Analysis

  • max time kernel
    196s
  • max time network
    209s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02/12/2022, 23:13

General

  • Target

    ae03a486090f28faed381caf337f85f73db646d263eeeaacfc90e17dd6d77d13.exe

  • Size

    421KB

  • MD5

    5fc4c26af77c3ab81417b6dfd9975004

  • SHA1

    183a060d2e2864990cc732e451e416d2475fdc85

  • SHA256

    ae03a486090f28faed381caf337f85f73db646d263eeeaacfc90e17dd6d77d13

  • SHA512

    83cb849a719c0ecbb162e27f9bfda486513223bb07b4dffe641668d55dcde3f2682894c80492b48922a826d4395667b898804779327cf33b0c982f6464b2e16b

  • SSDEEP

    12288:Szy6rRxEUzGcZzqWrps18NbX4QsmD4lKBzIe:Z6rTd51ls18F4QrDtBX

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ae03a486090f28faed381caf337f85f73db646d263eeeaacfc90e17dd6d77d13.exe
    "C:\Users\Admin\AppData\Local\Temp\ae03a486090f28faed381caf337f85f73db646d263eeeaacfc90e17dd6d77d13.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2368
    • C:\bootre\1.exe
      "C:\bootre\1.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4700
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c "c:\bootre\urlcore.exe /h /r /t /b 1753068"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:5004
        • \??\c:\bootre\urlcore.exe
          c:\bootre\urlcore.exe /h /r /t /b 1753068
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Checks whether UAC is enabled
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of SetWindowsHookEx
          PID:2016

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\bootre\1.exe

    Filesize

    16KB

    MD5

    8fe53f1ebae6ce30cff8183d865fd38b

    SHA1

    32b96178c4c03a04b2786fbdb5d63b19197c3f7e

    SHA256

    08171b4a15d891b9747a159903002e2f879fc5c712c0d7ce0238754abc38dd0a

    SHA512

    1ca8d41bb55a748d5a65fa815ca627c5652a77726ed5dede0147791a16827c39d16813073ca03bff9fce4457d135cc581a7fa62bd4d7df6bca7127368e032bd8

  • C:\bootre\1.exe

    Filesize

    16KB

    MD5

    8fe53f1ebae6ce30cff8183d865fd38b

    SHA1

    32b96178c4c03a04b2786fbdb5d63b19197c3f7e

    SHA256

    08171b4a15d891b9747a159903002e2f879fc5c712c0d7ce0238754abc38dd0a

    SHA512

    1ca8d41bb55a748d5a65fa815ca627c5652a77726ed5dede0147791a16827c39d16813073ca03bff9fce4457d135cc581a7fa62bd4d7df6bca7127368e032bd8

  • C:\bootre\urlcore.exe

    Filesize

    335KB

    MD5

    687414bc735030cf270bb2a376d23162

    SHA1

    b6b661b52625b26b23afab5b60adac2b934b6892

    SHA256

    085f35dde8e0446cc83ae8c7a04b63f831b63567408c8ae077a826ee74bf45ec

    SHA512

    0cfccfc924aaf4b8e6fec76190b8888f41103874d426fff19763d07161535348a9daeba6ea6d93fac28325f3b2b79f6e009c1bf0e65c749347806afae87b0488

  • \??\c:\bootre\urlcore.exe

    Filesize

    335KB

    MD5

    687414bc735030cf270bb2a376d23162

    SHA1

    b6b661b52625b26b23afab5b60adac2b934b6892

    SHA256

    085f35dde8e0446cc83ae8c7a04b63f831b63567408c8ae077a826ee74bf45ec

    SHA512

    0cfccfc924aaf4b8e6fec76190b8888f41103874d426fff19763d07161535348a9daeba6ea6d93fac28325f3b2b79f6e009c1bf0e65c749347806afae87b0488

  • memory/2016-141-0x0000000000400000-0x00000000004E7000-memory.dmp

    Filesize

    924KB

  • memory/2016-142-0x0000000000400000-0x00000000004E7000-memory.dmp

    Filesize

    924KB