Analysis
- max time kernel: 152s
- max time network: 176s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26-11-2022 01:57
Behavioral task: behavioral1
- Sample: 8473acde4d3267b07e41f8eacdda17761b2a0d828d3a7cbaeab2bcab304d250f.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: 8473acde4d3267b07e41f8eacdda17761b2a0d828d3a7cbaeab2bcab304d250f.exe
- Resource: win10v2004-20220812-en
General
- Target: 8473acde4d3267b07e41f8eacdda17761b2a0d828d3a7cbaeab2bcab304d250f.exe
- Size: 437KB
- MD5: 6494493746d95598cb1e64b1ed53669c
- SHA1: 12ed5c845c0b5818c5e7a6c5ff14d007ab50d546
- SHA256: 8473acde4d3267b07e41f8eacdda17761b2a0d828d3a7cbaeab2bcab304d250f
- SHA512: 3999294178e5b66961a372d43e0e3d978c79b0375fefe1eca22cfd92dec6c4f8382ad558472147702b5fd1e28decf8e2f328df6c4b2c7c5196c35922b9aec313
- SSDEEP: 12288:1u5+hCo1m1HOPDq2Owbfjkx0ZkYLt9VkrefM:1e+11m1HOrZbfjpkYLt9erefM
Malware Config
Signatures
- Executes dropped EXE (3 IoCs)
  Processes (pid | process):
    4676 | jkl.exe
    4836 | Mohamed Imad.exe
    32 | Windows.exe
- Modifies Windows Firewall (1 TTPs, 1 IoCs)
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes (description | ioc | process):
    Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | 8473acde4d3267b07e41f8eacdda17761b2a0d828d3a7cbaeab2bcab304d250f.exe
    Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | jkl.exe
- Drops startup file (2 IoCs)
  Processes (description | ioc | process):
    File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0637647888fbb2fb9f487f98c143f3b5.exe | Windows.exe
    File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0637647888fbb2fb9f487f98c143f3b5.exe | Windows.exe
- Adds Run key to start application (2 TTPs, 4 IoCs)
  Processes (description | ioc | process):
    Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Users\\Admin\\AppData\\Local\\jkl.exe" | jkl.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Users\\Admin\\AppData\\Local\\jkl.exe" | Windows.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\0637647888fbb2fb9f487f98c143f3b5 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Windows.exe\" .." | Windows.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\0637647888fbb2fb9f487f98c143f3b5 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Windows.exe\" .." | Windows.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (33 IoCs)
  Processes (description | pid | process):
    Token: SeDebugPrivilege | 32 | Windows.exe
    Token: 33 | 32 | Windows.exe
    Token: SeIncBasePriorityPrivilege | 32 | Windows.exe
    (the last two entries alternate repeatedly for PID 32 Windows.exe; 33 token entries in total)
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes (description | pid | process | target process):
    PID 860 wrote to memory of 4676 | 860 | 8473acde4d3267b07e41f8eacdda17761b2a0d828d3a7cbaeab2bcab304d250f.exe | jkl.exe
    PID 860 wrote to memory of 4676 | 860 | 8473acde4d3267b07e41f8eacdda17761b2a0d828d3a7cbaeab2bcab304d250f.exe | jkl.exe
    PID 860 wrote to memory of 4836 | 860 | 8473acde4d3267b07e41f8eacdda17761b2a0d828d3a7cbaeab2bcab304d250f.exe | Mohamed Imad.exe
    PID 860 wrote to memory of 4836 | 860 | 8473acde4d3267b07e41f8eacdda17761b2a0d828d3a7cbaeab2bcab304d250f.exe | Mohamed Imad.exe
    PID 4676 wrote to memory of 32 | 4676 | jkl.exe | Windows.exe
    PID 4676 wrote to memory of 32 | 4676 | jkl.exe | Windows.exe
    PID 32 wrote to memory of 3700 | 32 | Windows.exe | netsh.exe
    PID 32 wrote to memory of 3700 | 32 | Windows.exe | netsh.exe
Processes (process tree; indentation shows parent/child depth)
- C:\Users\Admin\AppData\Local\Temp\8473acde4d3267b07e41f8eacdda17761b2a0d828d3a7cbaeab2bcab304d250f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8473acde4d3267b07e41f8eacdda17761b2a0d828d3a7cbaeab2bcab304d250f.exe"
  PID: 860
  Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\jkl.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\jkl.exe"
    PID: 4676
    Signatures: Executes dropped EXE; Checks computer location settings; Adds Run key to start application; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\Windows.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Windows.exe"
      PID: 32
      Signatures: Executes dropped EXE; Drops startup file; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - C:\Windows\SYSTEM32\netsh.exe
        Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Windows.exe" "Windows.exe" ENABLE
        PID: 3700
        Signatures: Modifies Windows Firewall
  - C:\Users\Admin\AppData\Local\Temp\Mohamed Imad.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Mohamed Imad.exe"
    PID: 4836
    Signatures: Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\Mohamed Imad.exe
Filesize: 321KB
MD5: eb078d6d5bc16b89e4468019c55543f8
SHA1: 0f0ef59a9e026075cc3c0ee2520e2a2ab3fd25a9
SHA256: 47a52ad0963db103f1cf2b8967bc13c85646cd199569ecc9019a714e26d90af8
SHA512: 56107bd229b585d56fff839598ebc503ed3cef9ca705b6e931a7331b363dd8a66d57f81bf1bb66e5ac496d4213f38ae7d2239ef2686161d07a97a18d7d25fd06
-
C:\Users\Admin\AppData\Local\Temp\Windows.exe
Filesize: 72KB
MD5: c7f7f2f2569396ec7573f6c9af116f00
SHA1: 4544ce4257f4f2e3d42b54bd2528cd95c1e2a330
SHA256: 37836270f4dbe9f2a3788ab5697c9bdfc560495fbec4025666d6004817780f4e
SHA512: 481ad1a77c65fd9236339e879fcf79f2ac25cfae80f027880a40edd5dbab4344f7f939f59335118a792b00e14eb2a53888b03cd36d20a4ffb7af39d56631b394
-
C:\Users\Admin\AppData\Local\Temp\jkl.exe
Filesize: 72KB
MD5: c7f7f2f2569396ec7573f6c9af116f00
SHA1: 4544ce4257f4f2e3d42b54bd2528cd95c1e2a330
SHA256: 37836270f4dbe9f2a3788ab5697c9bdfc560495fbec4025666d6004817780f4e
SHA512: 481ad1a77c65fd9236339e879fcf79f2ac25cfae80f027880a40edd5dbab4344f7f939f59335118a792b00e14eb2a53888b03cd36d20a4ffb7af39d56631b394
-
memory/32-143-0x00007FF893A10000-0x00007FF894446000-memory.dmp
Filesize: 10.2MB
-
memory/32-140-0x0000000000000000-mapping.dmp
-
memory/3700-144-0x0000000000000000-mapping.dmp
-
memory/4676-132-0x0000000000000000-mapping.dmp
-
memory/4676-139-0x00007FF893A10000-0x00007FF894446000-memory.dmp
Filesize: 10.2MB
-
memory/4836-135-0x0000000000000000-mapping.dmp
-
memory/4836-138-0x00007FF893A10000-0x00007FF894446000-memory.dmp
Filesize: 10.2MB