Analysis
- max time kernel: 149s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23-11-2022 15:50
Static task: static1
Behavioral task: behavioral1
- Sample: b3b844d7458fa6608ee2c89e8cef9752bcae65be7e83d1656c945355892b61aa.exe
- Resource: win7-20221111-en
Behavioral task: behavioral2
- Sample: b3b844d7458fa6608ee2c89e8cef9752bcae65be7e83d1656c945355892b61aa.exe
- Resource: win10v2004-20220812-en
General
- Target: b3b844d7458fa6608ee2c89e8cef9752bcae65be7e83d1656c945355892b61aa.exe
- Size: 86KB
- MD5: 486350a25af411ac10d3ed6ff36310b0
- SHA1: fa486916634919089786018a1e968be09c001fb1
- SHA256: b3b844d7458fa6608ee2c89e8cef9752bcae65be7e83d1656c945355892b61aa
- SHA512: e7b96abc991a18ae22e11cd5fdc64a4e95ecfb91027347bf6b709222271e165288082b75905ce41745e92d9489acd3ef3923e9bda0590954c0efca07e817790e
- SSDEEP: 768:K6wKiqe569LNZQcEbDxH1Ar/kUBlefkjv7yCjeLxyH6Pq5wIEQOx7EhuSwj/Z/0S:K6wVcLNe/ViMclCNCjeeoq5EQOHr9x
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes: b3b844d7458fa6608ee2c89e8cef9752bcae65be7e83d1656c945355892b61aa.exe
    Key value queried: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation (process: b3b844d7458fa6608ee2c89e8cef9752bcae65be7e83d1656c945355892b61aa.exe)
- Maps connected drives based on registry (3 TTPs, 2 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  Processes: b3b844d7458fa6608ee2c89e8cef9752bcae65be7e83d1656c945355892b61aa.exe
    Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum (process: b3b844d7458fa6608ee2c89e8cef9752bcae65be7e83d1656c945355892b61aa.exe)
    Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 (process: b3b844d7458fa6608ee2c89e8cef9752bcae65be7e83d1656c945355892b61aa.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Enumerates processes with tasklist (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: tasklist.exe
    Token: SeDebugPrivilege (pid 2556, process: tasklist.exe)
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes: b3b844d7458fa6608ee2c89e8cef9752bcae65be7e83d1656c945355892b61aa.exe
    pid 676, process: b3b844d7458fa6608ee2c89e8cef9752bcae65be7e83d1656c945355892b61aa.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: b3b844d7458fa6608ee2c89e8cef9752bcae65be7e83d1656c945355892b61aa.exe, cmd.exe
    PID 676 wrote to memory of 5060 (pid 676, process: b3b844d7458fa6608ee2c89e8cef9752bcae65be7e83d1656c945355892b61aa.exe, target process: cmd.exe)
    PID 676 wrote to memory of 5060 (pid 676, process: b3b844d7458fa6608ee2c89e8cef9752bcae65be7e83d1656c945355892b61aa.exe, target process: cmd.exe)
    PID 676 wrote to memory of 5060 (pid 676, process: b3b844d7458fa6608ee2c89e8cef9752bcae65be7e83d1656c945355892b61aa.exe, target process: cmd.exe)
    PID 5060 wrote to memory of 2556 (pid 5060, process: cmd.exe, target process: tasklist.exe)
    PID 5060 wrote to memory of 2556 (pid 5060, process: cmd.exe, target process: tasklist.exe)
    PID 5060 wrote to memory of 2556 (pid 5060, process: cmd.exe, target process: tasklist.exe)
Processes
- Level 1: C:\Users\Admin\AppData\Local\Temp\b3b844d7458fa6608ee2c89e8cef9752bcae65be7e83d1656c945355892b61aa.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b3b844d7458fa6608ee2c89e8cef9752bcae65be7e83d1656c945355892b61aa.exe"
  - Checks computer location settings
  - Maps connected drives based on registry
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - Level 2: C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c tasklist&&del b3b844d7458fa6608ee2c89e8cef9752bcae65be7e83d1656c945355892b61aa.exe
    - Suspicious use of WriteProcessMemory
    - Level 3: C:\Windows\SysWOW64\tasklist.exe
      Command line: tasklist
      - Enumerates processes with tasklist
      - Suspicious use of AdjustPrivilegeToken