Analysis
-
max time kernel
151s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system -
submitted
24-11-2022 04:20
Static task
static1
Behavioral task
behavioral1
Sample
a4fee83713aa0aa22099e7531d1e875eaa3f3e2b7e921721b79c5a68511d8b66.exe
Resource
win7-20220901-en
Behavioral task
behavioral2
Sample
a4fee83713aa0aa22099e7531d1e875eaa3f3e2b7e921721b79c5a68511d8b66.exe
Resource
win10v2004-20220901-en
General
-
Target
a4fee83713aa0aa22099e7531d1e875eaa3f3e2b7e921721b79c5a68511d8b66.exe
-
Size
177KB
-
MD5
adad59681c52a7e1490d8b72457028fb
-
SHA1
821080dd77cb2b682be93e4ec879dcdf8a47872b
-
SHA256
a4fee83713aa0aa22099e7531d1e875eaa3f3e2b7e921721b79c5a68511d8b66
-
SHA512
f6b715246cb77f495f472109b5cb7c90645d6ed26caddf8fbe74e72066a7608d22f3f213c719208c06d7711364f2e40073ecf68acdc36218826b9fbe096bbfe7
-
SSDEEP
1536:uWUHZK25eW9V9ge1EBjyO3lg7yZ/nzzGyQCAhtwjIVhmroF:udHZK2jEe1Ej4mPzay8YjIbmMF
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
server.exepid process 2876 server.exe -
Modifies Windows Firewall 1 TTPs 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
a4fee83713aa0aa22099e7531d1e875eaa3f3e2b7e921721b79c5a68511d8b66.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation a4fee83713aa0aa22099e7531d1e875eaa3f3e2b7e921721b79c5a68511d8b66.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
server.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4e31aa78d88f8a182bda22b927d269aa = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4e31aa78d88f8a182bda22b927d269aa = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." server.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of AdjustPrivilegeToken 31 IoCs
Processes:
server.exedescription pid process Token: SeDebugPrivilege 2876 server.exe Token: 33 2876 server.exe Token: SeIncBasePriorityPrivilege 2876 server.exe Token: 33 2876 server.exe Token: SeIncBasePriorityPrivilege 2876 server.exe Token: 33 2876 server.exe Token: SeIncBasePriorityPrivilege 2876 server.exe Token: 33 2876 server.exe Token: SeIncBasePriorityPrivilege 2876 server.exe Token: 33 2876 server.exe Token: SeIncBasePriorityPrivilege 2876 server.exe Token: 33 2876 server.exe Token: SeIncBasePriorityPrivilege 2876 server.exe Token: 33 2876 server.exe Token: SeIncBasePriorityPrivilege 2876 server.exe Token: 33 2876 server.exe Token: SeIncBasePriorityPrivilege 2876 server.exe Token: 33 2876 server.exe Token: SeIncBasePriorityPrivilege 2876 server.exe Token: 33 2876 server.exe Token: SeIncBasePriorityPrivilege 2876 server.exe Token: 33 2876 server.exe Token: SeIncBasePriorityPrivilege 2876 server.exe Token: 33 2876 server.exe Token: SeIncBasePriorityPrivilege 2876 server.exe Token: 33 2876 server.exe Token: SeIncBasePriorityPrivilege 2876 server.exe Token: 33 2876 server.exe Token: SeIncBasePriorityPrivilege 2876 server.exe Token: 33 2876 server.exe Token: SeIncBasePriorityPrivilege 2876 server.exe -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
a4fee83713aa0aa22099e7531d1e875eaa3f3e2b7e921721b79c5a68511d8b66.exeserver.exedescription pid process target process PID 2340 wrote to memory of 2876 2340 a4fee83713aa0aa22099e7531d1e875eaa3f3e2b7e921721b79c5a68511d8b66.exe server.exe PID 2340 wrote to memory of 2876 2340 a4fee83713aa0aa22099e7531d1e875eaa3f3e2b7e921721b79c5a68511d8b66.exe server.exe PID 2876 wrote to memory of 4692 2876 server.exe netsh.exe PID 2876 wrote to memory of 4692 2876 server.exe netsh.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\a4fee83713aa0aa22099e7531d1e875eaa3f3e2b7e921721b79c5a68511d8b66.exe"C:\Users\Admin\AppData\Local\Temp\a4fee83713aa0aa22099e7531d1e875eaa3f3e2b7e921721b79c5a68511d8b66.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2340 -
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2876 -
C:\Windows\SYSTEM32\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE3⤵
- Modifies Windows Firewall
PID:4692
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\server.exeFilesize
177KB
MD5adad59681c52a7e1490d8b72457028fb
SHA1821080dd77cb2b682be93e4ec879dcdf8a47872b
SHA256a4fee83713aa0aa22099e7531d1e875eaa3f3e2b7e921721b79c5a68511d8b66
SHA512f6b715246cb77f495f472109b5cb7c90645d6ed26caddf8fbe74e72066a7608d22f3f213c719208c06d7711364f2e40073ecf68acdc36218826b9fbe096bbfe7
-
C:\Users\Admin\AppData\Local\Temp\server.exeFilesize
177KB
MD5adad59681c52a7e1490d8b72457028fb
SHA1821080dd77cb2b682be93e4ec879dcdf8a47872b
SHA256a4fee83713aa0aa22099e7531d1e875eaa3f3e2b7e921721b79c5a68511d8b66
SHA512f6b715246cb77f495f472109b5cb7c90645d6ed26caddf8fbe74e72066a7608d22f3f213c719208c06d7711364f2e40073ecf68acdc36218826b9fbe096bbfe7
-
memory/2340-132-0x00007FF9C5C50000-0x00007FF9C6686000-memory.dmpFilesize
10.2MB
-
memory/2876-133-0x0000000000000000-mapping.dmp
-
memory/2876-136-0x00007FF9C5C50000-0x00007FF9C6686000-memory.dmpFilesize
10.2MB
-
memory/4692-137-0x0000000000000000-mapping.dmp