Analysis
-
max time kernel
98s -
max time network
120s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
23-11-2022 15:35
General
-
Target
eae62175cebb33521e1f2c250a0715dcdc93f9787eb96c871dc2d0ba48b3e3ba.exe
-
Size
318KB
-
MD5
e4793a916988680cb6c486a4d22a0ca2
-
SHA1
6269b79ad380e6af276bb14e41a2f0e3c73ef5ff
-
SHA256
eae62175cebb33521e1f2c250a0715dcdc93f9787eb96c871dc2d0ba48b3e3ba
-
SHA512
e517bdbba891e3e4b929255b4a2a24a62b67c6a3c94d913d496d3c735dc25c59f1240148f7179db3c5e64344344c9385eddb7508233c334605cd3069e65b8947
-
SSDEEP
6144:xHvQjzb2lszlh979Hd+aIIFCd5J5xQUXPD39P5uSSPzFF95sU:hQjziGlD7xd+zXDSY7pSPB
Malware Config
Signatures
-
Executes dropped EXE 2 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 14 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\eae62175cebb33521e1f2c250a0715dcdc93f9787eb96c871dc2d0ba48b3e3ba.exe"C:\Users\Admin\AppData\Local\Temp\eae62175cebb33521e1f2c250a0715dcdc93f9787eb96c871dc2d0ba48b3e3ba.exe"1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\eae62175cebb33521e1f2c250a0715dcdc93f9787eb96c871dc2d0ba48b3e3ba.exe"C:\Users\Admin\AppData\Local\Temp\eae62175cebb33521e1f2c250a0715dcdc93f9787eb96c871dc2d0ba48b3e3ba.exe"2⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IpOverUsbSvrc.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IpOverUsbSvrc.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Acctres.exeC:\Users\Admin\AppData\Roaming\Microsoft\Windows\Acctres.exe3⤵
- Executes dropped EXE
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
318KB
MD5e4793a916988680cb6c486a4d22a0ca2
SHA16269b79ad380e6af276bb14e41a2f0e3c73ef5ff
SHA256eae62175cebb33521e1f2c250a0715dcdc93f9787eb96c871dc2d0ba48b3e3ba
SHA512e517bdbba891e3e4b929255b4a2a24a62b67c6a3c94d913d496d3c735dc25c59f1240148f7179db3c5e64344344c9385eddb7508233c334605cd3069e65b8947
-
Filesize
318KB
MD5e4793a916988680cb6c486a4d22a0ca2
SHA16269b79ad380e6af276bb14e41a2f0e3c73ef5ff
SHA256eae62175cebb33521e1f2c250a0715dcdc93f9787eb96c871dc2d0ba48b3e3ba
SHA512e517bdbba891e3e4b929255b4a2a24a62b67c6a3c94d913d496d3c735dc25c59f1240148f7179db3c5e64344344c9385eddb7508233c334605cd3069e65b8947
-
Filesize
17KB
MD509b171f5148c39fbc02e59ec67f57a5c
SHA100d7926037412a5fc22819bb1cfa8d698e9223fe
SHA2566117d1517e1953ffa068642e78e868ab819ffd0bfc448cfa37a01971d32caad1
SHA5125267cc5effc1cc9401cb3f36c2044e524e0f8b58e5d2ca7d4150824e8c53ebe832a98288368694e4e86ff384bcad89bafa197a8dd19164d17d229ca8b9bb219d
-
Filesize
17KB
MD509b171f5148c39fbc02e59ec67f57a5c
SHA100d7926037412a5fc22819bb1cfa8d698e9223fe
SHA2566117d1517e1953ffa068642e78e868ab819ffd0bfc448cfa37a01971d32caad1
SHA5125267cc5effc1cc9401cb3f36c2044e524e0f8b58e5d2ca7d4150824e8c53ebe832a98288368694e4e86ff384bcad89bafa197a8dd19164d17d229ca8b9bb219d
-
Filesize
5.7MB
-
Filesize
5.7MB
-
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
-
Filesize
5.7MB
-
Filesize
5.7MB
-