Analysis
-
max time kernel
151s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
23-11-2022 16:53
Static task
static1
Behavioral task
behavioral1
Sample
386cc33cac542ea2c22b73f69d83b5561d6612f14cc374cc40415ca634a8d0d4.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
386cc33cac542ea2c22b73f69d83b5561d6612f14cc374cc40415ca634a8d0d4.exe
Resource
win10v2004-20220812-en
General
-
Target
386cc33cac542ea2c22b73f69d83b5561d6612f14cc374cc40415ca634a8d0d4.exe
-
Size
30KB
-
MD5
35e4fb6ca6c2ffe4af82b86157544979
-
SHA1
c81d8092b672e6ab97d63751049285779f6ec303
-
SHA256
386cc33cac542ea2c22b73f69d83b5561d6612f14cc374cc40415ca634a8d0d4
-
SHA512
3d8727229e4b7d6eea83e9373adb24e9d28220276f4fac1705212a00dbc87c53da452e76bac97f7fb74080e0e66ba17839b8564bb5516b38466dbcb29e0d94f6
-
SSDEEP
384:wAx0nuhdl9xN0G6/ELrB++h2JfG9HT6Pq2XFg82G5Fk4tZSTIwlYyN:wfnuhms4+h2JfG9HT6PTuXAt4
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
server.exepid process 1952 server.exe -
Modifies Windows Firewall 1 TTPs 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
386cc33cac542ea2c22b73f69d83b5561d6612f14cc374cc40415ca634a8d0d4.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation 386cc33cac542ea2c22b73f69d83b5561d6612f14cc374cc40415ca634a8d0d4.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
server.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d525ad061f82aa8818a00a6d57c9ab8b = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d525ad061f82aa8818a00a6d57c9ab8b = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." server.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of AdjustPrivilegeToken 33 IoCs
Processes:
server.exedescription pid process Token: SeDebugPrivilege 1952 server.exe Token: 33 1952 server.exe Token: SeIncBasePriorityPrivilege 1952 server.exe Token: 33 1952 server.exe Token: SeIncBasePriorityPrivilege 1952 server.exe Token: 33 1952 server.exe Token: SeIncBasePriorityPrivilege 1952 server.exe Token: 33 1952 server.exe Token: SeIncBasePriorityPrivilege 1952 server.exe Token: 33 1952 server.exe Token: SeIncBasePriorityPrivilege 1952 server.exe Token: 33 1952 server.exe Token: SeIncBasePriorityPrivilege 1952 server.exe Token: 33 1952 server.exe Token: SeIncBasePriorityPrivilege 1952 server.exe Token: 33 1952 server.exe Token: SeIncBasePriorityPrivilege 1952 server.exe Token: 33 1952 server.exe Token: SeIncBasePriorityPrivilege 1952 server.exe Token: 33 1952 server.exe Token: SeIncBasePriorityPrivilege 1952 server.exe Token: 33 1952 server.exe Token: SeIncBasePriorityPrivilege 1952 server.exe Token: 33 1952 server.exe Token: SeIncBasePriorityPrivilege 1952 server.exe Token: 33 1952 server.exe Token: SeIncBasePriorityPrivilege 1952 server.exe Token: 33 1952 server.exe Token: SeIncBasePriorityPrivilege 1952 server.exe Token: 33 1952 server.exe Token: SeIncBasePriorityPrivilege 1952 server.exe Token: 33 1952 server.exe Token: SeIncBasePriorityPrivilege 1952 server.exe -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
386cc33cac542ea2c22b73f69d83b5561d6612f14cc374cc40415ca634a8d0d4.exeserver.exedescription pid process target process PID 5052 wrote to memory of 1952 5052 386cc33cac542ea2c22b73f69d83b5561d6612f14cc374cc40415ca634a8d0d4.exe server.exe PID 5052 wrote to memory of 1952 5052 386cc33cac542ea2c22b73f69d83b5561d6612f14cc374cc40415ca634a8d0d4.exe server.exe PID 1952 wrote to memory of 3432 1952 server.exe netsh.exe PID 1952 wrote to memory of 3432 1952 server.exe netsh.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\386cc33cac542ea2c22b73f69d83b5561d6612f14cc374cc40415ca634a8d0d4.exe"C:\Users\Admin\AppData\Local\Temp\386cc33cac542ea2c22b73f69d83b5561d6612f14cc374cc40415ca634a8d0d4.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE3⤵
- Modifies Windows Firewall
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\server.exeFilesize
30KB
MD535e4fb6ca6c2ffe4af82b86157544979
SHA1c81d8092b672e6ab97d63751049285779f6ec303
SHA256386cc33cac542ea2c22b73f69d83b5561d6612f14cc374cc40415ca634a8d0d4
SHA5123d8727229e4b7d6eea83e9373adb24e9d28220276f4fac1705212a00dbc87c53da452e76bac97f7fb74080e0e66ba17839b8564bb5516b38466dbcb29e0d94f6
-
C:\Users\Admin\AppData\Local\Temp\server.exeFilesize
30KB
MD535e4fb6ca6c2ffe4af82b86157544979
SHA1c81d8092b672e6ab97d63751049285779f6ec303
SHA256386cc33cac542ea2c22b73f69d83b5561d6612f14cc374cc40415ca634a8d0d4
SHA5123d8727229e4b7d6eea83e9373adb24e9d28220276f4fac1705212a00dbc87c53da452e76bac97f7fb74080e0e66ba17839b8564bb5516b38466dbcb29e0d94f6
-
memory/1952-133-0x0000000000000000-mapping.dmp
-
memory/1952-136-0x00007FF995840000-0x00007FF996276000-memory.dmpFilesize
10.2MB
-
memory/3432-137-0x0000000000000000-mapping.dmp
-
memory/5052-132-0x00007FF995840000-0x00007FF996276000-memory.dmpFilesize
10.2MB