Analysis
- max time kernel: 151s
- max time network: 164s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 30-11-2022 13:30
Static task: static1
Behavioral task: behavioral1
- Sample: f9e2717a7c8bd0c3ec8216294d4db74d91b8082d5f68dd223fc7c0bab3040a52.exe
- Resource: win7-20220901-en
Behavioral task: behavioral2
- Sample: f9e2717a7c8bd0c3ec8216294d4db74d91b8082d5f68dd223fc7c0bab3040a52.exe
- Resource: win10v2004-20221111-en
General
- Target: f9e2717a7c8bd0c3ec8216294d4db74d91b8082d5f68dd223fc7c0bab3040a52.exe
- Size: 512KB
- MD5: d036fabd76bf32570481a2224706ddef
- SHA1: f52ce02926904c648f4b4a5a4a5ad14db09c45e0
- SHA256: f9e2717a7c8bd0c3ec8216294d4db74d91b8082d5f68dd223fc7c0bab3040a52
- SHA512: 752c2de69fc94e66e772fd48721d71ee56da6156e7460d3a415f702a07fc14c1645e5ef7885142b8207437ba9536cd533d0fec8d8f064bc70453bd457c9d5968
- SSDEEP: 12288:SZHVhCLTfKQwDvD5H6Mrb+/0ULRctxIbuOUbXEJ6Ay:EH0KQoP3+/MSHqb
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  Processes: daff.exe, tes.exe
    pid 1368: daff.exe
    pid 2072: tes.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes: daff.exe
    Key value queried: \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation (daff.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: tes.exe
    Token: SeDebugPrivilege, pid 2072 (tes.exe)
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: f9e2717a7c8bd0c3ec8216294d4db74d91b8082d5f68dd223fc7c0bab3040a52.exe, daff.exe
    PID 4104 (f9e2717a7c8bd0c3ec8216294d4db74d91b8082d5f68dd223fc7c0bab3040a52.exe) wrote to memory of PID 1368 (daff.exe)
    PID 4104 (f9e2717a7c8bd0c3ec8216294d4db74d91b8082d5f68dd223fc7c0bab3040a52.exe) wrote to memory of PID 1368 (daff.exe)
    PID 4104 (f9e2717a7c8bd0c3ec8216294d4db74d91b8082d5f68dd223fc7c0bab3040a52.exe) wrote to memory of PID 1368 (daff.exe)
    PID 1368 (daff.exe) wrote to memory of PID 2072 (tes.exe)
    PID 1368 (daff.exe) wrote to memory of PID 2072 (tes.exe)
    PID 1368 (daff.exe) wrote to memory of PID 2072 (tes.exe)
Processes
- 1. "C:\Users\Admin\AppData\Local\Temp\f9e2717a7c8bd0c3ec8216294d4db74d91b8082d5f68dd223fc7c0bab3040a52.exe"
  - Suspicious use of WriteProcessMemory
  - 2. "C:\Users\Admin\AppData\Local\Temp\daff.exe" -s -pfgr6edfgr6trfgr6yedgesgd
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    - 3. "C:\Users\Admin\AppData\Roaming\tes.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\daff.exe
  Filesize: 596KB
  MD5: 98a500f286659ef1245ff1a336b549cc
  SHA1: 0073ca9bbb842f1a5e6536bf5e46e013f2bd760d
  SHA256: 102e283847e62a965df4b2adfdfb1fa21ead76e3d94887a93783e0c55a903ee0
  SHA512: a16601ee0cf217ad3ec6648b24cefb46289c21f7241ce1abe364bc174fb8e0ab5399ffcaaa4b8d5e22594155eae965ef34704bf77085025b81012275e092195b
-
C:\Users\Admin\AppData\Roaming\tes.exe
  Filesize: 427KB
  MD5: cc4a0feab7924798704df93b8ee167a7
  SHA1: b0f312a93d6093f81e3e846d18180aae59676d9a
  SHA256: 0616a8d3fdd9bd72ae06eb8ce54960d1453c95b0e8a4c24ddcb597446d37a97d
  SHA512: 3aca27b7380372a6b6f00dd78d804c4ffaba9c3e3f74e020785a23a56cc1a80a78f8acf902d383137e51f26183ed12ab6bb830395467493200dd44faca507356
-
memory/1368-132-0x0000000000000000-mapping.dmp
-
memory/2072-135-0x0000000000000000-mapping.dmp
-
memory/2072-137-0x0000000000400000-0x000000000046E000-memory.dmp
  Filesize: 440KB
-
memory/2072-138-0x0000000000400000-0x000000000046E000-memory.dmp
  Filesize: 440KB
-
memory/2072-139-0x00000000071A0000-0x0000000007216000-memory.dmp
  Filesize: 472KB
-
memory/2072-140-0x0000000007220000-0x00000000072B2000-memory.dmp
  Filesize: 584KB
-
memory/2072-141-0x00000000072F0000-0x0000000007356000-memory.dmp
  Filesize: 408KB
-
memory/2072-142-0x0000000007360000-0x0000000007904000-memory.dmp
  Filesize: 5.6MB