Analysis
-
max time kernel
151s -
max time network
189s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20221111-en locale:en-us os:windows10-2004-x64 system -
submitted
24-11-2022 17:06
Static task
static1
Behavioral task
behavioral1
Sample
f210373e0eef030d2715eb802466944a88025cfd0710dbb39cc4f12df1dd2404.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
f210373e0eef030d2715eb802466944a88025cfd0710dbb39cc4f12df1dd2404.exe
Resource
win10v2004-20221111-en
General
-
Target
f210373e0eef030d2715eb802466944a88025cfd0710dbb39cc4f12df1dd2404.exe
-
Size
683KB
-
MD5
7c63776d07a39aac19600d15abeec0ac
-
SHA1
64213eb74eb8793f014cf0e52b26f7373d5e32f1
-
SHA256
f210373e0eef030d2715eb802466944a88025cfd0710dbb39cc4f12df1dd2404
-
SHA512
0e466c95297b3fc587cc13c83f989f1d64e4bd065f2e9d1beca49071865e144f229ecf32f2c76292b27cd9eaa06ff188499012fdfec3b1967afcebff4f98a0b3
-
SSDEEP
12288:+MlybpQTJ17OtqDkyJfXCdj6kD4Y8akRcCbmwKqgTt/:nRJ1isfFSdPDr8ak3mwKqgTN
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: f210373e0eef030d2715eb802466944a88025cfd0710dbb39cc4f12df1dd2404.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Control Panel\International\Geo\Nation | f210373e0eef030d2715eb802466944a88025cfd0710dbb39cc4f12df1dd2404.exe
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes: reg.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Software\Microsoft\Windows\CurrentVersion\Run | reg.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Java(TM) Platform SE Auto Executer = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Java\\jusched.exe.lnk" | reg.exe
-
Drops desktop.ini file(s) 2 IoCs
Processes: f210373e0eef030d2715eb802466944a88025cfd0710dbb39cc4f12df1dd2404.exe
description | ioc | process
File created | C:\Windows\assembly\Desktop.ini | f210373e0eef030d2715eb802466944a88025cfd0710dbb39cc4f12df1dd2404.exe
File opened for modification | C:\Windows\assembly\Desktop.ini | f210373e0eef030d2715eb802466944a88025cfd0710dbb39cc4f12df1dd2404.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes: f210373e0eef030d2715eb802466944a88025cfd0710dbb39cc4f12df1dd2404.exe
description | pid | process | target process
PID 4848 set thread context of 3216 | 4848 | f210373e0eef030d2715eb802466944a88025cfd0710dbb39cc4f12df1dd2404.exe | f210373e0eef030d2715eb802466944a88025cfd0710dbb39cc4f12df1dd2404.exe
-
Drops file in Windows directory 3 IoCs
Processes: f210373e0eef030d2715eb802466944a88025cfd0710dbb39cc4f12df1dd2404.exe
description | ioc | process
File opened for modification | C:\Windows\assembly | f210373e0eef030d2715eb802466944a88025cfd0710dbb39cc4f12df1dd2404.exe
File created | C:\Windows\assembly\Desktop.ini | f210373e0eef030d2715eb802466944a88025cfd0710dbb39cc4f12df1dd2404.exe
File opened for modification | C:\Windows\assembly\Desktop.ini | f210373e0eef030d2715eb802466944a88025cfd0710dbb39cc4f12df1dd2404.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox labels this as likely ransomware behaviour; nothing else in this report (no file encryption, no ransom note, no mass file writes) corroborates that, so treat the label as a generic heuristic rather than a finding.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes: f210373e0eef030d2715eb802466944a88025cfd0710dbb39cc4f12df1dd2404.exe
pid | process
4848 | f210373e0eef030d2715eb802466944a88025cfd0710dbb39cc4f12df1dd2404.exe
4848 | f210373e0eef030d2715eb802466944a88025cfd0710dbb39cc4f12df1dd2404.exe
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: f210373e0eef030d2715eb802466944a88025cfd0710dbb39cc4f12df1dd2404.exe
pid | process
3216 | f210373e0eef030d2715eb802466944a88025cfd0710dbb39cc4f12df1dd2404.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes: f210373e0eef030d2715eb802466944a88025cfd0710dbb39cc4f12df1dd2404.exe (PID 4848), f210373e0eef030d2715eb802466944a88025cfd0710dbb39cc4f12df1dd2404.exe (PID 3216)
description | pid | process
Token: SeDebugPrivilege | 4848 | f210373e0eef030d2715eb802466944a88025cfd0710dbb39cc4f12df1dd2404.exe
Token: SeDebugPrivilege | 3216 | f210373e0eef030d2715eb802466944a88025cfd0710dbb39cc4f12df1dd2404.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes: f210373e0eef030d2715eb802466944a88025cfd0710dbb39cc4f12df1dd2404.exe
pid | process
3216 | f210373e0eef030d2715eb802466944a88025cfd0710dbb39cc4f12df1dd2404.exe
-
Suspicious use of WriteProcessMemory 14 IoCs
Processes: f210373e0eef030d2715eb802466944a88025cfd0710dbb39cc4f12df1dd2404.exe, cmd.exe
description | pid | process | target process
PID 4848 wrote to memory of 5108 | 4848 | f210373e0eef030d2715eb802466944a88025cfd0710dbb39cc4f12df1dd2404.exe | cmd.exe
PID 4848 wrote to memory of 5108 | 4848 | f210373e0eef030d2715eb802466944a88025cfd0710dbb39cc4f12df1dd2404.exe | cmd.exe
PID 4848 wrote to memory of 5108 | 4848 | f210373e0eef030d2715eb802466944a88025cfd0710dbb39cc4f12df1dd2404.exe | cmd.exe
PID 5108 wrote to memory of 4252 | 5108 | cmd.exe | reg.exe
PID 5108 wrote to memory of 4252 | 5108 | cmd.exe | reg.exe
PID 5108 wrote to memory of 4252 | 5108 | cmd.exe | reg.exe
PID 4848 wrote to memory of 3216 | 4848 | f210373e0eef030d2715eb802466944a88025cfd0710dbb39cc4f12df1dd2404.exe | f210373e0eef030d2715eb802466944a88025cfd0710dbb39cc4f12df1dd2404.exe
PID 4848 wrote to memory of 3216 | 4848 | f210373e0eef030d2715eb802466944a88025cfd0710dbb39cc4f12df1dd2404.exe | f210373e0eef030d2715eb802466944a88025cfd0710dbb39cc4f12df1dd2404.exe
PID 4848 wrote to memory of 3216 | 4848 | f210373e0eef030d2715eb802466944a88025cfd0710dbb39cc4f12df1dd2404.exe | f210373e0eef030d2715eb802466944a88025cfd0710dbb39cc4f12df1dd2404.exe
PID 4848 wrote to memory of 3216 | 4848 | f210373e0eef030d2715eb802466944a88025cfd0710dbb39cc4f12df1dd2404.exe | f210373e0eef030d2715eb802466944a88025cfd0710dbb39cc4f12df1dd2404.exe
PID 4848 wrote to memory of 3216 | 4848 | f210373e0eef030d2715eb802466944a88025cfd0710dbb39cc4f12df1dd2404.exe | f210373e0eef030d2715eb802466944a88025cfd0710dbb39cc4f12df1dd2404.exe
PID 4848 wrote to memory of 3216 | 4848 | f210373e0eef030d2715eb802466944a88025cfd0710dbb39cc4f12df1dd2404.exe | f210373e0eef030d2715eb802466944a88025cfd0710dbb39cc4f12df1dd2404.exe
PID 4848 wrote to memory of 3216 | 4848 | f210373e0eef030d2715eb802466944a88025cfd0710dbb39cc4f12df1dd2404.exe | f210373e0eef030d2715eb802466944a88025cfd0710dbb39cc4f12df1dd2404.exe
PID 4848 wrote to memory of 3216 | 4848 | f210373e0eef030d2715eb802466944a88025cfd0710dbb39cc4f12df1dd2404.exe | f210373e0eef030d2715eb802466944a88025cfd0710dbb39cc4f12df1dd2404.exe
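Read together, the SetThreadContext and WriteProcessMemory signatures describe a self-hollowing: PID 4848 spawns a second copy of its own image (PID 3216), writes into it eight times, then sets its thread context, and it is 3216, not 4848, that goes on to trip the SetWindowsHookEx and GetForegroundWindowSpam signatures. The 296KB region later dumped from 3216 at 0x400000-0x44A000 sits at the default 32-bit image base (the parent is 32-bit: it spawns SysWOW64\cmd.exe), which is where a hollowed payload would be expected. The following is an added example, not part of this report or of the sandbox's own tooling: it parses event lines in the flattened "PID <src> <verb> of <dst> <src> <src image> <dst image>" shape used above and flags source/target pairs that combine memory writes with SetThreadContext. The sample input is constructed, reduced to five lines from the report's fifteen; the parent-to-child writes the sandbox records for every ordinary spawn (4848 to cmd.exe, cmd.exe to reg.exe) are deliberately not enough on their own to raise a hit.

```python
import re
from dataclasses import dataclass

# Constructed sample: the same flattened event shape as the report, reduced to one
# "wrote to memory" line per ordinary spawn and two for the self-spawned child, plus the
# single "set thread context" line. Counts are therefore lower than the report's.
SAMPLE = "f210373e0eef030d2715eb802466944a88025cfd0710dbb39cc4f12df1dd2404.exe"
SAMPLE_EVENTS = f"""
PID 4848 wrote to memory of 5108 4848 {SAMPLE} cmd.exe
PID 5108 wrote to memory of 4252 5108 cmd.exe reg.exe
PID 4848 wrote to memory of 3216 4848 {SAMPLE} {SAMPLE}
PID 4848 wrote to memory of 3216 4848 {SAMPLE} {SAMPLE}
PID 4848 set thread context of 3216 4848 {SAMPLE} {SAMPLE}
"""

EVENT_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<verb>wrote to memory|set thread context) of (?P<dst>\d+) "
    r"\d+ (?P<src_img>\S+) (?P<dst_img>\S+)$"
)


@dataclass
class Edge:
    """What one source process did to one target process."""
    source_image: str
    target_image: str
    writes: int = 0
    set_context: bool = False


def parse_events(text):
    """Aggregate the report's per-call lines into one Edge per (source pid, target pid)."""
    edges = {}
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue  # blank line or a line in another shape: skip, do not guess
        key = (int(m["src"]), int(m["dst"]))
        edge = edges.setdefault(key, Edge(m["src_img"], m["dst_img"]))
        if m["verb"] == "wrote to memory":
            edge.writes += 1
        else:
            edge.set_context = True
    return edges


def find_hollowing(edges):
    """Flag pairs where the source both wrote into the target and set a thread context in it.

    Writes alone are noise here: the sandbox logs a parent-to-child write for every spawn.
    Write plus SetThreadContext on the same target is the process-hollowing sequence
    (spawn, overwrite the image, redirect the thread, resume); a target running the same
    image as its source is the self-hollowing variant this report shows.
    """
    hits = []
    for (src, dst), e in edges.items():
        if e.writes and e.set_context:
            hits.append({
                "source_pid": src, "target_pid": dst,
                "source_image": e.source_image, "target_image": e.target_image,
                "writes": e.writes, "same_image": e.source_image == e.target_image,
            })
    return hits


if __name__ == "__main__":
    for hit in find_hollowing(parse_events(SAMPLE_EVENTS)):
        print(hit)
```

On a real host the same pairing is available from an EDR's process-access telemetry (write plus thread-context change on a suspended child); the parser here only exists so the check can be exercised against the report's own lines.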
Processes
-
[1] C:\Users\Admin\AppData\Local\Temp\f210373e0eef030d2715eb802466944a88025cfd0710dbb39cc4f12df1dd2404.exe (PID 4848)
    command line: "C:\Users\Admin\AppData\Local\Temp\f210373e0eef030d2715eb802466944a88025cfd0710dbb39cc4f12df1dd2404.exe"
    - Checks computer location settings
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\SysWOW64\cmd.exe (PID 5108)
        command line: "C:\Windows\system32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Java(TM) Platform SE Auto Executer" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Java\jusched.exe.lnk"
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\reg.exe (PID 4252)
            command line: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Java(TM) Platform SE Auto Executer" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Java\jusched.exe.lnk"
            - Adds Run key to start application
    [2] C:\Users\Admin\AppData\Local\Temp\f210373e0eef030d2715eb802466944a88025cfd0710dbb39cc4f12df1dd2404.exe (PID 3216)
        command line: "C:\Users\Admin\AppData\Local\Temp\f210373e0eef030d2715eb802466944a88025cfd0710dbb39cc4f12df1dd2404.exe"
        - Drops desktop.ini file(s)
        - Drops file in Windows directory
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
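The persistence step in this tree is a single reg.exe command line, and it is worth turning into a check: a HKCU Run value named after the Java update scheduler whose data is a .lnk under the user's Temp folder. The following is an added example, not from this report or from the sandbox that produced it. It parses `reg add` command lines as they would appear in process-creation telemetry and returns the traits this sample trips. The inputs are the report's own reg.exe command line plus two constructed lines for contrast; the vendor-masquerade heuristic assumes that a legitimate jusched.exe lives under Program Files, where Oracle's installer places it. The sandbox's registry-IoC form (\REGISTRY\USER\<SID>\SOFTWARE\...) is not parsed by this example; only command lines are.

```python
import re

# Tokenizer for Windows command lines: a double-quoted run (quotes dropped) or a bare word.
TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')

# Autostart key paths (lower-case, hive stripped) treated as persistence locations.
RUN_KEY_PATHS = (
    r"software\microsoft\windows\currentversion\run",
    r"software\microsoft\windows\currentversion\runonce",
)


def tokenize(cmdline):
    return [m.group(1) if m.group(1) is not None else m.group(2)
            for m in TOKEN_RE.finditer(cmdline)]


def parse_reg_add(cmdline):
    """Parse `reg add <key> [/v name] [/t type] [/d data] [/f]`; None if not a reg add."""
    toks = tokenize(cmdline)
    for i, tok in enumerate(toks):
        exe = tok.lower().rsplit("\\", 1)[-1]  # accept bare "reg" or a full path to reg.exe
        if exe in ("reg", "reg.exe") and i + 1 < len(toks) and toks[i + 1].lower() == "add":
            break
    else:
        return None
    args = toks[i + 2:]
    if not args:
        return None
    # REG_SZ is reg.exe's default when /t is omitted.
    entry = {"key": args[0], "value": None, "type": "REG_SZ", "data": None}
    j = 1
    while j < len(args):
        flag = args[j].lower()
        if flag in ("/v", "/t", "/d") and j + 1 < len(args):
            entry[{"/v": "value", "/t": "type", "/d": "data"}[flag]] = args[j + 1]
            j += 2
        else:
            j += 1  # /f and anything unrecognised
    return entry


def persistence_indicators(entry):
    """Traits matched by a parsed reg add; empty list if the key is not an autostart location.

    Heuristics are the ones this sample trips: Run key, payload under the user's Temp
    folder, payload is a .lnk, and a value name claiming Java while pointing outside
    Program Files (assumption: the real jusched.exe is installed under Program Files).
    """
    _hive, _, path = entry["key"].lower().partition("\\")
    if path.rstrip("\\") not in RUN_KEY_PATHS:
        return []
    reasons = ["run-key"]
    data = (entry["data"] or "").lower()
    name = (entry["value"] or "").lower()
    if "\\appdata\\local\\temp\\" in data:
        reasons.append("payload-in-user-temp")
    if data.endswith(".lnk"):
        reasons.append("payload-is-lnk")
    if "java" in name and "\\program files" not in data:
        reasons.append("vendor-name-masquerade")
    return reasons


# First line is the reg.exe command line from this report; the other two are constructed.
SAMPLE_CMDLINES = [
    r'reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Java(TM) Platform SE Auto Executer" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Java\jusched.exe.lnk"',
    r'reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v SecurityHealth /t REG_EXPAND_SZ /d "%windir%\system32\SecurityHealthSystray.exe" /f',  # constructed, benign-looking
    r'reg add HKCU\Software\ExampleApp /v InstallDir /d "C:\Program Files\ExampleApp"',  # constructed, not an autostart key
]


def scan(cmdlines):
    """Return the indicator list for each command line (empty for non-reg-add lines)."""
    results = []
    for c in cmdlines:
        e = parse_reg_add(c)
        results.append(persistence_indicators(e) if e else [])
    return results


if __name__ == "__main__":
    for c, r in zip(SAMPLE_CMDLINES, scan(SAMPLE_CMDLINES)):
        print(r, "<-", c)
```

Run against Sysmon Event ID 1 or equivalent process-creation logs, the second constructed line shows why "Run key" alone is a poor alert: legitimate installers write there too, and it is the combination with a Temp-resident .lnk and a borrowed vendor name that makes the report's entry stand out.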
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/3216-136-0x0000000000000000-mapping.dmp
- memory/3216-137-0x0000000000400000-0x000000000044A000-memory.dmp (Filesize 296KB)
- memory/3216-138-0x0000000074750000-0x0000000074D01000-memory.dmp (Filesize 5.7MB)
- memory/3216-139-0x0000000074750000-0x0000000074D01000-memory.dmp (Filesize 5.7MB)
- memory/4252-135-0x0000000000000000-mapping.dmp
- memory/4848-132-0x0000000074750000-0x0000000074D01000-memory.dmp (Filesize 5.7MB)
- memory/4848-133-0x0000000074750000-0x0000000074D01000-memory.dmp (Filesize 5.7MB)
- memory/5108-134-0x0000000000000000-mapping.dmp