Analysis
-
max time kernel
298s -
max time network
342s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system -
submitted
23-11-2022 13:21
Static task
static1
Behavioral task
behavioral1
Sample
b1edde38cdde5a77410a3b1286f4e4de9f23e8c85661e27131a912f0c63fcd51.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
b1edde38cdde5a77410a3b1286f4e4de9f23e8c85661e27131a912f0c63fcd51.exe
Resource
win10v2004-20221111-en
General
-
Target
b1edde38cdde5a77410a3b1286f4e4de9f23e8c85661e27131a912f0c63fcd51.exe
-
Size
339KB
-
MD5
6f2079524dfbcc1873b236623bf54332
-
SHA1
81d9fa986239d2cddb88b0171ef8cc310636a92a
-
SHA256
b1edde38cdde5a77410a3b1286f4e4de9f23e8c85661e27131a912f0c63fcd51
-
SHA512
281d5f300c68947b506c4041341e8a5823caf66233d2aec2d026e73dce26edaf0c485b506f1fb6f31665d641df6632ee867ff0d4e095dc548d46d439ba6597f4
-
SSDEEP
6144:L2gD4gPNYTcl6bWq0o5ACUJVymf7ouQo97HAXvc1GZ/9ctltCc/+EvFkywdg:ggEbWfoSCUqcao97gXvc1ylItCc/+EQ
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
PID   Process
1492  b1edde38cdde5a77410a3b1286f4e4de9f23e8c85661e27131a912f0c63fcd51.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
Description        IOC                                                                                                   Process
Key value queried  \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation  b1edde38cdde5a77410a3b1286f4e4de9f23e8c85661e27131a912f0c63fcd51.exe
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
Description      IOC                                                                                                                                                                             Process
Set value (str)  \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Word = "C:\Users\Admin\AppData\Roaming\Microsoft Word\Svchost.exe"  b1edde38cdde5a77410a3b1286f4e4de9f23e8c85661e27131a912f0c63fcd51.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Word = "\Microsoft Word\Svchost.exe"                                  b1edde38cdde5a77410a3b1286f4e4de9f23e8c85661e27131a912f0c63fcd51.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox tags this as likely ransomware behaviour, but drive enumeration is generic, and this report records no file encryption, ransom note or shadow-copy deletion, so treat the tag as a weak signal on its own.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
Description              PID   Process
Token: SeDebugPrivilege  4032  b1edde38cdde5a77410a3b1286f4e4de9f23e8c85661e27131a912f0c63fcd51.exe
Token: SeDebugPrivilege  1492  b1edde38cdde5a77410a3b1286f4e4de9f23e8c85661e27131a912f0c63fcd51.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
PID   Process
1492  b1edde38cdde5a77410a3b1286f4e4de9f23e8c85661e27131a912f0c63fcd51.exe
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
Source PID  Source process                                                         Target PID  Target process                                                         Writes
4032        b1edde38cdde5a77410a3b1286f4e4de9f23e8c85661e27131a912f0c63fcd51.exe  1492        b1edde38cdde5a77410a3b1286f4e4de9f23e8c85661e27131a912f0c63fcd51.exe  3
4032        b1edde38cdde5a77410a3b1286f4e4de9f23e8c85661e27131a912f0c63fcd51.exe  2612        cmd.exe                                                                3
2612        cmd.exe                                                                2396        PING.EXE                                                               3
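The Run value above is the persistence to hunt for: a value named "Word" pointing at Svchost.exe under the user's Roaming profile, i.e. a system-binary name used outside System32, written twice (the second time as a non-absolute path). Note that the report records no file being written to that path; only the Run value is seen. As an added example, not part of this report or the sample, here is Python triage logic that parses rows in the report's own "Set value (str) ... = "..."" format and scores each Run entry on three checks: absolute drive path or not, location under a user-writable directory, and a well-known system binary name outside System32/SysWOW64. The two malicious rows are copied from the report; the OneDrive and SecurityHealth rows are constructed to show a noisy hit and a clean one.

```python
from __future__ import annotations

import ntpath
import re
from dataclasses import dataclass, field

# Windows binaries whose names are routinely borrowed for masquerading.
# Hypothetical starter list for this example, not an authoritative set.
SYSTEM_BINARY_NAMES = {
    "svchost.exe", "csrss.exe", "lsass.exe", "winlogon.exe",
    "services.exe", "explorer.exe", "rundll32.exe", "dllhost.exe",
}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")

# Matches the sandbox report's rows: Set value (str) \REGISTRY\...\CurrentVersion\Run\<name> = "<data>"
RUN_VALUE_RE = re.compile(
    r'Set value \(str\) \\REGISTRY\\(?:USER|MACHINE)\\\S*?'
    r'\\CurrentVersion\\(?P<key>Run(?:Once)?)\\(?P<name>[^\s=]+) = "(?P<data>[^"]*)"'
)


@dataclass
class RunKeyFinding:
    key: str
    value_name: str
    image: str
    reasons: list = field(default_factory=list)

    @property
    def severity(self) -> str:
        if any("masquerad" in r for r in self.reasons):
            return "high"
        return "medium" if self.reasons else "low"


def image_from_data(data: str) -> str:
    """Pull the executable path out of a Run value (drops quotes and arguments)."""
    data = data.replace("\\\\", "\\").strip()  # the report escapes backslashes
    m = re.match(r'"?(?P<img>.*?\.exe)', data, re.IGNORECASE)
    return m.group("img") if m else data.strip('"')


def triage_run_value(key: str, value_name: str, data: str) -> RunKeyFinding:
    image = image_from_data(data)
    low = image.lower()
    reasons = []
    if not re.match(r"[a-z]:\\", low):
        reasons.append("not an absolute drive path; where it resolves depends on the loader's working directory and PATH")
    if any(marker in low for marker in USER_WRITABLE_MARKERS):
        reasons.append("image is under a user-writable directory")
    base = ntpath.basename(low)
    if base in SYSTEM_BINARY_NAMES and not low.startswith(SYSTEM_DIRS):
        reasons.append(f"system binary name {base} used outside System32/SysWOW64 (masquerading)")
    return RunKeyFinding(key, value_name, image, reasons)


def triage_report(text: str) -> list[RunKeyFinding]:
    """Score every Run/RunOnce 'Set value' row found in a report excerpt."""
    return [triage_run_value(m["key"], m["name"], m["data"]) for m in RUN_VALUE_RE.finditer(text)]


# Constructed input: rows 1-2 copied from the report, rows 3-4 invented for contrast.
SAMPLE = r'''
Set value (str) \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Word = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft Word\\Svchost.exe" b1edde38cdde5a77410a3b1286f4e4de9f23e8c85661e27131a912f0c63fcd51.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Word = "\\Microsoft Word\\Svchost.exe" b1edde38cdde5a77410a3b1286f4e4de9f23e8c85661e27131a912f0c63fcd51.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background" OneDriveSetup.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth = "C:\\Windows\\system32\\SecurityHealthSystray.exe" msiexec.exe
'''

if __name__ == "__main__":
    for f in triage_report(SAMPLE):
        print(f"[{f.severity:6}] {f.key}\\{f.value_name} -> {f.image}")
        for r in f.reasons:
            print(f"          {r}")
```

The user-writable check alone is noisy (legitimate OneDrive installs live under AppData\Local), which is why it only reaches "medium"; the system-binary-name-outside-System32 check is the signal that makes this sample's entry "high" regardless of where the file sits.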
Processes
-
C:\Users\Admin\AppData\Local\Temp\b1edde38cdde5a77410a3b1286f4e4de9f23e8c85661e27131a912f0c63fcd51.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\b1edde38cdde5a77410a3b1286f4e4de9f23e8c85661e27131a912f0c63fcd51.exe"
PID: 4032
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\b1edde38cdde5a77410a3b1286f4e4de9f23e8c85661e27131a912f0c63fcd51\b1edde38cdde5a77410a3b1286f4e4de9f23e8c85661e27131a912f0c63fcd51.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\b1edde38cdde5a77410a3b1286f4e4de9f23e8c85661e27131a912f0c63fcd51\b1edde38cdde5a77410a3b1286f4e4de9f23e8c85661e27131a912f0c63fcd51.exe"
    PID: 1492
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\b1edde38cdde5a77410a3b1286f4e4de9f23e8c85661e27131a912f0c63fcd51.exe"
    PID: 2612
    - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\PING.EXE
        Command line: ping 1.1.1.1 -n 1 -w 1000
        PID: 2396
        - Runs ping.exe
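The cmd.exe child of PID 4032 is the classic delay-then-delete chain: one ping to a public address with -n 1 -w 1000 acts as a roughly one-second sleep so the parent has exited before Del removes its own image from Temp. (The image is SysWOW64\cmd.exe although the command line names System32\cmd.exe: the parent is 32-bit, so file-system redirection applies.) The single ICMP echo to 1.1.1.1 is also the only network indicator in the tree. As an added example, not part of this report or the sample, here is Python detection logic run over constructed process-creation events modelled on this tree: the image paths, command lines and PIDs 4032/2612/2396 come from the report, while the parent PID 1234, the installer at PID 4100 and its two cmd.exe children are invented to show that the same idiom used for ordinary temp-file cleanup is distinguished from true self-deletion (deleted path equals the parent's image).

```python
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation event, the fields Sysmon Event ID 1 would give you."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# "cmd /c" or "cmd /k" anywhere in the command line (quoted or bare image).
CMD_RE = re.compile(r'\bcmd(?:\.exe)?"?\s+/[ck]\b', re.IGNORECASE)
# Sleep substitutes droppers use: ping -n N, timeout N, choice /t N.
DELAY_RE = re.compile(
    r'\b(?:ping(?:\.exe)?\s+\S+\s+-n\s+\d+|timeout(?:\.exe)?\s+(?:/t\s+)?\d+|choice\s+/t\s+\d+)',
    re.IGNORECASE,
)
# del/erase with optional switches and an optionally quoted path, ending at '&' or end of line.
DEL_RE = re.compile(r'\b(?:del|erase)\s+(?:/[a-z]\s+)*"?(?P<path>[^"&]+?)"?\s*(?:&|$)', re.IGNORECASE)


def find_delayed_delete(cmdline: str) -> str | None:
    """Return the path a 'cmd /c <delay> & del <path>' chain deletes, or None."""
    if not CMD_RE.search(cmdline) or not DELAY_RE.search(cmdline):
        return None
    m = DEL_RE.search(cmdline)
    return m.group("path").strip() if m else None


def detect_self_delete(events: list[ProcEvent]) -> list[dict]:
    """Flag delay-then-delete chains; mark those whose target is the parent's own image."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        target = find_delayed_delete(e.cmdline)
        if target is None:
            continue
        parent = by_pid.get(e.ppid)  # with Sysmon you would read ParentImage directly
        hits.append({
            "pid": e.pid,
            "target": target,
            "parent_image": parent.image if parent else None,
            "self_delete": parent is not None and parent.image.lower() == target.lower(),
        })
    return hits


SAMPLE_EXE = r"C:\Users\Admin\AppData\Local\Temp\b1edde38cdde5a77410a3b1286f4e4de9f23e8c85661e27131a912f0c63fcd51.exe"

# Constructed events: the first three mirror the report's tree, the rest are invented.
SAMPLE_EVENTS = [
    ProcEvent(4032, 1234, SAMPLE_EXE, f'"{SAMPLE_EXE}"'),
    ProcEvent(2612, 4032, r"C:\Windows\SysWOW64\cmd.exe",
              f'"C:\\Windows\\System32\\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "{SAMPLE_EXE}"'),
    ProcEvent(2396, 2612, r"C:\Windows\SysWOW64\PING.EXE", "ping 1.1.1.1 -n 1 -w 1000"),
    # Hypothetical installer that uses the same idiom to remove a temp file, not itself.
    ProcEvent(4100, 1234, r"C:\Users\Admin\Downloads\installer.exe", '"C:\\Users\\Admin\\Downloads\\installer.exe"'),
    ProcEvent(5001, 4100, r"C:\Windows\System32\cmd.exe",
              r"cmd.exe /c timeout 3 & del C:\Users\Admin\AppData\Local\Temp\setup_cleanup.tmp"),
    # Delay with no delete: a plain connectivity check, not flagged.
    ProcEvent(5002, 4100, r"C:\Windows\System32\cmd.exe", "cmd.exe /c ping 8.8.8.8 -n 2 > nul"),
]

if __name__ == "__main__":
    for hit in detect_self_delete(SAMPLE_EVENTS):
        kind = "SELF-DELETE" if hit["self_delete"] else "delayed delete"
        print(f"pid {hit['pid']}: {kind} of {hit['target']} (parent {hit['parent_image']})")
```

Matching the deleted path against the parent image is what keeps this rule useful: installers and updaters use ping/timeout-then-del for cleanup all the time, but a process arranging for its own executable to disappear after it exits is rarely legitimate.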
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\b1edde38cdde5a77410a3b1286f4e4de9f23e8c85661e27131a912f0c63fcd51\b1edde38cdde5a77410a3b1286f4e4de9f23e8c85661e27131a912f0c63fcd51.exe
Filesize: 339KB
MD5: 6f2079524dfbcc1873b236623bf54332
SHA1: 81d9fa986239d2cddb88b0171ef8cc310636a92a
SHA256: b1edde38cdde5a77410a3b1286f4e4de9f23e8c85661e27131a912f0c63fcd51
SHA512: 281d5f300c68947b506c4041341e8a5823caf66233d2aec2d026e73dce26edaf0c485b506f1fb6f31665d641df6632ee867ff0d4e095dc548d46d439ba6597f4