599881300a9ff3d7aa3319fd9db80e712f6cbfb38138c047c18810fc2e722b2e

Analysis

max time kernel
11s
max time network
13s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
29-12-2022 08:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Token.exe
Size

48KB
MD5

f8d2c369baf260e874cfe2ffdab22251
SHA1

c0e01407302197f4e52d39fe085fc53812b40cfe
SHA256

599881300a9ff3d7aa3319fd9db80e712f6cbfb38138c047c18810fc2e722b2e
SHA512

cb1870bd77aac65f7694051a61fa32392bb12e53a20e52c8ebee5b740b8f38e371b27c00b54c44e52c2f50a082c8b914b835ac611e33ffee40c151039d5ee7eb
SSDEEP

768:+e128jKMyqDAfFfknDM/E56s39GS1Q62cjW3HSumDTn/QpCSmO4e+vunNA+F:+wQGmA9R1QbcjW3yum/nOiOEunNA+F

Score

7^/10

bootkit persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	Token.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	Token.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2148	notepad.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2792 wrote to memory of 2148	2792	Token.exe	86
PID 2792 wrote to memory of 2148	2792	Token.exe	86
PID 2792 wrote to memory of 2148	2792	Token.exe	86
PID 2792 wrote to memory of 3476	2792	Token.exe	87
PID 2792 wrote to memory of 3476	2792	Token.exe	87
PID 2792 wrote to memory of 3476	2792	Token.exe	87

C:\Users\Admin\AppData\Local\Temp\Token.exe
"C:\Users\Admin\AppData\Local\Temp\Token.exe"
1⤵
- Checks computer location settings
- Writes to the Master Boot Record (MBR)
- Suspicious use of WriteProcessMemory
PID:2792
- C:\Windows\SysWOW64\notepad.exe
  "C:\Windows\System32\notepad.exe" C:\Users\Admin\AppData\Local\Temp\ResultCheck.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:2148
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c pause
  2⤵
  PID:3476

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ResultCheck.txt

Filesize
76B

MD5
5ea184dee9375c979f8c6dfe0f208aa1

SHA1
cb39f161936eb8999810e704f8ec34c46cd3f33c

SHA256
a5fdc1e0259d19f9d84a7d963636bf9e49e423f471363ed117e47cd644454a49

SHA512
a4e7e10458b6bbd8b439bfe001affde8689c0f7fc7ea64be71483cc7e20d2e11fbf81c9d0ff9acdd898f05181e747af6395209fd4fb8d67c249b3a821a4cbd57

Download Submit