Analysis
- max time kernel: 150s
- max time network: 167s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23-11-2022 14:43
- Static task: static1
- Behavioral task: behavioral1
  Sample: 294f637d99b530ddd55695287d944ef2335d52232cc364d2ff1bb837e48fd780.exe
  Resource: win7-20220812-en
- Behavioral task: behavioral2
  Sample: 294f637d99b530ddd55695287d944ef2335d52232cc364d2ff1bb837e48fd780.exe
  Resource: win10v2004-20220812-en
General
- Target: 294f637d99b530ddd55695287d944ef2335d52232cc364d2ff1bb837e48fd780.exe
- Size: 120KB
- MD5: 78be10af1c9afa25c91950f3dd178ab4
- SHA1: 56f565846b5eb77e7edc1473f0b8113b958a5c8f
- SHA256: 294f637d99b530ddd55695287d944ef2335d52232cc364d2ff1bb837e48fd780
- SHA512: 1be263f9629ed8f46ff54ec600780d9cc25086ab2dddfff4d28909eb7fab8e84b5e89ea7b1322303f4f202fd448f2a065067fc7265a0678a27a6f599fe40dd1c
- SSDEEP: 3072:FrGsyN4JR+uvNs1z2ty21H3rZYi91DbVNKv9D:FYOys3rCinDZw
Malware Config
Signatures
- UAC bypass
Processes:
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | 294f637d99b530ddd55695287d944ef2335d52232cc364d2ff1bb837e48fd780.exe
- Executes dropped EXE (1 IoC)
Processes:
  pid | process
  4724 | nroriypi.exe
- Modifies Windows Firewall (1 TTP, 2 IoCs)
- Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | nroriypi.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | 294f637d99b530ddd55695287d944ef2335d52232cc364d2ff1bb837e48fd780.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nroriypi = "C:\\ProgramData\\e015724145fa328f840ff71950e4e97e\\nroriypi.exe" | 294f637d99b530ddd55695287d944ef2335d52232cc364d2ff1bb837e48fd780.exe
- Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow | ioc
  7 | bot.whatismyipaddress.com
- Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies registry class (1 IoC)
Processes:
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings | nroriypi.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
  pid | process
  4972 | 294f637d99b530ddd55695287d944ef2335d52232cc364d2ff1bb837e48fd780.exe
  4724 | nroriypi.exe
- Suspicious use of AdjustPrivilegeToken (6 IoCs)
Processes:
  description | pid | process
  Token: SeDebugPrivilege | 4972 | 294f637d99b530ddd55695287d944ef2335d52232cc364d2ff1bb837e48fd780.exe
  Token: SeDebugPrivilege | 4972 | 294f637d99b530ddd55695287d944ef2335d52232cc364d2ff1bb837e48fd780.exe
  Token: SeDebugPrivilege | 4972 | 294f637d99b530ddd55695287d944ef2335d52232cc364d2ff1bb837e48fd780.exe
  Token: SeDebugPrivilege | 4724 | nroriypi.exe
  Token: SeDebugPrivilege | 4724 | nroriypi.exe
  Token: SeDebugPrivilege | 4724 | nroriypi.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
  description | pid | process | target process
  PID 4972 wrote to memory of 1244 | 4972 | 294f637d99b530ddd55695287d944ef2335d52232cc364d2ff1bb837e48fd780.exe | netsh.exe
  PID 4972 wrote to memory of 1244 | 4972 | 294f637d99b530ddd55695287d944ef2335d52232cc364d2ff1bb837e48fd780.exe | netsh.exe
  PID 4972 wrote to memory of 1244 | 4972 | 294f637d99b530ddd55695287d944ef2335d52232cc364d2ff1bb837e48fd780.exe | netsh.exe
  PID 4972 wrote to memory of 4724 | 4972 | 294f637d99b530ddd55695287d944ef2335d52232cc364d2ff1bb837e48fd780.exe | nroriypi.exe
  PID 4972 wrote to memory of 4724 | 4972 | 294f637d99b530ddd55695287d944ef2335d52232cc364d2ff1bb837e48fd780.exe | nroriypi.exe
  PID 4972 wrote to memory of 4724 | 4972 | 294f637d99b530ddd55695287d944ef2335d52232cc364d2ff1bb837e48fd780.exe | nroriypi.exe
  PID 4724 wrote to memory of 840 | 4724 | nroriypi.exe | netsh.exe
  PID 4724 wrote to memory of 840 | 4724 | nroriypi.exe | netsh.exe
  PID 4724 wrote to memory of 840 | 4724 | nroriypi.exe | netsh.exe
  PID 4724 wrote to memory of 3696 | 4724 | nroriypi.exe | WScript.exe
  PID 4724 wrote to memory of 3696 | 4724 | nroriypi.exe | WScript.exe
  PID 4724 wrote to memory of 3696 | 4724 | nroriypi.exe | WScript.exe
- System policy modification (1 TTP, 2 IoCs)
Processes:
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | 294f637d99b530ddd55695287d944ef2335d52232cc364d2ff1bb837e48fd780.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | 294f637d99b530ddd55695287d944ef2335d52232cc364d2ff1bb837e48fd780.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\294f637d99b530ddd55695287d944ef2335d52232cc364d2ff1bb837e48fd780.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\294f637d99b530ddd55695287d944ef2335d52232cc364d2ff1bb837e48fd780.exe"
  Signatures:
    - UAC bypass
    - Checks computer location settings
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
  - C:\Windows\SysWOW64\netsh.exe (depth 2)
    Command line: "C:\Windows\System32\netsh.exe" Firewall set opmode disable
    Signatures:
      - Modifies Windows Firewall
  - C:\ProgramData\e015724145fa328f840ff71950e4e97e\nroriypi.exe (depth 2)
    Command line: "C:\ProgramData\e015724145fa328f840ff71950e4e97e\nroriypi.exe"
    Signatures:
      - Executes dropped EXE
      - Checks computer location settings
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\netsh.exe (depth 3)
      Command line: "C:\Windows\System32\netsh.exe" Firewall set opmode disable
      Signatures:
        - Modifies Windows Firewall
    - C:\Windows\SysWOW64\WScript.exe (depth 3)
      Command line: "C:\Windows\System32\WScript.exe" "C:\ProgramData\RTniJem.vbs"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\ProgramData\.{7e16feb9-fead-31b3-a3bc-d6c2a2e1225e}\7e16feb9fead31b3a3bcd6c2a2e1225e
  Filesize: 43B
  MD5: 36d65575f9e792728a576cae10bbcb9a
  SHA1: 38a536a82b917c5385f591571607621634a98f78
  SHA256: b38ba3d68f6cb1a1225b8340b95b7cb7149751bc8b25bccb027a1bf9a4c6e9f2
  SHA512: 9a66bb317761bfa397114ae91185283a598195764383f40f237badf3164da2e322e2fcc50054162d08022de9efd2538eb7401f1304328b9bf2aa6ebfe049da96
- C:\ProgramData\RTniJem.vbs
  Filesize: 683B
  MD5: 8efdca52a498590db577444ccd4d03d8
  SHA1: 59869a04b105fceae7d658af545e88d43ba3d1d9
  SHA256: 1090ac8cbee148bca2839995d189775629acd9e0fa3daeda79c7a1062a7a2b51
  SHA512: 36d38f15e8877e8231d71f8482d5461c6a9059d33149b9e7b42cef949498d4f201eb9f5b32d67e9ad6b09ab5b82f09e063f3fec4e94810f441672123be1962f5
- C:\ProgramData\e015724145fa328f840ff71950e4e97e\nroriypi.exe
  Filesize: 120KB
  MD5: 78be10af1c9afa25c91950f3dd178ab4
  SHA1: 56f565846b5eb77e7edc1473f0b8113b958a5c8f
  SHA256: 294f637d99b530ddd55695287d944ef2335d52232cc364d2ff1bb837e48fd780
  SHA512: 1be263f9629ed8f46ff54ec600780d9cc25086ab2dddfff4d28909eb7fab8e84b5e89ea7b1322303f4f202fd448f2a065067fc7265a0678a27a6f599fe40dd1c
- C:\ProgramData\e015724145fa328f840ff71950e4e97e\nroriypi.exe
  Filesize: 120KB
  MD5: 78be10af1c9afa25c91950f3dd178ab4
  SHA1: 56f565846b5eb77e7edc1473f0b8113b958a5c8f
  SHA256: 294f637d99b530ddd55695287d944ef2335d52232cc364d2ff1bb837e48fd780
  SHA512: 1be263f9629ed8f46ff54ec600780d9cc25086ab2dddfff4d28909eb7fab8e84b5e89ea7b1322303f4f202fd448f2a065067fc7265a0678a27a6f599fe40dd1c
- memory/840-139-0x0000000000000000-mapping.dmp
- memory/1244-133-0x0000000000000000-mapping.dmp
- memory/3696-141-0x0000000000000000-mapping.dmp
- memory/4724-134-0x0000000000000000-mapping.dmp
- memory/4724-140-0x00000000745F0000-0x0000000074BA1000-memory.dmp
  Filesize: 5.7MB
- memory/4724-143-0x00000000745F0000-0x0000000074BA1000-memory.dmp
  Filesize: 5.7MB
- memory/4972-132-0x00000000745F0000-0x0000000074BA1000-memory.dmp
  Filesize: 5.7MB
- memory/4972-138-0x00000000745F0000-0x0000000074BA1000-memory.dmp
  Filesize: 5.7MB