Analysis
-
max time kernel
293s -
max time network
298s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
-
submitted
23-11-2022 15:45
General
-
Target
1aeb51a19fb0162d8c0cf5bc27f666a2885d4497b1738f6ad9c7125a8bc3c2d9.iso
-
Size
2.2MB
-
MD5
433a0a097c40a68bd4eca0835ec2184a
-
SHA1
f8392615cfe5b99f806e6cd41017abec0d0c8ecc
-
SHA256
1aeb51a19fb0162d8c0cf5bc27f666a2885d4497b1738f6ad9c7125a8bc3c2d9
-
SHA512
260c6d4f893132c7944c02e88a25e50aaa7439c4b697e23cff50696abb4ae24b445eac49dfbc38834d154f6b8ab31bdd2f85935cb11f516eed95597c1876f8f9
-
SSDEEP
12288:1vv4GnTnYe1RvjMYTig+63sdEnmYRDJNh+7ShcBh2OQBnnnnnnEtbdjdvwKx:1vhnbRBhirxdEdBJumhcz2dBnnARu
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL 1 IoCs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies Internet Explorer settings 1 TTPs 1 IoCs
-
Modifies registry class 5 IoCs
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
-
Suspicious use of AdjustPrivilegeToken 7 IoCs
-
Suspicious use of SetWindowsHookEx 7 IoCs
-
Suspicious use of WriteProcessMemory 14 IoCs
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\1aeb51a19fb0162d8c0cf5bc27f666a2885d4497b1738f6ad9c7125a8bc3c2d9.iso1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" shell32.dll,Control_RunDLL inetcpl.cpl,,01⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /q /c "System Volume Information\ \ \ \test.chs"1⤵
- Suspicious use of WriteProcessMemory
-
\??\E:\System Volume Information\ \ \ \test.chs"System Volume Information\ \ \ \test.chs"2⤵
- Adds Run key to start application
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Unilateral statement by the Commission on migration.docx" /o ""3⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\ProgramData\Intelnet\LMIGuardianSvc.exeC:\ProgramData\Intelnet\LMIGuardianSvc.exe E7113⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c powershell "(new-object -COM Shell.Application).NameSpace(17).ParseName('E:').InvokeVerb('Eject')"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "(new-object -COM Shell.Application).NameSpace(17).ParseName('E:').InvokeVerb('Eject')"5⤵
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
78KB
MD5e772a191d58d3e2199a3372a68d086d8
SHA1dd0b2dfd602067165c87c20e46e013b7252cfb98
SHA256b35a9716e180b6a4cc92ccdc5d5825c62a41b4f13c0e38b757b2f47b202fc012
SHA51239ebf36882c5e75e25b0039c69e716149df1a1d9b39b957c5664a3a62813f62a3e8917cf5eedaaece35ce2b30423abf64e417c49836ef3cf3c038cd356788afe
-
Filesize
78KB
MD5e772a191d58d3e2199a3372a68d086d8
SHA1dd0b2dfd602067165c87c20e46e013b7252cfb98
SHA256b35a9716e180b6a4cc92ccdc5d5825c62a41b4f13c0e38b757b2f47b202fc012
SHA51239ebf36882c5e75e25b0039c69e716149df1a1d9b39b957c5664a3a62813f62a3e8917cf5eedaaece35ce2b30423abf64e417c49836ef3cf3c038cd356788afe
-
Filesize
395KB
MD593a4e2b886e2815b6b732a2380b0f068
SHA15cbfa13b74917aabbfb4d714c53afb1ac20b10e6
SHA25626c855264896db95ed46e502f2d318e5f2ad25b59bdc47bd7ffe92646102ae0d
SHA512230cedc2543d05ac39693cf79d0a2e571f06c198f32a70449b9f36d76202debc53373864ec34cb95cc94d26a54803224a615535fa4826c81e4e519c64fdd1904
-
Filesize
395KB
MD593a4e2b886e2815b6b732a2380b0f068
SHA15cbfa13b74917aabbfb4d714c53afb1ac20b10e6
SHA25626c855264896db95ed46e502f2d318e5f2ad25b59bdc47bd7ffe92646102ae0d
SHA512230cedc2543d05ac39693cf79d0a2e571f06c198f32a70449b9f36d76202debc53373864ec34cb95cc94d26a54803224a615535fa4826c81e4e519c64fdd1904
-
Filesize
588KB
MD5af04133797c7781c25980a8a004ea861
SHA16a9a5c1e23a17773a8243dda211871ca8da03a4d
SHA256d6e0903b9d9464c90c2007d84e8cf2387359c693a04c349cf0b551e65f860181
SHA5123c69f0d743715f2b104fbb9e4d330f8e263bb8cb03be62f4be91b65346f5b1f3449e7eaa86c77c4be641030a3747d1ffce303c389b637202b39c716c07ee7a4c
-
Filesize
14KB
MD52af14bcd1c2ffec278e2f52da0eb074b
SHA1d3edf0af3e665e6088a17dc6f03ac6906de27940
SHA25646e6fa282d50b59911063a805c23d2b3ca673f4899172b84386ddbc48dd88132
SHA512f808f8d84de5f524d1ca04e283641756d5b5938400642100c1c1d73664c070e15fc23d346fa011b4e58fba051f6db680455f74381a8b6a95b8a3d9f24864457d
-
Filesize
612KB
-
Filesize
592KB
-
-
-
Filesize
592KB
-
-
Filesize
216KB
-
Filesize
136KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
120KB
-
Filesize
6.5MB
-
Filesize
6.2MB
-
-
Filesize
104KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB