Analysis
- max time kernel: 156s
- max time network: 159s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26/11/2022, 23:45
Static task: static1
Behavioral task: behavioral1
- Sample: 96b39ed0e1d194c901c52781a2cfc872751f072d77c88732ff34a5806f7d0322.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: 96b39ed0e1d194c901c52781a2cfc872751f072d77c88732ff34a5806f7d0322.exe
- Resource: win10v2004-20220812-en
General
- Target: 96b39ed0e1d194c901c52781a2cfc872751f072d77c88732ff34a5806f7d0322.exe
- Size: 880KB
- MD5: 168a2c2ce1f613b4d70619fa695e6b78
- SHA1: f10cb10f36c98dac6f41b5012acd976f281e7d90
- SHA256: 96b39ed0e1d194c901c52781a2cfc872751f072d77c88732ff34a5806f7d0322
- SHA512: bf8fbc62652dceea06973402178dbd081eedc394cd591874670c60563bb1d8f1d0710101c2784b21aa2a37eb6b6214fe06624e98ad94ce165abdc1bc4888da98
- SSDEEP: 12288:sZhUf7LXHxRqPRR1cI/lMb5QWS/DWQt28QQwyp0dewzuJ/zg/EukKAFGnyTz4+Du:skLXHjqPV+Fqt28wvTaYERKAFSMiP
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
- Set value (str): \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Roaming\\Windows\\amptask.exe" (process: 96b39ed0e1d194c901c52781a2cfc872751f072d77c88732ff34a5806f7d0322.exe)

Executes dropped EXE (1 IoC)
- PID 4652: Pop4.exe

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation (process: 96b39ed0e1d194c901c52781a2cfc872751f072d77c88732ff34a5806f7d0322.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation (process: wscript.exe)

Drops startup file (4 IoCs)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\amptask.exe (process: cmd.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\amptask.exe (process: cmd.exe)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Pop4.exe (process: Pop4.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Pop4.exe (process: Pop4.exe)

Adds Run key to start application (2 TTPs, 1 IoC)
- Set value (str): \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Pop = "C:\\Users\\Admin\\AppData\\Roaming\\Pop_Ads\\My\\1.0.0.0\\Pop4.exe" (process: Pop4.exe)

Drops desktop.ini file(s) (2 IoCs)
- File created: C:\Windows\assembly\Desktop.ini (process: 96b39ed0e1d194c901c52781a2cfc872751f072d77c88732ff34a5806f7d0322.exe)
- File opened for modification: C:\Windows\assembly\Desktop.ini (process: 96b39ed0e1d194c901c52781a2cfc872751f072d77c88732ff34a5806f7d0322.exe)

Drops file in Windows directory (3 IoCs)
- File opened for modification: C:\Windows\assembly\Desktop.ini (process: 96b39ed0e1d194c901c52781a2cfc872751f072d77c88732ff34a5806f7d0322.exe)
- File opened for modification: C:\Windows\assembly (process: 96b39ed0e1d194c901c52781a2cfc872751f072d77c88732ff34a5806f7d0322.exe)
- File created: C:\Windows\assembly\Desktop.ini (process: 96b39ed0e1d194c901c52781a2cfc872751f072d77c88732ff34a5806f7d0322.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Delays execution with timeout.exe (1 IoC)
- PID 3588: timeout.exe

Suspicious behavior: EnumeratesProcesses (3 IoCs)
- PID 4264: 96b39ed0e1d194c901c52781a2cfc872751f072d77c88732ff34a5806f7d0322.exe
- PID 4264: 96b39ed0e1d194c901c52781a2cfc872751f072d77c88732ff34a5806f7d0322.exe
- PID 4264: 96b39ed0e1d194c901c52781a2cfc872751f072d77c88732ff34a5806f7d0322.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
- Token: SeDebugPrivilege (PID 4264, process: 96b39ed0e1d194c901c52781a2cfc872751f072d77c88732ff34a5806f7d0322.exe)

Suspicious use of WriteProcessMemory (21 IoCs)
- PID 4264 wrote to memory of 4652 (process: 96b39ed0e1d194c901c52781a2cfc872751f072d77c88732ff34a5806f7d0322.exe, procid_target: 82)
- PID 4264 wrote to memory of 4652 (process: 96b39ed0e1d194c901c52781a2cfc872751f072d77c88732ff34a5806f7d0322.exe, procid_target: 82)
- PID 4264 wrote to memory of 4652 (process: 96b39ed0e1d194c901c52781a2cfc872751f072d77c88732ff34a5806f7d0322.exe, procid_target: 82)
- PID 4264 wrote to memory of 4768 (process: 96b39ed0e1d194c901c52781a2cfc872751f072d77c88732ff34a5806f7d0322.exe, procid_target: 83)
- PID 4264 wrote to memory of 4768 (process: 96b39ed0e1d194c901c52781a2cfc872751f072d77c88732ff34a5806f7d0322.exe, procid_target: 83)
- PID 4264 wrote to memory of 4768 (process: 96b39ed0e1d194c901c52781a2cfc872751f072d77c88732ff34a5806f7d0322.exe, procid_target: 83)
- PID 4768 wrote to memory of 2356 (process: cmd.exe, procid_target: 86)
- PID 4768 wrote to memory of 2356 (process: cmd.exe, procid_target: 86)
- PID 4768 wrote to memory of 2356 (process: cmd.exe, procid_target: 86)
- PID 4264 wrote to memory of 1416 (process: 96b39ed0e1d194c901c52781a2cfc872751f072d77c88732ff34a5806f7d0322.exe, procid_target: 85)
- PID 4264 wrote to memory of 1416 (process: 96b39ed0e1d194c901c52781a2cfc872751f072d77c88732ff34a5806f7d0322.exe, procid_target: 85)
- PID 4264 wrote to memory of 1416 (process: 96b39ed0e1d194c901c52781a2cfc872751f072d77c88732ff34a5806f7d0322.exe, procid_target: 85)
- PID 2356 wrote to memory of 228 (process: wscript.exe, procid_target: 88)
- PID 2356 wrote to memory of 228 (process: wscript.exe, procid_target: 88)
- PID 2356 wrote to memory of 228 (process: wscript.exe, procid_target: 88)
- PID 4264 wrote to memory of 748 (process: 96b39ed0e1d194c901c52781a2cfc872751f072d77c88732ff34a5806f7d0322.exe, procid_target: 96)
- PID 4264 wrote to memory of 748 (process: 96b39ed0e1d194c901c52781a2cfc872751f072d77c88732ff34a5806f7d0322.exe, procid_target: 96)
- PID 4264 wrote to memory of 748 (process: 96b39ed0e1d194c901c52781a2cfc872751f072d77c88732ff34a5806f7d0322.exe, procid_target: 96)
- PID 748 wrote to memory of 3588 (process: cmd.exe, procid_target: 98)
- PID 748 wrote to memory of 3588 (process: cmd.exe, procid_target: 98)
- PID 748 wrote to memory of 3588 (process: cmd.exe, procid_target: 98)
Processes
- [depth 1] C:\Users\Admin\AppData\Local\Temp\96b39ed0e1d194c901c52781a2cfc872751f072d77c88732ff34a5806f7d0322.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\96b39ed0e1d194c901c52781a2cfc872751f072d77c88732ff34a5806f7d0322.exe"
  PID: 4264
  - Modifies WinLogon for persistence
  - Checks computer location settings
  - Drops desktop.ini file(s)
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [depth 2] C:\Users\Admin\AppData\Local\Temp\Pop4.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Pop4.exe"
    PID: 4652
    - Executes dropped EXE
    - Drops startup file
    - Adds Run key to start application
  - [depth 2] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Windows\mata.bat
    PID: 4768
    - Suspicious use of WriteProcessMemory
    - [depth 3] C:\Windows\SysWOW64\wscript.exe
      Command line: wscript.exe "C:\Users\Admin\AppData\Roaming\Windows\invs.vbs" "C:\Users\Admin\AppData\Roaming\Windows\mata2.bat
      PID: 2356
      - Checks computer location settings
      - Suspicious use of WriteProcessMemory
      - [depth 4] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Windows\mata2.bat" "
        PID: 228
        - Drops startup file
  - [depth 2] C:\Users\Admin\AppData\Roaming\notepad .exe
    Command line: "C:\Users\Admin\AppData\Roaming\notepad .exe"
    PID: 1416
  - [depth 2] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Windows\notepad.bat" "
    PID: 748
    - Suspicious use of WriteProcessMemory
    - [depth 3] C:\Windows\SysWOW64\timeout.exe
      Command line: timeout /t 300
      PID: 3588
      - Delays execution with timeout.exe
Network
MITRE ATT&CK Enterprise v6
Downloads