b03d831a555a8366ac262fa9d13fde89b675803d41c57d36f07090a0cedab154

Analysis

max time kernel
91s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
25-01-2023 10:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SOA.exe
Size

671KB
MD5

774dc51d4da8bbc4e682008bf4d61aa2
SHA1

0a12ab2bed3ce4e701e534df5c24bfef8dcc653b
SHA256

b03d831a555a8366ac262fa9d13fde89b675803d41c57d36f07090a0cedab154
SHA512

38bfce718ca25bba53e5ceb3de3c6b7c643bfdd358094ab8d0ec288415391146e029d778a43afe3edb86e4bf8d7fde2a65e3f553ee2467437f6b3de1eb3b2306
SSDEEP

12288:UF3gflcMVpRY6HxOVU9z+EHE1tKuSoNvXOTwYM0:z6MVpcUptU9A

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

SOA.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation SOA.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4336 schtasks.exe
Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

SOA.exe

pid process

5048 SOA.exe
5048 SOA.exe
5048 SOA.exe
5048 SOA.exe
5048 SOA.exe
5048 SOA.exe
5048 SOA.exe
5048 SOA.exe
5048 SOA.exe
5048 SOA.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

SOA.exe

description pid process

Token: SeDebugPrivilege 5048 SOA.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	SOA.exe

pid	process
4336	schtasks.exe

pid	process
5048	SOA.exe
5048	SOA.exe
5048	SOA.exe
5048	SOA.exe
5048	SOA.exe
5048	SOA.exe
5048	SOA.exe
5048	SOA.exe
5048	SOA.exe
5048	SOA.exe

description	pid	process
Token: SeDebugPrivilege	5048	SOA.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

SOA.exe

description	pid	process	target process
PID 5048 wrote to memory of 4336	5048	SOA.exe	schtasks.exe
PID 5048 wrote to memory of 4336	5048	SOA.exe	schtasks.exe
PID 5048 wrote to memory of 4336	5048	SOA.exe	schtasks.exe
PID 5048 wrote to memory of 1936	5048	SOA.exe	SOA.exe
PID 5048 wrote to memory of 1936	5048	SOA.exe	SOA.exe
PID 5048 wrote to memory of 1936	5048	SOA.exe	SOA.exe
PID 5048 wrote to memory of 1872	5048	SOA.exe	SOA.exe
PID 5048 wrote to memory of 1872	5048	SOA.exe	SOA.exe
PID 5048 wrote to memory of 1872	5048	SOA.exe	SOA.exe
PID 5048 wrote to memory of 1924	5048	SOA.exe	SOA.exe
PID 5048 wrote to memory of 1924	5048	SOA.exe	SOA.exe
PID 5048 wrote to memory of 1924	5048	SOA.exe	SOA.exe
PID 5048 wrote to memory of 1788	5048	SOA.exe	SOA.exe
PID 5048 wrote to memory of 1788	5048	SOA.exe	SOA.exe
PID 5048 wrote to memory of 1788	5048	SOA.exe	SOA.exe
PID 5048 wrote to memory of 904	5048	SOA.exe	SOA.exe
PID 5048 wrote to memory of 904	5048	SOA.exe	SOA.exe
PID 5048 wrote to memory of 904	5048	SOA.exe	SOA.exe

C:\Users\Admin\AppData\Local\Temp\SOA.exe
"C:\Users\Admin\AppData\Local\Temp\SOA.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5048

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BWhappphtUdy" /XML "C:\Users\Admin\AppData\Local\Temp\tmpEC0A.tmp"
2⤵
- Creates scheduled task(s)
PID:4336

C:\Users\Admin\AppData\Local\Temp\SOA.exe
"{path}"
2⤵
PID:1936

C:\Users\Admin\AppData\Local\Temp\SOA.exe
"{path}"
2⤵
PID:1872

C:\Users\Admin\AppData\Local\Temp\SOA.exe
"{path}"
2⤵
PID:1924

C:\Users\Admin\AppData\Local\Temp\SOA.exe
"{path}"
2⤵
PID:1788

C:\Users\Admin\AppData\Local\Temp\SOA.exe
"{path}"
2⤵
PID:904

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpEC0A.tmp
Filesize
1KB

MD5
651b9bb871e69166aaa89a438a067e5c

SHA1
c6f6b3a52d41ba94c9e8e569d1ebd725f4d13418

SHA256
a288d7bcd77f514a3dc2deb44f0a0a2b44284e794416fbaac209982ab18afad3

SHA512
9091170c30a11f419c73768e255038fbb0de604a625e7d18a91bf44e855e35f88b06c4349c457eda33b0c5ee55bda5930b2d8cd5c2e078195409b114297846da

Download Submit
memory/4336-137-0x0000000000000000-mapping.dmp

Download
memory/5048-132-0x0000000000480000-0x000000000052E000-memory.dmp

Filesize
696KB

Download
memory/5048-133-0x00000000054D0000-0x0000000005A74000-memory.dmp

Filesize
5.6MB

Download
memory/5048-134-0x0000000004F20000-0x0000000004FB2000-memory.dmp

Filesize
584KB

Download
memory/5048-135-0x0000000004FC0000-0x000000000505C000-memory.dmp

Filesize
624KB

Download
memory/5048-136-0x0000000004EC0000-0x0000000004ECA000-memory.dmp

Filesize
40KB

Download