Analysis
- Max time kernel: 123s
- Max time network: 196s
- Platform: windows10-2004_x64
- Resource: win10v2004-20221111-en
- Resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- Submitted: 28-11-2022 13:30
Behavioral task: behavioral1
- Sample: 6398d91815d64fb372c0125f7b53ac74788ae7c80ac704e1b6ab2e327042eac3.exe
- Resource: win7-20221111-en
Behavioral task: behavioral2
- Sample: 6398d91815d64fb372c0125f7b53ac74788ae7c80ac704e1b6ab2e327042eac3.exe
- Resource: win10v2004-20221111-en
General
- Target: 6398d91815d64fb372c0125f7b53ac74788ae7c80ac704e1b6ab2e327042eac3.exe
- Size: 525KB
- MD5: 1eb2572c36afe1832732413fcec49bbe
- SHA1: cd9b8f19cc582920b6163bb2a58ed13a37e73b56
- SHA256: 6398d91815d64fb372c0125f7b53ac74788ae7c80ac704e1b6ab2e327042eac3
- SHA512: 72e4aa9a33982677662126f466093e190d4c6fd93793f406427669f245a532a8ae756ddc0a9f9931481a820dd206439fb3d6da8193d483eb5412b6c96de66de5
- SSDEEP: 6144:C9J623cdUmR7W6XKDla2nf9PzuDorEDGgrpO2gd2k4xsMiGAv5NIseImC:CJZMPQlakoBrEmBxed5NIse
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
    pid 5044  ere.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry (Control Panel\International\Geo\Nation), a common geofencing check used to decide whether to run on this host.
  Processes:
    Key value queried  \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation  (6398d91815d64fb372c0125f7b53ac74788ae7c80ac704e1b6ab2e327042eac3.exe)
- Drops file in Windows directory (1 IoC)
  Amcache.hve is the Windows application-compatibility hive; the .tmp file here is hive housekeeping attributed to dw20.exe, not a payload written by the sample.
  Processes:
    File created  C:\Windows\AppCompat\Programs\Amcache.hve.tmp  (dw20.exe)
- Enumerates physical storage devices (1 TTP, no IoCs listed)
  Attempts to interact with connected storage/optical drive(s). The report's signature text rates this as likely ransomware behaviour, but no process or call is recorded under it in this run, so it carries no weight on its own.
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments. In this run all three reads come from dw20.exe (PID 3972), the .NET Framework error-reporting tool that is launched when a .NET application hits an unhandled exception, not from the sample or from ere.exe; the values it collects are the ones it puts into a crash report.
  Processes:
    Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0  (dw20.exe)
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  (dw20.exe)
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  (dw20.exe)
- Enumerates system info in registry (2 TTPs, 2 IoCs)
  Processes:
    Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS  (dw20.exe)
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU  (dw20.exe)
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Processes (all dw20.exe, PID 3972):
    Token: SeRestorePrivilege
    Token: SeBackupPrivilege
    Token: SeBackupPrivilege
    Token: SeBackupPrivilege
    Token: SeBackupPrivilege
- Suspicious use of WriteProcessMemory (6 IoCs)
  Each group of three writes goes from a parent into the child it has just started. Ordinary process creation also produces such writes (the parent populates the new process's startup parameters), so this signature fires for every spawn; the rows below follow the process tree exactly and on their own do not indicate code injection.
  Processes:
    PID 4612 wrote to memory of 5044  6398d91815d64fb372c0125f7b53ac74788ae7c80ac704e1b6ab2e327042eac3.exe -> ere.exe
    PID 4612 wrote to memory of 5044  6398d91815d64fb372c0125f7b53ac74788ae7c80ac704e1b6ab2e327042eac3.exe -> ere.exe
    PID 4612 wrote to memory of 5044  6398d91815d64fb372c0125f7b53ac74788ae7c80ac704e1b6ab2e327042eac3.exe -> ere.exe
    PID 5044 wrote to memory of 3972  ere.exe -> dw20.exe
    PID 5044 wrote to memory of 3972  ere.exe -> dw20.exe
    PID 5044 wrote to memory of 3972  ere.exe -> dw20.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\6398d91815d64fb372c0125f7b53ac74788ae7c80ac704e1b6ab2e327042eac3.exe  (PID 4612, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\6398d91815d64fb372c0125f7b53ac74788ae7c80ac704e1b6ab2e327042eac3.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\ere.exe  (PID 5044, depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\ere.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe  (PID 3972, depth 3)
      Command line: dw20.exe -x -s 820
      - Drops file in Windows directory
      - Checks processor information in registry
      - Enumerates system info in registry
      - Suspicious use of AdjustPrivilegeToken
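The WriteProcessMemory rows and the process tree are two views of the same three-process chain, and an analyst's real question is whether any write went somewhere other than a freshly spawned child. The following is an added example for this page, not the sandbox vendor's code, that rebuilds the tree from (pid, ppid) records and sorts the writes into creation-related ones (target is a direct child of the writer) and injection candidates (anything else). PIDs and image names are taken from the report; the parent PID of the initial sample is not recorded there and is set to 0 as a placeholder, and explorer.exe (PID 1234) together with the final write into it are constructed so that one flagged case is shown.

```python
"""Separate cross-process writes that accompany process creation from writes
into processes the writer did not start.

Added example for this page, not the sandbox vendor's code. A parent writes the
new process's startup parameters into the child's address space during
CreateProcess, so a sandbox hooking WriteProcessMemory logs a burst of writes
for every spawn. The heuristic here is purely structural (is the target a
child of the writer?); with timestamps one would also require the write to fall
inside the child's creation window.
"""
from collections import defaultdict, namedtuple

Proc = namedtuple("Proc", "pid ppid image")
Write = namedtuple("Write", "src dst")

SAMPLE = "6398d91815d64fb372c0125f7b53ac74788ae7c80ac704e1b6ab2e327042eac3.exe"

PROCESSES = [
    Proc(4612, 0, SAMPLE),          # ppid 0: placeholder, not recorded in the report
    Proc(5044, 4612, "ere.exe"),
    Proc(3972, 5044, "dw20.exe"),
    Proc(1234, 0, "explorer.exe"),  # constructed, not in the report
]

# Six writes as listed under "Suspicious use of WriteProcessMemory", plus one
# constructed write from ere.exe into explorer.exe.
WRITES = [Write(4612, 5044)] * 3 + [Write(5044, 3972)] * 3 + [Write(5044, 1234)]


def triage_writes(processes, writes):
    """Return (creation_writes, injection_candidates).

    A write is creation-related when the destination is a known process whose
    parent is the writer. Writes into unknown PIDs stay candidates rather than
    being dropped: a missing process record is itself worth a look."""
    by_pid = {p.pid: p for p in processes}
    creation, candidates = [], []
    for w in writes:
        dst = by_pid.get(w.dst)
        if dst is not None and dst.ppid == w.src:
            creation.append(w)
        else:
            candidates.append(w)
    return creation, candidates


def describe(write, processes):
    """Render one write in the wording the report uses."""
    by_pid = {p.pid: p for p in processes}
    src = by_pid.get(write.src, Proc(write.src, None, "<unknown>")).image
    dst = by_pid.get(write.dst, Proc(write.dst, None, "<unknown>")).image
    return "PID %d (%s) wrote to memory of PID %d (%s)" % (write.src, src, write.dst, dst)


def render_tree(processes, root_ppid=0):
    """Reproduce the report's indented process tree from (pid, ppid) records."""
    children = defaultdict(list)
    for p in processes:
        children[p.ppid].append(p)
    lines = []

    def walk(ppid, depth):
        for p in sorted(children[ppid], key=lambda x: x.pid):
            lines.append("%s%d %s" % ("  " * depth, p.pid, p.image))
            walk(p.pid, depth + 1)

    walk(root_ppid, 0)
    return lines


if __name__ == "__main__":
    creation, candidates = triage_writes(PROCESSES, WRITES)
    print("\n".join(render_tree(PROCESSES)))
    print("%d creation-related writes, %d injection candidate(s)" % (len(creation), len(candidates)))
    for w in candidates:
        print("  INVESTIGATE: " + describe(w, PROCESSES))
```

On the report's own six writes the candidate list is empty; only the constructed write into explorer.exe is flagged. Run against a real trace, the same split is what lets a "suspicious WriteProcessMemory" signature be reduced to the rows that actually need a memory dump.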
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\ere.exe
  Filesize: 485KB
  MD5: a82944e62f537c142db0466278b41d60
  SHA1: e9fc831042633e0865b8c3ee88ec0e114abe94f9
  SHA256: 7ae0c9441bcd1c1b6e313ac04d3ce923bae431670b6b98eff63f9dc5c2a13fb4
  SHA512: d74e7745500ecabfc27f1f3eb4ac1ce1e1b8f745cb1179282f818c3b8a8f2f96c054f91fa8be059df0e41853243524eb734d2a4c8cb3a427a120e8936281aeaf
- memory/3972-136-0x0000000000000000-mapping.dmp
- memory/5044-132-0x0000000000000000-mapping.dmp
- memory/5044-135-0x0000000074BE0000-0x0000000075191000-memory.dmp
  Filesize: 5.7MB
- memory/5044-137-0x0000000074BE0000-0x0000000075191000-memory.dmp
  Filesize: 5.7MB
- memory/5044-138-0x0000000074BE0000-0x0000000075191000-memory.dmp
  Filesize: 5.7MB