Analysis

max time kernel: 70s
max time network: 132s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06/12/2022, 13:01
Static task: static1

Behavioral task: behavioral1
  Sample: 304aad4728eb3a73e3fae493391bcff6313a081c95b77e2d6a0be8edd2c324f5.exe
  Resource: win7-20220812-en

Behavioral task: behavioral2
  Sample: 304aad4728eb3a73e3fae493391bcff6313a081c95b77e2d6a0be8edd2c324f5.exe
  Resource: win10v2004-20220812-en
General

Target: 304aad4728eb3a73e3fae493391bcff6313a081c95b77e2d6a0be8edd2c324f5.exe
Size: 184KB
MD5: 4d36e000b64bf076db39a16e2ed6fcdf
SHA1: 325887bf4aa370235e6e2ae34faddf56d6143643
SHA256: 304aad4728eb3a73e3fae493391bcff6313a081c95b77e2d6a0be8edd2c324f5
SHA512: 205cd35991fc2535ddf618c80ab30abaf1bde509007480ecd77cee5eb941e624ba6b92d5e67fe8e40962d4635181e692cb4f0edcc31c3f2bfa06f7e120209795
SSDEEP: 3072:9ydJq5oyVzs+h0JI5J0SpUldLS3lgGBd/AkKHBRQ/rPOy9xnnHsGvPwsAvWDA:4W2+tUnoC2/ALhyzpsGvPw6k
Malware Config

Signatures

Executes dropped EXE (1 IoC)
  pid | Process
  4720 | OFFICE~1.EXE

  resource | yara_rule
  behavioral2/files/0x0006000000022f77-133.dat | upx
  behavioral2/files/0x0006000000022f77-134.dat | upx
  behavioral2/memory/4720-135-0x0000000000400000-0x0000000000425000-memory.dmp | upx
  behavioral2/memory/4720-136-0x0000000000400000-0x0000000000425000-memory.dmp | upx

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | OFFICE~1.EXE

Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | 304aad4728eb3a73e3fae493391bcff6313a081c95b77e2d6a0be8edd2c324f5.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 304aad4728eb3a73e3fae493391bcff6313a081c95b77e2d6a0be8edd2c324f5.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | Process
  Token: SeBackupPrivilege | 2996 | reg.exe

Suspicious use of WriteProcessMemory (9 IoCs)
  description | pid | Process | procid_target
  PID 3440 wrote to memory of 4720 | 3440 | 304aad4728eb3a73e3fae493391bcff6313a081c95b77e2d6a0be8edd2c324f5.exe | 80
  PID 3440 wrote to memory of 4720 | 3440 | 304aad4728eb3a73e3fae493391bcff6313a081c95b77e2d6a0be8edd2c324f5.exe | 80
  PID 3440 wrote to memory of 4720 | 3440 | 304aad4728eb3a73e3fae493391bcff6313a081c95b77e2d6a0be8edd2c324f5.exe | 80
  PID 4720 wrote to memory of 3400 | 4720 | OFFICE~1.EXE | 81
  PID 4720 wrote to memory of 3400 | 4720 | OFFICE~1.EXE | 81
  PID 4720 wrote to memory of 3400 | 4720 | OFFICE~1.EXE | 81
  PID 3400 wrote to memory of 2996 | 3400 | cmd.exe | 83
  PID 3400 wrote to memory of 2996 | 3400 | cmd.exe | 83
  PID 3400 wrote to memory of 2996 | 3400 | cmd.exe | 83
Processes

1. C:\Users\Admin\AppData\Local\Temp\304aad4728eb3a73e3fae493391bcff6313a081c95b77e2d6a0be8edd2c324f5.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\304aad4728eb3a73e3fae493391bcff6313a081c95b77e2d6a0be8edd2c324f5.exe"
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory
   PID: 3440

   2. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OFFICE~1.EXE
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OFFICE~1.EXE
      - Executes dropped EXE
      - Checks computer location settings
      - Suspicious use of WriteProcessMemory
      PID: 4720

      3. C:\Windows\SysWOW64\cmd.exe
         Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\SaveOffice.cmd" "
         - Suspicious use of WriteProcessMemory
         PID: 3400

         4. C:\Windows\SysWOW64\reg.exe
            Command line: reg save HKLM\SOFTWARE c:\OfficeRegBak.hiv
            - Suspicious use of AdjustPrivilegeToken
            PID: 2996
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 86KB
MD5: 216ecd0bfdbc552f593f05b9ebe5dbfa
SHA1: fe6bb61411801f1a62e133d994455083c5b99820
SHA256: 96ad52c7bd0add41eef200fbb913d9f79af79357fe6d30214bb1b74a37c8a49b
SHA512: da6f0b775c54358f79b5c13f2faf0211841dce41b80c5eacee7402c3af87d60fea6dd79f404947210fd4ab55b0af4baad731397e9f9d45a4e8c0ea07028358bb

Filesize: 981B
MD5: b8f78830dd1782e12b8807aea7384ac2
SHA1: bee8e85498a0e0add628bda558dfe652554e0ec4
SHA256: c374fabdfe02c9434af163e230d88c34387a461efb6fe251f602a45766dfba35
SHA512: 3799f6d162bdfc01bad49b22490387c8c71c36bf163bca22748b47e5a48c7b9e4b46c40f94246b08368a972e0ade4c6af0b59a681aeb3f77640fdc7e1d01f4fa