Analysis
- max time kernel: 206s
- max time network: 212s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25-11-2022 02:16
- Static task: static1
- Behavioral task: behavioral1
  Sample: 436d3357f7a10b54305f1fc83d751681a7f2ced56e8b87dc0f8d20e45ea414d5.exe
  Resource: win7-20221111-en
- Behavioral task: behavioral2
  Sample: 436d3357f7a10b54305f1fc83d751681a7f2ced56e8b87dc0f8d20e45ea414d5.exe
  Resource: win10v2004-20221111-en
General
- Target: 436d3357f7a10b54305f1fc83d751681a7f2ced56e8b87dc0f8d20e45ea414d5.exe
- Size: 874KB
- MD5: cf19504f60a3c9807efac2d68546e341
- SHA1: 9b85306b753d107b6aebcb6b25b17366df295ebd
- SHA256: 436d3357f7a10b54305f1fc83d751681a7f2ced56e8b87dc0f8d20e45ea414d5
- SHA512: 7b3f56c6be5db7a84b5ead01ad4a672198761df6819b4c7e3800b946ed889fbb1d8745cb653e37b856ddaedf490d1de36fbdd679a866ecc3016d1494e60f3427
- SSDEEP: 12288:w4lsXvtCcmVVXzzn4PJAahPl/QEdIMiVbHydEIJnJWUgaqR9Anq9MmCS:w4lavt0LkLL9IMixoEgeaqRinq9MmCS
Malware Config

Signatures
- Executes dropped EXE (2 IoCs)
  Processes: 3406.exe, text.exe
    pid 1544, process 3406.exe
    pid 3576, process text.exe

- Modifies Windows Firewall (1 TTPs, 1 IoCs)

- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: 436d3357f7a10b54305f1fc83d751681a7f2ced56e8b87dc0f8d20e45ea414d5.exe, 3406.exe
    Key value queried: \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation (process: 436d3357f7a10b54305f1fc83d751681a7f2ced56e8b87dc0f8d20e45ea414d5.exe)
    Key value queried: \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation (process: 3406.exe)

- Drops startup file (2 IoCs)
  Processes: text.exe
    File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\03bfd3da23b9ce746a9cdacb3e8222d9.exe (process: text.exe)
    File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\03bfd3da23b9ce746a9cdacb3e8222d9.exe (process: text.exe)

- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: text.exe
    Set value (str): \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\03bfd3da23b9ce746a9cdacb3e8222d9 = "\"C:\\Users\\Admin\\AppData\\Roaming\\text.exe\" .." (process: text.exe)
    Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\03bfd3da23b9ce746a9cdacb3e8222d9 = "\"C:\\Users\\Admin\\AppData\\Roaming\\text.exe\" .." (process: text.exe)

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Suspicious behavior: EnumeratesProcesses (27 IoCs)
  Processes: text.exe
    pid 3576, process text.exe (27 identical entries)

- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: text.exe
    Token: SeDebugPrivilege, pid 3576, process text.exe

- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: 436d3357f7a10b54305f1fc83d751681a7f2ced56e8b87dc0f8d20e45ea414d5.exe, 3406.exe, text.exe
    PID 5004 wrote to memory of 1544: pid 5004, process 436d3357f7a10b54305f1fc83d751681a7f2ced56e8b87dc0f8d20e45ea414d5.exe, target process 3406.exe (3 identical entries)
    PID 1544 wrote to memory of 3576: pid 1544, process 3406.exe, target process text.exe (3 identical entries)
    PID 3576 wrote to memory of 4876: pid 3576, process text.exe, target process netsh.exe (3 identical entries)
Processes
- (depth 1) C:\Users\Admin\AppData\Local\Temp\436d3357f7a10b54305f1fc83d751681a7f2ced56e8b87dc0f8d20e45ea414d5.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\436d3357f7a10b54305f1fc83d751681a7f2ced56e8b87dc0f8d20e45ea414d5.exe"
  PID: 5004
  Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  - (depth 2) C:\Users\Admin\AppData\Local\Temp\3406\3406.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\3406\3406.exe"
    PID: 1544
    Signatures: Executes dropped EXE; Checks computer location settings; Suspicious use of WriteProcessMemory
    - (depth 3) C:\Users\Admin\AppData\Roaming\text.exe
      Command line: "C:\Users\Admin\AppData\Roaming\text.exe"
      PID: 3576
      Signatures: Executes dropped EXE; Drops startup file; Adds Run key to start application; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - (depth 4) C:\Windows\SysWOW64\netsh.exe
        Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\text.exe" "text.exe" ENABLE
        PID: 4876
        Signatures: Modifies Windows Firewall
Downloads
- C:\Users\Admin\AppData\Local\Temp\3406\3406.exe
  Filesize: 28KB
  MD5: f2cb40517f296c958053e0d6752d6e66
  SHA1: d90652c7f3501b898a902be6abec0b52e2abbeee
  SHA256: 2187b8f08b50c9e5d525007f42f8c960ecf6257d0e57d5435b2b61c02c6d9267
  SHA512: 7de89af47e8a4f5d60f88d156767546360715fbe268a12be57ec9227ba24cbcd64dc5a0c85526a743728de4b7f5b91b8736fc49c11a90b8520ecbf51ca8a6d59
- C:\Users\Admin\AppData\Roaming\text.exe
  Filesize: 28KB
  MD5: f2cb40517f296c958053e0d6752d6e66
  SHA1: d90652c7f3501b898a902be6abec0b52e2abbeee
  SHA256: 2187b8f08b50c9e5d525007f42f8c960ecf6257d0e57d5435b2b61c02c6d9267
  SHA512: 7de89af47e8a4f5d60f88d156767546360715fbe268a12be57ec9227ba24cbcd64dc5a0c85526a743728de4b7f5b91b8736fc49c11a90b8520ecbf51ca8a6d59
- memory/1544-132-0x0000000000000000-mapping.dmp
- memory/1544-135-0x0000000072F80000-0x0000000073531000-memory.dmp (Filesize: 5.7MB)
- memory/1544-139-0x0000000072F80000-0x0000000073531000-memory.dmp (Filesize: 5.7MB)
- memory/3576-136-0x0000000000000000-mapping.dmp
- memory/3576-141-0x0000000072F80000-0x0000000073531000-memory.dmp (Filesize: 5.7MB)
- memory/3576-142-0x0000000072F80000-0x0000000073531000-memory.dmp (Filesize: 5.7MB)
- memory/4876-140-0x0000000000000000-mapping.dmp