a302b6b56e25498c671ea5b7de9375b694706e868cc14706de68152b89438153

Analysis

max time kernel
143s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
27-11-2022 23:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a302b6b56e25498c671ea5b7de9375b694706e868cc14706de68152b89438153.exe
Size

2.6MB
MD5

adf55b9fd2c3d3031d533107fab810f4
SHA1

3e6e1c3cf2710a10b0de2df5225c504d71f8315b
SHA256

a302b6b56e25498c671ea5b7de9375b694706e868cc14706de68152b89438153
SHA512

eebc99301a6774e60ca4ace08c054aa836a4182791e2a648f4fc2d12b4ffbb676e9839577b7cd532f698d90abf86548f6fa532a76a283b0d25d30a8eddd46ab0
SSDEEP

49152:zoAIGWPrl3GRe6fpZhITfGde04Lth32iV6L3yA2jNLiHCfAiWsH:kJGWPrl3GReWp/Iide0Iv323eA2EUCsH

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1980	SLNYW.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	SLNYW.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4052	1980	WerFault.exe	91

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1604	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1664	timeout.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4712	a302b6b56e25498c671ea5b7de9375b694706e868cc14706de68152b89438153.exe
4712	a302b6b56e25498c671ea5b7de9375b694706e868cc14706de68152b89438153.exe
2352	powershell.exe
4828	powershell.exe
4828	powershell.exe
2352	powershell.exe
1980	SLNYW.exe
1980	SLNYW.exe
3808	powershell.exe
636	powershell.exe
3808	powershell.exe
636	powershell.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	4712	a302b6b56e25498c671ea5b7de9375b694706e868cc14706de68152b89438153.exe
Token: SeDebugPrivilege	2352	powershell.exe
Token: SeDebugPrivilege	4828	powershell.exe
Token: SeDebugPrivilege	1980	SLNYW.exe
Token: SeDebugPrivilege	3808	powershell.exe
Token: SeDebugPrivilege	636	powershell.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4712 wrote to memory of 2352	4712	a302b6b56e25498c671ea5b7de9375b694706e868cc14706de68152b89438153.exe	84
PID 4712 wrote to memory of 2352	4712	a302b6b56e25498c671ea5b7de9375b694706e868cc14706de68152b89438153.exe	84
PID 4712 wrote to memory of 4828	4712	a302b6b56e25498c671ea5b7de9375b694706e868cc14706de68152b89438153.exe	89
PID 4712 wrote to memory of 4828	4712	a302b6b56e25498c671ea5b7de9375b694706e868cc14706de68152b89438153.exe	89
PID 4712 wrote to memory of 5100	4712	a302b6b56e25498c671ea5b7de9375b694706e868cc14706de68152b89438153.exe	88
PID 4712 wrote to memory of 5100	4712	a302b6b56e25498c671ea5b7de9375b694706e868cc14706de68152b89438153.exe	88
PID 5100 wrote to memory of 1664	5100	cmd.exe	90
PID 5100 wrote to memory of 1664	5100	cmd.exe	90
PID 5100 wrote to memory of 1980	5100	cmd.exe	91
PID 5100 wrote to memory of 1980	5100	cmd.exe	91
PID 1980 wrote to memory of 636	1980	SLNYW.exe	92
PID 1980 wrote to memory of 636	1980	SLNYW.exe	92
PID 1980 wrote to memory of 3808	1980	SLNYW.exe	95
PID 1980 wrote to memory of 3808	1980	SLNYW.exe	95
PID 1980 wrote to memory of 4388	1980	SLNYW.exe	96
PID 1980 wrote to memory of 4388	1980	SLNYW.exe	96
PID 4388 wrote to memory of 1604	4388	cmd.exe	98
PID 4388 wrote to memory of 1604	4388	cmd.exe	98

C:\Users\Admin\AppData\Local\Temp\a302b6b56e25498c671ea5b7de9375b694706e868cc14706de68152b89438153.exe
"C:\Users\Admin\AppData\Local\Temp\a302b6b56e25498c671ea5b7de9375b694706e868cc14706de68152b89438153.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4712
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2352
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp744A.tmp.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5100
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:1664
- - C:\ProgramData\template\SLNYW.exe
    "C:\ProgramData\template\SLNYW.exe"
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1980
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:636
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3808
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "SLNYW" /tr "C:\ProgramData\template\SLNYW.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4388
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "SLNYW" /tr "C:\ProgramData\template\SLNYW.exe"
        5⤵
        Creates scheduled task(s)
        
        PID:1604
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 1980 -s 2108
      4⤵
      Program crash
      PID:4052
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4828

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 436 -p 1980 -ip 1980
1⤵
PID:1568

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\template\SLNYW.exe

Filesize
2.6MB

MD5
adf55b9fd2c3d3031d533107fab810f4

SHA1
3e6e1c3cf2710a10b0de2df5225c504d71f8315b

SHA256
a302b6b56e25498c671ea5b7de9375b694706e868cc14706de68152b89438153

SHA512
eebc99301a6774e60ca4ace08c054aa836a4182791e2a648f4fc2d12b4ffbb676e9839577b7cd532f698d90abf86548f6fa532a76a283b0d25d30a8eddd46ab0

Download Submit
C:\ProgramData\template\SLNYW.exe

Filesize
2.6MB

MD5
adf55b9fd2c3d3031d533107fab810f4

SHA1
3e6e1c3cf2710a10b0de2df5225c504d71f8315b

SHA256
a302b6b56e25498c671ea5b7de9375b694706e868cc14706de68152b89438153

SHA512
eebc99301a6774e60ca4ace08c054aa836a4182791e2a648f4fc2d12b4ffbb676e9839577b7cd532f698d90abf86548f6fa532a76a283b0d25d30a8eddd46ab0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
60945d1a2e48da37d4ce8d9c56b6845a

SHA1
83e80a6acbeb44b68b0da00b139471f428a9d6c1

SHA256
314b91c00997034d6e015f40230d90ebbf57de5dc938b62c1a214d591793dbe3

SHA512
5d068f1d6443e26ae3cad1c80f969e50e5860967b314153c4d3b6efd1cfa39f0907c6427bec7fa43db079f258b6357e4e9a1b0b1a36b1481d2049ea0e67909ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp744A.tmp.bat

Filesize
142B

MD5
92502352502f3bd9ebaa168126b90a0f

SHA1
1a0600e0e54c64fca9bf5d6411f36f042f244ea7

SHA256
38fd9055d469497e4bfe88c246d5bc57396020e45f0125bea7105beb1d8f60ff

SHA512
73641f0562694151b5d34d8c14a6c065f384cd825d2aaf4c8068e645aeef07c44c4dfec951991aaeaa1e75c867eeb2a9b54d9ec53bd9311f87381e9b470eb206

Download Submit
memory/636-182-0x00007FFEB07E0000-0x00007FFEB12A1000-memory.dmp

Filesize
10.8MB

Download
memory/636-175-0x00007FFEB07E0000-0x00007FFEB12A1000-memory.dmp

Filesize
10.8MB

Download
memory/1980-162-0x00007FFECD7F0000-0x00007FFECD88E000-memory.dmp

Filesize
632KB

Download
memory/1980-169-0x0000000000750000-0x0000000000B4C000-memory.dmp

Filesize
4.0MB

Download
memory/1980-191-0x00007FFEB07E0000-0x00007FFEB12A1000-memory.dmp

Filesize
10.8MB

Download
memory/1980-190-0x0000000000750000-0x0000000000B4C000-memory.dmp

Filesize
4.0MB

Download
memory/1980-189-0x00007FFEABBD0000-0x00007FFEABD3A000-memory.dmp

Filesize
1.4MB

Download
memory/1980-187-0x00007FFECC0C0000-0x00007FFECC0FB000-memory.dmp

Filesize
236KB

Download
memory/1980-186-0x00007FFECEFE0000-0x00007FFECF04B000-memory.dmp

Filesize
428KB

Download
memory/1980-185-0x00007FFEACEE0000-0x00007FFEACFE2000-memory.dmp

Filesize
1.0MB

Download
memory/1980-184-0x00007FFEB1E70000-0x00007FFEB1EA5000-memory.dmp

Filesize
212KB

Download
memory/1980-183-0x00007FFECD140000-0x00007FFECD167000-memory.dmp

Filesize
156KB

Download
memory/1980-172-0x00007FFEB07E0000-0x00007FFEB12A1000-memory.dmp

Filesize
10.8MB

Download
memory/1980-170-0x00000000033E0000-0x0000000003421000-memory.dmp

Filesize
260KB

Download
memory/1980-171-0x00007FFEAEF20000-0x00007FFEAF06E000-memory.dmp

Filesize
1.3MB

Download
memory/1980-168-0x0000000000750000-0x0000000000B4C000-memory.dmp

Filesize
4.0MB

Download
memory/1980-161-0x00007FFEB12B0000-0x00007FFEB135A000-memory.dmp

Filesize
680KB

Download
memory/1980-167-0x00007FFECEF10000-0x00007FFECEF3B000-memory.dmp

Filesize
172KB

Download
memory/1980-163-0x00007FFECAC10000-0x00007FFECAC22000-memory.dmp

Filesize
72KB

Download
memory/1980-164-0x00007FFEB0670000-0x00007FFEB072D000-memory.dmp

Filesize
756KB

Download
memory/1980-165-0x00007FFECE330000-0x00007FFECE4D1000-memory.dmp

Filesize
1.6MB

Download
memory/1980-166-0x00007FFEB07E0000-0x00007FFEB12A1000-memory.dmp

Filesize
10.8MB

Download
memory/2352-188-0x00007FFEB0770000-0x00007FFEB1231000-memory.dmp

Filesize
10.8MB

Download
memory/2352-155-0x00007FFEB0770000-0x00007FFEB1231000-memory.dmp

Filesize
10.8MB

Download
memory/3808-181-0x00007FFEB07E0000-0x00007FFEB12A1000-memory.dmp

Filesize
10.8MB

Download
memory/3808-176-0x00007FFEB07E0000-0x00007FFEB12A1000-memory.dmp

Filesize
10.8MB

Download
memory/4712-136-0x00007FFEB1E60000-0x00007FFEB1F1D000-memory.dmp

Filesize
756KB

Download
memory/4712-142-0x0000000003490000-0x00000000034D1000-memory.dmp

Filesize
260KB

Download
memory/4712-137-0x00007FFECE330000-0x00007FFECE4D1000-memory.dmp

Filesize
1.6MB

Download
memory/4712-139-0x00007FFECEF10000-0x00007FFECEF3B000-memory.dmp

Filesize
172KB

Download
memory/4712-140-0x0000000000C20000-0x000000000101C000-memory.dmp

Filesize
4.0MB

Download
memory/4712-133-0x00007FFEB1240000-0x00007FFEB12EA000-memory.dmp

Filesize
680KB

Download
memory/4712-135-0x00007FFECAC10000-0x00007FFECAC22000-memory.dmp

Filesize
72KB

Download
memory/4712-148-0x0000000000C20000-0x000000000101C000-memory.dmp

Filesize
4.0MB

Download
memory/4712-134-0x00007FFECD7F0000-0x00007FFECD88E000-memory.dmp

Filesize
632KB

Download
memory/4712-138-0x00007FFEB0770000-0x00007FFEB1231000-memory.dmp

Filesize
10.8MB

Download
memory/4712-143-0x00007FFEAEFE0000-0x00007FFEAF12E000-memory.dmp

Filesize
1.3MB

Download
memory/4712-144-0x00007FFEB0770000-0x00007FFEB1231000-memory.dmp

Filesize
10.8MB

Download
memory/4712-149-0x00007FFEB0770000-0x00007FFEB1231000-memory.dmp

Filesize
10.8MB

Download
memory/4712-141-0x0000000000C20000-0x000000000101C000-memory.dmp

Filesize
4.0MB

Download
memory/4828-150-0x0000017E34340000-0x0000017E34362000-memory.dmp

Filesize
136KB

Download
memory/4828-156-0x00007FFEB0770000-0x00007FFEB1231000-memory.dmp

Filesize
10.8MB

Download