Analysis
-
max time kernel
144s -
max time network
189s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
24-11-2022 16:39
Static task
static1
Behavioral task
behavioral1
Sample
f9e17c15bcd70bbdc2eb40e4015caf39fccedbe348aba1f8c050a175695bf169.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
f9e17c15bcd70bbdc2eb40e4015caf39fccedbe348aba1f8c050a175695bf169.exe
Resource
win10v2004-20220812-en
General
-
Target
f9e17c15bcd70bbdc2eb40e4015caf39fccedbe348aba1f8c050a175695bf169.exe
-
Size
36KB
-
MD5
66dfb7d761739f6262e8eb17e2ff789b
-
SHA1
2fb1aebcc10d1dca2d6bc806d445bb25e6141fb1
-
SHA256
f9e17c15bcd70bbdc2eb40e4015caf39fccedbe348aba1f8c050a175695bf169
-
SHA512
65583c58412b41b7f7af822ca40d5dd6856cd1ed1873e8afbe3f80648311b92d61431a1d4d270098a148562e7e04a77f26328c8ffbb48d146c7caacb51a4607b
-
SSDEEP
768:M6Qf5vKoOwfgMqF+qNUQrDjzyRfPEt2PN:M6Qf5vKoOwfrxqNUQr/zI8e
Malware Config
Signatures
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
f9e17c15bcd70bbdc2eb40e4015caf39fccedbe348aba1f8c050a175695bf169.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Chromium = "\"C:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe\"" f9e17c15bcd70bbdc2eb40e4015caf39fccedbe348aba1f8c050a175695bf169.exe -
Drops file in Windows directory 3 IoCs
Processes:
f9e17c15bcd70bbdc2eb40e4015caf39fccedbe348aba1f8c050a175695bf169.exedescription ioc process File created C:\Windows\dwmvs.exe f9e17c15bcd70bbdc2eb40e4015caf39fccedbe348aba1f8c050a175695bf169.exe File created C:\Windows\tplmk.exe f9e17c15bcd70bbdc2eb40e4015caf39fccedbe348aba1f8c050a175695bf169.exe File created C:\Windows\Interop.IWshRuntimeLibrary.dll f9e17c15bcd70bbdc2eb40e4015caf39fccedbe348aba1f8c050a175695bf169.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
f9e17c15bcd70bbdc2eb40e4015caf39fccedbe348aba1f8c050a175695bf169.exedescription pid process Token: SeDebugPrivilege 2032 f9e17c15bcd70bbdc2eb40e4015caf39fccedbe348aba1f8c050a175695bf169.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\f9e17c15bcd70bbdc2eb40e4015caf39fccedbe348aba1f8c050a175695bf169.exe"C:\Users\Admin\AppData\Local\Temp\f9e17c15bcd70bbdc2eb40e4015caf39fccedbe348aba1f8c050a175695bf169.exe"1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken