Analysis

max time kernel: 175s
max time network: 192s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27-11-2022 16:09

Static task: static1

Behavioral task: behavioral1
  Sample: 493e3110e181ce76a00f5d56cac9cc4e6b0033f87e336e9d51d573a1e35e0202.exe
  Resource: win7-20221111-en

Behavioral task: behavioral2
  Sample: 493e3110e181ce76a00f5d56cac9cc4e6b0033f87e336e9d51d573a1e35e0202.exe
  Resource: win10v2004-20221111-en

The results below are from the win10v2004-20221111-en run (behavioral2); the win7 run is a separate report.
General

Target: 493e3110e181ce76a00f5d56cac9cc4e6b0033f87e336e9d51d573a1e35e0202.exe
Size: 72KB
MD5: 618597a8ea22d3c9b532c095556c6f59
SHA1: 0aea6eafe3205fa86808872d98095a87493a1371
SHA256: 493e3110e181ce76a00f5d56cac9cc4e6b0033f87e336e9d51d573a1e35e0202
SHA512: 1ead288208c60a6ed2332cfec1b3ad616509e4efdb4e6e9966161c7f653e163fc287e4b23c50c3efc55f20effbb3238c9b797244e7f0a283f314f4290b10dda3
SSDEEP: 1536:vprQDLIxIlNqR5AQqP5q3jAIs1oV8ERW7XS9qf+6N20:hrtxIlNq3Anhq3xs1oCERWTV+6Nd
Malware Config
Signatures

Executes dropped EXE (2 IoCs)
  pid   Process
  824   winlogon.exe
  3456  winlogon.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence check.
  description        ioc                                                                                                   Process
  Key value queried  \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation   493e3110e181ce76a00f5d56cac9cc4e6b0033f87e336e9d51d573a1e35e0202.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  description      ioc                                                                                                                                                                                       Process
  Set value (str)  \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Winlogon = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\winlogon.exe"   winlogon.exe

Suspicious use of SetThreadContext (2 IoCs)
  description                          pid   Process                                                                   procid_target
  PID 5076 set thread context of 4336  5076  493e3110e181ce76a00f5d56cac9cc4e6b0033f87e336e9d51d573a1e35e0202.exe  83
  PID 824 set thread context of 3456   824   winlogon.exe                                                              89
  (procid_target is the sandbox's own process index, not the Windows PID of the target.)

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s); the sandbox flags this as likely ransomware behaviour. No IoC is listed for this signature.

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  5076  493e3110e181ce76a00f5d56cac9cc4e6b0033f87e336e9d51d573a1e35e0202.exe
  Token: SeDebugPrivilege  824   winlogon.exe

Suspicious use of WriteProcessMemory (25 IoCs)
The original table repeats three distinct rows (11, 3 and 11 times respectively, 25 in total); they are collapsed here with a count.
  description                       pid   Process                                                                   procid_target  count
  PID 5076 wrote to memory of 4336  5076  493e3110e181ce76a00f5d56cac9cc4e6b0033f87e336e9d51d573a1e35e0202.exe  83             11
  PID 4336 wrote to memory of 824   4336  493e3110e181ce76a00f5d56cac9cc4e6b0033f87e336e9d51d573a1e35e0202.exe  86             3
  PID 824 wrote to memory of 3456   824   winlogon.exe                                                              89             11
Processes

The chain is: the submitted sample (PID 5076) launches a second instance of itself (PID 4336), which is the target of its SetThreadContext and WriteProcessMemory calls; that instance drops and runs C:\Users\Admin\AppData\Roaming\Microsoft\winlogon.exe (PID 824), which repeats the same pattern with a second winlogon.exe (PID 3456); the last process is the one that writes the Run key.

1. C:\Users\Admin\AppData\Local\Temp\493e3110e181ce76a00f5d56cac9cc4e6b0033f87e336e9d51d573a1e35e0202.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\493e3110e181ce76a00f5d56cac9cc4e6b0033f87e336e9d51d573a1e35e0202.exe"
   PID: 5076
   - Suspicious use of SetThreadContext
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\493e3110e181ce76a00f5d56cac9cc4e6b0033f87e336e9d51d573a1e35e0202.exe (child of PID 5076)
      Command line: "C:\Users\Admin\AppData\Local\Temp\493e3110e181ce76a00f5d56cac9cc4e6b0033f87e336e9d51d573a1e35e0202.exe"
      PID: 4336
      - Checks computer location settings
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Roaming\Microsoft\winlogon.exe (child of PID 4336)
         Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\winlogon.exe"
         PID: 824
         - Executes dropped EXE
         - Suspicious use of SetThreadContext
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of WriteProcessMemory

         4. C:\Users\Admin\AppData\Roaming\Microsoft\winlogon.exe (child of PID 824)
            Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\winlogon.exe"
            PID: 3456
            - Executes dropped EXE
            - Adds Run key to start application
Network
MITRE ATT&CK Enterprise v6
Downloads

Three file entries are listed in this section; all three carry the same size and hashes as the submitted sample, consistent with the dropped winlogon.exe being a byte-for-byte copy of the original. They are shown once here.

Filesize: 72KB
MD5: 618597a8ea22d3c9b532c095556c6f59
SHA1: 0aea6eafe3205fa86808872d98095a87493a1371
SHA256: 493e3110e181ce76a00f5d56cac9cc4e6b0033f87e336e9d51d573a1e35e0202
SHA512: 1ead288208c60a6ed2332cfec1b3ad616509e4efdb4e6e9966161c7f653e163fc287e4b23c50c3efc55f20effbb3238c9b797244e7f0a283f314f4290b10dda3