Analysis
max time kernel: 132s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23-11-2022 17:08
Static task: static1
Behavioral task: behavioral1
  Sample: 338123329d0cfd1361a219939bc5c7e88cb3eb90bf11106306eab8f92ef79a7b.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: 338123329d0cfd1361a219939bc5c7e88cb3eb90bf11106306eab8f92ef79a7b.exe
  Resource: win10v2004-20220812-en
General
Target: 338123329d0cfd1361a219939bc5c7e88cb3eb90bf11106306eab8f92ef79a7b.exe
Size: 104KB
MD5: 443a3a821ca830f39343008f40684170
SHA1: 6daaa1be7e32c9eb4c9263045734f7ee965a0d93
SHA256: 338123329d0cfd1361a219939bc5c7e88cb3eb90bf11106306eab8f92ef79a7b
SHA512: 99c1d179dc47305e885a7beb839b043a94e388c67573e86f6f9b2483cc1e769b13abedf8e8d3c01ffbfbe9600b7aa8fd7689b074ba08a6b602d9de3014ea48b7
SSDEEP: 1536:nsxb38MhDn2fmAInL6yId2xdMGfR9TQ2g8cifaxK2jd3psK/OV16PZdpM2KczgBS:nu7nL6K7f3ixF2o9RH5BbtcH2Eq
Malware Config
Signatures
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
  338123329d0cfd1361a219939bc5c7e88cb3eb90bf11106306eab8f92ef79a7b.exe
    Key value queried: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation

Maps connected drives based on registry (3 TTPs, 2 IoCs)
Disk information is often read in order to detect sandboxing environments.
Processes:
  338123329d0cfd1361a219939bc5c7e88cb3eb90bf11106306eab8f92ef79a7b.exe
    Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum
    Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Enumerates processes with tasklist (1 TTP, 1 IoC)

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  tasklist.exe (PID 864)
    Token: SeDebugPrivilege

Suspicious use of SetWindowsHookEx (1 IoC)
Processes:
  338123329d0cfd1361a219939bc5c7e88cb3eb90bf11106306eab8f92ef79a7b.exe (PID 1104)

Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
  PID 1104 (338123329d0cfd1361a219939bc5c7e88cb3eb90bf11106306eab8f92ef79a7b.exe) wrote to memory of PID 2580 (cmd.exe), 3 events
  PID 2580 (cmd.exe) wrote to memory of PID 864 (tasklist.exe), 3 events
Processes
C:\Users\Admin\AppData\Local\Temp\338123329d0cfd1361a219939bc5c7e88cb3eb90bf11106306eab8f92ef79a7b.exe (PID 1104)
  command line: "C:\Users\Admin\AppData\Local\Temp\338123329d0cfd1361a219939bc5c7e88cb3eb90bf11106306eab8f92ef79a7b.exe"
  - Checks computer location settings
  - Maps connected drives based on registry
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe (PID 2580)
    command line: "C:\Windows\System32\cmd.exe" /c tasklist&&del 338123329d0cfd1361a219939bc5c7e88cb3eb90bf11106306eab8f92ef79a7b.exe
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\tasklist.exe (PID 864)
      command line: tasklist
      - Enumerates processes with tasklist
      - Suspicious use of AdjustPrivilegeToken
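Analyst note on the process tree. The sample's only child is cmd.exe running "/c tasklist&&del <sample>": tasklist exists purely to keep cmd.exe busy for a moment so that the parent can exit and release the lock on its own image file, after which del removes it. Two details of the command line are worth keeping in mind: the del target is a bare filename, so the delete only succeeds if cmd.exe inherited the sample's directory as its working directory, and cmd.exe was requested as C:\Windows\System32\cmd.exe but actually ran from C:\Windows\SysWOW64, which is WOW64 file-system redirection and tells you the sample is a 32-bit process (matching the arch:x86 tag above). The detector below turns that into a check over process-creation records. It is an added example for this page, not output of the sandbox or code from the sample; the ProcEvent schema, the sample's parent PID 4000 and the benign cmd.exe event (PIDs 3100/2900) are constructed, while PIDs 1104, 2580 and 864 and the command lines come from the report. It generalizes slightly beyond the page by accepting any stall command before "&& del", since ping and timeout are used the same way; what marks the chain as self-deletion is that the del target is the parent's own image.

```python
"""Detect the "cmd /c <stall> && del <self>" self-deletion chain from
process-creation records. Added example; constructed data, not sandbox output."""
import ntpath
import re
from dataclasses import dataclass
from typing import Dict, List

# The sample's hash-derived filename, as shown in the report.
SAMPLE = "338123329d0cfd1361a219939bc5c7e88cb3eb90bf11106306eab8f92ef79a7b.exe"


@dataclass
class ProcEvent:
    """Minimal process-creation record. Field names are this example's own,
    not a Sysmon or ETW schema."""
    pid: int
    ppid: int
    image: str     # image path as the kernel reports it (after WOW64 redirection)
    cmdline: str   # command line as the creating process passed it


# Constructed events mirroring the report's tree (PIDs 1104 -> 2580 -> 864),
# plus one benign "cmd /c del" with no stall as a negative case.
# PPID 4000 for the sample and PIDs 3100/2900 for the benign cmd are made up.
EVENTS: List[ProcEvent] = [
    ProcEvent(1104, 4000, rf"C:\Users\Admin\AppData\Local\Temp\{SAMPLE}",
              f'"C:\\Users\\Admin\\AppData\\Local\\Temp\\{SAMPLE}"'),
    ProcEvent(2580, 1104, r"C:\Windows\SysWOW64\cmd.exe",
              f'"C:\\Windows\\System32\\cmd.exe" /c tasklist&&del {SAMPLE}'),
    ProcEvent(864, 2580, r"C:\Windows\SysWOW64\tasklist.exe", "tasklist"),
    ProcEvent(3100, 2900, r"C:\Windows\System32\cmd.exe",
              '"C:\\Windows\\System32\\cmd.exe" /c del report.tmp'),
]

# "/c <stall> && del [/switches] <target>": the stall (tasklist here; ping or
# timeout are the other common choices) keeps cmd.exe alive until the parent
# has exited and its image file is unlocked, then del removes the file.
STALL_THEN_DELETE = re.compile(
    r"/c\s*(?P<stall>[^&]+?)\s*&&\s*del\b(?P<switches>(?:\s+/[a-z])*)\s+(?P<target>\S+)",
    re.IGNORECASE,
)


def find_self_delete(events: List[ProcEvent]) -> List[Dict[str, object]]:
    """One finding per cmd.exe whose 'stall && del' target is the image file of
    its own parent. Requiring the parent match is what separates self-deletion
    from an ordinary scripted delete."""
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    findings: List[Dict[str, object]] = []
    for ev in events:
        if ntpath.basename(ev.image).lower() != "cmd.exe":
            continue
        m = STALL_THEN_DELETE.search(ev.cmdline)
        if m is None:
            continue
        parent = by_pid.get(ev.ppid)
        if parent is None:
            continue  # parent not in the log; self-deletion cannot be confirmed
        raw_target = m.group("target").strip('"')
        target = ntpath.basename(raw_target).lower()
        if target != ntpath.basename(parent.image).lower():
            continue
        findings.append({
            "cmd_pid": ev.pid,
            "parent_pid": parent.pid,
            "parent_image": parent.image,
            "stall": m.group("stall").strip(),
            "target": target,
            # children of this cmd.exe, e.g. the tasklist.exe the report shows as PID 864
            "stall_children": [c.pid for c in events if c.ppid == ev.pid],
            # a bare filename only deletes if cmd.exe inherited the sample's directory
            "target_is_relative": ntpath.dirname(raw_target) == "",
        })
    return findings


def is_wow64_redirected(ev: ProcEvent) -> bool:
    """True when the command line names System32 but the process ran from
    SysWOW64: file-system redirection applied because the creator is 32-bit.
    This is why cmd.exe and tasklist.exe sit under SysWOW64 in the report
    although the sample asked for C:\\Windows\\System32\\cmd.exe."""
    return "\\syswow64\\" in ev.image.lower() and "\\system32\\" in ev.cmdline.lower()


if __name__ == "__main__":
    for finding in find_self_delete(EVENTS):
        print(finding)
    print("cmd.exe WOW64-redirected:", is_wow64_redirected(EVENTS[1]))
```

Run against the constructed events the detector reports exactly one chain (cmd.exe 2580, parent 1104, stall child 864, relative target) and ignores the benign "cmd /c del report.tmp". When adapting it to real telemetry, feed it Sysmon Event ID 1 or equivalent records and keep the parent lookup keyed on the creation-time PID, since the parent has usually exited by the time the delete runs.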