Analysis
max time kernel: 303s
max time network: 378s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23-11-2022 14:30
Static task: static1
Behavioral task: behavioral1
  Sample: 402d6e68600b71eadd5fde2239363287962525935c0639f0a149bf6a9e04945c.exe
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: 402d6e68600b71eadd5fde2239363287962525935c0639f0a149bf6a9e04945c.exe
  Resource: win10v2004-20221111-en
General
Target: 402d6e68600b71eadd5fde2239363287962525935c0639f0a149bf6a9e04945c.exe
Size: 271KB
MD5: c238b0d3cdd6ca72003e01b29bf3ddf7
SHA1: 26ebb8833981cadd288f579fc0a75d24a9faecaf
SHA256: 402d6e68600b71eadd5fde2239363287962525935c0639f0a149bf6a9e04945c
SHA512: d406a5bf8c19d7b82c9610639254fc40a224156c81e9fee2de34af9731648436291a8cb3b1769706b58d0744e23b30cf1b156214380ad177b67bccece4a5246d
SSDEEP: 6144:ErL9IN25Y5iBsxchLMQq3BdqpIfnquBIK2l/3Hctlff:EL9IkUms6FnqRiuSl/XIff
Malware Config
Signatures
Executes dropped EXE (1 IoC)
Processes:
  PID 364  402d6e68600b71eadd5fde2239363287962525935c0639f0a149bf6a9e04945c.exe (the copy started from the Temp subfolder)
Checks computer location settings (2 TTPs, 1 IoC)
Reads the country code configured for the current user (\REGISTRY\USER\<SID>\Control Panel\International\Geo\Nation, i.e. HKCU\Control Panel\International\Geo\Nation). This value is commonly read to geofence execution; the report records only the read, not what the sample does with the result.
Processes:
  Key value queried: \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation
  by 402d6e68600b71eadd5fde2239363287962525935c0639f0a149bf6a9e04945c.exe
Enumerates physical storage devices (1 TTP, no IoC attached)
Attempts to interact with connected storage/optical drive(s). The sandbox tags this as likely ransomware behaviour, but that is a generic heuristic: no file encryption, bulk file modification or ransom note is recorded anywhere else in this report, so treat the ransomware label as unconfirmed.
Suspicious behavior: EnumeratesProcesses (1 IoC)
Processes:
  PID 364  402d6e68600b71eadd5fde2239363287962525935c0639f0a149bf6a9e04945c.exe
Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
  Token: SeDebugPrivilege  PID 2656  402d6e68600b71eadd5fde2239363287962525935c0639f0a149bf6a9e04945c.exe
  Token: SeDebugPrivilege  PID 364   402d6e68600b71eadd5fde2239363287962525935c0639f0a149bf6a9e04945c.exe
  Token: SeDebugPrivilege  PID 364   402d6e68600b71eadd5fde2239363287962525935c0639f0a149bf6a9e04945c.exe
Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
  PID 2656 wrote to memory of PID 364   402d6e68600b71eadd5fde2239363287962525935c0639f0a149bf6a9e04945c.exe -> 402d6e68600b71eadd5fde2239363287962525935c0639f0a149bf6a9e04945c.exe
  PID 2656 wrote to memory of PID 364   402d6e68600b71eadd5fde2239363287962525935c0639f0a149bf6a9e04945c.exe -> 402d6e68600b71eadd5fde2239363287962525935c0639f0a149bf6a9e04945c.exe
  PID 2656 wrote to memory of PID 364   402d6e68600b71eadd5fde2239363287962525935c0639f0a149bf6a9e04945c.exe -> 402d6e68600b71eadd5fde2239363287962525935c0639f0a149bf6a9e04945c.exe
  PID 2656 wrote to memory of PID 5092  402d6e68600b71eadd5fde2239363287962525935c0639f0a149bf6a9e04945c.exe -> cmd.exe
  PID 2656 wrote to memory of PID 5092  402d6e68600b71eadd5fde2239363287962525935c0639f0a149bf6a9e04945c.exe -> cmd.exe
  PID 2656 wrote to memory of PID 5092  402d6e68600b71eadd5fde2239363287962525935c0639f0a149bf6a9e04945c.exe -> cmd.exe
All six writes target processes that PID 2656 had just created itself (364 and 5092). A parent writes into a new child's address space as part of ordinary process start-up, so this signature on its own does not show injection into a pre-existing process; none is recorded in this report.
Processes

C:\Users\Admin\AppData\Local\Temp\402d6e68600b71eadd5fde2239363287962525935c0639f0a149bf6a9e04945c.exe  (PID 2656, the submitted sample)
  command line: "C:\Users\Admin\AppData\Local\Temp\402d6e68600b71eadd5fde2239363287962525935c0639f0a149bf6a9e04945c.exe"
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  |
  +-- C:\Users\Admin\AppData\Local\Temp\402d6e68600b71eadd5fde2239363287962525935c0639f0a149bf6a9e04945c\402d6e68600b71eadd5fde2239363287962525935c0639f0a149bf6a9e04945c.exe  (PID 364, copy of the sample with identical hashes)
  |     command line: "C:\Users\Admin\AppData\Local\Temp\402d6e68600b71eadd5fde2239363287962525935c0639f0a149bf6a9e04945c\402d6e68600b71eadd5fde2239363287962525935c0639f0a149bf6a9e04945c.exe"
  |     - Executes dropped EXE
  |     - Suspicious behavior: EnumeratesProcesses
  |     - Suspicious use of AdjustPrivilegeToken
  |
  +-- C:\Windows\SysWOW64\cmd.exe  (PID 5092)
        command line: "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\402d6e68600b71eadd5fde2239363287962525935c0639f0a149bf6a9e04945c.exe"

What the tree shows: the sample copies itself into a subfolder named after its own SHA256, starts that copy (PID 364), and then hands cleanup to cmd.exe. The single `ping 1.1.1.1 -n 1 -w 1000 > Nul` is not network reconnaissance but a delay of roughly one second, long enough for the original process to exit so that `Del` can remove the dropper while the copy keeps running. The parent asked for C:\Windows\System32\cmd.exe but the process that ran is C:\Windows\SysWOW64\cmd.exe: that is WoW64 file-system redirection, which tells you the sample is a 32-bit executable (consistent with the arch:x86 resource tag). Both the original and the copy enable SeDebugPrivilege and the copy enumerates running processes; the report lists no write into a process the sample did not create and no network indicators.
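The three behaviours that are visible in the process tree and signatures above (a self-copy executed from a new directory, a `ping ... > nul & del` chain that deletes the parent's own image, and a read of the Geo\Nation registry value) can be turned into detection logic over process-creation and registry-read telemetry. The Python below is an added example written for this page; it is not part of the sandbox report and not the sample's code. It runs over constructed records that mirror the PIDs, paths and command line from this report, plus benign noise (an assumed `updater.exe` that deletes its own log) to show what is not flagged. The Sysmon-shaped field names, the dataclasses and the noise events are assumptions for illustration.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class ProcEvent:
    """Process-creation record (Sysmon Event ID 1 shape); constructed for this example."""
    pid: int
    ppid: int
    image: str      # full path of the created executable
    cmdline: str    # command line as logged


@dataclass(frozen=True)
class RegEvent:
    """Registry value read (Sysmon Event ID 13 shape); constructed for this example."""
    pid: int
    key: str


# HKCU\Control Panel\International\Geo\Nation holds the user's configured country code.
GEO_NATION_RE = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.IGNORECASE)

# "ping <host> ... > nul & del <path>": ping acts as a sleep so the deleting shell
# outlives its parent, then del removes the quoted (or bare) path at the end of the line.
PING_DEL_RE = re.compile(
    r"\bping\b[^&]*>\s*nul\s*&\s*del\s+\"?(?P<path>[^\"&]+?)\"?\s*$",
    re.IGNORECASE,
)


def _norm(path: str) -> str:
    """Case-fold and strip quotes so paths logged in different styles compare equal."""
    return ntpath.normcase(path.strip().strip('"'))


def find_self_copy_executions(procs: List[ProcEvent]) -> List[Tuple[int, int]]:
    """Child runs an executable with the parent's file name from a different directory."""
    by_pid: Dict[int, ProcEvent] = {p.pid: p for p in procs}
    hits = []
    for child in procs:
        parent = by_pid.get(child.ppid)
        if parent is None:
            continue
        same_name = ntpath.basename(_norm(child.image)) == ntpath.basename(_norm(parent.image))
        if same_name and _norm(child.image) != _norm(parent.image):
            hits.append((parent.pid, child.pid))
    return hits


def find_self_deletion(procs: List[ProcEvent]) -> List[Tuple[int, int, str]]:
    """cmd.exe child that sleeps via ping and then deletes its parent's own image."""
    by_pid: Dict[int, ProcEvent] = {p.pid: p for p in procs}
    hits = []
    for child in procs:
        if ntpath.basename(_norm(child.image)) != "cmd.exe":
            continue
        m = PING_DEL_RE.search(child.cmdline)
        parent = by_pid.get(child.ppid)
        # Only the parent's own image counts: deleting some other file is routine cleanup.
        if m and parent and _norm(m.group("path")) == _norm(parent.image):
            hits.append((parent.pid, child.pid, parent.image))
    return hits


def find_geofence_lookups(regs: List[RegEvent], procs: List[ProcEvent]) -> List[Tuple[int, str]]:
    """Reads of the Geo\\Nation value, joined back to the image of the reading process."""
    by_pid = {p.pid: p for p in procs}
    return [(r.pid, by_pid[r.pid].image)
            for r in regs if r.pid in by_pid and GEO_NATION_RE.search(r.key)]


# Constructed sample telemetry mirroring the report's process tree, plus benign noise.
TMP = r"C:\Users\Admin\AppData\Local\Temp"
NAME = "402d6e68600b71eadd5fde2239363287962525935c0639f0a149bf6a9e04945c"
DROPPER = ntpath.join(TMP, NAME + ".exe")
COPY = ntpath.join(TMP, NAME, NAME + ".exe")

SAMPLE_PROCS = [
    ProcEvent(1200, 900, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(2656, 1200, DROPPER, f'"{DROPPER}"'),
    ProcEvent(364, 2656, COPY, f'"{COPY}"'),
    ProcEvent(5092, 2656, r"C:\Windows\SysWOW64\cmd.exe",
              f'"C:\\Windows\\System32\\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "{DROPPER}"'),
    # Assumed benign updater (not from the report): same ping-then-del idiom on its own log file.
    ProcEvent(6000, 1200, r"C:\Program Files\Vendor\updater.exe", "updater.exe"),
    ProcEvent(7000, 6000, r"C:\Windows\System32\cmd.exe",
              r'cmd.exe /C ping 127.0.0.1 -n 2 > nul & del "C:\Temp\update.log"'),
]
SAMPLE_REGS = [
    RegEvent(2656, r"\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000"
                   r"\Control Panel\International\Geo\Nation"),
    RegEvent(6000, r"\REGISTRY\MACHINE\SOFTWARE\Vendor\Updater\Channel"),  # assumed noise
]

if __name__ == "__main__":
    print("self-copy executions:", find_self_copy_executions(SAMPLE_PROCS))
    print("ping-then-del self-deletion:", find_self_deletion(SAMPLE_PROCS))
    print("Geo\\Nation lookups:", find_geofence_lookups(SAMPLE_REGS, SAMPLE_PROCS))
```

The self-deletion check deliberately resolves the deleted path against the parent's image rather than alerting on every `ping ... & del`, because that idiom is also used by legitimate installers to remove temporary files; the assumed updater event is there to exercise that branch. Each detector returns the PIDs involved so the three results can be correlated on PID 2656.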
Network
Downloads
C:\Users\Admin\AppData\Local\Temp\402d6e68600b71eadd5fde2239363287962525935c0639f0a149bf6a9e04945c\402d6e68600b71eadd5fde2239363287962525935c0639f0a149bf6a9e04945c.exe
Filesize: 271KB
MD5: c238b0d3cdd6ca72003e01b29bf3ddf7
SHA1: 26ebb8833981cadd288f579fc0a75d24a9faecaf
SHA256: 402d6e68600b71eadd5fde2239363287962525935c0639f0a149bf6a9e04945c
SHA512: d406a5bf8c19d7b82c9610639254fc40a224156c81e9fee2de34af9731648436291a8cb3b1769706b58d0744e23b30cf1b156214380ad177b67bccece4a5246d
Every hash matches the submitted sample: the dropped file is a self-copy, not a second-stage payload.
memory/364-134-0x0000000000000000-mapping.dmp
memory/364-138-0x0000000074B90000-0x0000000075141000-memory.dmp  Filesize: 5.7MB
memory/364-139-0x0000000074B90000-0x0000000075141000-memory.dmp  Filesize: 5.7MB
memory/2656-132-0x0000000074B90000-0x0000000075141000-memory.dmp  Filesize: 5.7MB
memory/2656-133-0x0000000074B90000-0x0000000075141000-memory.dmp  Filesize: 5.7MB
memory/5092-137-0x0000000000000000-mapping.dmp
The same 0x74B90000-0x75141000 region (0x5B1000 bytes, about 5.7MB) is dumped from both the original process (2656) and the copy (364), as expected when the child is the same image.