92a1b21b1ab0c846c50a2cc6e97b93bb70e1e3c9e9b1b43e5d27cca21baf3624

Analysis

max time kernel
91s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
01/12/2022, 07:54

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

92a1b21b1ab0c846c50a2cc6e97b93bb70e1e3c9e9b1b43e5d27cca21baf3624.exe
Size

670KB
MD5

815e86b824f259f0fee44c04b156f477
SHA1

a7bc276d0302f67a902a7b592352c2dc63a2116c
SHA256

92a1b21b1ab0c846c50a2cc6e97b93bb70e1e3c9e9b1b43e5d27cca21baf3624
SHA512

0b686d65042fed388751b926d8ece15271afb44b93d5e7e62abcc5a1a5991bab26b24ad780f10c326e4bd12d1b09589db80be15f12abef7d00fc311fb0c6e899
SSDEEP

12288:WzFGgI2b5QqOr3xZlxvvkPYj+rQlxQvmBZ4/wu6o5m6:W5hTOr3xZDUP/jeBZ4Yu1

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	92a1b21b1ab0c846c50a2cc6e97b93bb70e1e3c9e9b1b43e5d27cca21baf3624.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	\??\c:\windows\log.txt	92a1b21b1ab0c846c50a2cc6e97b93bb70e1e3c9e9b1b43e5d27cca21baf3624.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 6 IoCs

evasion

pid	Process
5028	taskkill.exe
1292	taskkill.exe
856	taskkill.exe
1152	taskkill.exe
4348	taskkill.exe
3264	taskkill.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	1152	taskkill.exe
Token: SeDebugPrivilege	3264	taskkill.exe
Token: SeDebugPrivilege	4348	taskkill.exe
Token: SeDebugPrivilege	5028	taskkill.exe
Token: SeDebugPrivilege	1292	taskkill.exe
Token: SeDebugPrivilege	856	taskkill.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
796	92a1b21b1ab0c846c50a2cc6e97b93bb70e1e3c9e9b1b43e5d27cca21baf3624.exe
796	92a1b21b1ab0c846c50a2cc6e97b93bb70e1e3c9e9b1b43e5d27cca21baf3624.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 796 wrote to memory of 5072	796	92a1b21b1ab0c846c50a2cc6e97b93bb70e1e3c9e9b1b43e5d27cca21baf3624.exe	82
PID 796 wrote to memory of 5072	796	92a1b21b1ab0c846c50a2cc6e97b93bb70e1e3c9e9b1b43e5d27cca21baf3624.exe	82
PID 796 wrote to memory of 5072	796	92a1b21b1ab0c846c50a2cc6e97b93bb70e1e3c9e9b1b43e5d27cca21baf3624.exe	82
PID 796 wrote to memory of 4008	796	92a1b21b1ab0c846c50a2cc6e97b93bb70e1e3c9e9b1b43e5d27cca21baf3624.exe	84
PID 796 wrote to memory of 4008	796	92a1b21b1ab0c846c50a2cc6e97b93bb70e1e3c9e9b1b43e5d27cca21baf3624.exe	84
PID 796 wrote to memory of 4008	796	92a1b21b1ab0c846c50a2cc6e97b93bb70e1e3c9e9b1b43e5d27cca21baf3624.exe	84
PID 796 wrote to memory of 1456	796	92a1b21b1ab0c846c50a2cc6e97b93bb70e1e3c9e9b1b43e5d27cca21baf3624.exe	87
PID 796 wrote to memory of 1456	796	92a1b21b1ab0c846c50a2cc6e97b93bb70e1e3c9e9b1b43e5d27cca21baf3624.exe	87
PID 796 wrote to memory of 1456	796	92a1b21b1ab0c846c50a2cc6e97b93bb70e1e3c9e9b1b43e5d27cca21baf3624.exe	87
PID 5072 wrote to memory of 1152	5072	cmd.exe	86
PID 5072 wrote to memory of 1152	5072	cmd.exe	86
PID 5072 wrote to memory of 1152	5072	cmd.exe	86
PID 796 wrote to memory of 516	796	92a1b21b1ab0c846c50a2cc6e97b93bb70e1e3c9e9b1b43e5d27cca21baf3624.exe	88
PID 796 wrote to memory of 516	796	92a1b21b1ab0c846c50a2cc6e97b93bb70e1e3c9e9b1b43e5d27cca21baf3624.exe	88
PID 796 wrote to memory of 516	796	92a1b21b1ab0c846c50a2cc6e97b93bb70e1e3c9e9b1b43e5d27cca21baf3624.exe	88
PID 796 wrote to memory of 3148	796	92a1b21b1ab0c846c50a2cc6e97b93bb70e1e3c9e9b1b43e5d27cca21baf3624.exe	91
PID 796 wrote to memory of 3148	796	92a1b21b1ab0c846c50a2cc6e97b93bb70e1e3c9e9b1b43e5d27cca21baf3624.exe	91
PID 796 wrote to memory of 3148	796	92a1b21b1ab0c846c50a2cc6e97b93bb70e1e3c9e9b1b43e5d27cca21baf3624.exe	91
PID 796 wrote to memory of 3128	796	92a1b21b1ab0c846c50a2cc6e97b93bb70e1e3c9e9b1b43e5d27cca21baf3624.exe	93
PID 796 wrote to memory of 3128	796	92a1b21b1ab0c846c50a2cc6e97b93bb70e1e3c9e9b1b43e5d27cca21baf3624.exe	93
PID 796 wrote to memory of 3128	796	92a1b21b1ab0c846c50a2cc6e97b93bb70e1e3c9e9b1b43e5d27cca21baf3624.exe	93
PID 516 wrote to memory of 4348	516	cmd.exe	95
PID 516 wrote to memory of 4348	516	cmd.exe	95
PID 516 wrote to memory of 4348	516	cmd.exe	95
PID 4008 wrote to memory of 3264	4008	cmd.exe	96
PID 4008 wrote to memory of 3264	4008	cmd.exe	96
PID 4008 wrote to memory of 3264	4008	cmd.exe	96
PID 3148 wrote to memory of 5028	3148	cmd.exe	97
PID 3148 wrote to memory of 5028	3148	cmd.exe	97
PID 3148 wrote to memory of 5028	3148	cmd.exe	97
PID 1456 wrote to memory of 1292	1456	cmd.exe	98
PID 1456 wrote to memory of 1292	1456	cmd.exe	98
PID 1456 wrote to memory of 1292	1456	cmd.exe	98
PID 3128 wrote to memory of 856	3128	cmd.exe	99
PID 3128 wrote to memory of 856	3128	cmd.exe	99
PID 3128 wrote to memory of 856	3128	cmd.exe	99

C:\Users\Admin\AppData\Local\Temp\92a1b21b1ab0c846c50a2cc6e97b93bb70e1e3c9e9b1b43e5d27cca21baf3624.exe
"C:\Users\Admin\AppData\Local\Temp\92a1b21b1ab0c846c50a2cc6e97b93bb70e1e3c9e9b1b43e5d27cca21baf3624.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:796
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill/f /im 360SE.exe /T
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5072
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im 360SE.exe /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1152
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill/f /im IEXPLORE.exe /T
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4008
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im IEXPLORE.exe /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3264
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill/f /im iexplore.exe /T
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1456
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im iexplore.exe /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1292
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill/f /im iexplore.exe /T
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:516
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im iexplore.exe /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4348
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill/f /im Aliimsafe.exe /T
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3148
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Aliimsafe.exe /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5028
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill/f /im AliIm.exe /T
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3128
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im AliIm.exe /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:856

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads