Analysis
-
max time kernel
152s -
max time network
188s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
-
submitted
26-11-2022 23:09
Static task
static1
Behavioral task
behavioral1
Sample
9e77db2d3503dbe700cf7dcf158e9c5da71b7a931fde9af68a97a7fe371cd972.exe
Resource
win7-20220901-en
Behavioral task
behavioral2
Sample
9e77db2d3503dbe700cf7dcf158e9c5da71b7a931fde9af68a97a7fe371cd972.exe
Resource
win10v2004-20220812-en
General
-
Target
9e77db2d3503dbe700cf7dcf158e9c5da71b7a931fde9af68a97a7fe371cd972.exe
-
Size
68KB
-
MD5
e87de6e490804abe7a4eb01ff0898edc
-
SHA1
4d932b5e7898610b1053b235075b70e11749091e
-
SHA256
9e77db2d3503dbe700cf7dcf158e9c5da71b7a931fde9af68a97a7fe371cd972
-
SHA512
688709af6a83676908e0972198835ade516911d0968c6a620bd85980e87692bd67a31ff443f273083fd6cbad470cdc9b60bef05afa1a4b2e189ec5fdf51d1be2
-
SSDEEP
768:QcEliTd+ERAl+qOQSgFrhKo//WomvdfQXwYt1IEDIefZsK:fEIxlAcqOK3qowgnt1d
Malware Config
Signatures
-
Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
Processes: Admin.exe, 9e77db2d3503dbe700cf7dcf158e9c5da71b7a931fde9af68a97a7fe371cd972.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | Admin.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | 9e77db2d3503dbe700cf7dcf158e9c5da71b7a931fde9af68a97a7fe371cd972.exe
-
Executes dropped EXE 1 IoCs
Processes: Admin.exe
pid | process
3088 | Admin.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely for geofencing.
Processes: 9e77db2d3503dbe700cf7dcf158e9c5da71b7a931fde9af68a97a7fe371cd972.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | 9e77db2d3503dbe700cf7dcf158e9c5da71b7a931fde9af68a97a7fe371cd972.exe
-
Adds Run key to start application 2 TTPs 4 IoCs
Processes: Admin.exe, 9e77db2d3503dbe700cf7dcf158e9c5da71b7a931fde9af68a97a7fe371cd972.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Admin = "C:\\Users\\Admin\\Admin.exe" | Admin.exe
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | 9e77db2d3503dbe700cf7dcf158e9c5da71b7a931fde9af68a97a7fe371cd972.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Admin = "C:\\Users\\Admin\\Admin.exe" | 9e77db2d3503dbe700cf7dcf158e9c5da71b7a931fde9af68a97a7fe371cd972.exe
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | Admin.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: 9e77db2d3503dbe700cf7dcf158e9c5da71b7a931fde9af68a97a7fe371cd972.exe, Admin.exe
pid | process
1688 | 9e77db2d3503dbe700cf7dcf158e9c5da71b7a931fde9af68a97a7fe371cd972.exe (6 entries)
3088 | Admin.exe (the remaining 58 of the 64 entries)
-
Suspicious use of SetWindowsHookEx 2 IoCs
Processes: 9e77db2d3503dbe700cf7dcf158e9c5da71b7a931fde9af68a97a7fe371cd972.exe, Admin.exe
pid | process
1688 | 9e77db2d3503dbe700cf7dcf158e9c5da71b7a931fde9af68a97a7fe371cd972.exe
3088 | Admin.exe
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes: 9e77db2d3503dbe700cf7dcf158e9c5da71b7a931fde9af68a97a7fe371cd972.exe
description | pid | process | target process
PID 1688 wrote to memory of 3088 | 1688 | 9e77db2d3503dbe700cf7dcf158e9c5da71b7a931fde9af68a97a7fe371cd972.exe | Admin.exe (3 identical entries)
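The registry rows in the signatures above are the part of this report that converts most directly into a detection: a Run value pointing into the user's own profile, ShowSuperHidden forced to 0 by something other than Explorer, and a read of Geo\Nation. The following is an added example, not part of the report or of the sample, that parses rows in the report's own "description ioc process" rendering and applies those three checks. The sample rows are copied from this report; the explorer.exe row is constructed as a benign control, and the rule names and the two-rule "suspicious" threshold are my own choices.

```python
"""Parse Triage-style registry IoC rows and flag the behaviours this report's
signatures describe. Added example; not the sandbox's or the sample's code."""
import re

# Rows copied from the Signatures section of this report, plus one constructed
# benign row (explorer.exe re-enabling super-hidden files via Folder Options).
SAMPLE_IOCS = [
    r'Set value (int) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" Admin.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Admin = "C:\\Users\\Admin\\Admin.exe" Admin.exe',
    r'Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 9e77db2d3503dbe700cf7dcf158e9c5da71b7a931fde9af68a97a7fe371cd972.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Admin = "C:\\Users\\Admin\\Admin.exe" 9e77db2d3503dbe700cf7dcf158e9c5da71b7a931fde9af68a97a7fe371cd972.exe',
    r'Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation 9e77db2d3503dbe700cf7dcf158e9c5da71b7a931fde9af68a97a7fe371cd972.exe',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "1" explorer.exe',  # constructed benign row
]

# One report row: <operation> <registry path>[ = "<value>"] <process image name>
IOC_RE = re.compile(
    r'^(?P<op>Set value \((?P<vtype>\w+)\)|Key value queried|Key created)\s+'
    r'(?P<path>\\REGISTRY\\.+?)'
    r'(?:\s*=\s*"(?P<value>.*)")?'
    r'\s+(?P<process>\S+)$'
)
HIVE_RE = re.compile(r'^\\REGISTRY\\USER\\(S-1-5-21-[\d-]+)\\', re.I)

RUN_KEY_RE = re.compile(r'\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\([^\\]+)$', re.I)
SUPERHIDDEN_RE = re.compile(r'\\Explorer\\Advanced\\ShowSuperHidden$', re.I)
GEO_RE = re.compile(r'\\Control Panel\\International\\Geo\\Nation$', re.I)
USER_WRITABLE_RE = re.compile(r'^[a-z]:\\Users\\', re.I)  # user-profile paths only; assumption


def parse_ioc(line):
    """Split one report row into operation, normalised path, value and process."""
    m = IOC_RE.match(line.strip())
    if not m:
        raise ValueError(f'unrecognised IoC row: {line!r}')
    path = m.group('path')
    # \REGISTRY\USER\<SID>\... is the kernel view of that user's HKCU; keep the SID
    # so rows from different profiles are not merged.
    hive = HIVE_RE.match(path)
    if hive:
        path = 'HKU\\' + hive.group(1) + '\\' + path[hive.end():]
    value = m.group('value')
    if value is not None:
        value = value.replace('\\\\', '\\')  # the report renders backslashes doubled
    return {'op': m.group('op'), 'path': path, 'value': value, 'process': m.group('process')}


def check(ioc):
    """Return the rule names (my naming) that fire for one parsed row."""
    hits = []
    op, path, value, proc = ioc['op'], ioc['path'], ioc['value'], ioc['process'].lower()
    if op.startswith('Set value'):
        if RUN_KEY_RE.search(path) and value and USER_WRITABLE_RE.match(value.strip('"')):
            hits.append('run_key_user_path')      # autostart entry pointing into a user-writable dir
        if SUPERHIDDEN_RE.search(path) and value == '0' and proc != 'explorer.exe':
            hits.append('superhidden_disabled')   # hides system/super-hidden files, not via Explorer UI
    elif op == 'Key value queried' and GEO_RE.search(path):
        hits.append('geo_lookup')                 # reads the configured country code
    return hits


def assess(lines):
    """Map each process image to the distinct rules it triggered, in first-seen order."""
    per_proc = {}
    for line in lines:
        ioc = parse_ioc(line)
        hits = per_proc.setdefault(ioc['process'], [])
        for h in check(ioc):
            if h not in hits:
                hits.append(h)
    return per_proc


def suspicious(findings, threshold=2):
    """Processes that hit at least `threshold` distinct rules (threshold is an assumption)."""
    return sorted(p for p, hits in findings.items() if len(hits) >= threshold)


if __name__ == '__main__':
    result = assess(SAMPLE_IOCS)
    for proc, hits in result.items():
        print(f'{proc}: {hits or "-"}')
    print('suspicious:', suspicious(result))
```

On the rows from this report both the original sample and the dropped Admin.exe cross the threshold, while the constructed explorer.exe row does not: Explorer legitimately rewrites ShowSuperHidden when the user changes Folder Options, which is why that rule excludes it.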
Processes
-
C:\Users\Admin\AppData\Local\Temp\9e77db2d3503dbe700cf7dcf158e9c5da71b7a931fde9af68a97a7fe371cd972.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\9e77db2d3503dbe700cf7dcf158e9c5da71b7a931fde9af68a97a7fe371cd972.exe" (tree level 1)
- Modifies visibility of hidden/system files in Explorer
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\Admin.exe
Command line: "C:\Users\Admin\Admin.exe" (tree level 2)
- Modifies visibility of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
-
C:\Users\Admin\Admin.exe
Filesize
68KB
MD5
1a5eb3e4a0e0f9ed6e872cba7c97cf0d
SHA1
ca97d9260656db66d39235c79f8a17c8cd7c0801
SHA256
0f57974c3bab04535b1f7e2e02e12faaf029c929c94e40a09280be14964764f5
SHA512
71c9a7973062e1ca23eaa4914f10d2d69be1d9b0a29bccc4895ef78619ce7aa711958b951a122e0f5f667a2849f9112c0d85a9e8d512706cd70c5e7b902223f7
-
memory/1688-132-0x0000000000400000-0x0000000000415000-memory.dmp
Filesize
84KB
-
memory/3088-135-0x0000000000000000-mapping.dmp
-
memory/3088-138-0x0000000000400000-0x0000000000415000-memory.dmp
Filesize
84KB