5514b2ea.exe.log
  Filesize: 319B
  MD5: 600936e187ce94453648a9245b2b42a5
  SHA1: 3349e5da3f713259244a2cbcb4a9dca777f637ed
  SHA256: 1493eb1dc75a64eb2eb06bc9eb2c864b78fc4a2c674108d5183ac7824013ff2d
  SHA512: d41203f93ed77430dc570e82dc713f09d21942d75d1f9c3c84135421550ac2fa3845b7e46df70d2c57fe97d3a88e43c672771bb8b6433c44584c4e64646c1964
- C:\Users\Admin\AppData\Local\Temp\Skype.exe (dropped copy; hashes identical to the submitted sample)
  Filesize: 198KB
  MD5: 77e7b6334534a6dd535d67b6a6040bcb
  SHA1: 28449665c68297eddcc526e3fd87f683833ff120
  SHA256: 77d9b9488397ddc323b0e2152ca8f4835a912388ce6c9159b5d2191e5514b2ea
  SHA512: 6040c8b2d2eebc128997c320f7f799ed01c870004c75bf956f196ae14893f1cf9acb56598344b9e8344df72c996a862335692b198ebe0057b1e18d8652a592c5
- memory/764-148-0x0000000000000000-mapping.dmp
- memory/2528-142-0x0000000075360000-0x0000000075911000-memory.dmp (Filesize: 5.7MB)
- memory/2528-135-0x0000000000400000-0x0000000000412000-memory.dmp (Filesize: 72KB)
- memory/2528-134-0x0000000000000000-mapping.dmp
- memory/2528-137-0x0000000075360000-0x0000000075911000-memory.dmp (Filesize: 5.7MB)
- memory/4892-143-0x0000000000000000-mapping.dmp
- memory/4892-149-0x0000000075360000-0x0000000075911000-memory.dmp (Filesize: 5.7MB)
- memory/4892-150-0x0000000075360000-0x0000000075911000-memory.dmp (Filesize: 5.7MB)
- memory/4956-138-0x0000000000000000-mapping.dmp
- memory/4956-146-0x0000000075360000-0x0000000075911000-memory.dmp (Filesize: 5.7MB)
- memory/4956-147-0x0000000075360000-0x0000000075911000-memory.dmp (Filesize: 5.7MB)
- memory/5116-133-0x0000000075360000-0x0000000075911000-memory.dmp (Filesize: 5.7MB)
- memory/5116-136-0x0000000075360000-0x0000000075911000-memory.dmp (Filesize: 5.7MB)
- memory/5116-132-0x0000000075360000-0x0000000075911000-memory.dmp (Filesize: 5.7MB)