Analysis
-
max time kernel
90s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system -
submitted
06/12/2022, 23:38
Static task
static1
Behavioral task
behavioral1
Sample
b20ec2bdfe468de9606dfa4276ade6bb95fad9b903b0ab1537c496e60ad8cdb4.exe
Resource
win7-20220901-en
Behavioral task
behavioral2
Sample
b20ec2bdfe468de9606dfa4276ade6bb95fad9b903b0ab1537c496e60ad8cdb4.exe
Resource
win10v2004-20220901-en
General
-
Target
b20ec2bdfe468de9606dfa4276ade6bb95fad9b903b0ab1537c496e60ad8cdb4.exe
-
Size
525KB
-
MD5
15f3926bfc62adb777e785feb988e3f0
-
SHA1
ca297feaedbc08355000cd3c7f2e3b285f6df06f
-
SHA256
b20ec2bdfe468de9606dfa4276ade6bb95fad9b903b0ab1537c496e60ad8cdb4
-
SHA512
ec1bb9c9cdc5bc6f19c879050fdd392eafab47b5b5b6b92f4bf3c8a0cf09e025fc8f9317575b7d171f508b6c06945b1cd1fb12c580867f37cd4def4b6d630522
-
SSDEEP
12288:Si6fW93bu87hmkn+IHxIEAmAmhfWjkE4UQp:Sn6KihhBIfm/J
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 4812 95547956.exe -
resource yara_rule
behavioral2/memory/3548-132-0x0000000014000000-0x0000000014011000-memory.dmp upx
behavioral2/memory/3548-135-0x0000000014000000-0x0000000014011000-memory.dmp upx
behavioral2/memory/3548-136-0x0000000014000000-0x0000000014011000-memory.dmp upx
behavioral2/memory/3548-138-0x0000000014000000-0x0000000014011000-memory.dmp upx
behavioral2/memory/4812-142-0x0000000014000000-0x000000001400F000-memory.dmp upx
behavioral2/memory/4812-145-0x0000000014000000-0x000000001400F000-memory.dmp upx
behavioral2/memory/4812-146-0x0000000014000000-0x000000001400F000-memory.dmp upx
behavioral2/memory/4812-147-0x0000000014000000-0x000000001400F000-memory.dmp upx
behavioral2/memory/3548-149-0x0000000014000000-0x0000000014011000-memory.dmp upx
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process
Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation b20ec2bdfe468de9606dfa4276ade6bb95fad9b903b0ab1537c496e60ad8cdb4.exe
-
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\95547956 = "C:\\ProgramData\\95547956\\95547956.exe" b20ec2bdfe468de9606dfa4276ade6bb95fad9b903b0ab1537c496e60ad8cdb4.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\95547956 = "C:\\ProgramData\\95547956\\95547956.exe" 95547956.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\b20ec2bdfe468de9606dfa4276ade6bb95fad9b903b0ab1537c496e60ad8cdb4 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\b20ec2bdfe468de9606dfa4276ade6bb95fad9b903b0ab1537c496e60ad8cdb4.exe" b20ec2bdfe468de9606dfa4276ade6bb95fad9b903b0ab1537c496e60ad8cdb4.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\15537964 = "C:\\ProgramData\\15537964\\15537964.exe" b20ec2bdfe468de9606dfa4276ade6bb95fad9b903b0ab1537c496e60ad8cdb4.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 4812 95547956.exe -
Suspicious use of SendNotifyMessage 1 IoCs
pid Process 4812 95547956.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target
PID 3548 wrote to memory of 4812 3548 b20ec2bdfe468de9606dfa4276ade6bb95fad9b903b0ab1537c496e60ad8cdb4.exe 81
PID 3548 wrote to memory of 4812 3548 b20ec2bdfe468de9606dfa4276ade6bb95fad9b903b0ab1537c496e60ad8cdb4.exe 81
PID 3548 wrote to memory of 4812 3548 b20ec2bdfe468de9606dfa4276ade6bb95fad9b903b0ab1537c496e60ad8cdb4.exe 81
PID 3548 wrote to memory of 2868 3548 b20ec2bdfe468de9606dfa4276ade6bb95fad9b903b0ab1537c496e60ad8cdb4.exe 82
PID 3548 wrote to memory of 2868 3548 b20ec2bdfe468de9606dfa4276ade6bb95fad9b903b0ab1537c496e60ad8cdb4.exe 82
PID 3548 wrote to memory of 2868 3548 b20ec2bdfe468de9606dfa4276ade6bb95fad9b903b0ab1537c496e60ad8cdb4.exe 82
Processes
-
C:\Users\Admin\AppData\Local\Temp\b20ec2bdfe468de9606dfa4276ade6bb95fad9b903b0ab1537c496e60ad8cdb4.exe
"C:\Users\Admin\AppData\Local\Temp\b20ec2bdfe468de9606dfa4276ade6bb95fad9b903b0ab1537c496e60ad8cdb4.exe"
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3548 -
C:\ProgramData\95547956\95547956.exe
C:\ProgramData\95547956\95547956.exe
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4812
-
-
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\40555828.cmd" "
PID:2868
-
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize
46KB
MD5
4d8eddeae0b397f9433f8df8534ac2e5
SHA1
16510a4a40f5e7b10bc419e2e21a7f62857b26a4
SHA256
ae3ec95252886ba58b85c58b1fc73fbd5cbd5c2fb108e39a9356c2246981e8f9
SHA512
d8421fcd7581193f3fa1e845c96ad0fd747acba772f98128dfd4ec68e6b607ee74ce3719db49e14f9b52afe44d352229d4e47b90f04d86fe8c0b7cae69e45731
-
Filesize
325B
MD5
4cc15e0b11f9f09c2606d4ed4511aaf3
SHA1
dda0c8264df3233b6d9adff2403788daa87dc86b
SHA256
7444cda3b2c7fefcf3dc5c9be3c18bc1606866a3f6b2a2df90d549e979959a58
SHA512
f4660d79d1adc48d3372773c2f8435ffddcbcbd39c1bfb2eff469511bbe37d3f9f685930a3da0fa551b7324d2668a634f49241dbe03a499bd11beaebd2acef65