Analysis
- max time kernel: 140s
- max time network: 161s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29-11-2022 14:13
Static task: static1
Behavioral task: behavioral1
- Sample: bf26780603ac0b0d83011772fbc3081537e8175439625c498cb02aae6e9b482f.exe
- Resource: win7-20220901-en
General
- Target: bf26780603ac0b0d83011772fbc3081537e8175439625c498cb02aae6e9b482f.exe
- Size: 862KB
- MD5: 8dedabbc588d3040aa709afbc58e8a52
- SHA1: 061c10df4f1dbe57e69ff2e99a0ebab4150e9449
- SHA256: bf26780603ac0b0d83011772fbc3081537e8175439625c498cb02aae6e9b482f
- SHA512: 137bd1febee353872c89ddf2ffc39d9326ab3f604ca73a5b9a64de2705d50494b9ec27326cd7bee24c66bcdcff04bb431b1b72b50dc3a6357585303b3bce37f1
- SSDEEP: 24576:X260/omfb7AGpUIiyLHw+tbt1Ihjqplwqf3w1Mk:Wdp6ycYbtWol7q
Malware Config: (no entries in this report)
Signatures
- Executes dropped EXE (1 IoC)
  explorer.exe (PID 4852), the copy written to %TEMP% by the sample
- Checks BIOS information in registry (2 TTPs, 1 IoC)
  BIOS information is often read in order to detect sandboxing environments.
  iexplore.exe (PID 1492): key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence (a check that decides whether to proceed based on the victim's locale).
  bf26780603ac0b0d83011772fbc3081537e8175439625c498cb02aae6e9b482f.exe (PID 1608): key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation
- Drops startup file (1 IoC)
  A shortcut in the per-user Startup folder is executed at every logon of that user; this is the persistence mechanism observed in this run.
  bf26780603ac0b0d83011772fbc3081537e8175439625c498cb02aae6e9b482f.exe (PID 1608): file created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\(Empty).lnk
- Suspicious use of SetThreadContext (1 IoC)
  explorer.exe (PID 4852) set the thread context of iexplore.exe (PID 1492).
  Read together with the process tree (4852 spawned 1492) and the eight WriteProcessMemory calls from 4852 into 1492 listed below, this is the process-hollowing sequence: the dropped explorer.exe starts a legitimate iexplore.exe, overwrites its memory and redirects its main thread to the injected code. The registry probes and privilege changes attributed to iexplore.exe below are therefore the payload's behaviour, not Internet Explorer's.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic note is "likely ransomware behaviour"; treat it as a heuristic, since no file-encryption IoC is recorded anywhere in this report.
- Checks processor information in registry (2 TTPs, 4 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  iexplore.exe (PID 1492): key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier
  iexplore.exe (PID 1492): key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier
  iexplore.exe (PID 1492): key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
  iexplore.exe (PID 1492): key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
- Enumerates system info in registry (2 TTPs, 1 IoC)
  iexplore.exe (PID 1492): key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier
- Suspicious use of AdjustPrivilegeToken (24 IoCs)
  iexplore.exe (PID 1492) requested the following privileges be enabled in its token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, and the privileges with LUIDs 33, 34, 35 and 36 (not resolved to names by the sandbox; on Windows 10 these are SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege and SeDelegateSessionUserImpersonatePrivilege).
  This set matches the privilege list of an administrator token, so the payload most likely enumerated whatever privileges its token held and enabled all of them in one AdjustTokenPrivileges sweep. The report records the requests, not whether each enable succeeded.
- Suspicious use of SetWindowsHookEx (2 IoCs)
  explorer.exe (PID 4852), iexplore.exe (PID 1492)
- Suspicious use of WriteProcessMemory (11 IoCs)
  bf26780603ac0b0d83011772fbc3081537e8175439625c498cb02aae6e9b482f.exe (PID 1608) wrote to memory of explorer.exe (PID 4852): 3 times
  explorer.exe (PID 4852) wrote to memory of iexplore.exe (PID 1492): 8 times
Processes
1. C:\Users\Admin\AppData\Local\Temp\bf26780603ac0b0d83011772fbc3081537e8175439625c498cb02aae6e9b482f.exe (PID 1608)
   Command line: "C:\Users\Admin\AppData\Local\Temp\bf26780603ac0b0d83011772fbc3081537e8175439625c498cb02aae6e9b482f.exe"
   - Checks computer location settings
   - Drops startup file
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\explorer.exe (PID 4852), child of 1
      Command line: "C:\Users\Admin\AppData\Local\Temp\explorer.exe"
      Note the name: this is a dropped file in %TEMP% borrowing the Windows shell's file name, not C:\Windows\explorer.exe.
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      3. C:\Program Files (x86)\Internet Explorer\iexplore.exe (PID 1492), child of 2
         Command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
         A genuine Internet Explorer binary, started by the dropped explorer.exe and then hollowed (see the SetThreadContext and WriteProcessMemory signatures above).
         - Checks BIOS information in registry
         - Checks processor information in registry
         - Enumerates system info in registry
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of SetWindowsHookEx
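The process tree above is the classic dropper-to-hollowed-host chain, and every step of it leaves telemetry that can be matched mechanically. The following script is an added example, not Tria.ge code or anything belonging to the sample: it runs four rules over a constructed, Sysmon-like event stream whose PIDs, paths and registry keys are the ones this report lists. The event layout, the rule names, the `SYSTEM_BINARY_NAMES` list and the `TRUSTED_DIRS` prefixes are this example's own assumptions. The hollowing rule fires only when one process spawned another, wrote into it, and then replaced a thread context in it, which is the ordering the report shows; a lone WriteProcessMemory (a debugger, an installer) does not trigger it.

```python
"""Rule-based triage of a constructed, Sysmon-like event stream that mirrors the
process chain in this report (dropper -> %TEMP%\\explorer.exe -> hollowed
iexplore.exe). Added example, not Tria.ge code; the event layout, rule names and
trusted-path lists are this example's own assumptions."""
import ntpath
from collections import defaultdict

# System binary names that dropped files commonly borrow (assumed short list).
SYSTEM_BINARY_NAMES = {"explorer.exe", "svchost.exe", "iexplore.exe", "rundll32.exe"}
# Where those names are expected to run from (assumed lower-case path prefixes).
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Lower-case fragments of the registry paths this report shows being probed.
ANTI_SANDBOX_KEYS = (
    "\\hardware\\description\\system\\systembiosdate",
    "\\hardware\\description\\system\\centralprocessor\\0",
    "\\hardware\\description\\system\\identifier",
    "\\control panel\\international\\geo\\nation",
)
STARTUP_DIR_FRAGMENT = "\\start menu\\programs\\startup\\"


def is_masquerading(image):
    """True when a well-known system binary name runs outside its trusted directories."""
    image_l = image.lower()
    return (ntpath.basename(image_l) in SYSTEM_BINARY_NAMES
            and not image_l.startswith(TRUSTED_DIRS))


def triage(events):
    """Return findings as {rule, pid, root, detail}; root is the top-most ancestor
    seen in the stream, so every hit on the chain is attributed to the dropper."""
    parent, image = {}, {}
    wrote = defaultdict(set)   # source pid -> target pids it called WriteProcessMemory on
    findings = []

    def root_of(pid):
        while parent.get(pid) in image:
            pid = parent[pid]
        return pid

    def add(rule, pid, detail):
        findings.append({"rule": rule, "pid": pid, "root": root_of(pid), "detail": detail})

    for ev in events:
        kind = ev["type"]
        if kind == "process_create":
            parent[ev["pid"]], image[ev["pid"]] = ev["ppid"], ev["image"]
            if is_masquerading(ev["image"]):
                add("masquerade", ev["pid"], ev["image"])
        elif kind == "process_access":
            src, dst, op = ev["source"], ev["target"], ev["op"]
            if op == "WriteProcessMemory":
                wrote[src].add(dst)
            elif op == "SetThreadContext" and dst in wrote[src] and parent.get(dst) == src:
                # src spawned dst, wrote into it, then replaced a thread's context:
                # the process-hollowing sequence (ATT&CK sub-technique T1055.012).
                add("hollowing", src, f"{image.get(src)} -> {image.get(dst)} (pid {dst})")
        elif kind == "registry_query":
            key_l = ev["key"].lower()
            if any(frag in key_l for frag in ANTI_SANDBOX_KEYS):
                add("anti_sandbox", ev["pid"], ev["key"])
        elif kind == "file_create" and STARTUP_DIR_FRAGMENT in ev["path"].lower():
            add("startup_persist", ev["pid"], ev["path"])
    return findings


# Constructed events that follow the report's process tree; PIDs, paths and keys
# are the report's, the event records themselves are made up for this example.
SAMPLE = ("C:\\Users\\Admin\\AppData\\Local\\Temp\\"
          "bf26780603ac0b0d83011772fbc3081537e8175439625c498cb02aae6e9b482f.exe")
DROPPED = "C:\\Users\\Admin\\AppData\\Local\\Temp\\explorer.exe"
HOST = "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe"
HW = "\\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System"
CONSTRUCTED_EVENTS = [
    {"type": "process_create", "pid": 1608, "ppid": 0, "image": SAMPLE},
    {"type": "registry_query", "pid": 1608, "key": "\\REGISTRY\\USER\\S-1-5-21-929662420-"
     "1054238289-2961194603-1000\\Control Panel\\International\\Geo\\Nation"},
    {"type": "file_create", "pid": 1608, "path": "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft"
     "\\Windows\\Start Menu\\Programs\\Startup\\(Empty).lnk"},
    {"type": "process_create", "pid": 4852, "ppid": 1608, "image": DROPPED},
    *[{"type": "process_access", "source": 1608, "target": 4852, "op": "WriteProcessMemory"}] * 3,
    {"type": "process_create", "pid": 1492, "ppid": 4852, "image": HOST},
    *[{"type": "process_access", "source": 4852, "target": 1492, "op": "WriteProcessMemory"}] * 8,
    {"type": "process_access", "source": 4852, "target": 1492, "op": "SetThreadContext"},
    {"type": "registry_query", "pid": 1492, "key": HW + "\\SystemBiosDate"},
    {"type": "registry_query", "pid": 1492, "key": HW + "\\CentralProcessor\\0\\Identifier"},
    # Control: the real shell launched from C:\Windows must not be flagged.
    {"type": "process_create", "pid": 500, "ppid": 400, "image": "C:\\Windows\\explorer.exe"},
]

if __name__ == "__main__":
    for f in triage(CONSTRUCTED_EVENTS):
        print(f"{f['rule']:<16} pid={f['pid']:<5} root={f['root']}  {f['detail']}")
```

Two caveats when moving this to real telemetry. SetThreadContext is API-level data of the kind a sandbox records; Sysmon does not log it, so on an endpoint the hollowing rule has to be rebuilt from Event ID 10 (process access with write-capable access masks) plus Event ID 1 parent/child relationships, which loses the thread-context step and raises the false-positive rate. The anti-sandbox keys are also read by legitimate inventory and licensing software, so that rule is a scoring signal to be weighed against the others on the same root process, not an alert by itself; the root attribution in the output is what lets the four weak signals be summed per chain.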
Network: (no entries in this report)
MITRE ATT&CK Matrix (ATT&CK v6): rendered only in the interactive view of the original page; not reproduced here.
Downloads (files written during the run)
- C:\Users\Admin\AppData\Local\Temp\Firefox.dll
  Filesize: 241KB
  MD5: fc6f62ca501a1f48316442782fe45a46
  SHA1: 586c250091ed5d3d892c7c73e500c934851341c2
  SHA256: 611a326fc36a84aea51999f13e4db99c99ac7f0c2eaa917f403561f9183d99f0
  SHA512: 587a359d7a84893b70f317b446451c9348986f1df76c0411520d44ae0009384576591bddb3fc6b789fd7ffe1fa592cd09387607f4b145972028ebc7dbe7c9f61
  No signature in this report records a process loading this DLL.
- C:\Users\Admin\AppData\Local\Temp\explorer.exe (the original report lists this file twice with identical hashes; shown once here)
  Filesize: 56KB
  MD5: ec99a9ba6fd95b806fce0fe51538910e
  SHA1: 49e4184216a22bcf78c3471642233a9224a74f20
  SHA256: bd1153023713187f48da2fc472045c2294dd625fe11ebc8b3e7e67a80f1428dd
  SHA512: bf673fba103da568c5eccce9beb48d9c2a221a4769f5c5fbd703dba3e6bc8ba8388b420606f58319ca3a8a1c93619d23bae446d496f8668bb760b465e1d41fda
- memory/4852-132-0x0000000000000000-mapping.dmp (memory dump taken from explorer.exe, PID 4852)