Analysis
- max time kernel: 151s
- max time network: 172s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26-11-2022 01:57
Behavioral task behavioral1
- Sample: 7156d13a234822f1eaa71c6569259e167935e0222aa03445dafe1901a10a57d8.exe
- Resource: win7-20220812-en
Behavioral task behavioral2
- Sample: 7156d13a234822f1eaa71c6569259e167935e0222aa03445dafe1901a10a57d8.exe
- Resource: win10v2004-20220812-en
General
- Target: 7156d13a234822f1eaa71c6569259e167935e0222aa03445dafe1901a10a57d8.exe
- Size: 405KB
- MD5: 7af03069fd2115cacf8f083f630d1518
- SHA1: 0bc4fc8a383cabfd6c02c135cf09771a7abcbf97
- SHA256: 7156d13a234822f1eaa71c6569259e167935e0222aa03445dafe1901a10a57d8
- SHA512: 4d6968c35bef582715e22f3ac32fbe8b01e29443e4343701ff92c282890a800f16e64233ab422c106765a12928b92060a8e2c2ada48c85eedc9638c30d814c2b
- SSDEEP: 12288:7u5Snj11m1HOPDq2Owbfjkx0ZkYLt9VkrefM:7eS51m1HOrZbfjpkYLt9erefM
Malware Config
Signatures
-
Executes dropped EXE (3 IoCs)
Processes:
- PID 4388: 1.exe
- PID 4924: Mohamed Imad.exe
- PID 2880: Windows.exe
Modifies Windows Firewall (1 TTP, 1 IoC)
The IoC is the netsh.exe child of Windows.exe (PID 960) in the process tree below, which adds a firewall "allowedprogram" exception for C:\Users\Admin\AppData\Local\Temp\Windows.exe.
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely a geofence. Geo\Nation holds the GEOID of the country selected in the Region settings; the report records only the query, not a conditional branch on its value.
Processes:
- Key value queried: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation by 7156d13a234822f1eaa71c6569259e167935e0222aa03445dafe1901a10a57d8.exe
- Key value queried: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation by 1.exe
Drops startup file (2 IoCs)
Processes:
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0637647888fbb2fb9f487f98c143f3b5.exe by Windows.exe
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0637647888fbb2fb9f487f98c143f3b5.exe by Windows.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
Processes:
- Set value (str): \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\0637647888fbb2fb9f487f98c143f3b5 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Windows.exe\" .." by Windows.exe
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\0637647888fbb2fb9f487f98c143f3b5 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Windows.exe\" .." by Windows.exe
- Set value (str): \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ (empty value name) = "C:\\Users\\Admin\\AppData\\Local\\1.exe" by 1.exe
- Set value (str): \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ (empty value name) = "C:\\Users\\Admin\\AppData\\Local\\1.exe" by Windows.exe
Note the two persistence styles: a hex-named value (under both HKCU and HKLM) whose data is the quoted Temp path followed by a trailing " .." argument, and an unnamed (default) value pointing at C:\Users\Admin\AppData\Local\1.exe.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox describes this signature as "likely ransomware behaviour", but that is the generic signature text: nothing else in this report (no mass file writes, no ransom note, no encryption-related activity) supports a ransomware verdict. What the report does record is a dropper chain that copies a 40KB payload to %TEMP%\Windows.exe, registers it in the Run keys and the Startup folder, and whitelists it in the Windows Firewall.
Suspicious use of AdjustPrivilegeToken (33 IoCs)
Processes: Windows.exe (PID 2880)
- Token: SeDebugPrivilege (once)
- Token: 33 followed by Token: SeIncBasePriorityPrivilege, repeated 16 times (32 entries)
Suspicious use of WriteProcessMemory (8 IoCs)
Processes (each parent/child pair is logged twice):
- PID 3836 (7156d13a234822f1eaa71c6569259e167935e0222aa03445dafe1901a10a57d8.exe) wrote to memory of PID 4388 (1.exe)
- PID 3836 (7156d13a234822f1eaa71c6569259e167935e0222aa03445dafe1901a10a57d8.exe) wrote to memory of PID 4924 (Mohamed Imad.exe)
- PID 4388 (1.exe) wrote to memory of PID 2880 (Windows.exe)
- PID 2880 (Windows.exe) wrote to memory of PID 960 (netsh.exe)
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\7156d13a234822f1eaa71c6569259e167935e0222aa03445dafe1901a10a57d8.exe (PID 3836)
  Command line: "C:\Users\Admin\AppData\Local\Temp\7156d13a234822f1eaa71c6569259e167935e0222aa03445dafe1901a10a57d8.exe"
  Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\1.exe (PID 4388)
    Command line: "C:\Users\Admin\AppData\Local\Temp\1.exe"
    Signatures: Executes dropped EXE; Checks computer location settings; Adds Run key to start application; Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Local\Temp\Windows.exe (PID 2880)
      Command line: "C:\Users\Admin\AppData\Local\Temp\Windows.exe"
      Signatures: Executes dropped EXE; Drops startup file; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - [4] C:\Windows\SYSTEM32\netsh.exe (PID 960)
        Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Windows.exe" "Windows.exe" ENABLE
        Signatures: Modifies Windows Firewall
  - [2] C:\Users\Admin\AppData\Local\Temp\Mohamed Imad.exe (PID 4924)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Mohamed Imad.exe"
    Signatures: Executes dropped EXE
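The signatures and process tree above translate directly into hunting logic. The following is an added example, not part of the sandbox report or the sample: it reconstructs the process lineage from parent/child PIDs and flags the four artifacts this report records (Geo\Nation lookup by a binary in AppData, Run-key values that point into AppData, have an empty name or carry the trailing " .." argument, a 32-hex-character .exe in the Startup folder, and a netsh "allowedprogram" exception for a user-writable path). The event stream is constructed to mirror the report's PIDs, paths and values; the field names (type/pid/ppid/image/cmd/target/op/details), the launching parent PID 1000 and the "Contoso" control entry are assumptions, not telemetry from the page.

```python
"""Hunt for the persistence / firewall-tampering chain recorded in this report.

Added example, not part of the sandbox report. EVENTS is a constructed,
Sysmon-like event stream: PIDs, paths and registry values come from the
report; field names, parent PID 1000 and the Contoso control entry are
assumptions. Note that standard Sysmon does not log registry *reads*, so
the geo_nation_lookup rule needs sandbox or ETW registry telemetry.
"""
import re

SAMPLE = "7156d13a234822f1eaa71c6569259e167935e0222aa03445dafe1901a10a57d8.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
HKU = r"\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000"
RUN = r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
STARTUP = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
GEO = r"\Control Panel\International\Geo\Nation"
HEX_NAME = "0637647888fbb2fb9f487f98c143f3b5"


def j(*parts):
    """Join path components with a backslash (avoids os.path on non-Windows hosts)."""
    return "\\".join(parts)


WINDOWS_EXE = j(TEMP, "Windows.exe")

# Constructed event stream mirroring the report (see module docstring).
EVENTS = [
    {"type": "process", "pid": 3836, "ppid": 1000, "image": j(TEMP, SAMPLE), "cmd": ""},
    {"type": "registry", "pid": 3836, "op": "query", "target": HKU + GEO, "details": ""},
    {"type": "process", "pid": 4388, "ppid": 3836, "image": j(TEMP, "1.exe"), "cmd": ""},
    {"type": "process", "pid": 4924, "ppid": 3836, "image": j(TEMP, "Mohamed Imad.exe"), "cmd": ""},
    {"type": "registry", "pid": 4388, "op": "query", "target": HKU + GEO, "details": ""},
    {"type": "registry", "pid": 4388, "op": "set", "target": HKU + RUN + "\\",
     "details": r"C:\Users\Admin\AppData\Local\1.exe"},
    {"type": "process", "pid": 2880, "ppid": 4388, "image": WINDOWS_EXE, "cmd": ""},
    {"type": "registry", "pid": 2880, "op": "set", "target": j(HKU + RUN, HEX_NAME),
     "details": '"' + WINDOWS_EXE + '" ..'},
    {"type": "registry", "pid": 2880, "op": "set", "target": j(r"\REGISTRY\MACHINE" + RUN, HEX_NAME),
     "details": '"' + WINDOWS_EXE + '" ..'},
    {"type": "registry", "pid": 2880, "op": "set", "target": HKU + RUN + "\\",
     "details": r"C:\Users\Admin\AppData\Local\1.exe"},
    {"type": "file", "pid": 2880, "target": j(STARTUP, HEX_NAME + ".exe")},
    {"type": "process", "pid": 960, "ppid": 2880, "image": r"C:\Windows\SYSTEM32\netsh.exe",
     "cmd": 'netsh firewall add allowedprogram "' + WINDOWS_EXE + '" "Windows.exe" ENABLE'},
    # Constructed benign control: a vendor agent registering itself from Program Files.
    {"type": "registry", "pid": 5100, "op": "set", "target": j(HKU + RUN, "ContosoAgent"),
     "details": r'"C:\Program Files\Contoso\Agent.exe" /background'},
]

RUN_VALUE = re.compile(r"\\CurrentVersion\\Run\\([^\\]*)$", re.I)   # group 1 = value name
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.I)
STARTUP_HEX = re.compile(r"\\Startup\\[0-9a-f]{32}\.exe$", re.I)
NETSH_ALLOW = re.compile(r'\bfirewall\s+add\s+allowedprogram\s+"([^"]+)"', re.I)
GEO_NATION = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)


def build_tree(events):
    """Map pid -> process-create event."""
    return {e["pid"]: e for e in events if e["type"] == "process"}


def lineage(pid, procs):
    """Image paths from pid up to the oldest ancestor present in telemetry."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(procs[pid]["image"])
        pid = procs[pid]["ppid"]
    return chain


def hunt(events):
    """Return one finding per event that matches a rule, with its process lineage."""
    procs = build_tree(events)
    findings = []

    def hit(rule, e, why):
        findings.append({"rule": rule, "pid": e["pid"], "why": why,
                         "chain": lineage(e["pid"], procs)})

    for e in events:
        t = e["type"]
        if t == "registry" and e.get("op") == "set":
            m = RUN_VALUE.search(e["target"])
            if m:
                name, data = m.group(1), e["details"]
                reasons = []
                if USER_WRITABLE.search(data):
                    reasons.append("Run target under AppData")
                if name == "":
                    reasons.append("empty (default) value name")
                if data.rstrip().endswith(" .."):
                    reasons.append('trailing " .." argument')
                if reasons:
                    hit("run_key_persistence", e, "; ".join(reasons))
        elif t == "registry" and e.get("op") == "query" and GEO_NATION.search(e["target"]):
            image = procs.get(e["pid"], {}).get("image", "")
            if USER_WRITABLE.search(image):
                hit("geo_nation_lookup", e, "GEOID read by a binary running from AppData")
        elif t == "file" and STARTUP_HEX.search(e["target"]):
            hit("startup_folder_hexname", e, "32-hex-char .exe dropped into the Startup folder")
        elif t == "process" and e["image"].lower().endswith("\\netsh.exe"):
            m = NETSH_ALLOW.search(e["cmd"])
            if m and USER_WRITABLE.search(m.group(1)):
                hit("firewall_allow_appdata", e, "firewall exception for " + m.group(1))
    return findings


if __name__ == "__main__":
    for x in hunt(EVENTS):
        print(f"{x['rule']:24} pid={x['pid']:<5} {x['why']}")
        print("    chain: " + " <- ".join(p.rsplit("\\", 1)[-1] for p in x["chain"]))
```

Run against the constructed stream this yields eight findings, all attributable to the sample's chain (netsh.exe <- Windows.exe <- 1.exe <- sample), while the Program Files control entry stays silent. The AppData predicate is deliberately narrow; per-user installers that legitimately live under AppData\Local will trip the Run-key rule, so in production pair it with the empty-name and " .." conditions or with signer checks rather than alerting on the path alone.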
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\1.exe
  Filesize: 40KB
  MD5: 92a5e48d2bd8f1564564ae8173871501
  SHA1: 945faac7ca511007d9932a551782fc479dc15e0b
  SHA256: 8287b79e2dca526538a6671aa0ce91b359afe92d78afc225ebb4436c9eb3fde1
  SHA512: bdd5a75db9308b8684fee3ef1444cb6f1c48abcb8d368c5c57c2b9380abada9bede573e05b6ea7aeb9cac5a02b420dee052b87eac7293152024e53b965231895
- C:\Users\Admin\AppData\Local\Temp\Mohamed Imad.exe
  Filesize: 321KB
  MD5: eb078d6d5bc16b89e4468019c55543f8
  SHA1: 0f0ef59a9e026075cc3c0ee2520e2a2ab3fd25a9
  SHA256: 47a52ad0963db103f1cf2b8967bc13c85646cd199569ecc9019a714e26d90af8
  SHA512: 56107bd229b585d56fff839598ebc503ed3cef9ca705b6e931a7331b363dd8a66d57f81bf1bb66e5ac496d4213f38ae7d2239ef2686161d07a97a18d7d25fd06
- C:\Users\Admin\AppData\Local\Temp\Windows.exe
  Filesize: 40KB
  MD5: 92a5e48d2bd8f1564564ae8173871501
  SHA1: 945faac7ca511007d9932a551782fc479dc15e0b
  SHA256: 8287b79e2dca526538a6671aa0ce91b359afe92d78afc225ebb4436c9eb3fde1
  SHA512: bdd5a75db9308b8684fee3ef1444cb6f1c48abcb8d368c5c57c2b9380abada9bede573e05b6ea7aeb9cac5a02b420dee052b87eac7293152024e53b965231895
Windows.exe has exactly the same hashes as 1.exe: the 40KB payload copies itself to %TEMP%\Windows.exe before setting up persistence, so a single hash set covers both files. The 321KB Mohamed Imad.exe is a separate dropped binary that shows no further activity in this run.
-
memory/960-144-0x0000000000000000-mapping.dmp
-
memory/2880-143-0x00007FFBBB4D0000-0x00007FFBBBF06000-memory.dmpFilesize
10.2MB
-
memory/2880-140-0x0000000000000000-mapping.dmp
-
memory/4388-132-0x0000000000000000-mapping.dmp
-
memory/4388-138-0x00007FFBBB4D0000-0x00007FFBBBF06000-memory.dmpFilesize
10.2MB
-
memory/4924-135-0x0000000000000000-mapping.dmp
-
memory/4924-139-0x00007FFBBB4D0000-0x00007FFBBBF06000-memory.dmpFilesize
10.2MB