Analysis
max time kernel: 239s
max time network: 222s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-11-2022 08:29
Static task: static1
Behavioral task: behavioral1
  Sample: 4d5d87628bf49e4116edd68d7024155e66df993e91c6d0f41cce0c12c14662fb.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: 4d5d87628bf49e4116edd68d7024155e66df993e91c6d0f41cce0c12c14662fb.exe
  Resource: win10v2004-20221111-en
General
Target: 4d5d87628bf49e4116edd68d7024155e66df993e91c6d0f41cce0c12c14662fb.exe
Size: 145KB
MD5: bac14564d1bc1337b43ef99a788dfd89
SHA1: 5ae6bb3b4abe5a3daa29c66a4ff8d6eb3c57eb11
SHA256: 4d5d87628bf49e4116edd68d7024155e66df993e91c6d0f41cce0c12c14662fb
SHA512: 58b8e2c961fa830b4b5b287cfcfcab3e3daee06d0a1b56f2d157de1c6e2b6f9ea02b79e3c36d14fc42369546181ed5141c0b55f4ce99e076b049f057e1c8e509
SSDEEP: 1536:M/21Q2fgdkH38Aas6hDkUDR3UNjOndXbkqAIBnI47Qz8PLsh7mpPey8X74Fk/5AB:M/2Q2TsvVtPXPKzb75FxpuH
Malware Config
Signatures
Executes dropped EXE (1 IoCs)
Processes: root.exe
  pid | process
  4808 | root.exe

Modifies Windows Firewall (1 TTPs, 1 IoCs)

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: 4d5d87628bf49e4116edd68d7024155e66df993e91c6d0f41cce0c12c14662fb.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation | 4d5d87628bf49e4116edd68d7024155e66df993e91c6d0f41cce0c12c14662fb.exe

Drops startup file (2 IoCs)
Processes: root.exe
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f4351e78b5e7521973848f1555ec2c00.exe | root.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f4351e78b5e7521973848f1555ec2c00.exe | root.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: root.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\f4351e78b5e7521973848f1555ec2c00 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\root.exe\" .." | root.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\f4351e78b5e7521973848f1555ec2c00 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\root.exe\" .." | root.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (21 IoCs)
Processes: root.exe
  pid | process
  4808 | root.exe (this row is repeated 21 times in the report)

Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes: root.exe
  description | pid | process
  Token: SeDebugPrivilege | 4808 | root.exe

Suspicious use of WriteProcessMemory (6 IoCs)
Processes: 4d5d87628bf49e4116edd68d7024155e66df993e91c6d0f41cce0c12c14662fb.exe, root.exe
  description | pid | process | target process
  PID 1824 wrote to memory of 4808 | 1824 | 4d5d87628bf49e4116edd68d7024155e66df993e91c6d0f41cce0c12c14662fb.exe | root.exe (repeated 3 times)
  PID 4808 wrote to memory of 4932 | 4808 | root.exe | netsh.exe (repeated 3 times)
Processes
1. C:\Users\Admin\AppData\Local\Temp\4d5d87628bf49e4116edd68d7024155e66df993e91c6d0f41cce0c12c14662fb.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\4d5d87628bf49e4116edd68d7024155e66df993e91c6d0f41cce0c12c14662fb.exe"
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\root.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\root.exe"
      - Executes dropped EXE
      - Drops startup file
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\netsh.exe
         command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\root.exe" "root.exe" ENABLE
         - Modifies Windows Firewall
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\root.exe
  Filesize: 145KB
  MD5: bac14564d1bc1337b43ef99a788dfd89
  SHA1: 5ae6bb3b4abe5a3daa29c66a4ff8d6eb3c57eb11
  SHA256: 4d5d87628bf49e4116edd68d7024155e66df993e91c6d0f41cce0c12c14662fb
  SHA512: 58b8e2c961fa830b4b5b287cfcfcab3e3daee06d0a1b56f2d157de1c6e2b6f9ea02b79e3c36d14fc42369546181ed5141c0b55f4ce99e076b049f057e1c8e509
memory/1824-132-0x0000000000EE0000-0x0000000000F0C000-memory.dmp
  Filesize: 176KB
memory/1824-133-0x0000000005860000-0x00000000058FC000-memory.dmp
  Filesize: 624KB
memory/1824-134-0x0000000005EB0000-0x0000000006454000-memory.dmp
  Filesize: 5.6MB
memory/1824-135-0x00000000059A0000-0x0000000005A32000-memory.dmp
  Filesize: 584KB
memory/1824-136-0x0000000005960000-0x000000000596A000-memory.dmp
  Filesize: 40KB
memory/1824-137-0x0000000005BC0000-0x0000000005C16000-memory.dmp
  Filesize: 344KB
memory/4808-138-0x0000000000000000-mapping.dmp
memory/4932-141-0x0000000000000000-mapping.dmp