Analysis
max time kernel: 319s
max time network: 331s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-11-2022 15:39
Static task: static1
Behavioral task: behavioral1
  Sample: faeee77c30327f57740e4f629631bfed46e70e68ed2ed09186433de9cd252a93.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: faeee77c30327f57740e4f629631bfed46e70e68ed2ed09186433de9cd252a93.exe
  Resource: win10v2004-20221111-en
General
Target: faeee77c30327f57740e4f629631bfed46e70e68ed2ed09186433de9cd252a93.exe
Size: 849KB
MD5: bf350cf4757a520127a3e6de80b76754
SHA1: a74f40b3ad24b2c48b32c0fb76a57dec2c212ce9
SHA256: faeee77c30327f57740e4f629631bfed46e70e68ed2ed09186433de9cd252a93
SHA512: b5eded250ae4fa4edca09b6a9512dc5eb302fa1f17e89de4116fac032207437b5069bac621016ddb7b0410fae01f3bc8086720044840d9e44adadfcb63df9894
SSDEEP: 24576:Ws7TqIBdD9hOxSxo0k+HqYkQ0TLRhbqMS8F:Ws7TVOl0k+kVRhGm
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Process: reg.exe
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\SunJava\\JavaUpdata.exe"
  process: reg.exe
Note: Winlogon treats the Shell value as a comma-separated list and starts every entry at logon, so keeping explorer.exe first preserves the desktop while the second entry runs unnoticed. Nothing in this report shows JavaUpdata.exe being written to %APPDATA%\SunJava during the run, so the dropper for that path is not captured here.

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
Process: faeee77c30327f57740e4f629631bfed46e70e68ed2ed09186433de9cd252a93.exe
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation
  process: faeee77c30327f57740e4f629631bfed46e70e68ed2ed09186433de9cd252a93.exe

Adds Run key to start application (2 TTPs, 1 IoC)
Process: faeee77c30327f57740e4f629631bfed46e70e68ed2ed09186433de9cd252a93.exe
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\faeee77c30327f57740e4f629631bfed46e70e68ed2ed09186433de9cd252a93.exe -rundll32 /SYSTEM32 \"C:\\Windows\\System32\\taskmgr.exe\" \"C:\\Program Files\\Microsoft\\Windows\""
  process: faeee77c30327f57740e4f629631bfed46e70e68ed2ed09186433de9cd252a93.exe
Note: the value, named WindowsUpdate, re-launches the sample from its %TEMP% location with extra arguments. Windows deletes a RunOnce value before executing it, so this fires once at the next logon; the Winlogon Shell change above is the change that persists across logons.

Suspicious use of SetThreadContext (1 IoC)
Process: faeee77c30327f57740e4f629631bfed46e70e68ed2ed09186433de9cd252a93.exe
  PID 2064 (faeee77c30327f57740e4f629631bfed46e70e68ed2ed09186433de9cd252a93.exe) set thread context of PID 1036 (faeee77c30327f57740e4f629631bfed46e70e68ed2ed09186433de9cd252a93.exe)
Note: parent and target run the same image, the parent writes into the target eight times (see WriteProcessMemory below), and the target is the process that later enables SeDebugPrivilege and writes the RunOnce value. That is the process-hollowing (RunPE) pattern: a suspended copy of itself is overwritten with the real payload and the main thread's context is pointed at the new entry point. The Downloads section holds a dump of PID 1036's 0x400000-0x43A000 region (232KB), the default 32-bit image-base region where the unpacked payload would sit.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description calls this likely ransomware behaviour; no file encryption or ransom-note activity is recorded anywhere in this report, so on its own this is a weak indicator.

Suspicious use of AdjustPrivilegeToken (1 IoC)
Process: faeee77c30327f57740e4f629631bfed46e70e68ed2ed09186433de9cd252a93.exe
  Token: SeDebugPrivilege enabled in PID 1036 (faeee77c30327f57740e4f629631bfed46e70e68ed2ed09186433de9cd252a93.exe)

Suspicious use of WriteProcessMemory (14 IoCs)
Processes: faeee77c30327f57740e4f629631bfed46e70e68ed2ed09186433de9cd252a93.exe, cmd.exe
  PID 2064 (faeee77c30327f57740e4f629631bfed46e70e68ed2ed09186433de9cd252a93.exe) wrote to memory of PID 1036 (faeee77c30327f57740e4f629631bfed46e70e68ed2ed09186433de9cd252a93.exe): 8 times
  PID 2064 (faeee77c30327f57740e4f629631bfed46e70e68ed2ed09186433de9cd252a93.exe) wrote to memory of PID 4364 (cmd.exe): 3 times
  PID 4364 (cmd.exe) wrote to memory of PID 1464 (reg.exe): 3 times
Note: the three writes into each freshly created child (2064 into cmd.exe, cmd.exe into reg.exe) are the writes any parent performs while setting up a new process and are not injection on their own; the eight writes into PID 1036 combined with the SetThreadContext call above are the ones that matter.
Processes
C:\Users\Admin\AppData\Local\Temp\faeee77c30327f57740e4f629631bfed46e70e68ed2ed09186433de9cd252a93.exe  (depth 1, PID 2064)
  command line: "C:\Users\Admin\AppData\Local\Temp\faeee77c30327f57740e4f629631bfed46e70e68ed2ed09186433de9cd252a93.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\faeee77c30327f57740e4f629631bfed46e70e68ed2ed09186433de9cd252a93.exe  (depth 2, PID 1036)
    command line: "C:\Users\Admin\AppData\Local\Temp\faeee77c30327f57740e4f629631bfed46e70e68ed2ed09186433de9cd252a93.exe"
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\cmd.exe  (depth 2, PID 4364)
    command line: "C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v shell /t REG_SZ /d explorer.exe,"C:\Users\Admin\AppData\Roaming\SunJava\JavaUpdata.exe"
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\reg.exe  (depth 3, PID 1464)
      command line: reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v shell /t REG_SZ /d explorer.exe,"C:\Users\Admin\AppData\Roaming\SunJava\JavaUpdata.exe"
      - Modifies WinLogon for persistence
Note: the command lines name C:\Windows\System32\cmd.exe but the processes run from C:\Windows\SysWOW64. The sample is a 32-bit process (arch:x86 in the resource tags), so WOW64 file-system redirection resolves its System32 paths to SysWOW64. PIDs are taken from the WriteProcessMemory and SetThreadContext entries above.
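The registry activity recorded in the Signatures section and the reg add command line in the tree above reduce to three detection rules: a Winlogon Shell (or Userinit) value carrying anything beyond the stock entry, a Run/RunOnce value pointing into a user-writable directory, and a read of Control Panel\International\Geo\Nation. The following is an added example, not code from the sandbox or from the sample. It runs those rules over registry events constructed from this report's IoC lines (the same fields a Sysmon Event ID 12/13 record carries); the RegEvent shape, the expected Winlogon values and the list of user-writable paths are assumptions made for the example.

```python
"""Registry persistence and geofence checks for the behaviour in this report.

Added example, not code from the sandbox or from the sample: it runs simple
detection rules over constructed registry events shaped like the report's
"Set value (str)" and "Key value queried" IoCs. The event shape, the expected
Winlogon values and the list of user-writable paths are assumptions.
"""
import re
from dataclasses import dataclass

# Winlogon values that launch code at logon and the only data expected on a
# stock Windows 10 machine (assumption: no legitimate shell replacement).
WINLOGON_EXPECTED = {
    "shell": {"explorer.exe"},
    "userinit": {"c:\\windows\\system32\\userinit.exe"},
}
# Run/RunOnce data pointing into these user-writable trees is flagged.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\appdata\\local\\")
WINLOGON_KEY = re.compile(r"\\windows nt\\currentversion\\winlogon$")
RUN_KEY = re.compile(r"\\windows\\currentversion\\run(once)?$")
GEO_KEY = re.compile(r"\\control panel\\international\\geo$")


@dataclass
class RegEvent:
    process: str    # image that performed the operation
    op: str         # "set" or "query"
    key: str        # full key path
    value: str      # value name
    data: str = ""  # string data written (empty for queries)


def classify(ev):
    """Return (rule, detail) when the event matches a rule, else None."""
    key, name = ev.key.lower(), ev.value.lower()
    if ev.op == "query":
        if GEO_KEY.search(key) and name == "nation":
            return ("geo_nation_lookup", ev.key)
        return None
    data = ev.data.lower()
    if WINLOGON_KEY.search(key) and name in WINLOGON_EXPECTED:
        # Shell/Userinit are comma-separated lists and Winlogon starts every
        # entry, so "explorer.exe,<payload>" keeps the desktop and hides the add.
        entries = [e.strip().strip('"') for e in data.split(",") if e.strip()]
        extra = [e for e in entries if e not in WINLOGON_EXPECTED[name]]
        if extra:
            return ("winlogon_" + name, extra)
    if RUN_KEY.search(key) and any(p in data for p in USER_WRITABLE):
        return ("run_key_user_writable", [ev.data])
    return None


def scan(events):
    """Return (process, rule, detail) for every event that matches a rule."""
    hits = []
    for ev in events:
        hit = classify(ev)
        if hit:
            hits.append((ev.process, hit[0], hit[1]))
    return hits


HIVE = r"\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000"
SAMPLE = "faeee77c30327f57740e4f629631bfed46e70e68ed2ed09186433de9cd252a93.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"

# Constructed from the report's IoC lines, plus two benign controls.
SAMPLE_EVENTS = [
    RegEvent(SAMPLE, "query", HIVE + r"\Control Panel\International\Geo", "Nation"),
    RegEvent(SAMPLE, "set", HIVE + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
             "WindowsUpdate",
             TEMP + "\\" + SAMPLE + r' -rundll32 /SYSTEM32 "C:\Windows\System32\taskmgr.exe"'
             r' "C:\Program Files\Microsoft\Windows"'),
    RegEvent("reg.exe", "set", HIVE + r"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
             "shell", r"explorer.exe,C:\Users\Admin\AppData\Roaming\SunJava\JavaUpdata.exe"),
    # Controls: the stock Shell value, and a Run entry under Program Files.
    RegEvent("explorer.exe", "set", HIVE + r"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
             "Shell", "explorer.exe"),
    RegEvent("setup.exe", "set", HIVE + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
             "Vendor", r"C:\Program Files\Vendor\agent.exe"),
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
```

Run as-is it reports the geofence lookup, the RunOnce entry in %TEMP% and the extra Winlogon Shell entry, and stays quiet on the two controls. The Shell rule compares entries rather than the whole string on purpose: matching the literal "explorer.exe" would miss exactly the "explorer.exe,<payload>" form this sample uses.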
Network
Downloads
memory/1036-133-0x0000000000000000-mapping.dmp
memory/1036-134-0x0000000000400000-0x000000000043A000-memory.dmp (Filesize 232KB)
memory/1036-138-0x00000000749A0000-0x0000000074F51000-memory.dmp (Filesize 5.7MB)
memory/1464-136-0x0000000000000000-mapping.dmp
memory/2064-132-0x00000000749A0000-0x0000000074F51000-memory.dmp (Filesize 5.7MB)
memory/2064-137-0x00000000749A0000-0x0000000074F51000-memory.dmp (Filesize 5.7MB)
memory/4364-135-0x0000000000000000-mapping.dmp
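The SetThreadContext and WriteProcessMemory entries, read together with the dump names above, tell one story: PID 2064 hollows PID 1036 and the 0x400000-0x43A000 dump of 1036 is the region to pull. The following is an added example, not the sandbox's own logic. It replays events constructed from this report's "wrote to memory of" and "set thread context of" lines and parses the dump file names from the Downloads section, then reports which child was hollowed and which dumped regions belong to it; the event tuple shape and the decision rule are assumptions made for the example.

```python
"""Correlate the cross-process events in this report into a hollowing verdict.

Added example, not the sandbox's own logic: it replays constructed events
shaped like the report's "wrote to memory of" and "set thread context of"
lines, plus the memory-dump names from the Downloads section. The event
tuple shape and the decision rule are assumptions.
"""
import re
from collections import Counter, defaultdict

DUMP_RE = re.compile(
    r"memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9a-f]+)"
    r"(?:-0x(?P<end>[0-9a-f]+))?-(?P<kind>mapping|memory)\.dmp",
    re.IGNORECASE,
)


def parse_dump(name):
    """Split a Triage-style dump file name into pid, kind, region and size."""
    m = DUMP_RE.fullmatch(name)
    if not m:
        raise ValueError("unrecognised dump name: " + name)
    start = int(m["start"], 16)
    end = int(m["end"], 16) if m["end"] else start  # mapping dumps carry no range
    return {"pid": int(m["pid"]), "kind": m["kind"].lower(),
            "start": start, "end": end, "size_kb": (end - start) // 1024}


def hollowing_verdicts(events, dumps):
    """events are (api, src_pid, src_image, dst_pid, dst_image) tuples.

    Rule (assumption): a child that its parent both writes into and retargets
    with SetThreadContext is hollowed. A parent's few writes into a child it
    has just created, with no SetThreadContext, are ordinary process start-up
    and are left alone.
    """
    writes = Counter()
    retargeted = set()
    image = {}
    for api, spid, simg, dpid, dimg in events:
        image[spid], image[dpid] = simg, dimg
        if api == "WriteProcessMemory":
            writes[(spid, dpid)] += 1
        elif api == "SetThreadContext":
            retargeted.add((spid, dpid))

    regions = defaultdict(list)
    for d in map(parse_dump, dumps):
        if d["kind"] == "memory":
            regions[d["pid"]].append((d["start"], d["end"], d["size_kb"]))

    verdicts = []
    for spid, dpid in sorted(retargeted):
        if writes[(spid, dpid)] == 0:
            continue
        verdicts.append({
            "parent": spid, "child": dpid,
            "same_image": image[spid] == image[dpid],
            "writes": writes[(spid, dpid)],
            # Regions dumped from the child; one starting at the default
            # 32-bit image base 0x400000 is where an unpacked payload sits.
            "child_regions": sorted(regions[dpid]),
        })
    return verdicts


SAMPLE = "faeee77c30327f57740e4f629631bfed46e70e68ed2ed09186433de9cd252a93.exe"

# Constructed from the report's IoC lines: 8 + 3 + 3 writes, one context set.
EVENTS = (
    [("WriteProcessMemory", 2064, SAMPLE, 1036, SAMPLE)] * 8
    + [("SetThreadContext", 2064, SAMPLE, 1036, SAMPLE)]
    + [("WriteProcessMemory", 2064, SAMPLE, 4364, "cmd.exe")] * 3
    + [("WriteProcessMemory", 4364, "cmd.exe", 1464, "reg.exe")] * 3
)
DUMPS = [
    "memory/1036-133-0x0000000000000000-mapping.dmp",
    "memory/1036-134-0x0000000000400000-0x000000000043A000-memory.dmp",
    "memory/1036-138-0x00000000749A0000-0x0000000074F51000-memory.dmp",
    "memory/1464-136-0x0000000000000000-mapping.dmp",
    "memory/2064-132-0x00000000749A0000-0x0000000074F51000-memory.dmp",
    "memory/2064-137-0x00000000749A0000-0x0000000074F51000-memory.dmp",
    "memory/4364-135-0x0000000000000000-mapping.dmp",
]

if __name__ == "__main__":
    for v in hollowing_verdicts(EVENTS, DUMPS):
        print(v)
```

The single verdict names 2064 as parent, 1036 as child, same image, eight writes, and lists the child's two dumped regions; the region size computed from the file name (0x3A000 bytes, 232KB) agrees with the Filesize the report shows, which is a cheap way to confirm the dump names were copied correctly. The cmd.exe and reg.exe writes produce no verdict because no SetThreadContext accompanies them.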