Analysis
max time kernel: 244s
max time network: 250s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-11-2022 22:51
Static task: static1
Behavioral task: behavioral1
  Sample: 0592e30015e190cbf4e1a3c5b970ddf2340b4ac92541364127c38b70055e226b.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 0592e30015e190cbf4e1a3c5b970ddf2340b4ac92541364127c38b70055e226b.exe
  Resource: win10v2004-20221111-en
General
Target: 0592e30015e190cbf4e1a3c5b970ddf2340b4ac92541364127c38b70055e226b.exe
Size: 542KB
MD5: 71cdb19d4759e7e0a29701c6b4049eab
SHA1: f68856c3daf7456f9d9de83c41f1d7cbed7bfb88
SHA256: 0592e30015e190cbf4e1a3c5b970ddf2340b4ac92541364127c38b70055e226b
SHA512: 782c5ea2063c3554b09d7a5649100cbe508b57a8012bb8e74b2bcf8d59c1ad372414303c1e5fbb13a6749e0154099adf5b992c9f36a24bba7e0a41c3d83a2bcf
SSDEEP: 12288:Qmcfuqg3FMvRQ0u9AxObQWES0uRLOQ2NYgTM9kHqHxRK7ldV/G:iSMvqAQbQWWQSnjaWln
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  Processes (pid | process):
    724 | E49B.tmp
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes (description | ioc | process):
    Key value queried | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation | 0592e30015e190cbf4e1a3c5b970ddf2340b4ac92541364127c38b70055e226b.exe
- Adds Run key to start application (2 TTPs, 4 IoCs)
  Processes (description | ioc | process):
    Key created | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows\CurrentVersion\Run | reg.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ | reg.exe
    Key created | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows\CurrentVersion\Run | reg.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AdobeUpdate = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\0592e30015e190cbf4e1a3c5b970ddf2340b4ac92541364127c38b70055e226b.exe\" /s /n /i:U shell32.dll" | reg.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid | process):
    2400 | 0592e30015e190cbf4e1a3c5b970ddf2340b4ac92541364127c38b70055e226b.exe
    2400 | 0592e30015e190cbf4e1a3c5b970ddf2340b4ac92541364127c38b70055e226b.exe
- Suspicious behavior: RenamesItself (1 IoCs)
  Processes (pid | process):
    3992 | cmd.exe
- Suspicious use of AdjustPrivilegeToken (7 IoCs)
  Processes (description | pid | process):
    Token: SeDebugPrivilege | 724 | E49B.tmp
    Token: SeShutdownPrivilege | 2396 | Explorer.EXE
    Token: SeCreatePagefilePrivilege | 2396 | Explorer.EXE
    Token: SeShutdownPrivilege | 2396 | Explorer.EXE
    Token: SeCreatePagefilePrivilege | 2396 | Explorer.EXE
    Token: SeShutdownPrivilege | 2396 | Explorer.EXE
    Token: SeCreatePagefilePrivilege | 2396 | Explorer.EXE
- Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes (pid | process):
    2396 | Explorer.EXE
    2396 | Explorer.EXE
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description | pid | process | target process):
    PID 2400 wrote to memory of 3992 | 2400 | 0592e30015e190cbf4e1a3c5b970ddf2340b4ac92541364127c38b70055e226b.exe | cmd.exe
    PID 2400 wrote to memory of 3992 | 2400 | 0592e30015e190cbf4e1a3c5b970ddf2340b4ac92541364127c38b70055e226b.exe | cmd.exe
    PID 2400 wrote to memory of 3992 | 2400 | 0592e30015e190cbf4e1a3c5b970ddf2340b4ac92541364127c38b70055e226b.exe | cmd.exe
    PID 3992 wrote to memory of 2984 | 3992 | cmd.exe | reg.exe
    PID 3992 wrote to memory of 2984 | 3992 | cmd.exe | reg.exe
    PID 3992 wrote to memory of 2984 | 3992 | cmd.exe | reg.exe
    PID 3992 wrote to memory of 4496 | 3992 | cmd.exe | reg.exe
    PID 3992 wrote to memory of 4496 | 3992 | cmd.exe | reg.exe
    PID 3992 wrote to memory of 4496 | 3992 | cmd.exe | reg.exe
    PID 2400 wrote to memory of 724 | 2400 | 0592e30015e190cbf4e1a3c5b970ddf2340b4ac92541364127c38b70055e226b.exe | E49B.tmp
    PID 2400 wrote to memory of 724 | 2400 | 0592e30015e190cbf4e1a3c5b970ddf2340b4ac92541364127c38b70055e226b.exe | E49B.tmp
    PID 724 wrote to memory of 2396 | 724 | E49B.tmp | Explorer.EXE
Processes
[1] C:\Windows\Explorer.EXE
    Command line: C:\Windows\Explorer.EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    [2] C:\Users\Admin\AppData\Local\Temp\0592e30015e190cbf4e1a3c5b970ddf2340b4ac92541364127c38b70055e226b.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\0592e30015e190cbf4e1a3c5b970ddf2340b4ac92541364127c38b70055e226b.exe"
        - Checks computer location settings
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\update.bat" "
            - Suspicious behavior: RenamesItself
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\SysWOW64\reg.exe
                Command line: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
                - Adds Run key to start application
            [4] C:\Windows\SysWOW64\reg.exe
                Command line: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v AdobeUpdate /d "\"C:\Users\Admin\AppData\Roaming\Microsoft\0592e30015e190cbf4e1a3c5b970ddf2340b4ac92541364127c38b70055e226b.exe\" /s /n /i:U shell32.dll"
                - Adds Run key to start application
        [3] C:\Users\Admin\AppData\Local\Temp\E49B.tmp
            Command line: "C:\Users\Admin\AppData\Local\Temp\E49B.tmp" 2396 "C:\Users\Admin\AppData\Roaming\Microsoft\mnplays.dll"
            - Executes dropped EXE
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Temp\E49B.tmp
  Filesize: 40KB
  MD5: f653b520294fb0a739d38c0e85b2aae2
  SHA1: a29ef1f7b39736ee7afd3c7f3a66526c070ea12e
  SHA256: 66f518ccecb8e07867e7f0df5c27acaa7ab0f1b7df4f320d441fbe9247eeb27f
  SHA512: 9a47594d42ea63e1dc2395e021b34fb36f73aff2441c92afa8f034e1d7bf6336a2ddfc6ef4308ebece656868174f2e31394570977ebdc9b3c0ee468c9971fad4
- C:\Users\Admin\AppData\Local\Temp\update.bat
  Filesize: 697B
  MD5: 80eed3f72464a050a3ce772013c136cc
  SHA1: ed1a534fd5e6428e1b26f4ae6e04594c79cff93d
  SHA256: 997fcefd41f125dd389dc9dee0843141e759ae5f733c2d6edb25f9f4faebff06
  SHA512: 34bf9db75770892e05e4c5d6f096da5f6930939b3e9dc1215506c3581c0cb6b57da2fca8b729396eef3befa1ec22124e832095436e16cf30644c2d289a7e06d5
- memory/724-136-0x0000000000000000-mapping.dmp
- memory/2984-134-0x0000000000000000-mapping.dmp
- memory/3992-132-0x0000000000000000-mapping.dmp
- memory/4496-135-0x0000000000000000-mapping.dmp