Analysis
-
max time kernel
162s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
-
submitted
24-11-2022 09:50
General
-
Target
f9ca96cb7a06f5aef062c233e4059201d84c27011e6bef3da291c46d118e67ba.exe
-
Size
185KB
-
MD5
87da96422cbb87d1d5dddf3020bdf113
-
SHA1
ace3f2d581e2f0467c81701624db41097624e3e6
-
SHA256
f9ca96cb7a06f5aef062c233e4059201d84c27011e6bef3da291c46d118e67ba
-
SHA512
8bdeb2df947aca2f321c8949c22b41a324ef0ea40fb7d2167246eb99e0a0d5d87e827578cc2277f9d5bea36ad7d23a61e0b1d2dbb152ccd5a2f5371bdecb5b75
-
SSDEEP
1536:uXFdueBTNWCTQ/kZaEGLU+D7lDAj/70+ZdD7TB1LW7ecPL1k3Urrrrh:kdlBTwCT2kZaED+DJYjNZlB14BOA
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 6 IoCs
-
Executes dropped EXE 9 IoCs
-
Sets service image path in registry 2 TTPs 3 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Drops file in System32 directory 2 IoCs
-
Suspicious use of SetThreadContext 4 IoCs
-
Drops file in Program Files directory 3 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 4 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: RenamesItself 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 14 IoCs
-
Suspicious use of WriteProcessMemory 56 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\f9ca96cb7a06f5aef062c233e4059201d84c27011e6bef3da291c46d118e67ba.exe"C:\Users\Admin\AppData\Local\Temp\f9ca96cb7a06f5aef062c233e4059201d84c27011e6bef3da291c46d118e67ba.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\f9ca96cb7a06f5aef062c233e4059201d84c27011e6bef3da291c46d118e67ba.exe"C:\Users\Admin\AppData\Local\Temp\f9ca96cb7a06f5aef062c233e4059201d84c27011e6bef3da291c46d118e67ba.exe"2⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft Services\symgr.exe"C:\Program Files (x86)\Microsoft Services\symgr.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft Services\symgr.exe"C:\Program Files (x86)\Microsoft Services\symgr.exe"4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Sets service image path in registry
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\wd.exe"C:\Users\Admin\AppData\Roaming\wd.exe"5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft Services\symgr.exe"C:\Program Files (x86)\Microsoft Services\symgr.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft Services\symgr.exe"C:\Program Files (x86)\Microsoft Services\symgr.exe"7⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Sets service image path in registry
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\wd.exe"C:\Users\Admin\AppData\Roaming\wd.exe"8⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft Services\symgr.exe"C:\Program Files (x86)\Microsoft Services\symgr.exe"9⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft Services\symgr.exe"C:\Program Files (x86)\Microsoft Services\symgr.exe"10⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Sets service image path in registry
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\wd.exe"C:\Users\Admin\AppData\Roaming\wd.exe"11⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exedw20.exe -x -s 17848⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exedw20.exe -x -s 17285⤵
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
185KB
MD587da96422cbb87d1d5dddf3020bdf113
SHA1ace3f2d581e2f0467c81701624db41097624e3e6
SHA256f9ca96cb7a06f5aef062c233e4059201d84c27011e6bef3da291c46d118e67ba
SHA5128bdeb2df947aca2f321c8949c22b41a324ef0ea40fb7d2167246eb99e0a0d5d87e827578cc2277f9d5bea36ad7d23a61e0b1d2dbb152ccd5a2f5371bdecb5b75
-
Filesize
185KB
MD587da96422cbb87d1d5dddf3020bdf113
SHA1ace3f2d581e2f0467c81701624db41097624e3e6
SHA256f9ca96cb7a06f5aef062c233e4059201d84c27011e6bef3da291c46d118e67ba
SHA5128bdeb2df947aca2f321c8949c22b41a324ef0ea40fb7d2167246eb99e0a0d5d87e827578cc2277f9d5bea36ad7d23a61e0b1d2dbb152ccd5a2f5371bdecb5b75
-
Filesize
185KB
MD587da96422cbb87d1d5dddf3020bdf113
SHA1ace3f2d581e2f0467c81701624db41097624e3e6
SHA256f9ca96cb7a06f5aef062c233e4059201d84c27011e6bef3da291c46d118e67ba
SHA5128bdeb2df947aca2f321c8949c22b41a324ef0ea40fb7d2167246eb99e0a0d5d87e827578cc2277f9d5bea36ad7d23a61e0b1d2dbb152ccd5a2f5371bdecb5b75
-
Filesize
185KB
MD587da96422cbb87d1d5dddf3020bdf113
SHA1ace3f2d581e2f0467c81701624db41097624e3e6
SHA256f9ca96cb7a06f5aef062c233e4059201d84c27011e6bef3da291c46d118e67ba
SHA5128bdeb2df947aca2f321c8949c22b41a324ef0ea40fb7d2167246eb99e0a0d5d87e827578cc2277f9d5bea36ad7d23a61e0b1d2dbb152ccd5a2f5371bdecb5b75
-
Filesize
185KB
MD587da96422cbb87d1d5dddf3020bdf113
SHA1ace3f2d581e2f0467c81701624db41097624e3e6
SHA256f9ca96cb7a06f5aef062c233e4059201d84c27011e6bef3da291c46d118e67ba
SHA5128bdeb2df947aca2f321c8949c22b41a324ef0ea40fb7d2167246eb99e0a0d5d87e827578cc2277f9d5bea36ad7d23a61e0b1d2dbb152ccd5a2f5371bdecb5b75
-
Filesize
185KB
MD587da96422cbb87d1d5dddf3020bdf113
SHA1ace3f2d581e2f0467c81701624db41097624e3e6
SHA256f9ca96cb7a06f5aef062c233e4059201d84c27011e6bef3da291c46d118e67ba
SHA5128bdeb2df947aca2f321c8949c22b41a324ef0ea40fb7d2167246eb99e0a0d5d87e827578cc2277f9d5bea36ad7d23a61e0b1d2dbb152ccd5a2f5371bdecb5b75
-
Filesize
185KB
MD587da96422cbb87d1d5dddf3020bdf113
SHA1ace3f2d581e2f0467c81701624db41097624e3e6
SHA256f9ca96cb7a06f5aef062c233e4059201d84c27011e6bef3da291c46d118e67ba
SHA5128bdeb2df947aca2f321c8949c22b41a324ef0ea40fb7d2167246eb99e0a0d5d87e827578cc2277f9d5bea36ad7d23a61e0b1d2dbb152ccd5a2f5371bdecb5b75
-
Filesize
500B
MD5316b893cb8d745c9eef9570036c8b3ca
SHA1cbc6946021df5209ea26e10d001e7b147d2b93c6
SHA256f6914cb6b6ac49145bd1bd2bd2339ae0cbfedfdee06ff692ed87619ce4c5b945
SHA512ae09efc1870ba009c9c458ad48e755a2bc76a2338800eeaffc672c1b81700294cc646378b9597e02d7dac170c4ad0752eb969a7d567e1c913390401c69978ec8
-
Filesize
680B
MD50dd5377429a57612efdc15a9cfe56267
SHA190437bbacde93bbe5e2808b801ed843db186babd
SHA25698b015fece99228b9447afb9f427cd63be8415da0256b12dcfb9ed1f3b8a0d14
SHA512678b0daf543f08eeb17c7b4b575eab6e3002c08c53fea2ab6218c23f1c26aa2a5dcf7e2e54c3dc22ca74afcb9a92bdf801feeca0fbf7de1c852c93aeefca5fc5
-
Filesize
128B
MD5a5dcc7c9c08af7dddd82be5b036a4416
SHA14f998ca1526d199e355ffb435bae111a2779b994
SHA256e24033ceec97fd03402b03acaaabd1d1e378e83bb1683afbccac760e00f8ead5
SHA51256035de734836c0c39f0b48641c51c26adb6e79c6c65e23ca96603f71c95b8673e2ef853146e87efc899dd1878d0bbc2c82d91fbf0fce81c552048e986f9bb5a
-
Filesize
6KB
MD58958d73eee15ff6566a97afb119b41d6
SHA1f43d25ad3a587746108d2863c97512d7f15ce0b2
SHA256a4897d3b6ab56138ece84246e7635df1c71adf900fedeaf9a724dac4bc17d4bd
SHA512ca9d48cf490fbc7fec8d1814023cc5ca3b6a12a97165fb57781b72bf5211865c68468b16b223ae2495a472d713b95a544a357d199efff861f5ee390dbf16f255
-
Filesize
6KB
MD58958d73eee15ff6566a97afb119b41d6
SHA1f43d25ad3a587746108d2863c97512d7f15ce0b2
SHA256a4897d3b6ab56138ece84246e7635df1c71adf900fedeaf9a724dac4bc17d4bd
SHA512ca9d48cf490fbc7fec8d1814023cc5ca3b6a12a97165fb57781b72bf5211865c68468b16b223ae2495a472d713b95a544a357d199efff861f5ee390dbf16f255
-
Filesize
6KB
MD58958d73eee15ff6566a97afb119b41d6
SHA1f43d25ad3a587746108d2863c97512d7f15ce0b2
SHA256a4897d3b6ab56138ece84246e7635df1c71adf900fedeaf9a724dac4bc17d4bd
SHA512ca9d48cf490fbc7fec8d1814023cc5ca3b6a12a97165fb57781b72bf5211865c68468b16b223ae2495a472d713b95a544a357d199efff861f5ee390dbf16f255
-
Filesize
6KB
MD58958d73eee15ff6566a97afb119b41d6
SHA1f43d25ad3a587746108d2863c97512d7f15ce0b2
SHA256a4897d3b6ab56138ece84246e7635df1c71adf900fedeaf9a724dac4bc17d4bd
SHA512ca9d48cf490fbc7fec8d1814023cc5ca3b6a12a97165fb57781b72bf5211865c68468b16b223ae2495a472d713b95a544a357d199efff861f5ee390dbf16f255
-
Filesize
6KB
MD58958d73eee15ff6566a97afb119b41d6
SHA1f43d25ad3a587746108d2863c97512d7f15ce0b2
SHA256a4897d3b6ab56138ece84246e7635df1c71adf900fedeaf9a724dac4bc17d4bd
SHA512ca9d48cf490fbc7fec8d1814023cc5ca3b6a12a97165fb57781b72bf5211865c68468b16b223ae2495a472d713b95a544a357d199efff861f5ee390dbf16f255
-
Filesize
6KB
MD58958d73eee15ff6566a97afb119b41d6
SHA1f43d25ad3a587746108d2863c97512d7f15ce0b2
SHA256a4897d3b6ab56138ece84246e7635df1c71adf900fedeaf9a724dac4bc17d4bd
SHA512ca9d48cf490fbc7fec8d1814023cc5ca3b6a12a97165fb57781b72bf5211865c68468b16b223ae2495a472d713b95a544a357d199efff861f5ee390dbf16f255
-
Filesize
185KB
MD587da96422cbb87d1d5dddf3020bdf113
SHA1ace3f2d581e2f0467c81701624db41097624e3e6
SHA256f9ca96cb7a06f5aef062c233e4059201d84c27011e6bef3da291c46d118e67ba
SHA5128bdeb2df947aca2f321c8949c22b41a324ef0ea40fb7d2167246eb99e0a0d5d87e827578cc2277f9d5bea36ad7d23a61e0b1d2dbb152ccd5a2f5371bdecb5b75
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
80KB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB