Analysis
- max time kernel: 147s
- max time network: 179s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23-11-2022 10:48
Static task: static1
Behavioral task: behavioral1
- Sample: 37bbf261819afd6fabb75cb8815d4651e09329ab5cb8fe0b01d376096f195ab6.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: 37bbf261819afd6fabb75cb8815d4651e09329ab5cb8fe0b01d376096f195ab6.exe
- Resource: win10v2004-20221111-en
General
- Target: 37bbf261819afd6fabb75cb8815d4651e09329ab5cb8fe0b01d376096f195ab6.exe
- Size: 30KB
- MD5: 7ed898aa2a8b247f7c7a46d71b125ea8
- SHA1: b4c2625707fa9088ba093be8ce433454171cbec6
- SHA256: 37bbf261819afd6fabb75cb8815d4651e09329ab5cb8fe0b01d376096f195ab6
- SHA512: 8c7fc56be39bcbf9c4b8267ee184237a7ce753fc0f7b6525eb11cf6733ea9bcdf3c021a37ba648e4c50a1404a6ea8e7b69cf82ae9c78cce9b089303501968fd5
- SSDEEP: 384:8Ya0V/Sfz6O1gSrFhJmhAEEthzTm7Gk3p35G2A3ISV4GWWL7Uepc:8Y5Vu9x6hrCzTmj5G2/2WWLgee
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  Processes:
    pid 5004  xwjfk.exe
    pid 3412  xwjfk.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    37bbf261819afd6fabb75cb8815d4651e09329ab5cb8fe0b01d376096f195ab6.exe queried key value \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation
- Suspicious use of SetThreadContext (2 IoCs)
  Processes (pid, target process):
    PID 3736 set thread context of 2480: 37bbf261819afd6fabb75cb8815d4651e09329ab5cb8fe0b01d376096f195ab6.exe -> 37bbf261819afd6fabb75cb8815d4651e09329ab5cb8fe0b01d376096f195ab6.exe
    PID 5004 set thread context of 3412: xwjfk.exe -> xwjfk.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (17 IoCs)
  Processes (pid, target process):
    PID 3736 wrote to memory of 2480 (7 times): 37bbf261819afd6fabb75cb8815d4651e09329ab5cb8fe0b01d376096f195ab6.exe -> 37bbf261819afd6fabb75cb8815d4651e09329ab5cb8fe0b01d376096f195ab6.exe
    PID 2480 wrote to memory of 5004 (3 times): 37bbf261819afd6fabb75cb8815d4651e09329ab5cb8fe0b01d376096f195ab6.exe -> xwjfk.exe
    PID 5004 wrote to memory of 3412 (7 times): xwjfk.exe -> xwjfk.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\37bbf261819afd6fabb75cb8815d4651e09329ab5cb8fe0b01d376096f195ab6.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\37bbf261819afd6fabb75cb8815d4651e09329ab5cb8fe0b01d376096f195ab6.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\37bbf261819afd6fabb75cb8815d4651e09329ab5cb8fe0b01d376096f195ab6.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\37bbf261819afd6fabb75cb8815d4651e09329ab5cb8fe0b01d376096f195ab6.exe"
      - Checks computer location settings
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\xwjfk.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\xwjfk.exe"
         - Executes dropped EXE
         - Suspicious use of SetThreadContext
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Local\Temp\xwjfk.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\xwjfk.exe"
            - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\xwjfk.exe
  Filesize: 30KB
  MD5: bc33e98b4a98334fc8d9620e513535b6
  SHA1: 26fa7ad57c3cdd688df5fa4ffea404e6b623ce6c
  SHA256: 66731adf5a629167c2fc7781c086f27bd4a25788e2cfcdb7c69e36868f2397ca
  SHA512: ea7e47e7d99ad6434014e274d8907dce921b1bb58de95feb2f201a43b6e5c8f2d30b066fec7cfec187621aa47e62500a4fb34511b749f847ff6e8804795495e8
- memory/2480-134-0x0000000000000000-mapping.dmp
- memory/2480-135-0x0000000000400000-0x0000000000403000-memory.dmp (Filesize: 12KB)
- memory/2480-137-0x0000000000400000-0x0000000000403000-memory.dmp (Filesize: 12KB)
- memory/3412-142-0x0000000000000000-mapping.dmp
- memory/3412-146-0x0000000000400000-0x0000000000403000-memory.dmp (Filesize: 12KB)
- memory/3736-138-0x0000000000400000-0x000000000040B000-memory.dmp (Filesize: 44KB)
- memory/3736-132-0x0000000000400000-0x000000000040B000-memory.dmp (Filesize: 44KB)
- memory/3736-133-0x0000000000400000-0x000000000040B000-memory.dmp (Filesize: 44KB)
- memory/5004-139-0x0000000000000000-mapping.dmp
- memory/5004-147-0x0000000000400000-0x000000000040B000-memory.dmp (Filesize: 44KB)