Analysis
  max time kernel: 111s
  max time network: 142s
  platform: windows10-2004_x64
  resource: win10v2004-20221111-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 29/12/2022, 13:15
Behavioral task: behavioral1
  Sample: f7e2d103fb403399e4dca1625cd9a733b0fd50e04fdeb435a81ade7b6f7d56e3.exe
  Resource: win7-20220901-en

Behavioral task: behavioral2
  Sample: f7e2d103fb403399e4dca1625cd9a733b0fd50e04fdeb435a81ade7b6f7d56e3.exe
  Resource: win10v2004-20221111-en
General
  Target: f7e2d103fb403399e4dca1625cd9a733b0fd50e04fdeb435a81ade7b6f7d56e3.exe
  Size: 251KB
  MD5: 25b11ce189d36095c214ec12fd1c4e78
  SHA1: fb194c5a31b57b4fda3ca58145636be85e5f5172
  SHA256: f7e2d103fb403399e4dca1625cd9a733b0fd50e04fdeb435a81ade7b6f7d56e3
  SHA512: 0be17810ddbcfad5eddc5086962a8ee44451fc8c20035dbc1660e2339cdcc29ad65701b1538fa32f25eb5be7e68f4a3235cda4c80c21d8ca165eed49cda465da
  SSDEEP: 6144:ByX9Id6xvIhgsQkhTSTou+e0+WMf97z8IAO0TJTbw:ByX86xvIhgZkhTcJbebw
Malware Config
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation
  Process: f7e2d103fb403399e4dca1625cd9a733b0fd50e04fdeb435a81ade7b6f7d56e3.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Kills process with taskkill (1 IoC)
  pid: 3284
  Process: taskkill.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description: Token: SeDebugPrivilege
  pid: 3284
  Process: taskkill.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  description                        pid   Process                                                                procid_target
  PID 3144 wrote to memory of 4928   3144  f7e2d103fb403399e4dca1625cd9a733b0fd50e04fdeb435a81ade7b6f7d56e3.exe   79
  PID 3144 wrote to memory of 4928   3144  f7e2d103fb403399e4dca1625cd9a733b0fd50e04fdeb435a81ade7b6f7d56e3.exe   79
  PID 3144 wrote to memory of 4928   3144  f7e2d103fb403399e4dca1625cd9a733b0fd50e04fdeb435a81ade7b6f7d56e3.exe   79
  PID 4928 wrote to memory of 3284   4928  cmd.exe                                                                81
  PID 4928 wrote to memory of 3284   4928  cmd.exe                                                                81
  PID 4928 wrote to memory of 3284   4928  cmd.exe                                                                81
Processes (tree depth in brackets)

[1] C:\Users\Admin\AppData\Local\Temp\f7e2d103fb403399e4dca1625cd9a733b0fd50e04fdeb435a81ade7b6f7d56e3.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\f7e2d103fb403399e4dca1625cd9a733b0fd50e04fdeb435a81ade7b6f7d56e3.exe"
    Signatures:
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID: 3144

    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c taskkill /im "f7e2d103fb403399e4dca1625cd9a733b0fd50e04fdeb435a81ade7b6f7d56e3.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\f7e2d103fb403399e4dca1625cd9a733b0fd50e04fdeb435a81ade7b6f7d56e3.exe" & exit
        Signatures:
        - Suspicious use of WriteProcessMemory
        PID: 4928

        [3] C:\Windows\SysWOW64\taskkill.exe
            Command line: taskkill /im "f7e2d103fb403399e4dca1625cd9a733b0fd50e04fdeb435a81ade7b6f7d56e3.exe" /f
            Signatures:
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken
            PID: 3284