Analysis
-
max time kernel
144s -
max time network
162s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
26-11-2022 08:59
General
-
Target
686467f75a5c0a056aba4614aa42e404fe9535d3de98806ad8c059c582f55716.exe
-
Size
410KB
-
MD5
a6c776f57b289b97ddf353c32776a4ae
-
SHA1
6da71ee426632b691e785b22ce9762db728f68ad
-
SHA256
686467f75a5c0a056aba4614aa42e404fe9535d3de98806ad8c059c582f55716
-
SHA512
6afaf962e2a01c827e711bda9cc9c68e02c0c81a9da6208b4e35b482e210719994fbe3d804ef453bf824338b7b9bb3131b7e8606cfd86fd89bf597a004a61802
-
SSDEEP
12288:eIGmqFaVrXRP5Qo1CaeFWO+N+P52WZUHcyEaK54W7i4ZP/XjI:eStVFPutfo5X
Malware Config
Signatures
-
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
-
Executes dropped EXE 3 IoCs
-
Sets file to hidden 1 TTPs 5 IoCs
Modifies file attributes to stop it showing in Explorer etc.
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Drops desktop.ini file(s) 4 IoCs
-
Enumerates connected drives 3 TTPs 16 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies Internet Explorer settings 1 TTPs 4 IoCs
-
Modifies registry class 42 IoCs
-
Runs net.exe
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Views/modifies file attributes 1 TTPs 5 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\686467f75a5c0a056aba4614aa42e404fe9535d3de98806ad8c059c582f55716.exe"C:\Users\Admin\AppData\Local\Temp\686467f75a5c0a056aba4614aa42e404fe9535d3de98806ad8c059c582f55716.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- Drops desktop.ini file(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe" C:\Users\Admin\AppData\Local\Temp\686467f75a5c0a056aba4614aa42e404fe9535d3de98806ad8c059c582f55716.exe\..2⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c cacls n:\sefera\Jnt\null\..\.. /g everyone:f /e /t2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cacls.execacls n:\sefera\Jnt\null\..\.. /g everyone:f /e /t3⤵
- Enumerates connected drives
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c cacls n:\sefera\Jnt\null\..\.. /r administrators /e /t2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cacls.execacls n:\sefera\Jnt\null\..\.. /r administrators /e /t3⤵
- Enumerates connected drives
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c cacls n:\sefera\Jnt\null\..\.. /r Admin /e /t2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cacls.execacls n:\sefera\Jnt\null\..\.. /r Admin /e /t3⤵
- Enumerates connected drives
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c cacls n:\sefera\Jnt\null\..\.. /g everyone:f /e /t2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cacls.execacls n:\sefera\Jnt\null\..\.. /g everyone:f /e /t3⤵
- Enumerates connected drives
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c cacls n:\System_VoIume_lnformation\Jnt\null\..\.. /g everyone:f /e /t2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cacls.execacls n:\System_VoIume_lnformation\Jnt\null\..\.. /g everyone:f /e /t3⤵
- Enumerates connected drives
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c cacls n:\System_VoIume_lnformation\Jnt\null\..\.. /r administrators /e /t2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cacls.execacls n:\System_VoIume_lnformation\Jnt\null\..\.. /r administrators /e /t3⤵
- Enumerates connected drives
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c cacls n:\System_VoIume_lnformation\Jnt\null\..\.. /r Admin /e /t2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cacls.execacls n:\System_VoIume_lnformation\Jnt\null\..\.. /r Admin /e /t3⤵
- Enumerates connected drives
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c cacls n:\System_VoIume_lnformation\Jnt\null\..\.. /g everyone:f /e /t2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cacls.execacls n:\System_VoIume_lnformation\Jnt\null\..\.. /g everyone:f /e /t3⤵
- Enumerates connected drives
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c attrib C:\sefera\Jnt\syhipip\..\.. +r +s +h2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\attrib.exeattrib C:\sefera\Jnt\syhipip\..\.. +r +s +h3⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c attrib C:\sefera\Jnt\syhipip\..\..\desktop.ini +s +h2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\attrib.exeattrib C:\sefera\Jnt\syhipip\..\..\desktop.ini +s +h3⤵
- Sets file to hidden
- Drops desktop.ini file(s)
- Views/modifies file attributes
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c attrib C:\sefera\Jnt\syhipip +r +s +h2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\attrib.exeattrib C:\sefera\Jnt\syhipip +r +s +h3⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c attrib C:\sefera\Jnt\syhipip\desktop.ini +s +h2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\attrib.exeattrib C:\sefera\Jnt\syhipip\desktop.ini +s +h3⤵
- Sets file to hidden
- Drops desktop.ini file(s)
- Views/modifies file attributes
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c attrib C:\System_VoIume_lnformation\Jnt\rueat\..\.. +r +s +h2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\attrib.exeattrib C:\System_VoIume_lnformation\Jnt\rueat\..\.. +r +s +h3⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c cacls C:\sefera\Jnt\syhipip\..\.. /d administrators /e2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cacls.execacls C:\sefera\Jnt\syhipip\..\.. /d administrators /e3⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c cacls C:\sefera\Jnt\syhipip\..\.. /d everyone /e2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cacls.execacls C:\sefera\Jnt\syhipip\..\.. /d everyone /e3⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c cacls C:\sefera\Jnt\syhipip\..\.. /d Admin /e2⤵
-
C:\Windows\system32\cacls.execacls C:\sefera\Jnt\syhipip\..\.. /d Admin /e3⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c cacls C:\System_VoIume_lnformation\Jnt\rueat\..\.. /d administrators /e2⤵
-
C:\Windows\system32\cacls.execacls C:\System_VoIume_lnformation\Jnt\rueat\..\.. /d administrators /e3⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c cacls C:\System_VoIume_lnformation\Jnt\rueat\..\.. /d everyone /e2⤵
-
C:\Windows\system32\cacls.execacls C:\System_VoIume_lnformation\Jnt\rueat\..\.. /d everyone /e3⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c cacls C:\System_VoIume_lnformation\Jnt\rueat\..\.. /d Admin /e2⤵
-
C:\Windows\system32\cacls.execacls C:\System_VoIume_lnformation\Jnt\rueat\..\.. /d Admin /e3⤵
-
C:\sefera\Jnt\syhipip\svcnosts.exe"C:\sefera\Jnt\syhipip\svcnosts.exe" fdrg2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\sefera\Jnt\syhipip\svcnost.exe"C:\sefera\Jnt\syhipip\svcnost.exe" nm3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c net localgroup administrators4⤵
-
C:\Windows\system32\net.exenet localgroup administrators5⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 localgroup administrators6⤵
-
C:\Users\Admin\scf\scf.exe"C:\Users\Admin\scf\scf.exe" znmda4⤵
- Executes dropped EXE
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Files .exeFilesize
410KB
MD5a6c776f57b289b97ddf353c32776a4ae
SHA16da71ee426632b691e785b22ce9762db728f68ad
SHA256686467f75a5c0a056aba4614aa42e404fe9535d3de98806ad8c059c582f55716
SHA5126afaf962e2a01c827e711bda9cc9c68e02c0c81a9da6208b4e35b482e210719994fbe3d804ef453bf824338b7b9bb3131b7e8606cfd86fd89bf597a004a61802
-
C:\Show Hidden Files.batFilesize
458KB
MD5eb0e0c123d2ea9af6487b8d695eb402f
SHA16730f38a2cc3af5580532de53ea1d08e89e88e48
SHA256a5c4046be14907415076e391baffcfbaff7464c234359cee3ca0a0c0b1c8f25a
SHA512c60df41d30a40d7b71d997e4a1e85f49b9a5b31164947d26f35e83058edb07035d9582c259f905ec3749209656d616ac25ec438e91b7ccb4cb4695f58e7f5370
-
C:\Users\Admin\scf\scf.exeFilesize
410KB
MD5a6c776f57b289b97ddf353c32776a4ae
SHA16da71ee426632b691e785b22ce9762db728f68ad
SHA256686467f75a5c0a056aba4614aa42e404fe9535d3de98806ad8c059c582f55716
SHA5126afaf962e2a01c827e711bda9cc9c68e02c0c81a9da6208b4e35b482e210719994fbe3d804ef453bf824338b7b9bb3131b7e8606cfd86fd89bf597a004a61802
-
C:\Users\Admin\scf\scf.exeFilesize
410KB
MD5a6c776f57b289b97ddf353c32776a4ae
SHA16da71ee426632b691e785b22ce9762db728f68ad
SHA256686467f75a5c0a056aba4614aa42e404fe9535d3de98806ad8c059c582f55716
SHA5126afaf962e2a01c827e711bda9cc9c68e02c0c81a9da6208b4e35b482e210719994fbe3d804ef453bf824338b7b9bb3131b7e8606cfd86fd89bf597a004a61802
-
C:\sefera\Jnt\syhipip\desktop.iniFilesize
127B
MD5adc4b5d4444d26293dc782b6238ca6f0
SHA1056aca176cdc486f810aaf4f711d662c452e9760
SHA256abe8a5933ff450a89b8e9a736f08874b43b7355d17ffe6540c4a6ead0f0995d3
SHA512a539127e8257905a9c0d8559b7d1f985413ed59235479fd08d42995c5faa1644a4b75e296c12ea002962e2c782c57cad098f45b0f7f1e9ce0f456627c50d3616
-
C:\sefera\Jnt\syhipip\gotera.bmpFilesize
410KB
MD5f1a2d63899b87cef381f57bb4d195f7c
SHA191c1849a76df0dce80e14ef40458e6c9d677ee77
SHA256c0f305f40a1cccce836a9dc9f44368abc4173d4a697709d3ec8c71afdc30fcea
SHA51236a6374c903c436b8c423a0c654c27624ee38739b84e9851a42d62db46f48c4bccd8112a92e0194e36ba96c7548bc4bcb479aea6f0133a963e4221be90b51b84
-
C:\sefera\Jnt\syhipip\svcnost.exeFilesize
296KB
MD5e1c8e6fa5477fc3c6459b70ec2c362e0
SHA1585a71ee1d2f2354628ddd3367f3f3779c0f47fb
SHA25633aedb26dbcac8c27ad724a2583c93cdd5e2f1c8535444ab0dbaf0eccaabd360
SHA512a79fc7ff370db99098a1b424e225e1b09497fc451d0196da800a123665e98bbb612d76c728e33cedc69cb4c305c2b9b82556fee874441ff2cff3324ec883d551
-
C:\sefera\Jnt\syhipip\svcnost.exeFilesize
296KB
MD5e1c8e6fa5477fc3c6459b70ec2c362e0
SHA1585a71ee1d2f2354628ddd3367f3f3779c0f47fb
SHA25633aedb26dbcac8c27ad724a2583c93cdd5e2f1c8535444ab0dbaf0eccaabd360
SHA512a79fc7ff370db99098a1b424e225e1b09497fc451d0196da800a123665e98bbb612d76c728e33cedc69cb4c305c2b9b82556fee874441ff2cff3324ec883d551
-
C:\sefera\Jnt\syhipip\svcnosts.exeFilesize
296KB
MD5e1c8e6fa5477fc3c6459b70ec2c362e0
SHA1585a71ee1d2f2354628ddd3367f3f3779c0f47fb
SHA25633aedb26dbcac8c27ad724a2583c93cdd5e2f1c8535444ab0dbaf0eccaabd360
SHA512a79fc7ff370db99098a1b424e225e1b09497fc451d0196da800a123665e98bbb612d76c728e33cedc69cb4c305c2b9b82556fee874441ff2cff3324ec883d551
-
C:\sefera\Jnt\syhipip\svcnosts.exeFilesize
296KB
MD5e1c8e6fa5477fc3c6459b70ec2c362e0
SHA1585a71ee1d2f2354628ddd3367f3f3779c0f47fb
SHA25633aedb26dbcac8c27ad724a2583c93cdd5e2f1c8535444ab0dbaf0eccaabd360
SHA512a79fc7ff370db99098a1b424e225e1b09497fc451d0196da800a123665e98bbb612d76c728e33cedc69cb4c305c2b9b82556fee874441ff2cff3324ec883d551
-
C:\sefera\desktop.iniFilesize
127B
MD5adc4b5d4444d26293dc782b6238ca6f0
SHA1056aca176cdc486f810aaf4f711d662c452e9760
SHA256abe8a5933ff450a89b8e9a736f08874b43b7355d17ffe6540c4a6ead0f0995d3
SHA512a539127e8257905a9c0d8559b7d1f985413ed59235479fd08d42995c5faa1644a4b75e296c12ea002962e2c782c57cad098f45b0f7f1e9ce0f456627c50d3616
-
memory/688-174-0x0000000000000000-mapping.dmp
-
memory/744-145-0x0000000000000000-mapping.dmp
-
memory/1232-171-0x0000000000000000-mapping.dmp
-
memory/1480-152-0x0000000000000000-mapping.dmp
-
memory/1744-168-0x0000000000000000-mapping.dmp
-
memory/1768-146-0x0000000000000000-mapping.dmp
-
memory/1776-157-0x0000000000000000-mapping.dmp
-
memory/1888-149-0x0000000000000000-mapping.dmp
-
memory/1960-140-0x0000000000000000-mapping.dmp
-
memory/1968-136-0x0000000000000000-mapping.dmp
-
memory/2000-156-0x0000000000000000-mapping.dmp
-
memory/2212-169-0x0000000000000000-mapping.dmp
-
memory/2256-141-0x0000000000000000-mapping.dmp
-
memory/2596-180-0x0000000000000000-mapping.dmp
-
memory/2596-184-0x00007FFBFE880000-0x00007FFBFF341000-memory.dmpFilesize
10.8MB
-
memory/2596-191-0x00007FFBFE880000-0x00007FFBFF341000-memory.dmpFilesize
10.8MB
-
memory/3108-167-0x0000000000000000-mapping.dmp
-
memory/3308-163-0x0000000000000000-mapping.dmp
-
memory/3324-161-0x0000000000000000-mapping.dmp
-
memory/3364-166-0x0000000000000000-mapping.dmp
-
memory/3400-153-0x0000000000000000-mapping.dmp
-
memory/3592-143-0x0000000000000000-mapping.dmp
-
memory/3688-135-0x0000000000000000-mapping.dmp
-
memory/3700-148-0x0000000000000000-mapping.dmp
-
memory/3832-142-0x0000000000000000-mapping.dmp
-
memory/3916-154-0x0000000000000000-mapping.dmp
-
memory/4252-165-0x0000000000000000-mapping.dmp
-
memory/4284-151-0x0000000000000000-mapping.dmp
-
memory/4312-173-0x0000000000000000-mapping.dmp
-
memory/4352-144-0x0000000000000000-mapping.dmp
-
memory/4560-172-0x0000000000000000-mapping.dmp
-
memory/4584-197-0x00007FFBFE880000-0x00007FFBFF341000-memory.dmpFilesize
10.8MB
-
memory/4584-196-0x00007FFBFE880000-0x00007FFBFF341000-memory.dmpFilesize
10.8MB
-
memory/4584-193-0x0000000000000000-mapping.dmp
-
memory/4588-162-0x0000000000000000-mapping.dmp
-
memory/4628-159-0x0000000000000000-mapping.dmp
-
memory/4720-158-0x0000000000000000-mapping.dmp
-
memory/4744-183-0x00007FFBFE880000-0x00007FFBFF341000-memory.dmpFilesize
10.8MB
-
memory/4744-190-0x00007FFBFE880000-0x00007FFBFF341000-memory.dmpFilesize
10.8MB
-
memory/4744-178-0x0000016893B10000-0x0000016893B64000-memory.dmpFilesize
336KB
-
memory/4744-175-0x0000000000000000-mapping.dmp
-
memory/4764-187-0x0000000000000000-mapping.dmp
-
memory/4788-139-0x0000000000000000-mapping.dmp
-
memory/4820-138-0x0000000000000000-mapping.dmp
-
memory/4860-189-0x0000000000000000-mapping.dmp
-
memory/4900-188-0x0000000000000000-mapping.dmp
-
memory/4912-182-0x00007FFBFE880000-0x00007FFBFF341000-memory.dmpFilesize
10.8MB
-
memory/4912-132-0x000001AD00580000-0x000001AD005EE000-memory.dmpFilesize
440KB
-
memory/4912-133-0x00007FFBFE880000-0x00007FFBFF341000-memory.dmpFilesize
10.8MB
-
memory/4924-137-0x0000000000000000-mapping.dmp
-
memory/4940-170-0x0000000000000000-mapping.dmp
-
memory/4948-134-0x0000000000000000-mapping.dmp
-
memory/4952-150-0x0000000000000000-mapping.dmp
-
memory/5012-164-0x0000000000000000-mapping.dmp
-
memory/5116-147-0x0000000000000000-mapping.dmp
