Analysis
max time kernel: 204s
max time network: 209s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-11-2022 19:35
Static task
static1
Behavioral task
behavioral1
Sample
c4a0d874ecbaf3865c3907f3fbd89014b5953cb9d5c8ca69a72c1a83e2143e96.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
c4a0d874ecbaf3865c3907f3fbd89014b5953cb9d5c8ca69a72c1a83e2143e96.exe
Resource
win10v2004-20221111-en
General
Target: c4a0d874ecbaf3865c3907f3fbd89014b5953cb9d5c8ca69a72c1a83e2143e96.exe
Size: 207KB
MD5: 1dd570fecefd5c56cb21ed7ee72c8b41
SHA1: 0fb3a84783f1342cc68afa053961f16d1280ea6e
SHA256: c4a0d874ecbaf3865c3907f3fbd89014b5953cb9d5c8ca69a72c1a83e2143e96
SHA512: ff9ebebb8bb2e8ee414477dff5a95542dc5d8ba25c63c1c2c45adac6ecfd9bfbe08e8bf32c564fa30601a2e4ae02f6f017ae0491383740a11d778e4d3e2a3589
SSDEEP: 3072:m9Va9YHpRXusg+nNAxL70OUizr1QtrXvtQo+r+D2fL5rC63Q77NOmYZAWkdJqxLu:Hf9dQ7JQ3kdM/9ikg/8KJnz8
Malware Config
Signatures
Executes dropped EXE (1 IoC)
Processes (pid / process):
  3440  explorer.exe

Modifies Windows Firewall (1 TTP, 1 IoC)
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, most likely as a geofence check.
Processes (description / ioc / process):
  Key value queried
    \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation
    c4a0d874ecbaf3865c3907f3fbd89014b5953cb9d5c8ca69a72c1a83e2143e96.exe
Drops startup file (2 IoCs)
Processes (description / ioc / process):
  File created
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\08f4dc96bbb7af09d1a37fe35c75a42f.exe
    explorer.exe
  File opened for modification
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\08f4dc96bbb7af09d1a37fe35c75a42f.exe
    explorer.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes (description / ioc / process):
  Set value (str)
    \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\08f4dc96bbb7af09d1a37fe35c75a42f = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\explorer.exe\" .."
    explorer.exe
  Set value (str)
    \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\08f4dc96bbb7af09d1a37fe35c75a42f = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\explorer.exe\" .."
    explorer.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox tags this as likely ransomware behaviour, but drive enumeration on its own is just as common in loaders, RATs and installers; nothing else in this report (no mass file modification, no ransom note, no encryption-related activity) supports a ransomware verdict.
Suspicious behavior: EnumeratesProcesses (23 IoCs)
Processes (pid / process):
  3440  explorer.exe  (23 occurrences)

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes (description / pid / process):
  Token: SeDebugPrivilege  3440  explorer.exe

Suspicious use of WriteProcessMemory (4 IoCs)
Processes (description / pid / process / target process):
  PID 1412 wrote to memory of 3440  1412  c4a0d874ecbaf3865c3907f3fbd89014b5953cb9d5c8ca69a72c1a83e2143e96.exe  explorer.exe
  PID 1412 wrote to memory of 3440  1412  c4a0d874ecbaf3865c3907f3fbd89014b5953cb9d5c8ca69a72c1a83e2143e96.exe  explorer.exe
  PID 3440 wrote to memory of 1644  3440  explorer.exe  netsh.exe
  PID 3440 wrote to memory of 1644  3440  explorer.exe  netsh.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\c4a0d874ecbaf3865c3907f3fbd89014b5953cb9d5c8ca69a72c1a83e2143e96.exe  (pid 1412)
   Command line: "C:\Users\Admin\AppData\Local\Temp\c4a0d874ecbaf3865c3907f3fbd89014b5953cb9d5c8ca69a72c1a83e2143e96.exe"
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\explorer.exe  (pid 3440, child of 1412)
      Command line: "C:\Users\Admin\AppData\Local\Temp\explorer.exe"
      - Executes dropped EXE
      - Drops startup file
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SYSTEM32\netsh.exe  (pid 1644, child of 3440)
         Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\explorer.exe" "explorer.exe" ENABLE
         - Modifies Windows Firewall
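Hunting for this chain in endpoint telemetry, as an added example that is not part of the sandbox report: the Python below runs four checks over Sysmon-shaped events (Event ID 1 process creation, 10 process access, 11 file creation, 13 registry value set) constructed from the IoCs above. Assumptions: field names follow Sysmon's schema, HKU\<SID> stands in for the report's \REGISTRY\USER\<SID> prefix, and the ATT&CK IDs are current sub-technique IDs rather than the v6 matrix the report links to. Two things the report shows that this cannot catch from Sysmon alone: the Geo\Nation lookup (Sysmon does not log registry reads) and WriteProcessMemory itself (Event 10 records the access rights granted on the target handle, so VM_WRITE together with VM_OPERATION from a profile-resident image is the proxy). The netsh check matches both the legacy `netsh firewall` syntax the sample uses, which Windows 10 still honours, and the current `netsh advfirewall` allow-rule form.

```python
"""Hunt for the chain this report records over Sysmon-shaped events:
a copy of the sample running as %TEMP%\\explorer.exe, Run-key and
Startup-folder persistence, a netsh firewall exception, and memory
writes into a child process.

Added example, not part of the sandbox report. SAMPLE_EVENTS are
constructed from the report's IoCs using Sysmon field names (Event IDs
1, 10, 11, 13); HKU\\<SID> stands in for \\REGISTRY\\USER\\<SID>.
"""
import re

# Run-key value under either HKU\<SID> or HKLM.
RUN_KEY = re.compile(r"\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\[^\\]+$", re.I)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
USER_WRITABLE = re.compile(r"^[a-z]:\\Users\\[^\\]+\\AppData\\", re.I)
# Legacy 'netsh firewall' (used by the sample; still honoured on Windows 10)
# and the current 'netsh advfirewall' allow-rule syntax.
NETSH_ALLOW = re.compile(
    r"netsh(\.exe)?\s+(firewall\s+add\s+allowedprogram"
    r"|advfirewall\s+firewall\s+add\s+rule\b.*\baction=allow)", re.I)
# Binaries that have no business running from outside C:\Windows.
WINDOWS_ONLY_NAMES = {"explorer.exe", "svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe"}
PROCESS_VM_OPERATION, PROCESS_VM_WRITE = 0x0008, 0x0020


def first_exe(details):
    """Image path from a Run-key value such as '"C:\\x\\a.exe" ..' (quotes and args dropped)."""
    m = re.match(r'\s*"?([^"]+?\.exe)"?', details, re.I)
    return m.group(1) if m else details


def analyze(events):
    """Return (attack_id, rule, process, evidence) tuples; IDs are current sub-technique IDs."""
    findings = []
    for ev in events:
        eid = ev["EventID"]
        if eid == 13 and RUN_KEY.search(ev["TargetObject"]):
            # Autostart entry pointing into the user's profile: T1547.001.
            if USER_WRITABLE.search(first_exe(ev["Details"])):
                findings.append(("T1547.001", "run_key_to_user_writable_path", ev["Image"], ev["TargetObject"]))
        elif eid == 11 and STARTUP_DIR.search(ev["TargetFilename"]):
            findings.append(("T1547.001", "startup_folder_drop", ev["Image"], ev["TargetFilename"]))
        elif eid == 1:
            image = ev["Image"]
            if image.rsplit("\\", 1)[-1].lower() in WINDOWS_ONLY_NAMES and not image.lower().startswith("c:\\windows\\"):
                findings.append(("T1036.005", "system_binary_name_outside_windows", image, ev["ParentImage"]))
            if NETSH_ALLOW.search(ev["CommandLine"]):
                findings.append(("T1562.004", "firewall_exception_added", ev["ParentImage"], ev["CommandLine"]))
        elif eid == 10:
            # Sysmon does not log WriteProcessMemory itself; Event 10 records the rights granted
            # on the handle, so VM_WRITE|VM_OPERATION from a profile-resident image is the proxy.
            access = int(ev["GrantedAccess"], 16)
            if access & PROCESS_VM_WRITE and access & PROCESS_VM_OPERATION and USER_WRITABLE.search(ev["SourceImage"]):
                findings.append(("T1055", "vm_write_from_user_writable_image", ev["SourceImage"], ev["TargetImage"]))
    return findings


def techniques(findings):
    """Distinct ATT&CK IDs hit, sorted, for a one-line triage summary."""
    return sorted({f[0] for f in findings})


# --- constructed events mirroring the report (paths, SID and value name are the report's) ---
TEMP = "C:\\Users\\Admin\\AppData\\Local\\Temp"
DROPPER = TEMP + "\\c4a0d874ecbaf3865c3907f3fbd89014b5953cb9d5c8ca69a72c1a83e2143e96.exe"
COPY = TEMP + "\\explorer.exe"
SID = "S-1-5-21-4246620582-653642754-1174164128-1000"
RUN_NAME = "08f4dc96bbb7af09d1a37fe35c75a42f"
STARTUP = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup"
RUN_SUFFIX = "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\" + RUN_NAME

SAMPLE_EVENTS = [
    {"EventID": 1, "Image": COPY, "ParentImage": DROPPER, "CommandLine": '"' + COPY + '"'},
    {"EventID": 10, "SourceImage": DROPPER, "TargetImage": COPY, "GrantedAccess": "0x1FFFFF"},
    {"EventID": 11, "Image": COPY, "TargetFilename": STARTUP + "\\" + RUN_NAME + ".exe"},
    {"EventID": 13, "Image": COPY, "TargetObject": "HKU\\" + SID + RUN_SUFFIX, "Details": '"' + COPY + '" ..'},
    {"EventID": 13, "Image": COPY, "TargetObject": "HKLM" + RUN_SUFFIX, "Details": '"' + COPY + '" ..'},
    {"EventID": 1, "Image": "C:\\Windows\\SYSTEM32\\netsh.exe", "ParentImage": COPY,
     "CommandLine": 'netsh firewall add allowedprogram "' + COPY + '" "explorer.exe" ENABLE'},
    # Benign controls that must not fire: the real shell, and a vendor updater under Program Files.
    {"EventID": 1, "Image": "C:\\Windows\\explorer.exe", "ParentImage": "C:\\Windows\\System32\\userinit.exe",
     "CommandLine": "C:\\Windows\\Explorer.EXE"},
    {"EventID": 13, "Image": "C:\\Program Files\\Vendor\\setup.exe",
     "TargetObject": "HKU\\" + SID + "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorUpdater",
     "Details": '"C:\\Program Files\\Vendor\\updater.exe" /background'},
]

if __name__ == "__main__":
    for hit in analyze(SAMPLE_EVENTS):
        print(" | ".join(hit))
    print("techniques:", ", ".join(techniques(analyze(SAMPLE_EVENTS))))
```

Run against the constructed events it yields six findings across four techniques and stays silent on the two benign controls; the Run-key rule deliberately keys on where the value points (inside a user profile) rather than on the value name, since the hex name here is sample-specific while the %TEMP% target is the reusable signal.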
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\explorer.exe
Filesize: 207KB
MD5: 1dd570fecefd5c56cb21ed7ee72c8b41
SHA1: 0fb3a84783f1342cc68afa053961f16d1280ea6e
SHA256: c4a0d874ecbaf3865c3907f3fbd89014b5953cb9d5c8ca69a72c1a83e2143e96
SHA512: ff9ebebb8bb2e8ee414477dff5a95542dc5d8ba25c63c1c2c45adac6ecfd9bfbe08e8bf32c564fa30601a2e4ae02f6f017ae0491383740a11d778e4d3e2a3589
All four hashes match the submitted sample: the dropped explorer.exe is a byte-for-byte self-copy, not a second-stage payload.

memory/1412-133-0x00007FFEAEBA0000-0x00007FFEAF5D6000-memory.dmp
Filesize: 10.2MB

memory/1644-138-0x0000000000000000-mapping.dmp

memory/3440-134-0x0000000000000000-mapping.dmp

memory/3440-137-0x00007FFEAEBA0000-0x00007FFEAF5D6000-memory.dmp
Filesize: 10.2MB