Analysis
-
max time kernel: 154s
max time network: 157s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-11-2022 08:43
Static task: static1
Behavioral task: behavioral1
  Sample: 55738468fb67f43c712a8a12d756ae0c0f59851829fc431b1bb64c05b1cb5511.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: 55738468fb67f43c712a8a12d756ae0c0f59851829fc431b1bb64c05b1cb5511.exe
  Resource: win10v2004-20220812-en
General
-
Target: 55738468fb67f43c712a8a12d756ae0c0f59851829fc431b1bb64c05b1cb5511.exe
Size: 1.3MB
MD5: 583b5a81dcfd0874e7143cd8afeb00ca
SHA1: 34de7fee57a3031cf1fcf06b08676a8ef6ec618e
SHA256: 55738468fb67f43c712a8a12d756ae0c0f59851829fc431b1bb64c05b1cb5511
SHA512: 4a691ffefa1b568803fadd348a305b5bbd3d2334e239161ef1dcb065be2a81513d03a9b57632f32a0e53cf71ef1f2a3aed3ea8fb24e2ed3dfd110c93681a7c42
SSDEEP: 24576:AVnys45NP7/uDG4w1K7/+tNdBZyf/t5chYdru8tGtx/NH6tObd3/poiJHvQtM+:Bs4X7iG4hqtNPY5caNC/NEO1WTf
Malware Config
Signatures
-
Executes dropped EXE (3 IoCs)
Processes: h.exe, Google.exe, ODIN3V~1.EXE
pid  | process
5064 | h.exe
4904 | Google.exe
2264 | ODIN3V~1.EXE
-
Modifies Windows Firewall (1 TTPs, 1 IoCs)
-
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: h.exe
description       | ioc                                                                                         | process
Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | h.exe
-
Drops startup file (2 IoCs)
Processes: Google.exe
description                  | ioc                                                                                                                  | process
File created                 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2db97f87111f590c0aecc4ee6a32b917.exe | Google.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2db97f87111f590c0aecc4ee6a32b917.exe | Google.exe
-
Adds Run key to start application (2 TTPs, 4 IoCs)
Processes: 55738468fb67f43c712a8a12d756ae0c0f59851829fc431b1bb64c05b1cb5511.exe, Google.exe
description     | ioc | process
Key created     | \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce | 55738468fb67f43c712a8a12d756ae0c0f59851829fc431b1bb64c05b1cb5511.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 55738468fb67f43c712a8a12d756ae0c0f59851829fc431b1bb64c05b1cb5511.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2db97f87111f590c0aecc4ee6a32b917 = "\"C:\\Users\\Admin\\AppData\\Roaming\\Google.exe\" .." | Google.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2db97f87111f590c0aecc4ee6a32b917 = "\"C:\\Users\\Admin\\AppData\\Roaming\\Google.exe\" .." | Google.exe
-
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of AdjustPrivilegeToken (30 IoCs)
Processes: h.exe, Google.exe
description                       | pid  | process
Token: SeDebugPrivilege           | 5064 | h.exe
Token: SeDebugPrivilege           | 4904 | Google.exe
Token: 33                         | 4904 | Google.exe
Token: SeIncBasePriorityPrivilege | 4904 | Google.exe
Token: 33                         | 4904 | Google.exe
Token: SeIncBasePriorityPrivilege | 4904 | Google.exe
Token: 33                         | 4904 | Google.exe
Token: SeIncBasePriorityPrivilege | 4904 | Google.exe
Token: 33                         | 4904 | Google.exe
Token: SeIncBasePriorityPrivilege | 4904 | Google.exe
Token: 33                         | 4904 | Google.exe
Token: SeIncBasePriorityPrivilege | 4904 | Google.exe
Token: 33                         | 4904 | Google.exe
Token: SeIncBasePriorityPrivilege | 4904 | Google.exe
Token: 33                         | 4904 | Google.exe
Token: SeIncBasePriorityPrivilege | 4904 | Google.exe
Token: 33                         | 4904 | Google.exe
Token: SeIncBasePriorityPrivilege | 4904 | Google.exe
Token: 33                         | 4904 | Google.exe
Token: SeIncBasePriorityPrivilege | 4904 | Google.exe
Token: 33                         | 4904 | Google.exe
Token: SeIncBasePriorityPrivilege | 4904 | Google.exe
Token: 33                         | 4904 | Google.exe
Token: SeIncBasePriorityPrivilege | 4904 | Google.exe
Token: 33                         | 4904 | Google.exe
Token: SeIncBasePriorityPrivilege | 4904 | Google.exe
Token: 33                         | 4904 | Google.exe
Token: SeIncBasePriorityPrivilege | 4904 | Google.exe
Token: 33                         | 4904 | Google.exe
Token: SeIncBasePriorityPrivilege | 4904 | Google.exe
-
Suspicious use of SetWindowsHookEx (2 IoCs)
Processes: ODIN3V~1.EXE
pid  | process
2264 | ODIN3V~1.EXE
2264 | ODIN3V~1.EXE
-
Suspicious use of WriteProcessMemory (9 IoCs)
Processes: 55738468fb67f43c712a8a12d756ae0c0f59851829fc431b1bb64c05b1cb5511.exe, h.exe, Google.exe
description                      | pid  | process                                                               | target process
PID 4824 wrote to memory of 5064 | 4824 | 55738468fb67f43c712a8a12d756ae0c0f59851829fc431b1bb64c05b1cb5511.exe | h.exe
PID 4824 wrote to memory of 5064 | 4824 | 55738468fb67f43c712a8a12d756ae0c0f59851829fc431b1bb64c05b1cb5511.exe | h.exe
PID 5064 wrote to memory of 4904 | 5064 | h.exe                                                                 | Google.exe
PID 5064 wrote to memory of 4904 | 5064 | h.exe                                                                 | Google.exe
PID 4824 wrote to memory of 2264 | 4824 | 55738468fb67f43c712a8a12d756ae0c0f59851829fc431b1bb64c05b1cb5511.exe | ODIN3V~1.EXE
PID 4824 wrote to memory of 2264 | 4824 | 55738468fb67f43c712a8a12d756ae0c0f59851829fc431b1bb64c05b1cb5511.exe | ODIN3V~1.EXE
PID 4824 wrote to memory of 2264 | 4824 | 55738468fb67f43c712a8a12d756ae0c0f59851829fc431b1bb64c05b1cb5511.exe | ODIN3V~1.EXE
PID 4904 wrote to memory of 1504 | 4904 | Google.exe                                                            | netsh.exe
PID 4904 wrote to memory of 1504 | 4904 | Google.exe                                                            | netsh.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\55738468fb67f43c712a8a12d756ae0c0f59851829fc431b1bb64c05b1cb5511.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\55738468fb67f43c712a8a12d756ae0c0f59851829fc431b1bb64c05b1cb5511.exe"
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID: 4824
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\h.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\h.exe
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 5064
    C:\Users\Admin\AppData\Roaming\Google.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Google.exe"
    - Executes dropped EXE
    - Drops startup file
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 4904
      C:\Windows\SYSTEM32\netsh.exe
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Google.exe" "Google.exe" ENABLE
      - Modifies Windows Firewall
      PID: 1504
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ODIN3V~1.EXE
  Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ODIN3V~1.EXE
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID: 2264
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ODIN3V~1.EXE
Filesize: 3.1MB
MD5: 9f648eb7a02ad92596b9db897dc8eb8a
SHA1: 7a09eaf50e540302b33a3dfe572b1a92958f5a42
SHA256: 42f9e3a2562b2f115ec0be0da6368f16ac38f26d39b3147be3ccae635b303135
SHA512: 51eff5451da92ff03a490ea55f6328a2b2e4438d603b05296fd5852b71ff324656b51f92424ed41e435fad71b1ec0b7f396a70bfc0ef5e5b504454d74ec6f97f
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\h.exe
Filesize: 71KB
MD5: 5ab64fabc2c9b181d957e5bf4d6f5761
SHA1: 8edc42a975cad9a6b9506effe3bd8a9c51ee8d83
SHA256: 377b3509c1ea713162798f2fd3966e3614aa8610e21abf5095798baf9f92f528
SHA512: 26aff1ed43e31b00c7ae51aaca1472876a25411dc79e8e7ed92e90514d41449fa2ac8ab760c2619f36d129b2826d63f67e9639aee12a5e64e83e555df34fed9e
-
C:\Users\Admin\AppData\Roaming\Google.exe
Filesize: 71KB
MD5: 5ab64fabc2c9b181d957e5bf4d6f5761
SHA1: 8edc42a975cad9a6b9506effe3bd8a9c51ee8d83
SHA256: 377b3509c1ea713162798f2fd3966e3614aa8610e21abf5095798baf9f92f528
SHA512: 26aff1ed43e31b00c7ae51aaca1472876a25411dc79e8e7ed92e90514d41449fa2ac8ab760c2619f36d129b2826d63f67e9639aee12a5e64e83e555df34fed9e
-
memory/1504-146-0x0000000000000000-mapping.dmp
-
memory/2264-141-0x0000000000000000-mapping.dmp
-
memory/4904-137-0x0000000000000000-mapping.dmp
-
memory/4904-144-0x00007FFCC3CB0000-0x00007FFCC4771000-memory.dmp
Filesize: 10.8MB
-
memory/4904-145-0x00007FFCC3CB0000-0x00007FFCC4771000-memory.dmp
Filesize: 10.8MB
-
memory/5064-140-0x00007FFCC3CB0000-0x00007FFCC4771000-memory.dmp
Filesize: 10.8MB
-
memory/5064-132-0x0000000000000000-mapping.dmp
-
memory/5064-136-0x00007FFCC3CB0000-0x00007FFCC4771000-memory.dmp
Filesize: 10.8MB
-
memory/5064-135-0x0000000000590000-0x00000000005A0000-memory.dmp
Filesize: 64KB