Analysis
-
max time kernel
155s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
26/11/2022, 23:37
Static task
static1
Behavioral task
behavioral1
Sample
a028f14dde5e1cf076c6d180edc994cf385a91a7b0e858156bec56bc00877256.exe
Resource
win7-20220901-en
General
-
Target
a028f14dde5e1cf076c6d180edc994cf385a91a7b0e858156bec56bc00877256.exe
-
Size
270KB
-
MD5
2cb181105e8d2aff82b0e4ffa1b9c0a3
-
SHA1
e80ed3c708459baeeb65ba143e4a87b83869df55
-
SHA256
a028f14dde5e1cf076c6d180edc994cf385a91a7b0e858156bec56bc00877256
-
SHA512
a7973fd5c8403dfd4e3504e5ebf908aab1ba87dcb31c1e13de2c8fe8bed26c4989dbcad6105dce9c7215f1cc3d9309f934f7cfca8f2a05a0b85e91bea4d252b3
-
SSDEEP
3072:UBixpea+2WPGOqsm7GMwU51cuFzLe02owBqRK6gb8ekFCgGbCuCE0TYB9JPpJJUw:gib+Hmp1QhBqRKH4GOExB9tJUZs+PVPe
Malware Config
Extracted
nanocore
-
activate_away_mode
false
- backup_connection_host
- backup_dns_server
-
buffer_size
0
-
build_time
0001-01-01T00:00:00Z
-
bypass_user_account_control
false
- bypass_user_account_control_data
-
clear_access_control
false
-
clear_zone_identifier
false
-
connect_delay
0
-
connection_port
0
- default_group
-
enable_debug_mode
false
-
gc_threshold
0
-
keep_alive_timeout
0
-
keyboard_logging
false
-
lan_timeout
0
-
max_packet_size
0
- mutex
-
mutex_timeout
0
-
prevent_system_sleep
false
- primary_connection_host
- primary_dns_server
-
request_elevation
false
-
restart_delay
0
-
run_delay
0
-
run_on_startup
false
-
set_critical_process
false
-
timeout_interval
0
-
use_custom_dns_server
false
- version
-
wan_timeout
0
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 2016 6QZxCPSXxz.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation a028f14dde5e1cf076c6d180edc994cf385a91a7b0e858156bec56bc00877256.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DDP Manager = "C:\\Program Files (x86)\\DDP Manager\\ddpmgr.exe" 6QZxCPSXxz.exe -
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 6QZxCPSXxz.exe -
Drops file in Program Files directory 2 IoCs
description ioc Process File created C:\Program Files (x86)\DDP Manager\ddpmgr.exe 6QZxCPSXxz.exe File opened for modification C:\Program Files (x86)\DDP Manager\ddpmgr.exe 6QZxCPSXxz.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 2736 wrote to memory of 2016 2736 a028f14dde5e1cf076c6d180edc994cf385a91a7b0e858156bec56bc00877256.exe 83 PID 2736 wrote to memory of 2016 2736 a028f14dde5e1cf076c6d180edc994cf385a91a7b0e858156bec56bc00877256.exe 83 PID 2736 wrote to memory of 2016 2736 a028f14dde5e1cf076c6d180edc994cf385a91a7b0e858156bec56bc00877256.exe 83
Processes
-
C:\Users\Admin\AppData\Local\Temp\a028f14dde5e1cf076c6d180edc994cf385a91a7b0e858156bec56bc00877256.exe"C:\Users\Admin\AppData\Local\Temp\a028f14dde5e1cf076c6d180edc994cf385a91a7b0e858156bec56bc00877256.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2736 -
C:\Users\Admin\AppData\Local\Temp\6QZxCPSXxz.exe"C:\Users\Admin\AppData\Local\Temp\6QZxCPSXxz.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
PID:2016
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
117KB
MD527ddcce8f1fce61204719d271f240aae
SHA17684d14fe04f0865fa1bdcb539f1223b1a17a194
SHA2567c6403534a369f4f1184ed6283b89913b67c597facfeac7b18daf2685e08a879
SHA51237f6b5cd8e8c65e1fbf1ec8115d97cabdf10a1882fb33db27508be0d3337214f08b89b69017ff2c6368538c4f76c992ac55914ed2b0d06cb3d40d6012466516b
-
Filesize
117KB
MD527ddcce8f1fce61204719d271f240aae
SHA17684d14fe04f0865fa1bdcb539f1223b1a17a194
SHA2567c6403534a369f4f1184ed6283b89913b67c597facfeac7b18daf2685e08a879
SHA51237f6b5cd8e8c65e1fbf1ec8115d97cabdf10a1882fb33db27508be0d3337214f08b89b69017ff2c6368538c4f76c992ac55914ed2b0d06cb3d40d6012466516b