Analysis
- max time kernel: 150s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24-11-2022 16:46
Static task
- static1
Behavioral task
- behavioral1
  Sample: f7f47bc3421b0a7d260d24c4742e7d6a2d8a2e79898997db88a5aac4f5ced136.exe
  Resource: win7-20220812-en
Behavioral task
- behavioral2
  Sample: f7f47bc3421b0a7d260d24c4742e7d6a2d8a2e79898997db88a5aac4f5ced136.exe
  Resource: win10v2004-20220901-en
General
- Target: f7f47bc3421b0a7d260d24c4742e7d6a2d8a2e79898997db88a5aac4f5ced136.exe
- Size: 568KB
- MD5: 0eaee80c6c081e6bd04d5126467f007c
- SHA1: cffb2257aab9868c7b2d71462d4cdc3ae1e55a97
- SHA256: f7f47bc3421b0a7d260d24c4742e7d6a2d8a2e79898997db88a5aac4f5ced136
- SHA512: 6333efcceb377cdf557d3b4f9c5a8ec5430052f95a633786dde941f525b04750f61f511bf7c3f64ca88526b87ef68d9447e9eb9783b9956b5fe13b0f87b10bd5
- SSDEEP: 12288:xiQobmPYDqHinL62tFl1GwH5Gf2RwugAbYqBgROjqNOTOXZ1CHL8ifYw2td7kK:xbVYOinLnN1HGf2Jb3gRhjMxYwIIK
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
    pid  | process
    4404 | 3EAB.tmp
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence check.
  Processes:
    description       | ioc                                                                                                 | process
    Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | f7f47bc3421b0a7d260d24c4742e7d6a2d8a2e79898997db88a5aac4f5ced136.exe
- Adds Run key to start application (2 TTPs, 4 IoCs)
  Processes:
    description     | ioc                                                                                                                        | process
    Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RunUpdate = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\f7f47bc3421b0a7d260d24c4742e7d6a2d8a2e79898997db88a5aac4f5ced136.exe\" /s /n /i:U shell32.dll" | reg.exe
    Key created     | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run                 | reg.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\                | reg.exe
    Key created     | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run                 | reg.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid  | process
    2044 | f7f47bc3421b0a7d260d24c4742e7d6a2d8a2e79898997db88a5aac4f5ced136.exe
    2044 | f7f47bc3421b0a7d260d24c4742e7d6a2d8a2e79898997db88a5aac4f5ced136.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes:
    pid | process
    980 | Explorer.EXE
- Suspicious behavior: RenamesItself (1 IoC)
  Processes:
    pid  | process
    2328 | cmd.exe
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Processes:
    description                      | pid  | process
    Token: SeDebugPrivilege          | 4404 | 3EAB.tmp
    Token: SeShutdownPrivilege       | 980  | Explorer.EXE
    Token: SeCreatePagefilePrivilege | 980  | Explorer.EXE
    Token: SeShutdownPrivilege       | 980  | Explorer.EXE
    Token: SeCreatePagefilePrivilege | 980  | Explorer.EXE
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
    description                      | pid  | process                                                              | target process
    PID 2044 wrote to memory of 2328 | 2044 | f7f47bc3421b0a7d260d24c4742e7d6a2d8a2e79898997db88a5aac4f5ced136.exe | cmd.exe
    PID 2044 wrote to memory of 2328 | 2044 | f7f47bc3421b0a7d260d24c4742e7d6a2d8a2e79898997db88a5aac4f5ced136.exe | cmd.exe
    PID 2044 wrote to memory of 2328 | 2044 | f7f47bc3421b0a7d260d24c4742e7d6a2d8a2e79898997db88a5aac4f5ced136.exe | cmd.exe
    PID 2328 wrote to memory of 4360 | 2328 | cmd.exe                                                              | reg.exe
    PID 2328 wrote to memory of 4360 | 2328 | cmd.exe                                                              | reg.exe
    PID 2328 wrote to memory of 4360 | 2328 | cmd.exe                                                              | reg.exe
    PID 2328 wrote to memory of 4464 | 2328 | cmd.exe                                                              | reg.exe
    PID 2328 wrote to memory of 4464 | 2328 | cmd.exe                                                              | reg.exe
    PID 2328 wrote to memory of 4464 | 2328 | cmd.exe                                                              | reg.exe
    PID 2044 wrote to memory of 4404 | 2044 | f7f47bc3421b0a7d260d24c4742e7d6a2d8a2e79898997db88a5aac4f5ced136.exe | 3EAB.tmp
    PID 2044 wrote to memory of 4404 | 2044 | f7f47bc3421b0a7d260d24c4742e7d6a2d8a2e79898997db88a5aac4f5ced136.exe | 3EAB.tmp
    PID 4404 wrote to memory of 980  | 4404 | 3EAB.tmp                                                             | Explorer.EXE
Processes
- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\f7f47bc3421b0a7d260d24c4742e7d6a2d8a2e79898997db88a5aac4f5ced136.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\f7f47bc3421b0a7d260d24c4742e7d6a2d8a2e79898997db88a5aac4f5ced136.exe"
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\update.bat" "
      - Suspicious behavior: RenamesItself
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\reg.exe
        Command line: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /f
        - Adds Run key to start application
      - C:\Windows\SysWOW64\reg.exe
        Command line: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /f /v RunUpdate /d "\"C:\Users\Admin\AppData\Roaming\Microsoft\f7f47bc3421b0a7d260d24c4742e7d6a2d8a2e79898997db88a5aac4f5ced136.exe\" /s /n /i:U shell32.dll"
        - Adds Run key to start application
    - C:\Users\Admin\AppData\Local\Temp\3EAB.tmp
      Command line: "C:\Users\Admin\AppData\Local\Temp\3EAB.tmp" 980 "C:\Users\Admin\AppData\Roaming\Microsoft\nnutil32.dll"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\3EAB.tmp
  Filesize: 40KB
  MD5: bd8006863eec2250b2727c714f0edfa7
  SHA1: f689dcf31b552da3007a76908a37077396cdcac2
  SHA256: bd2a1a54c68469ce7026b8f07c7edfbd9799fffdc00cf0e59e60a959eb136668
  SHA512: e2957c883a4f528e2edfbb56b8d74b35faafcd48af355c2dafd8ffddaaa25617f8ed4d6b231fd80950fdf8bc47e58b18158cf4575e17db8003819458fea1a21c
- C:\Users\Admin\AppData\Local\Temp\update.bat
  Filesize: 710B
  MD5: 3f377ebb87b762d0695633a650fb5372
  SHA1: 2f17d72d5bc864674fecd4d9432090c5b8661df5
  SHA256: 2ab976fb689e6ea1a7f44134894d5c8c7148cf81a32bb470939f1a7391c88f92
  SHA512: f30f2257faf65f61b419d6cd97bc603301db973b002c4fdf07920576418d91a456cf2071f5cdfcf9b60ece7dea95285c3af9d04855a142a66193c3e853e5c065
- memory/980-139-0x00000000030E0000-0x00000000030F0000-memory.dmp (Filesize: 64KB)
- memory/980-140-0x0000000002FF0000-0x0000000003000000-memory.dmp (Filesize: 64KB)
- memory/980-141-0x0000000003000000-0x0000000003010000-memory.dmp (Filesize: 64KB)
- memory/980-142-0x0000000003000000-0x0000000003010000-memory.dmp (Filesize: 64KB)
- memory/2328-132-0x0000000000000000-mapping.dmp
- memory/4360-134-0x0000000000000000-mapping.dmp
- memory/4404-136-0x0000000000000000-mapping.dmp
- memory/4464-135-0x0000000000000000-mapping.dmp