Analysis
-
max time kernel
151s -
max time network
156s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system -
submitted
26-11-2022 23:04
Static task
static1
Behavioral task
behavioral1
Sample
7d7cb534764144b9f9d71d1b8a908e74c1049e77bdf65251c7b646bf3b391727.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
7d7cb534764144b9f9d71d1b8a908e74c1049e77bdf65251c7b646bf3b391727.exe
Resource
win10v2004-20220901-en
General
-
Target
7d7cb534764144b9f9d71d1b8a908e74c1049e77bdf65251c7b646bf3b391727.exe
-
Size
275KB
-
MD5
a04ef23cda6a621fd38ecfd1c2de2384
-
SHA1
a20a78c1c10513aef456d34703731314210d241e
-
SHA256
7d7cb534764144b9f9d71d1b8a908e74c1049e77bdf65251c7b646bf3b391727
-
SHA512
c9ca0c9d857287e2f22248b2a53e0c444cc8b886b10722d065ed6557c381849dc9c967f44f56223f37fd8cce350193358c5b4e2b5260f37a8a8cc385ebb1c0a8
-
SSDEEP
6144:XXjQ8bjPW6po9Hy7iH8LqDuddvmeF9uXkXIqz:njQu7pOWiH8XO2uX+/
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
pic.exepid process 1432 pic.exe -
Modifies Windows Firewall 1 TTPs 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
7d7cb534764144b9f9d71d1b8a908e74c1049e77bdf65251c7b646bf3b391727.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation 7d7cb534764144b9f9d71d1b8a908e74c1049e77bdf65251c7b646bf3b391727.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
pic.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\b683b76dd2c5913149c040288bee4f46 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\pic.exe\" .." pic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\b683b76dd2c5913149c040288bee4f46 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\pic.exe\" .." pic.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 45 IoCs
Processes:
pic.exepid process 1432 pic.exe 1432 pic.exe 1432 pic.exe 1432 pic.exe 1432 pic.exe 1432 pic.exe 1432 pic.exe 1432 pic.exe 1432 pic.exe 1432 pic.exe 1432 pic.exe 1432 pic.exe 1432 pic.exe 1432 pic.exe 1432 pic.exe 1432 pic.exe 1432 pic.exe 1432 pic.exe 1432 pic.exe 1432 pic.exe 1432 pic.exe 1432 pic.exe 1432 pic.exe 1432 pic.exe 1432 pic.exe 1432 pic.exe 1432 pic.exe 1432 pic.exe 1432 pic.exe 1432 pic.exe 1432 pic.exe 1432 pic.exe 1432 pic.exe 1432 pic.exe 1432 pic.exe 1432 pic.exe 1432 pic.exe 1432 pic.exe 1432 pic.exe 1432 pic.exe 1432 pic.exe 1432 pic.exe 1432 pic.exe 1432 pic.exe 1432 pic.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
pic.exedescription pid process Token: SeDebugPrivilege 1432 pic.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
7d7cb534764144b9f9d71d1b8a908e74c1049e77bdf65251c7b646bf3b391727.exepic.exedescription pid process target process PID 4916 wrote to memory of 1432 4916 7d7cb534764144b9f9d71d1b8a908e74c1049e77bdf65251c7b646bf3b391727.exe pic.exe PID 4916 wrote to memory of 1432 4916 7d7cb534764144b9f9d71d1b8a908e74c1049e77bdf65251c7b646bf3b391727.exe pic.exe PID 4916 wrote to memory of 1432 4916 7d7cb534764144b9f9d71d1b8a908e74c1049e77bdf65251c7b646bf3b391727.exe pic.exe PID 1432 wrote to memory of 4556 1432 pic.exe netsh.exe PID 1432 wrote to memory of 4556 1432 pic.exe netsh.exe PID 1432 wrote to memory of 4556 1432 pic.exe netsh.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\7d7cb534764144b9f9d71d1b8a908e74c1049e77bdf65251c7b646bf3b391727.exe"C:\Users\Admin\AppData\Local\Temp\7d7cb534764144b9f9d71d1b8a908e74c1049e77bdf65251c7b646bf3b391727.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\pic.exe"C:\Users\Admin\AppData\Local\Temp\pic.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\pic.exe" "pic.exe" ENABLE3⤵
- Modifies Windows Firewall
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\pic.exeFilesize
275KB
MD5a04ef23cda6a621fd38ecfd1c2de2384
SHA1a20a78c1c10513aef456d34703731314210d241e
SHA2567d7cb534764144b9f9d71d1b8a908e74c1049e77bdf65251c7b646bf3b391727
SHA512c9ca0c9d857287e2f22248b2a53e0c444cc8b886b10722d065ed6557c381849dc9c967f44f56223f37fd8cce350193358c5b4e2b5260f37a8a8cc385ebb1c0a8
-
C:\Users\Admin\AppData\Local\Temp\pic.exeFilesize
275KB
MD5a04ef23cda6a621fd38ecfd1c2de2384
SHA1a20a78c1c10513aef456d34703731314210d241e
SHA2567d7cb534764144b9f9d71d1b8a908e74c1049e77bdf65251c7b646bf3b391727
SHA512c9ca0c9d857287e2f22248b2a53e0c444cc8b886b10722d065ed6557c381849dc9c967f44f56223f37fd8cce350193358c5b4e2b5260f37a8a8cc385ebb1c0a8
-
memory/1432-133-0x0000000000000000-mapping.dmp
-
memory/1432-138-0x0000000074770000-0x0000000074D21000-memory.dmpFilesize
5.7MB
-
memory/1432-139-0x0000000074770000-0x0000000074D21000-memory.dmpFilesize
5.7MB
-
memory/4556-137-0x0000000000000000-mapping.dmp
-
memory/4916-132-0x0000000074770000-0x0000000074D21000-memory.dmpFilesize
5.7MB
-
memory/4916-136-0x0000000074770000-0x0000000074D21000-memory.dmpFilesize
5.7MB