Analysis
- max time kernel: 184s
- max time network: 190s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24-11-2022 21:31
- Static task: static1
- Behavioral task: behavioral1
- Sample: 9f607ac52b81600c5a3beba12a66e195002828cb39399686a55b18d9b73881fe.exe
- Resource: win7-20221111-en
General
- Target: 9f607ac52b81600c5a3beba12a66e195002828cb39399686a55b18d9b73881fe.exe
- Size: 1.9MB
- MD5: 456952d17c871d449afafcce12d7baa1
- SHA1: 0518c5d91c0a8873d5dd81f9d2866168eef07745
- SHA256: 9f607ac52b81600c5a3beba12a66e195002828cb39399686a55b18d9b73881fe
- SHA512: d45bcc6b0c7dbcef7aa40d600006814fd964ef766a1cfd577f9c336f45cd60f4b102059dafecc74822258998f00fb7201cbb9a648027d01826ff154159af8d06
- SSDEEP: 49152:b1dlZoFnxOIjuDBhqcTVSSrelkkSeWavYzlM0Rdsh5XI:b1dl2FnxOIjuDBhqcxPeTSe7n0RuPI
Malware Config
Signatures
- Executes dropped EXE (4 IoCs)
  Processes:
    pid   process
    4052  Server.exe
    3496  Trojan.exe
    3636  processhacker-2.33-setup.exe
    2776  processhacker-2.33-setup.tmp
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    description        ioc                                                                                                 process
    Key value queried  \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation  9f607ac52b81600c5a3beba12a66e195002828cb39399686a55b18d9b73881fe.exe
    Key value queried  \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation  Server.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
    description                        pid   process                                                                process
    PID 4284 wrote to memory of 4052   4284  9f607ac52b81600c5a3beba12a66e195002828cb39399686a55b18d9b73881fe.exe  Server.exe
    PID 4284 wrote to memory of 4052   4284  9f607ac52b81600c5a3beba12a66e195002828cb39399686a55b18d9b73881fe.exe  Server.exe
    PID 4284 wrote to memory of 4052   4284  9f607ac52b81600c5a3beba12a66e195002828cb39399686a55b18d9b73881fe.exe  Server.exe
    PID 4052 wrote to memory of 3496   4052  Server.exe                                                             Trojan.exe
    PID 4052 wrote to memory of 3496   4052  Server.exe                                                             Trojan.exe
    PID 4052 wrote to memory of 3496   4052  Server.exe                                                             Trojan.exe
    PID 4284 wrote to memory of 3636   4284  9f607ac52b81600c5a3beba12a66e195002828cb39399686a55b18d9b73881fe.exe  processhacker-2.33-setup.exe
    PID 4284 wrote to memory of 3636   4284  9f607ac52b81600c5a3beba12a66e195002828cb39399686a55b18d9b73881fe.exe  processhacker-2.33-setup.exe
    PID 4284 wrote to memory of 3636   4284  9f607ac52b81600c5a3beba12a66e195002828cb39399686a55b18d9b73881fe.exe  processhacker-2.33-setup.exe
    PID 3636 wrote to memory of 2776   3636  processhacker-2.33-setup.exe                                           processhacker-2.33-setup.tmp
    PID 3636 wrote to memory of 2776   3636  processhacker-2.33-setup.exe                                           processhacker-2.33-setup.tmp
    PID 3636 wrote to memory of 2776   3636  processhacker-2.33-setup.exe                                           processhacker-2.33-setup.tmp
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\9f607ac52b81600c5a3beba12a66e195002828cb39399686a55b18d9b73881fe.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\9f607ac52b81600c5a3beba12a66e195002828cb39399686a55b18d9b73881fe.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - [2] C:\Extracted\Server.exe
    Command line: "C:\Extracted\Server.exe"
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Roaming\Trojan.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Trojan.exe"
      - Executes dropped EXE
  - [2] C:\Extracted\processhacker-2.33-setup.exe
    Command line: "C:\Extracted\processhacker-2.33-setup.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Local\Temp\is-IS0BP.tmp\processhacker-2.33-setup.tmp
      Command line: "C:\Users\Admin\AppData\Local\Temp\is-IS0BP.tmp\processhacker-2.33-setup.tmp" /SL5="$320044,1547810,150016,C:\Extracted\processhacker-2.33-setup.exe"
      - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Extracted\Server.exe
  Filesize: 28KB
  MD5: 6583b4229e56bc11b5dc9e9b37d0b941
  SHA1: 32c38225f22053381da5994cea08bd3b7c74d942
  SHA256: a3c4d25fd2eb1982bd15322445f5e1af181f63be796f63677b59d7665a2dd3dc
  SHA512: 55c3f75aa657370664efe237a33707c548811e4550689a722bcbdc30e153235c9523f5e4dafcfee6a1ac6c059c1818ccfd0c27d791bb7cb15e370482b9f77669
- C:\Extracted\processhacker-2.33-setup.exe
  Filesize: 1.8MB
  MD5: f7c77350aef13278213e70b5fd6fb017
  SHA1: f328286bdf529e3905e8098b8d7558f974d9293c
  SHA256: cc6e55bb0db1f065bbf30c87a6dce319f92d1eff00c074c68570571a3acd1ce4
  SHA512: 444e6e618e3d557ad674770491b2b704a0f96435d7a87a2ab9f9f9457e1ee84b24ae676741bb684c04d8d326cf75909f9dfc47af39675fdbc8425026a7a04e9d
- C:\Users\Admin\AppData\Local\Temp\is-IS0BP.tmp\processhacker-2.33-setup.tmp
  Filesize: 781KB
  MD5: e1d5cd3916914641ec3a04e85dfaa1f7
  SHA1: 5e3298ce1c2ce613fe51b502d997962033d96751
  SHA256: 799db3e8e21ed51c137bef6eb0c0dee9838aac6d35bb32cc2056901f5dd38f73
  SHA512: 15feadf3eedb1175b707e7c4129c503e020e33d369fb8e642d91fae3bdcb08400444660ed420f06bad12e8d9484d9edd05138f8b3b7d1166a0cb3da56a576894
- C:\Users\Admin\AppData\Roaming\Trojan.exe
  Filesize: 28KB
  MD5: 6583b4229e56bc11b5dc9e9b37d0b941
  SHA1: 32c38225f22053381da5994cea08bd3b7c74d942
  SHA256: a3c4d25fd2eb1982bd15322445f5e1af181f63be796f63677b59d7665a2dd3dc
  SHA512: 55c3f75aa657370664efe237a33707c548811e4550689a722bcbdc30e153235c9523f5e4dafcfee6a1ac6c059c1818ccfd0c27d791bb7cb15e370482b9f77669
- memory/2776-149-0x0000000000000000-mapping.dmp
- memory/3496-142-0x0000000073430000-0x00000000739E1000-memory.dmp
  Filesize: 5.7MB
- memory/3496-140-0x0000000073430000-0x00000000739E1000-memory.dmp
  Filesize: 5.7MB
- memory/3496-137-0x0000000000000000-mapping.dmp
- memory/3636-143-0x0000000000000000-mapping.dmp
- memory/3636-146-0x0000000000400000-0x000000000042B000-memory.dmp
  Filesize: 172KB
- memory/3636-148-0x0000000000400000-0x000000000042B000-memory.dmp
  Filesize: 172KB
- memory/3636-152-0x0000000000400000-0x000000000042B000-memory.dmp
  Filesize: 172KB
- memory/4052-132-0x0000000000000000-mapping.dmp
- memory/4052-141-0x0000000073430000-0x00000000739E1000-memory.dmp
  Filesize: 5.7MB
- memory/4052-136-0x0000000073430000-0x00000000739E1000-memory.dmp
  Filesize: 5.7MB
- memory/4052-135-0x0000000073430000-0x00000000739E1000-memory.dmp
  Filesize: 5.7MB