Analysis
max time kernel: 152s
max time network: 158s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29-11-2022 18:38
Static task: static1
Behavioral task: behavioral1
  Sample: 73dff0c07107da7dc8a00037509cd10f277dfef01884d62ffbcb40faf6e8e826.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2 (this report)
  Sample: 73dff0c07107da7dc8a00037509cd10f277dfef01884d62ffbcb40faf6e8e826.exe
  Resource: win10v2004-20220812-en
General
Target: 73dff0c07107da7dc8a00037509cd10f277dfef01884d62ffbcb40faf6e8e826.exe
Size: 43KB
MD5: c494de9e9a77b07ad0ae470b6e68a20e
SHA1: f4ed93992928e2da478ca70d61dc6fc25f6bb6a7
SHA256: 73dff0c07107da7dc8a00037509cd10f277dfef01884d62ffbcb40faf6e8e826
SHA512: ae85cd6f2c87ba4c7b5c63688541dc8b83166f7ba4d86e86908c1e8f6fff749109b0811fcbc9b85c502f6a8c08f758f8634c30aefa1528df6de3d02002925b2d
SSDEEP: 768:9UdNT8uX2d5SogqD0rK9GTW2Es5E1v6HatjHX8qvtG1GlIL19x2N/UT6HCCjPkaW:K6GvUmaxTitj2xHCCrk
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
Processes: ssh.exe
  PID 2240: ssh.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: 73dff0c07107da7dc8a00037509cd10f277dfef01884d62ffbcb40faf6e8e826.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation (process: 73dff0c07107da7dc8a00037509cd10f277dfef01884d62ffbcb40faf6e8e826.exe)
-
Drops startup file 2 IoCs
Processes: ssh.exe
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a6bb7bf955d6f8e836accef2364db9c4.exe (process: ssh.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a6bb7bf955d6f8e836accef2364db9c4.exe (process: ssh.exe)
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes: ssh.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a6bb7bf955d6f8e836accef2364db9c4 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\ssh.exe\" .." (process: ssh.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\a6bb7bf955d6f8e836accef2364db9c4 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\ssh.exe\" .." (process: ssh.exe)
Both values launch the dropped copy in %TEMP% with a trailing ".." argument, and the value name matches the file dropped into the Startup folder. The machine-wide entry lands under WOW6432Node because ssh.exe is a 32-bit process writing the redirected view of the 64-bit hive (the x86 tag and the SysWOW64 netsh.exe below agree with this).
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour. (Generic sandbox signature text: nothing else in this report shows file encryption, so weigh this against the persistence and firewall activity above rather than on its own.)
-
Suspicious behavior: EnumeratesProcesses 25 IoCs
Processes: ssh.exe
  PID 2240: ssh.exe (25 identical events)
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes: ssh.exe
  Token: SeDebugPrivilege, PID 2240 ssh.exe
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes: 73dff0c07107da7dc8a00037509cd10f277dfef01884d62ffbcb40faf6e8e826.exe, ssh.exe
  PID 3524 (73dff0c07107da7dc8a00037509cd10f277dfef01884d62ffbcb40faf6e8e826.exe) wrote to memory of PID 2240 (ssh.exe), 3 events
  PID 2240 (ssh.exe) wrote to memory of PID 4764 (netsh.exe), 3 events
In both cases the target is the writer's own direct child (see the process tree), not an unrelated process.
Processes
-
C:\Users\Admin\AppData\Local\Temp\73dff0c07107da7dc8a00037509cd10f277dfef01884d62ffbcb40faf6e8e826.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\73dff0c07107da7dc8a00037509cd10f277dfef01884d62ffbcb40faf6e8e826.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\ssh.exe (child of the above)
    command line: "C:\Users\Admin\AppData\Local\Temp\ssh.exe"
    - Executes dropped EXE
    - Drops startup file
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\netsh.exe (child of ssh.exe)
      command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\ssh.exe" "ssh.exe" ENABLE
      - Modifies Windows Firewall
      Note: "netsh firewall" is the legacy context, deprecated in favour of "netsh advfirewall firewall", but Windows 10 still honours it, so the exception for ssh.exe is created.
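The chain above (self-copy into %TEMP%, Run keys and Startup drop pointing at it, then a netsh firewall exception for the same path) is what a detection engineer would want to catch as a unit. The following is an added example, not part of the sandbox output: it runs simple rules over constructed Sysmon-style events (ID 1 process create, 11 file create, 13 registry value set; the field names are assumed) that mirror this report, plus two benign controls from Program Files to show what does not fire.

```python
"""Triage rules for the persistence and firewall-tampering chain above.

Added example, not part of the sandbox output. Events are constructed to
mirror the report; the event shape (Sysmon-like IDs and field names) is an
assumption, not any particular product's schema.
"""
import re
from dataclasses import dataclass

SAMPLE_MD5 = "c494de9e9a77b07ad0ae470b6e68a20e"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
STARTUP = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
SID = "S-1-5-21-2295526160-1155304984-640977766-1000"
RUN_VALUE = "a6bb7bf955d6f8e836accef2364db9c4"

# Constructed events reproducing the report's chain, then two benign controls.
EVENTS = [
    {"id": 1, "pid": 3524, "ppid": 1000, "image": TEMP + r"\73dff0c0.exe",
     "cmd": "", "md5": SAMPLE_MD5},
    {"id": 1, "pid": 2240, "ppid": 3524, "image": TEMP + r"\ssh.exe",
     "cmd": "", "md5": SAMPLE_MD5},
    {"id": 13, "pid": 2240, "image": TEMP + r"\ssh.exe",
     "target": "HKU\\" + SID + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" + "\\" + RUN_VALUE,
     "details": '"' + TEMP + '\\ssh.exe" ..'},
    {"id": 13, "pid": 2240, "image": TEMP + r"\ssh.exe",
     "target": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run" + "\\" + RUN_VALUE,
     "details": '"' + TEMP + '\\ssh.exe" ..'},
    {"id": 11, "pid": 2240, "image": TEMP + r"\ssh.exe",
     "target": STARTUP + "\\" + RUN_VALUE + ".exe"},
    {"id": 1, "pid": 4764, "ppid": 2240, "image": r"C:\Windows\SysWOW64\netsh.exe",
     "cmd": 'netsh firewall add allowedprogram "' + TEMP + '\\ssh.exe" "ssh.exe" ENABLE'},
    # Benign controls: an installer under Program Files doing the same two things.
    {"id": 13, "pid": 900, "image": r"C:\Program Files\Vendor\setup.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorAgent",
     "details": r'"C:\Program Files\Vendor\agent.exe"'},
    {"id": 1, "pid": 901, "ppid": 900, "image": r"C:\Windows\System32\netsh.exe",
     "cmd": 'netsh advfirewall firewall add rule name="Vendor" dir=in action=allow '
            'program="C:\\Program Files\\Vendor\\agent.exe"'},
]

USER_WRITABLE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\(local\\temp|roaming)\\", re.I)
STARTUP_DIR = re.compile(r"\\start menu\\programs\\startup\\", re.I)
RUN_KEY = re.compile(r"\\currentversion\\run\\", re.I)
# Matches both the legacy "firewall add allowedprogram" and "advfirewall firewall add rule".
NETSH_ADD = re.compile(r"\bfirewall\s+add\s+(allowedprogram|rule)\b", re.I)


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    evidence: str


def _program_from_netsh(cmd: str) -> str:
    """Path the firewall exception is opened for: program=... or, in the legacy
    context, the first quoted argument. Returns "" if neither is present."""
    m = re.search(r'program=(?:"([^"]+)"|(\S+))', cmd, re.I)
    if m:
        return m.group(1) or m.group(2)
    m = re.search(r'"([^"]+)"', cmd)
    return m.group(1) if m else ""


def _exe_from_run_value(details: str) -> str:
    """Executable a Run value launches: the quoted path, else the first token."""
    m = re.match(r'\s*"([^"]+)"', details)
    if m:
        return m.group(1)
    parts = details.split()
    return parts[0] if parts else ""


def triage(events):
    """Apply the four rules and return every Finding, in event order."""
    procs = {e["pid"]: e for e in events if e["id"] == 1}
    findings = []
    for e in events:
        img = e["image"]
        if e["id"] == 1:
            parent = procs.get(e.get("ppid"))
            # A child with the parent's own hash, started from a user-writable dir.
            if parent and USER_WRITABLE.match(img) and e.get("md5") == parent.get("md5"):
                findings.append(Finding("dropped_self_copy", e["pid"], img))
            if img.lower().endswith("\\netsh.exe") and NETSH_ADD.search(e["cmd"]):
                low = e["cmd"].lower()
                allows = "allowedprogram" in low or "action=allow" in low
                prog = _program_from_netsh(e["cmd"])
                if allows and USER_WRITABLE.match(prog):
                    findings.append(Finding("firewall_allow_user_writable", e["pid"], prog))
        elif e["id"] == 13 and RUN_KEY.search(e["target"]):
            if USER_WRITABLE.match(_exe_from_run_value(e["details"])):
                findings.append(Finding("run_key_user_writable", e["pid"], e["target"]))
        elif e["id"] == 11 and STARTUP_DIR.search(e["target"]):
            findings.append(Finding("startup_folder_drop", e["pid"], e["target"]))
    return findings


def suspicious_pids(events):
    """PIDs that tripped at least one rule."""
    return {f.pid for f in triage(events)}


if __name__ == "__main__":
    for f in triage(EVENTS):
        print(f"{f.rule:30} pid={f.pid:<5} {f.evidence}")
```

The rules key on the one trait every step of this chain shares, a user-writable path under AppData, rather than on the sample's hash or value name, so the same logic still fires when the dropper changes its file name; the Program Files controls show that an ordinary installer writing a Run key and a firewall rule stays silent.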
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\ssh.exe
  Filesize: 43KB
  MD5: c494de9e9a77b07ad0ae470b6e68a20e
  SHA1: f4ed93992928e2da478ca70d61dc6fc25f6bb6a7
  SHA256: 73dff0c07107da7dc8a00037509cd10f277dfef01884d62ffbcb40faf6e8e826
  SHA512: ae85cd6f2c87ba4c7b5c63688541dc8b83166f7ba4d86e86908c1e8f6fff749109b0811fcbc9b85c502f6a8c08f758f8634c30aefa1528df6de3d02002925b2d
  Same size and hashes as the submitted sample: the dropped ssh.exe is a byte-for-byte self-copy. (The original report listed this file twice.)
-
memory/2240-133-0x0000000000000000-mapping.dmp
-
memory/2240-138-0x0000000074F70000-0x0000000075521000-memory.dmp  Filesize: 5.7MB
-
memory/2240-139-0x0000000074F70000-0x0000000075521000-memory.dmp  Filesize: 5.7MB
-
memory/3524-132-0x0000000074F70000-0x0000000075521000-memory.dmp  Filesize: 5.7MB
-
memory/3524-136-0x0000000074F70000-0x0000000075521000-memory.dmp  Filesize: 5.7MB
-
memory/4764-137-0x0000000000000000-mapping.dmp