Analysis
max time kernel: 91s
max time network: 101s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02/12/2022, 22:21
Static task: static1

Behavioral task: behavioral1
Sample: b615c8e200a9b4dea8925bfbebdea652367a00366eb1415f323362312e122ed2.exe
Resource: win7-20220812-en

Behavioral task: behavioral2
Sample: b615c8e200a9b4dea8925bfbebdea652367a00366eb1415f323362312e122ed2.exe
Resource: win10v2004-20220901-en
General
Target: b615c8e200a9b4dea8925bfbebdea652367a00366eb1415f323362312e122ed2.exe
Size: 560KB
MD5: cc097f39b5675b5170eeaefad2cdb6e5
SHA1: 3e6c1af8b7e4df9ee7d90c399da221dbb8194be8
SHA256: b615c8e200a9b4dea8925bfbebdea652367a00366eb1415f323362312e122ed2
SHA512: 3295c6aa1416df26bd3cbf7e0c7a91146e73ac4e8459b102b4fcf6e606c524d4d961fdc25374ac20a4727ea72e1f15e07fd20145f5712af33c4654d77fa8b256
SSDEEP: 12288:Y3nZMhJ+ubNJtqyk4YAY+hfOh43nofBD5qGhRDUOOxwROywrE2+:Y3nZqfbvtKfAThc43nYBD1DLTiEt
Malware Config
Signatures
Executes dropped EXE (4 IoCs)
pid   Process
4688  324ekdown.cam.com
1116  win.exe
4816  mshlp.exe
4992  win32.exe
Checks computer location settings (2 TTPs, 3 IoCs)
Looks up country code configured in the registry, likely geofence.
description        ioc                                                                                                      Process
Key value queried  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation  b615c8e200a9b4dea8925bfbebdea652367a00366eb1415f323362312e122ed2.exe
Key value queried  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation  324ekdown.cam.com
Key value queried  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation  win.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
description      ioc                                                                                                                                                                      Process
Set value (str)  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xvid = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mshlp.exe"  win32.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies registry class (2 IoCs)
description  ioc                                                                                     Process
Key created  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings  OpenWith.exe
Key created  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings  b615c8e200a9b4dea8925bfbebdea652367a00366eb1415f323362312e122ed2.exe
Suspicious use of SetWindowsHookEx (1 IoCs)
pid   Process
4536  OpenWith.exe
Suspicious use of WriteProcessMemory (12 IoCs)
description              pid   Process                                                                 procid_target
PID 1852 wrote to memory of 4688  1852  b615c8e200a9b4dea8925bfbebdea652367a00366eb1415f323362312e122ed2.exe  84
PID 1852 wrote to memory of 4688  1852  b615c8e200a9b4dea8925bfbebdea652367a00366eb1415f323362312e122ed2.exe  84
PID 1852 wrote to memory of 4688  1852  b615c8e200a9b4dea8925bfbebdea652367a00366eb1415f323362312e122ed2.exe  84
PID 4688 wrote to memory of 1116  4688  324ekdown.cam.com                                                        86
PID 4688 wrote to memory of 1116  4688  324ekdown.cam.com                                                        86
PID 4688 wrote to memory of 1116  4688  324ekdown.cam.com                                                        86
PID 1116 wrote to memory of 4816  1116  win.exe                                                                  87
PID 1116 wrote to memory of 4816  1116  win.exe                                                                  87
PID 1116 wrote to memory of 4816  1116  win.exe                                                                  87
PID 1116 wrote to memory of 4992  1116  win.exe                                                                  88
PID 1116 wrote to memory of 4992  1116  win.exe                                                                  88
PID 1116 wrote to memory of 4992  1116  win.exe                                                                  88
Processes (process tree; depth shown by indentation)

C:\Users\Admin\AppData\Local\Temp\b615c8e200a9b4dea8925bfbebdea652367a00366eb1415f323362312e122ed2.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b615c8e200a9b4dea8925bfbebdea652367a00366eb1415f323362312e122ed2.exe"
  PID: 1852
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\324ekdown.cam.com
      Command line: "C:\Users\Admin\AppData\Local\Temp\324ekdown.cam.com"
      PID: 4688
      - Executes dropped EXE
      - Checks computer location settings
      - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\win.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\win.exe" -p321
          PID: 1116
          - Executes dropped EXE
          - Checks computer location settings
          - Suspicious use of WriteProcessMemory

            C:\Users\Admin\AppData\Local\Temp\mshlp.exe
              Command line: "C:\Users\Admin\AppData\Local\Temp\mshlp.exe"
              PID: 4816
              - Executes dropped EXE

            C:\Users\Admin\AppData\Local\Temp\win32.exe
              Command line: "C:\Users\Admin\AppData\Local\Temp\win32.exe"
              PID: 4992
              - Executes dropped EXE
              - Adds Run key to start application

C:\Windows\system32\OpenWith.exe
  Command line: C:\Windows\system32\OpenWith.exe -Embedding
  PID: 4536
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 188KB
MD5: 60c022a79dec56847260749dbdb84643
SHA1: 978153c84603a4826c292b6af7fdb023b218d9fd
SHA256: 2966b49f09a9aa0f166410d7525ec9ac25d30637a14478ff9a2745d4f0a64909
SHA512: 4a31726199b5a709a4cb944d70a557638ba97464d11da6000466d1b29c11675b4f211accf41e22118f813202e3070515f5c89bfd31fc5e4e8c50193b47dc06b7

Filesize: 188KB
MD5: 60c022a79dec56847260749dbdb84643
SHA1: 978153c84603a4826c292b6af7fdb023b218d9fd
SHA256: 2966b49f09a9aa0f166410d7525ec9ac25d30637a14478ff9a2745d4f0a64909
SHA512: 4a31726199b5a709a4cb944d70a557638ba97464d11da6000466d1b29c11675b4f211accf41e22118f813202e3070515f5c89bfd31fc5e4e8c50193b47dc06b7

Filesize: 49KB
MD5: 2afd69b56cf24e5b216e640a979497ee
SHA1: 5db3fcba21bbfc45581d09936da33bfce2dcc675
SHA256: 81962b9df59eb588973d2888de11cf410f60d7e6e65e5c77b36dd28690fef522
SHA512: cd1139f47d935330abcb2f6402f948d26d6bc94962c0b1a7b9ac5466b6fe8847861d0f7b358f6e2cf7e91bc061e66a9ee795a2c62059b87552106b4bff78ab81

Filesize: 49KB
MD5: 2afd69b56cf24e5b216e640a979497ee
SHA1: 5db3fcba21bbfc45581d09936da33bfce2dcc675
SHA256: 81962b9df59eb588973d2888de11cf410f60d7e6e65e5c77b36dd28690fef522
SHA512: cd1139f47d935330abcb2f6402f948d26d6bc94962c0b1a7b9ac5466b6fe8847861d0f7b358f6e2cf7e91bc061e66a9ee795a2c62059b87552106b4bff78ab81

Filesize: 139KB
MD5: dee240d01db48ec0704a4520695db7a9
SHA1: 2046c4b30c73734920d10416457594f72c1e2dac
SHA256: dc3a6ed95f4d35d219af402efda72fe46526bdbe299129f27498b6ca7b6d0e0a
SHA512: c3f52d3fd6a3b84b4a7f83cc9d3bbc1dc8cc5a872f16d30e10b8f96a11aaeac67435feb09d166d9f1561a482f2fc9891c813c346e9048b8ddd6c38b2daa0df99

Filesize: 139KB
MD5: dee240d01db48ec0704a4520695db7a9
SHA1: 2046c4b30c73734920d10416457594f72c1e2dac
SHA256: dc3a6ed95f4d35d219af402efda72fe46526bdbe299129f27498b6ca7b6d0e0a
SHA512: c3f52d3fd6a3b84b4a7f83cc9d3bbc1dc8cc5a872f16d30e10b8f96a11aaeac67435feb09d166d9f1561a482f2fc9891c813c346e9048b8ddd6c38b2daa0df99

Filesize: 48KB
MD5: ab4ee7911f9c760f4155956a2b4378f4
SHA1: 4faae72c80e41f972a39a712dd18c508510868a9
SHA256: e54855dc2a6a284040dd44056b112b081b699d33689c16c03058b940f2432e8b
SHA512: 28da7353710363408773ff9a6d7850511d0f5d8443bd9b10f51e989ffd46070527e690a6beaa62f0d2e775896d29cd39808022b9b05415452b134a26c33107e9

Filesize: 48KB
MD5: ab4ee7911f9c760f4155956a2b4378f4
SHA1: 4faae72c80e41f972a39a712dd18c508510868a9
SHA256: e54855dc2a6a284040dd44056b112b081b699d33689c16c03058b940f2432e8b
SHA512: 28da7353710363408773ff9a6d7850511d0f5d8443bd9b10f51e989ffd46070527e690a6beaa62f0d2e775896d29cd39808022b9b05415452b134a26c33107e9