Analysis
  max time kernel:  205s
  max time network: 209s
  platform:         windows10-2004_x64
  resource:         win10v2004-20221111-en
  resource tags:    arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
  submitted:        25-11-2022 08:00
Behavioral tasks
  behavioral1: sample 3fceca06b23324873f12b745a349bdff3567850f40687786c4e4f0aa789efe03.exe, resource win7-20220812-en
  behavioral2: sample 3fceca06b23324873f12b745a349bdff3567850f40687786c4e4f0aa789efe03.exe, resource win10v2004-20221111-en
  Only the win10v2004 run (behavioral2) is reported on this page; the Analysis header above gives its platform and resource.
General
  Target: 3fceca06b23324873f12b745a349bdff3567850f40687786c4e4f0aa789efe03.exe
  Size:   131KB
  MD5:    7172970c5f7feaeefea7dce05c77ec99
  SHA1:   d54ab0a54b0eea89ab205f4eefa3455129a3fcd9
  SHA256: 3fceca06b23324873f12b745a349bdff3567850f40687786c4e4f0aa789efe03
  SHA512: 2140f2fe551c1ec6409d6ccf292e9db02f89ac927d3f706925ed7143df73fe04c3e4ab0759125fd22702e62b1b46b0827168ed4716371b873a9ed2176898ff34
  SSDEEP: 1536:0ypZ/A6HjKnbI66LazSel7tRW03TU4+DW8U2qdbsAqO+064RPT515KE6:bqjnbI7OBYwT+DWZsD0bTT
Malware Config
  (no configuration extracted)
Signatures

Executes dropped EXE (1 IoC)
  Process: PID 4588  Download Counter Strike 1.6.0.exe

Modifies Windows Firewall (1 TTP, 1 IoC)
  Process: PID 2284  netsh.exe, spawned by PID 4588 (command line in the process tree below)

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Process: PID 4468  3fceca06b23324873f12b745a349bdff3567850f40687786c4e4f0aa789efe03.exe
    Key value queried: \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation

Drops startup file (2 IoCs)
  Process: PID 4588  Download Counter Strike 1.6.0.exe
    File created:                 C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\952ab70ddf0342a102f09a13e6367596.exe
    File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\952ab70ddf0342a102f09a13e6367596.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  Process: PID 4588  Download Counter Strike 1.6.0.exe
    Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\952ab70ddf0342a102f09a13e6367596
    Set value (str): \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\952ab70ddf0342a102f09a13e6367596
    Both values hold the string "C:\Users\Admin\AppData\Local\Temp\Download Counter Strike 1.6.0.exe" .. (the quoted path followed by a literal ".." argument).
  The same 32-hex-character name, 952ab70ddf0342a102f09a13e6367596, is reused for the Startup-folder file and both Run values, so a single string hunts all three artefacts. The machine-wide key landed under WOW6432Node and the process launched SysWOW64\netsh.exe, so the dropped binary is 32-bit; the HKLM write succeeded because the sandbox user is an administrator, and on a standard-user host only the HKCU entry would be created.

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox labels this "likely ransomware behaviour", but no file-encryption activity is recorded anywhere else in this report, so treat that label with caution.

Suspicious behavior: EnumeratesProcesses (18 IoCs)
  Process: PID 4588  Download Counter Strike 1.6.0.exe (18 process-enumeration events)

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Process: PID 4588  Download Counter Strike 1.6.0.exe enables SeDebugPrivilege

Suspicious use of WriteProcessMemory (6 IoCs)
  PID 4468 (3fceca06b23324873f12b745a349bdff3567850f40687786c4e4f0aa789efe03.exe) wrote to memory of PID 4588 (Download Counter Strike 1.6.0.exe), 3 events
  PID 4588 (Download Counter Strike 1.6.0.exe) wrote to memory of PID 2284 (netsh.exe), 3 events
  In both cases the target is a child the writer had just spawned. CreateProcess writes the new process's startup parameters into the child's address space, so these writes are consistent with ordinary process creation and are not by themselves evidence of code injection.
Processes

1. C:\Users\Admin\AppData\Local\Temp\3fceca06b23324873f12b745a349bdff3567850f40687786c4e4f0aa789efe03.exe (PID 4468)
   Command line: "C:\Users\Admin\AppData\Local\Temp\3fceca06b23324873f12b745a349bdff3567850f40687786c4e4f0aa789efe03.exe"
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\Download Counter Strike 1.6.0.exe (PID 4588, child of 1)
      Command line: "C:\Users\Admin\AppData\Local\Temp\Download Counter Strike 1.6.0.exe"
      - Executes dropped EXE
      - Drops startup file
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\netsh.exe (PID 2284, child of 2)
         Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Download Counter Strike 1.6.0.exe" "Download Counter Strike 1.6.0.exe" ENABLE
         - Modifies Windows Firewall
         This is the legacy "netsh firewall" context, which Windows 10 still honours (with a deprecation warning) and maps onto the advfirewall rule set. Windows Firewall permits outbound traffic by default, so the exception only changes what the dropped binary may accept inbound.
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\Download Counter Strike 1.6.0.exe (dropped file; the report lists it twice with identical hashes)
  Filesize: 131KB
  MD5:      7172970c5f7feaeefea7dce05c77ec99
  SHA1:     d54ab0a54b0eea89ab205f4eefa3455129a3fcd9
  SHA256:   3fceca06b23324873f12b745a349bdff3567850f40687786c4e4f0aa789efe03
  SHA512:   2140f2fe551c1ec6409d6ccf292e9db02f89ac927d3f706925ed7143df73fe04c3e4ab0759125fd22702e62b1b46b0827168ed4716371b873a9ed2176898ff34
  Every hash equals the submitted sample's: the first stage writes a byte-identical copy of itself to %TEMP% under a game-installer name and runs that copy. There is no distinct second-stage payload in this report.
Memory dumps
  memory/2284-139-0x0000000000000000-mapping.dmp                       PID 2284 (netsh.exe), process mapping
  memory/4468-132-0x0000000075280000-0x0000000075831000-memory.dmp     PID 4468, 5.7MB
  memory/4468-133-0x0000000075280000-0x0000000075831000-memory.dmp     PID 4468, 5.7MB
  memory/4468-137-0x0000000075280000-0x0000000075831000-memory.dmp     PID 4468, 5.7MB
  memory/4588-134-0x0000000000000000-mapping.dmp                       PID 4588 (Download Counter Strike 1.6.0.exe), process mapping
  memory/4588-138-0x0000000075280000-0x0000000075831000-memory.dmp     PID 4588, 5.7MB
  memory/4588-140-0x0000000075280000-0x0000000075831000-memory.dmp     PID 4588, 5.7MB
  The same 5.7MB range, 0x75280000-0x75831000, is dumped from both PID 4468 and PID 4588, which is consistent with a shared DLL image mapped at the same base in parent and child rather than a process-private allocation.