Analysis
Max time kernel: 171s
Max time network: 193s
Platform: windows10-2004_x64
Resource: win10v2004-20221111-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 25-11-2022 05:18
Static task: static1
Behavioral task: behavioral1
Sample: 07620c35c632e3efdea1a6c27eed8c34c0784733a6217b7de67ee0a0e65156df.exe
Resource: win7-20221111-en
Behavioral task: behavioral2
Sample: 07620c35c632e3efdea1a6c27eed8c34c0784733a6217b7de67ee0a0e65156df.exe
Resource: win10v2004-20221111-en
General
Target: 07620c35c632e3efdea1a6c27eed8c34c0784733a6217b7de67ee0a0e65156df.exe
Size: 161KB
MD5: cdca5c2f6adee7877267a484e678129d
SHA1: fea0976eda49d5bb5705e88b5ea644e7bc2ba6fc
SHA256: 07620c35c632e3efdea1a6c27eed8c34c0784733a6217b7de67ee0a0e65156df
SHA512: 4d8a16077417a1ae254d9389dd64f860a7bb39456d93691af8a3f69ab24d08c1e0ec2d14a812977e94d637f1bbf080f8c4a9eeecef9f07d536345bf27a8c95bb
SSDEEP: 3072:XzdPwJi53LPVGzvLrzlVtxJXvZP/+1UtgfMUNepZ3E3+E1rLsiXGYEvoz:XVQilLPVGTLrJDxBZ+uoMaco+EJsi
Malware Config
Signatures
Executes dropped EXE (1 IoC)
Process: Trojan.exe (PID 2124)
Modifies Windows Firewall (1 TTP, 1 IoC)
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Process: 07620c35c632e3efdea1a6c27eed8c34c0784733a6217b7de67ee0a0e65156df.exe
Key value queried: \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation
Drops startup file (2 IoCs)
Process: Trojan.exe
File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5cd8f17f4086744065eb0992a09e05a2.exe
File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5cd8f17f4086744065eb0992a09e05a2.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
Process: Trojan.exe
Set value (str): \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Trojan.exe\" .."
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Trojan.exe\" .."
Drops file in Windows directory (2 IoCs)
Process: 07620c35c632e3efdea1a6c27eed8c34c0784733a6217b7de67ee0a0e65156df.exe
File created: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\security.config.cch.new
File created: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\enterprisesec.config.cch.new
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (24 IoCs)
Process: Trojan.exe (PID 2124), 24 occurrences
Suspicious use of AdjustPrivilegeToken (1 IoC)
Process: Trojan.exe (PID 2124)
Token: SeDebugPrivilege
Suspicious use of WriteProcessMemory (4 IoCs)
PID 4468 (07620c35c632e3efdea1a6c27eed8c34c0784733a6217b7de67ee0a0e65156df.exe) wrote to memory of PID 2124 (Trojan.exe), 2 occurrences
PID 2124 (Trojan.exe) wrote to memory of PID 460 (netsh.exe), 2 occurrences
Processes
C:\Users\Admin\AppData\Local\Temp\07620c35c632e3efdea1a6c27eed8c34c0784733a6217b7de67ee0a0e65156df.exe (PID 4468)
  Command line: "C:\Users\Admin\AppData\Local\Temp\07620c35c632e3efdea1a6c27eed8c34c0784733a6217b7de67ee0a0e65156df.exe"
  - Checks computer location settings
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\Trojan.exe (PID 2124), child of PID 4468
    Command line: "C:\Users\Admin\AppData\Local\Temp\Trojan.exe"
    - Executes dropped EXE
    - Drops startup file
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SYSTEM32\netsh.exe (PID 460), child of PID 2124
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Trojan.exe" "Trojan.exe" ENABLE
      - Modifies Windows Firewall
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 161KB
MD5: cdca5c2f6adee7877267a484e678129d
SHA1: fea0976eda49d5bb5705e88b5ea644e7bc2ba6fc
SHA256: 07620c35c632e3efdea1a6c27eed8c34c0784733a6217b7de67ee0a0e65156df
SHA512: 4d8a16077417a1ae254d9389dd64f860a7bb39456d93691af8a3f69ab24d08c1e0ec2d14a812977e94d637f1bbf080f8c4a9eeecef9f07d536345bf27a8c95bb