93d1f15549e14a86dcb8e887e9dd8dced9236cc8c3ff48af384374f98ff9eea7

Analysis

max time kernel
182s
max time network
200s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
03/12/2022, 14:39

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

810KB
MD5

8d2869ea08633e1625290032e36987e9
SHA1

c2ef9793113ab8bb2185d918284148499acbfac5
SHA256

93d1f15549e14a86dcb8e887e9dd8dced9236cc8c3ff48af384374f98ff9eea7
SHA512

476e9b9806c07fb4a6881dfb48b7bc1a643a074925b191b69b2b7c376b6451858b85ae589e05cf13aa97854b56a6b72fe73f1dd7379297ac205a079e0c299dc5
SSDEEP

12288:er7EAxBmNzFLrWY5SWUWoLS+OpB+pAJobBgrNQ3kbO6PIqcSOt:QoBrWYlb4ujobBUakyyIb

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3896	PBBNAXU.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	PBBNAXU.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
3060	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2272	timeout.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
3260	file.exe
3260	file.exe
3852	powershell.exe
4444	powershell.exe
3852	powershell.exe
4444	powershell.exe
3896	PBBNAXU.exe
3896	PBBNAXU.exe
3452	powershell.exe
2176	powershell.exe
3452	powershell.exe
2176	powershell.exe
3896	PBBNAXU.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	3260	file.exe
Token: SeDebugPrivilege	3852	powershell.exe
Token: SeDebugPrivilege	4444	powershell.exe
Token: SeDebugPrivilege	3896	PBBNAXU.exe
Token: SeDebugPrivilege	3452	powershell.exe
Token: SeDebugPrivilege	2176	powershell.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3260 wrote to memory of 3852	3260	file.exe	85
PID 3260 wrote to memory of 3852	3260	file.exe	85
PID 3260 wrote to memory of 4444	3260	file.exe	86
PID 3260 wrote to memory of 4444	3260	file.exe	86
PID 3260 wrote to memory of 4844	3260	file.exe	89
PID 3260 wrote to memory of 4844	3260	file.exe	89
PID 4844 wrote to memory of 2272	4844	cmd.exe	91
PID 4844 wrote to memory of 2272	4844	cmd.exe	91
PID 4844 wrote to memory of 3896	4844	cmd.exe	92
PID 4844 wrote to memory of 3896	4844	cmd.exe	92
PID 3896 wrote to memory of 3452	3896	PBBNAXU.exe	93
PID 3896 wrote to memory of 3452	3896	PBBNAXU.exe	93
PID 3896 wrote to memory of 2176	3896	PBBNAXU.exe	95
PID 3896 wrote to memory of 2176	3896	PBBNAXU.exe	95
PID 3896 wrote to memory of 4868	3896	PBBNAXU.exe	97
PID 3896 wrote to memory of 4868	3896	PBBNAXU.exe	97
PID 4868 wrote to memory of 3060	4868	cmd.exe	99
PID 4868 wrote to memory of 3060	4868	cmd.exe	99

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3260
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3852
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4444
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp9DF5.tmp.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4844
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:2272
- - C:\ProgramData\github\PBBNAXU.exe
    "C:\ProgramData\github\PBBNAXU.exe"
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3896
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3452
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2176
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "PBBNAXU" /tr "C:\ProgramData\github\PBBNAXU.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4868
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "PBBNAXU" /tr "C:\ProgramData\github\PBBNAXU.exe"
        5⤵
        Creates scheduled task(s)
        
        PID:3060

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\github\PBBNAXU.exe

Filesize
810KB

MD5
8d2869ea08633e1625290032e36987e9

SHA1
c2ef9793113ab8bb2185d918284148499acbfac5

SHA256
93d1f15549e14a86dcb8e887e9dd8dced9236cc8c3ff48af384374f98ff9eea7

SHA512
476e9b9806c07fb4a6881dfb48b7bc1a643a074925b191b69b2b7c376b6451858b85ae589e05cf13aa97854b56a6b72fe73f1dd7379297ac205a079e0c299dc5

Download Submit
C:\ProgramData\github\PBBNAXU.exe

Filesize
810KB

MD5
8d2869ea08633e1625290032e36987e9

SHA1
c2ef9793113ab8bb2185d918284148499acbfac5

SHA256
93d1f15549e14a86dcb8e887e9dd8dced9236cc8c3ff48af384374f98ff9eea7

SHA512
476e9b9806c07fb4a6881dfb48b7bc1a643a074925b191b69b2b7c376b6451858b85ae589e05cf13aa97854b56a6b72fe73f1dd7379297ac205a079e0c299dc5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
04f1d68afbed6b13399edfae1e9b1472

SHA1
8bfdcb687a995e4a63a8c32df2c66dc89f91a8b0

SHA256
f358f33a42122e97c489fad7bbc8beab2eb42d42e4ec7fce0dd61fe6d8c0b8de

SHA512
30c5e72a8134992094d937d2588f7a503b1d6407d11afe0265b7c8b0ce14071925e5caed13fc4f9c28705df4c7aed3601f81b007048b148af274d7784aa5fb75

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9DF5.tmp.bat

Filesize
142B

MD5
7d47c6fb6b353c10085c0b72392b4e4a

SHA1
8de77d793c3d94b48f48b8d6b846e8d6179f32cd

SHA256
6822602b31c5360e51ed9c7f5f01bf3f876538693ddef53ce51d86196bd57bc1

SHA512
bc2a17f80d6872d1ad2ebf2cd4804f748356e95162e0666896a555be6860bc0ad1e8ae66f731d087c28b38f85164455abc44056a67bed8fe370bf41b452d2c3c

Download Submit
memory/2176-181-0x00007FFB6C1C0000-0x00007FFB6CC81000-memory.dmp

Filesize
10.8MB

Download
memory/2176-185-0x00007FFB6C1C0000-0x00007FFB6CC81000-memory.dmp

Filesize
10.8MB

Download
memory/3260-146-0x0000000000890000-0x00000000008D3000-memory.dmp

Filesize
268KB

Download
memory/3260-140-0x00007FFB8AFF0000-0x00007FFB8B191000-memory.dmp

Filesize
1.6MB

Download
memory/3260-144-0x00007FFB6D570000-0x00007FFB6D6BE000-memory.dmp

Filesize
1.3MB

Download
memory/3260-135-0x00007FFB7CBD0000-0x00007FFB7CC7A000-memory.dmp

Filesize
680KB

Download
memory/3260-145-0x00007FFB6C1C0000-0x00007FFB6CC81000-memory.dmp

Filesize
10.8MB

Download
memory/3260-150-0x0000000000940000-0x0000000000A70000-memory.dmp

Filesize
1.2MB

Download
memory/3260-151-0x00007FFB6C1C0000-0x00007FFB6CC81000-memory.dmp

Filesize
10.8MB

Download
memory/3260-134-0x0000000000890000-0x00000000008D3000-memory.dmp

Filesize
268KB

Download
memory/3260-141-0x00007FFB6C1C0000-0x00007FFB6CC81000-memory.dmp

Filesize
10.8MB

Download
memory/3260-137-0x00007FFB8A0D0000-0x00007FFB8A16E000-memory.dmp

Filesize
632KB

Download
memory/3260-143-0x0000000000940000-0x0000000000A70000-memory.dmp

Filesize
1.2MB

Download
memory/3260-142-0x00007FFB8B3D0000-0x00007FFB8B3FB000-memory.dmp

Filesize
172KB

Download
memory/3260-139-0x00007FFB6E420000-0x00007FFB6E4DD000-memory.dmp

Filesize
756KB

Download
memory/3260-138-0x00007FFB86C90000-0x00007FFB86CA2000-memory.dmp

Filesize
72KB

Download
memory/3260-132-0x0000000000940000-0x0000000000A70000-memory.dmp

Filesize
1.2MB

Download
memory/3260-136-0x0000000000940000-0x0000000000A70000-memory.dmp

Filesize
1.2MB

Download
memory/3452-180-0x00007FFB6C1C0000-0x00007FFB6CC81000-memory.dmp

Filesize
10.8MB

Download
memory/3452-184-0x00007FFB6C1C0000-0x00007FFB6CC81000-memory.dmp

Filesize
10.8MB

Download
memory/3852-153-0x00007FFB6C1C0000-0x00007FFB6CC81000-memory.dmp

Filesize
10.8MB

Download
memory/3852-159-0x00007FFB6C1C0000-0x00007FFB6CC81000-memory.dmp

Filesize
10.8MB

Download
memory/3896-173-0x0000000000A00000-0x0000000000A43000-memory.dmp

Filesize
268KB

Download
memory/3896-191-0x00007FFB6CC90000-0x00007FFB6CD92000-memory.dmp

Filesize
1.0MB

Download
memory/3896-170-0x00007FFB6C1C0000-0x00007FFB6CC81000-memory.dmp

Filesize
10.8MB

Download
memory/3896-171-0x00007FFB8B3D0000-0x00007FFB8B3FB000-memory.dmp

Filesize
172KB

Download
memory/3896-195-0x00007FFB6C1C0000-0x00007FFB6CC81000-memory.dmp

Filesize
10.8MB

Download
memory/3896-166-0x00007FFB8A0D0000-0x00007FFB8A16E000-memory.dmp

Filesize
632KB

Download
memory/3896-174-0x0000000000F00000-0x0000000001030000-memory.dmp

Filesize
1.2MB

Download
memory/3896-176-0x00007FFB6C1C0000-0x00007FFB6CC81000-memory.dmp

Filesize
10.8MB

Download
memory/3896-175-0x00007FFB6E070000-0x00007FFB6E1BE000-memory.dmp

Filesize
1.3MB

Download
memory/3896-165-0x00007FFB7CBD0000-0x00007FFB7CC7A000-memory.dmp

Filesize
680KB

Download
memory/3896-194-0x0000000000F00000-0x0000000001030000-memory.dmp

Filesize
1.2MB

Download
memory/3896-169-0x00007FFB8AFF0000-0x00007FFB8B191000-memory.dmp

Filesize
1.6MB

Download
memory/3896-168-0x00007FFB6E420000-0x00007FFB6E4DD000-memory.dmp

Filesize
756KB

Download
memory/3896-172-0x0000000000F00000-0x0000000001030000-memory.dmp

Filesize
1.2MB

Download
memory/3896-193-0x00007FFB88140000-0x00007FFB8817B000-memory.dmp

Filesize
236KB

Download
memory/3896-192-0x00007FFB8A670000-0x00007FFB8A6DB000-memory.dmp

Filesize
428KB

Download
memory/3896-167-0x00007FFB86C90000-0x00007FFB86CA2000-memory.dmp

Filesize
72KB

Download
memory/3896-186-0x0000000000F00000-0x0000000001030000-memory.dmp

Filesize
1.2MB

Download
memory/3896-190-0x00007FFB6E230000-0x00007FFB6E265000-memory.dmp

Filesize
212KB

Download
memory/3896-188-0x00007FFB6C1C0000-0x00007FFB6CC81000-memory.dmp

Filesize
10.8MB

Download
memory/3896-189-0x00007FFB89070000-0x00007FFB89097000-memory.dmp

Filesize
156KB

Download
memory/4444-156-0x00007FFB6C1C0000-0x00007FFB6CC81000-memory.dmp

Filesize
10.8MB

Download
memory/4444-152-0x000002276BD00000-0x000002276BD22000-memory.dmp

Filesize
136KB

Download
memory/4444-160-0x00007FFB6C1C0000-0x00007FFB6CC81000-memory.dmp

Filesize
10.8MB

Download