Analysis
-
max time kernel
151s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
30-11-2022 17:51
Static task
static1
Behavioral task
behavioral1
Sample
79804cfea2659a8842450efceb06360b6cf5712d6e7685cb0244ab01d2ffd41b.exe
Resource
win7-20220901-en
General
-
Target
79804cfea2659a8842450efceb06360b6cf5712d6e7685cb0244ab01d2ffd41b.exe
-
Size
73KB
-
MD5
10482931f17f3be85f40317d11e58018
-
SHA1
34a80a5d490c6d0bdc78e8f391557ca08683bb51
-
SHA256
79804cfea2659a8842450efceb06360b6cf5712d6e7685cb0244ab01d2ffd41b
-
SHA512
32518611ed1ed3a627be57a6cf92b9fed5c5c955d39335c630cdbede72134ec601ac9ad075b1de3598a8ccc7f74a27b9bc2b8ad95093cf180e21225db8161263
-
SSDEEP
1536:5SS/pmHEC0fEG7MNViGozuJZOiEnJuNCIzZpZ:5RpPC0fEG7uiGoCJYi+Jcpzt
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
Server.exepid process 1020 Server.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
79804cfea2659a8842450efceb06360b6cf5712d6e7685cb0244ab01d2ffd41b.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation 79804cfea2659a8842450efceb06360b6cf5712d6e7685cb0244ab01d2ffd41b.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 1 IoCs
Processes:
timeout.exepid process 3220 timeout.exe -
Suspicious behavior: EnumeratesProcesses 23 IoCs
Processes:
79804cfea2659a8842450efceb06360b6cf5712d6e7685cb0244ab01d2ffd41b.exepid process 2148 79804cfea2659a8842450efceb06360b6cf5712d6e7685cb0244ab01d2ffd41b.exe 2148 79804cfea2659a8842450efceb06360b6cf5712d6e7685cb0244ab01d2ffd41b.exe 2148 79804cfea2659a8842450efceb06360b6cf5712d6e7685cb0244ab01d2ffd41b.exe 2148 79804cfea2659a8842450efceb06360b6cf5712d6e7685cb0244ab01d2ffd41b.exe 2148 79804cfea2659a8842450efceb06360b6cf5712d6e7685cb0244ab01d2ffd41b.exe 2148 79804cfea2659a8842450efceb06360b6cf5712d6e7685cb0244ab01d2ffd41b.exe 2148 79804cfea2659a8842450efceb06360b6cf5712d6e7685cb0244ab01d2ffd41b.exe 2148 79804cfea2659a8842450efceb06360b6cf5712d6e7685cb0244ab01d2ffd41b.exe 2148 79804cfea2659a8842450efceb06360b6cf5712d6e7685cb0244ab01d2ffd41b.exe 2148 79804cfea2659a8842450efceb06360b6cf5712d6e7685cb0244ab01d2ffd41b.exe 2148 79804cfea2659a8842450efceb06360b6cf5712d6e7685cb0244ab01d2ffd41b.exe 2148 79804cfea2659a8842450efceb06360b6cf5712d6e7685cb0244ab01d2ffd41b.exe 2148 79804cfea2659a8842450efceb06360b6cf5712d6e7685cb0244ab01d2ffd41b.exe 2148 79804cfea2659a8842450efceb06360b6cf5712d6e7685cb0244ab01d2ffd41b.exe 2148 79804cfea2659a8842450efceb06360b6cf5712d6e7685cb0244ab01d2ffd41b.exe 2148 79804cfea2659a8842450efceb06360b6cf5712d6e7685cb0244ab01d2ffd41b.exe 2148 79804cfea2659a8842450efceb06360b6cf5712d6e7685cb0244ab01d2ffd41b.exe 2148 79804cfea2659a8842450efceb06360b6cf5712d6e7685cb0244ab01d2ffd41b.exe 2148 79804cfea2659a8842450efceb06360b6cf5712d6e7685cb0244ab01d2ffd41b.exe 2148 79804cfea2659a8842450efceb06360b6cf5712d6e7685cb0244ab01d2ffd41b.exe 2148 79804cfea2659a8842450efceb06360b6cf5712d6e7685cb0244ab01d2ffd41b.exe 2148 79804cfea2659a8842450efceb06360b6cf5712d6e7685cb0244ab01d2ffd41b.exe 2148 79804cfea2659a8842450efceb06360b6cf5712d6e7685cb0244ab01d2ffd41b.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
79804cfea2659a8842450efceb06360b6cf5712d6e7685cb0244ab01d2ffd41b.exeServer.exedescription pid process Token: SeDebugPrivilege 2148 79804cfea2659a8842450efceb06360b6cf5712d6e7685cb0244ab01d2ffd41b.exe Token: SeDebugPrivilege 1020 Server.exe -
Suspicious use of WriteProcessMemory 15 IoCs
Processes:
79804cfea2659a8842450efceb06360b6cf5712d6e7685cb0244ab01d2ffd41b.execmd.execmd.exedescription pid process target process PID 2148 wrote to memory of 852 2148 79804cfea2659a8842450efceb06360b6cf5712d6e7685cb0244ab01d2ffd41b.exe cmd.exe PID 2148 wrote to memory of 852 2148 79804cfea2659a8842450efceb06360b6cf5712d6e7685cb0244ab01d2ffd41b.exe cmd.exe PID 2148 wrote to memory of 852 2148 79804cfea2659a8842450efceb06360b6cf5712d6e7685cb0244ab01d2ffd41b.exe cmd.exe PID 2148 wrote to memory of 4772 2148 79804cfea2659a8842450efceb06360b6cf5712d6e7685cb0244ab01d2ffd41b.exe cmd.exe PID 2148 wrote to memory of 4772 2148 79804cfea2659a8842450efceb06360b6cf5712d6e7685cb0244ab01d2ffd41b.exe cmd.exe PID 2148 wrote to memory of 4772 2148 79804cfea2659a8842450efceb06360b6cf5712d6e7685cb0244ab01d2ffd41b.exe cmd.exe PID 852 wrote to memory of 3048 852 cmd.exe schtasks.exe PID 852 wrote to memory of 3048 852 cmd.exe schtasks.exe PID 852 wrote to memory of 3048 852 cmd.exe schtasks.exe PID 4772 wrote to memory of 3220 4772 cmd.exe timeout.exe PID 4772 wrote to memory of 3220 4772 cmd.exe timeout.exe PID 4772 wrote to memory of 3220 4772 cmd.exe timeout.exe PID 4772 wrote to memory of 1020 4772 cmd.exe Server.exe PID 4772 wrote to memory of 1020 4772 cmd.exe Server.exe PID 4772 wrote to memory of 1020 4772 cmd.exe Server.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\79804cfea2659a8842450efceb06360b6cf5712d6e7685cb0244ab01d2ffd41b.exe"C:\Users\Admin\AppData\Local\Temp\79804cfea2659a8842450efceb06360b6cf5712d6e7685cb0244ab01d2ffd41b.exe"1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Server" /tr '"C:\Users\Admin\AppData\Roaming\Server.exe"' & exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "Server" /tr '"C:\Users\Admin\AppData\Roaming\Server.exe"'3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpC72D.tmp.bat""2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\timeout.exetimeout 33⤵
- Delays execution with timeout.exe
-
C:\Users\Admin\AppData\Roaming\Server.exe"C:\Users\Admin\AppData\Roaming\Server.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmpC72D.tmp.batFilesize
150B
MD5ca7026115427aa79ec9ec03d96d3a7c5
SHA1bdcf12f5b51434053286b97f1e4363d02ac4368a
SHA256ece6abeac2ce713c4b583769d7f913a6c97046db741d91d7a85b9841d38d041d
SHA512ef9bf5e33849e8ec5e0e9d549e0fe8aa45cc7aeff7974ba6514a2b41789245e7119c45f6f2666c253c0a63d2cf19096312a21509eaada2fe1ce974b81f682668
-
C:\Users\Admin\AppData\Roaming\Server.exeFilesize
73KB
MD510482931f17f3be85f40317d11e58018
SHA134a80a5d490c6d0bdc78e8f391557ca08683bb51
SHA25679804cfea2659a8842450efceb06360b6cf5712d6e7685cb0244ab01d2ffd41b
SHA51232518611ed1ed3a627be57a6cf92b9fed5c5c955d39335c630cdbede72134ec601ac9ad075b1de3598a8ccc7f74a27b9bc2b8ad95093cf180e21225db8161263
-
C:\Users\Admin\AppData\Roaming\Server.exeFilesize
73KB
MD510482931f17f3be85f40317d11e58018
SHA134a80a5d490c6d0bdc78e8f391557ca08683bb51
SHA25679804cfea2659a8842450efceb06360b6cf5712d6e7685cb0244ab01d2ffd41b
SHA51232518611ed1ed3a627be57a6cf92b9fed5c5c955d39335c630cdbede72134ec601ac9ad075b1de3598a8ccc7f74a27b9bc2b8ad95093cf180e21225db8161263
-
memory/852-134-0x0000000000000000-mapping.dmp
-
memory/1020-139-0x0000000000000000-mapping.dmp
-
memory/2148-132-0x0000000000560000-0x0000000000578000-memory.dmpFilesize
96KB
-
memory/2148-133-0x0000000004FF0000-0x000000000508C000-memory.dmpFilesize
624KB
-
memory/3048-136-0x0000000000000000-mapping.dmp
-
memory/3220-138-0x0000000000000000-mapping.dmp
-
memory/4772-135-0x0000000000000000-mapping.dmp