Analysis
- max time kernel: 164s
- max time network: 181s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24-11-2022 13:27
- Static task: static1
- Behavioral task: behavioral1
- Sample: 0e950eca49ee16e2629dca650b34f35a021dc9a56772e084cc9c8ff2754dfdda.exe
- Resource: win7-20221111-en
General
- Target: 0e950eca49ee16e2629dca650b34f35a021dc9a56772e084cc9c8ff2754dfdda.exe
- Size: 561KB
- MD5: e2edbdf4559a85cd198c10814871a6bc
- SHA1: 6fdc576b9a9bedf6c7ce20e827ca1a93f1267d55
- SHA256: 0e950eca49ee16e2629dca650b34f35a021dc9a56772e084cc9c8ff2754dfdda
- SHA512: a99ddb12fa68d785a5e3b176fd74b0ebb3db6f9a7a6635e26a344315724a277474e79cd84a913b2e29f3b7fe6db4323b1a0c5de5cafe43850469ba4d3d1b81ea
- SSDEEP: 12288:DHkGcrDdXoIu8YVlGxYl/5ozNfCOQgeYSSZiCJBp:7RciIu8YVlSe/5ozNmYSqi+p
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes (pid, process):
  4744  Windows Update.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes (description, ioc, process):
  Key value queried  \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation  0e950eca49ee16e2629dca650b34f35a021dc9a56772e084cc9c8ff2754dfdda.exe
- Drops desktop.ini file(s) (2 IoCs)
  Processes (description, ioc, process):
  File created  C:\Windows\assembly\Desktop.ini  0e950eca49ee16e2629dca650b34f35a021dc9a56772e084cc9c8ff2754dfdda.exe
  File opened for modification  C:\Windows\assembly\Desktop.ini  0e950eca49ee16e2629dca650b34f35a021dc9a56772e084cc9c8ff2754dfdda.exe
- Drops file in Windows directory (3 IoCs)
  Processes (description, ioc, process):
  File opened for modification  C:\Windows\assembly  0e950eca49ee16e2629dca650b34f35a021dc9a56772e084cc9c8ff2754dfdda.exe
  File created  C:\Windows\assembly\Desktop.ini  0e950eca49ee16e2629dca650b34f35a021dc9a56772e084cc9c8ff2754dfdda.exe
  File opened for modification  C:\Windows\assembly\Desktop.ini  0e950eca49ee16e2629dca650b34f35a021dc9a56772e084cc9c8ff2754dfdda.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (6 IoCs)
  Processes (description, pid, process):
  Token: SeDebugPrivilege  1072  0e950eca49ee16e2629dca650b34f35a021dc9a56772e084cc9c8ff2754dfdda.exe
  Token: 33  1072  0e950eca49ee16e2629dca650b34f35a021dc9a56772e084cc9c8ff2754dfdda.exe
  Token: SeIncBasePriorityPrivilege  1072  0e950eca49ee16e2629dca650b34f35a021dc9a56772e084cc9c8ff2754dfdda.exe
  Token: SeDebugPrivilege  4744  Windows Update.exe
  Token: 33  4744  Windows Update.exe
  Token: SeIncBasePriorityPrivilege  4744  Windows Update.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes (description, pid, process, target process):
  PID 1072 wrote to memory of 4744  1072  0e950eca49ee16e2629dca650b34f35a021dc9a56772e084cc9c8ff2754dfdda.exe  Windows Update.exe
  PID 1072 wrote to memory of 4744  1072  0e950eca49ee16e2629dca650b34f35a021dc9a56772e084cc9c8ff2754dfdda.exe  Windows Update.exe
  PID 1072 wrote to memory of 4744  1072  0e950eca49ee16e2629dca650b34f35a021dc9a56772e084cc9c8ff2754dfdda.exe  Windows Update.exe
Processes
- (1) C:\Users\Admin\AppData\Local\Temp\0e950eca49ee16e2629dca650b34f35a021dc9a56772e084cc9c8ff2754dfdda.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0e950eca49ee16e2629dca650b34f35a021dc9a56772e084cc9c8ff2754dfdda.exe"
  - Checks computer location settings
  - Drops desktop.ini file(s)
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - (2) C:\Users\Admin\AppData\Roaming\Windows Update.exe (child of process 1)
    Command line: "C:\Users\Admin\AppData\Roaming\Windows Update.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\SysInfo.txt
  Filesize: 102B
  MD5: 2604d7ffddc312ead7c9c41be977afe8
  SHA1: c7c7658bd8d4da6a3737d5bfaa4607d22ec44e53
  SHA256: 32d557da5c5805f32d343689da4fdadadc887c6a95e1a099883ce9694d501c49
  SHA512: 2812c90efb8305df394b8771fb95bec938893726192aa25272dc5afb6ec2d2ab2c5eb087da26130c2740db9f6890469392f1f55639a2624179b0c97e01981c1b
- C:\Users\Admin\AppData\Roaming\Windows Update.exe
  Filesize: 561KB
  MD5: e2edbdf4559a85cd198c10814871a6bc
  SHA1: 6fdc576b9a9bedf6c7ce20e827ca1a93f1267d55
  SHA256: 0e950eca49ee16e2629dca650b34f35a021dc9a56772e084cc9c8ff2754dfdda
  SHA512: a99ddb12fa68d785a5e3b176fd74b0ebb3db6f9a7a6635e26a344315724a277474e79cd84a913b2e29f3b7fe6db4323b1a0c5de5cafe43850469ba4d3d1b81ea
- memory/1072-132-0x0000000074AE0000-0x0000000075091000-memory.dmp
  Filesize: 5.7MB
- memory/1072-133-0x0000000074AE0000-0x0000000075091000-memory.dmp
  Filesize: 5.7MB
- memory/1072-138-0x0000000074AE0000-0x0000000075091000-memory.dmp
  Filesize: 5.7MB
- memory/4744-134-0x0000000000000000-mapping.dmp
- memory/4744-137-0x0000000074AE0000-0x0000000075091000-memory.dmp
  Filesize: 5.7MB
- memory/4744-139-0x0000000074AE0000-0x0000000075091000-memory.dmp
  Filesize: 5.7MB