Analysis
-
max time kernel
172s -
max time network
179s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system -
submitted
23-11-2022 13:32
Static task
static1
Behavioral task
behavioral1
Sample
9f2d996a11c560cb4a56eb6435d6539d316aa10119c60b755af8d109599d6526.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
9f2d996a11c560cb4a56eb6435d6539d316aa10119c60b755af8d109599d6526.exe
Resource
win10v2004-20220812-en
General
-
Target
9f2d996a11c560cb4a56eb6435d6539d316aa10119c60b755af8d109599d6526.exe
-
Size
105KB
-
MD5
c8dad4b41bc2d2f8e2fd058b38bbe090
-
SHA1
b5d478deda21b38306c19ee4bae72a9d10fb36f0
-
SHA256
9f2d996a11c560cb4a56eb6435d6539d316aa10119c60b755af8d109599d6526
-
SHA512
4470d8578afe0ba50acd22b9c3394a1266b1044ab4987558aa96c427f93d84c645c29c784ef83463e6be4d25cb3758f80259f8cc37ccafb3e7fc43fb569d2f59
-
SSDEEP
1536:HYoqYhNhO2WTHdWvI/2GVI8RgjPxJfqAxG8Q6M1q8B0vFhzeGmuvm72a:kmNQhT9WvIxIegrHxG1Jut1eGmu5
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
pid | process
4084 | Chrome.exe
-
Modifies Windows Firewall 1 TTPs 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | 9f2d996a11c560cb4a56eb6435d6539d316aa10119c60b755af8d109599d6526.exe
-
Drops startup file 2 IoCs
Processes:
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e79d569ba77562f0d4316e586835f0a2.exe | Chrome.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e79d569ba77562f0d4316e586835f0a2.exe | Chrome.exe
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\e79d569ba77562f0d4316e586835f0a2 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Chrome.exe\" .." | Chrome.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\e79d569ba77562f0d4316e586835f0a2 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Chrome.exe\" .." | Chrome.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 25 IoCs
Processes:
pid | process
4084 | Chrome.exe (repeated 25 times)
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 4084 | Chrome.exe
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
description | pid | process | target process
PID 4512 wrote to memory of 4084 | 4512 | 9f2d996a11c560cb4a56eb6435d6539d316aa10119c60b755af8d109599d6526.exe | Chrome.exe
PID 4512 wrote to memory of 4084 | 4512 | 9f2d996a11c560cb4a56eb6435d6539d316aa10119c60b755af8d109599d6526.exe | Chrome.exe
PID 4512 wrote to memory of 4084 | 4512 | 9f2d996a11c560cb4a56eb6435d6539d316aa10119c60b755af8d109599d6526.exe | Chrome.exe
PID 4084 wrote to memory of 4136 | 4084 | Chrome.exe | netsh.exe
PID 4084 wrote to memory of 4136 | 4084 | Chrome.exe | netsh.exe
PID 4084 wrote to memory of 4136 | 4084 | Chrome.exe | netsh.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\9f2d996a11c560cb4a56eb6435d6539d316aa10119c60b755af8d109599d6526.exe
"C:\Users\Admin\AppData\Local\Temp\9f2d996a11c560cb4a56eb6435d6539d316aa10119c60b755af8d109599d6526.exe"
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4512
-
    C:\Users\Admin\AppData\Local\Temp\Chrome.exe
    "C:\Users\Admin\AppData\Local\Temp\Chrome.exe"
    - Executes dropped EXE
    - Drops startup file
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4084
    -
        C:\Windows\SysWOW64\netsh.exe
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Chrome.exe" "Chrome.exe" ENABLE
        - Modifies Windows Firewall
        PID:4136
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\Chrome.exe
Filesize
105KB
MD5
c8dad4b41bc2d2f8e2fd058b38bbe090
SHA1
b5d478deda21b38306c19ee4bae72a9d10fb36f0
SHA256
9f2d996a11c560cb4a56eb6435d6539d316aa10119c60b755af8d109599d6526
SHA512
4470d8578afe0ba50acd22b9c3394a1266b1044ab4987558aa96c427f93d84c645c29c784ef83463e6be4d25cb3758f80259f8cc37ccafb3e7fc43fb569d2f59
-
memory/4084-133-0x0000000000000000-mapping.dmp
-
memory/4084-138-0x0000000074B10000-0x00000000750C1000-memory.dmp
Filesize
5.7MB
-
memory/4084-139-0x0000000074B10000-0x00000000750C1000-memory.dmp
Filesize
5.7MB
-
memory/4136-137-0x0000000000000000-mapping.dmp
-
memory/4512-132-0x0000000074B10000-0x00000000750C1000-memory.dmp
Filesize
5.7MB
-
memory/4512-136-0x0000000074B10000-0x00000000750C1000-memory.dmp
Filesize
5.7MB