Analysis
-
max time kernel
143s
-
max time network
158s
-
platform
windows10-2004_x64
-
resource
win10v2004-20220812-en
-
resource tags
arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
-
submitted
26-11-2022 01:57
Behavioral task
behavioral1
Sample
951c352653556f4a856e327db94c359cc82b452ab36660a0e27c7f9428f8a4c8.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
951c352653556f4a856e327db94c359cc82b452ab36660a0e27c7f9428f8a4c8.exe
Resource
win10v2004-20220812-en
General
-
Target
951c352653556f4a856e327db94c359cc82b452ab36660a0e27c7f9428f8a4c8.exe
-
Size
196KB
-
MD5
2798ffe8ecee2781804dc2db89e6d965
-
SHA1
97f415892e99d53f19d013893cd18e96c0d3698d
-
SHA256
951c352653556f4a856e327db94c359cc82b452ab36660a0e27c7f9428f8a4c8
-
SHA512
d349f8370a6018187d1a272597465529a7938df28c7971d4142e9447c3266d1f8ca6bb7d39996deb6869b1a4e375c26ebbc4770744f4f63669c9ff44e2c8ce98
-
SSDEEP
3072:6DeIb32lxEo16cc9fjw8hD5z0llx2VtJxBVhLJ:ab3kEo1BWj/hx078V9d
Malware Config
Signatures
-
Executes dropped EXE (1 IoCs)
Processes: server1.exe
pid   process
4320  server1.exe
-
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: 951c352653556f4a856e327db94c359cc82b452ab36660a0e27c7f9428f8a4c8.exe
description        ioc                                                                                              process
Key value queried  \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation  951c352653556f4a856e327db94c359cc82b452ab36660a0e27c7f9428f8a4c8.exe
-
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: dw20.exe
description        ioc                                                                             process
Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                 dw20.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz            dw20.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  dw20.exe
-
Enumerates system info in registry (2 TTPs, 2 IoCs)
Processes: dw20.exe
description        ioc                                                           process
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU  dw20.exe
Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS            dw20.exe
-
Suspicious use of AdjustPrivilegeToken (4 IoCs)
Processes: dw20.exe
description                pid   process
Token: SeRestorePrivilege  3516  dw20.exe
Token: SeBackupPrivilege   3516  dw20.exe
Token: SeBackupPrivilege   3516  dw20.exe
Token: SeBackupPrivilege   3516  dw20.exe
-
Suspicious use of WriteProcessMemory (6 IoCs)
Processes: 951c352653556f4a856e327db94c359cc82b452ab36660a0e27c7f9428f8a4c8.exe, server1.exe
description                       pid   process                                                                process
PID 3008 wrote to memory of 4320  3008  951c352653556f4a856e327db94c359cc82b452ab36660a0e27c7f9428f8a4c8.exe  server1.exe
PID 3008 wrote to memory of 4320  3008  951c352653556f4a856e327db94c359cc82b452ab36660a0e27c7f9428f8a4c8.exe  server1.exe
PID 3008 wrote to memory of 4320  3008  951c352653556f4a856e327db94c359cc82b452ab36660a0e27c7f9428f8a4c8.exe  server1.exe
PID 4320 wrote to memory of 3516  4320  server1.exe                                                            dw20.exe
PID 4320 wrote to memory of 3516  4320  server1.exe                                                            dw20.exe
PID 4320 wrote to memory of 3516  4320  server1.exe                                                            dw20.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\951c352653556f4a856e327db94c359cc82b452ab36660a0e27c7f9428f8a4c8.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\951c352653556f4a856e327db94c359cc82b452ab36660a0e27c7f9428f8a4c8.exe"
Tree depth: 1
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3008
-
  C:\Users\Admin\AppData\Local\Temp\server1.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\server1.exe"
  Tree depth: 2
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4320
  -
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    Command line: dw20.exe -x -s 824
    Tree depth: 3
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious use of AdjustPrivilegeToken
    PID:3516
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\server1.exe
Filesize
184KB
MD5
4fdc515c5f0a3106099e39e4edc3c370
SHA1
e1687d6d272e037bfd510a678fbcf347c5bd62fa
SHA256
8dc21b1e601ed3e915a5c9388e5ec0a5163b1ca37a4c826571be98229c230bf8
SHA512
c66926e060ed86048a5d794c42be237fcba035654fbb7c8184b8ee0aad5639e5c3278a62d827848b28646f052d4c25eec28d49ba599f3a3729f7d65e70eb86cd
-
memory/3516-136-0x0000000000000000-mapping.dmp
-
memory/4320-132-0x0000000000000000-mapping.dmp
-
memory/4320-135-0x0000000075310000-0x00000000758C1000-memory.dmp
Filesize
5.7MB
-
memory/4320-137-0x0000000075310000-0x00000000758C1000-memory.dmp
Filesize
5.7MB
-
memory/4320-138-0x0000000075310000-0x00000000758C1000-memory.dmp
Filesize
5.7MB