Analysis
- max time kernel: 146s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29-01-2023 21:29
Static task: static1
Behavioral task: behavioral1
- Sample: 26e657df0e518cad1107765e55ffa3af3dd71a3c70b07ce69c31f7ebaaa145b2.exe
- Resource: win7-20220812-en
General
- Target: 26e657df0e518cad1107765e55ffa3af3dd71a3c70b07ce69c31f7ebaaa145b2.exe
- Size: 196KB
- MD5: 035de7c27c7be916b5f3320e895c61ac
- SHA1: 84159edae207759230fdc0ffebc46a54acf73e98
- SHA256: 26e657df0e518cad1107765e55ffa3af3dd71a3c70b07ce69c31f7ebaaa145b2
- SHA512: aea1b617fd2441eb73ada7fcd2b75255bb6b764837d6adf962adbe460a5060a19a3d0c98ce819b2711720bf9dc9c4c9cd67d88f81727d5ecec64be3bd40a3560
- SSDEEP: 6144:bzWJFc3d3B6Nt53jrSrKZLehQS/xvlZ6/:663B6Nt53n6Q4Vg
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes: PID 316 OBS.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence check (the sample can refuse to run in particular locales).
  Key value queried: \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation by 26e657df0e518cad1107765e55ffa3af3dd71a3c70b07ce69c31f7ebaaa145b2.exe
- Enumerates physical storage devices (1 TTP, no IoC recorded)
  Attempts to interact with connected storage/optical drive(s). The sandbox describes this as likely ransomware behaviour, but it is a generic heuristic: no supporting IoC was recorded for this task and nothing else in the report (only two dropped files, no mass file writes) points to ransomware.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution. Here schtasks.exe (PID 1288) registers the task "OBS" (see the process tree below for the full command line).
- Delays execution with timeout.exe (1 IoC)
  Processes: PID 4648 timeout.exe
- Suspicious behavior: EnumeratesProcesses (23 IoCs)
  Processes: PID 704 26e657df0e518cad1107765e55ffa3af3dd71a3c70b07ce69c31f7ebaaa145b2.exe (23 events)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token SeDebugPrivilege: PID 704 26e657df0e518cad1107765e55ffa3af3dd71a3c70b07ce69c31f7ebaaa145b2.exe
  Token SeDebugPrivilege: PID 316 OBS.exe
- Suspicious use of WriteProcessMemory (15 IoCs)
  Source PID wrote to memory of target PID (3 writes recorded per pair):
  - 704 (26e657df0e518cad1107765e55ffa3af3dd71a3c70b07ce69c31f7ebaaa145b2.exe) -> 4968 (cmd.exe)
  - 704 (26e657df0e518cad1107765e55ffa3af3dd71a3c70b07ce69c31f7ebaaa145b2.exe) -> 4644 (cmd.exe)
  - 4968 (cmd.exe) -> 1288 (schtasks.exe)
  - 4644 (cmd.exe) -> 4648 (timeout.exe)
  - 4644 (cmd.exe) -> 316 (OBS.exe)
Processes
- PID 704: C:\Users\Admin\AppData\Local\Temp\26e657df0e518cad1107765e55ffa3af3dd71a3c70b07ce69c31f7ebaaa145b2.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\26e657df0e518cad1107765e55ffa3af3dd71a3c70b07ce69c31f7ebaaa145b2.exe"
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - PID 4968: C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "OBS" /tr '"C:\Users\Admin\AppData\Roaming\OBS.exe"' & exit
    - Suspicious use of WriteProcessMemory
    - PID 1288: C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /create /f /sc onlogon /rl highest /tn "OBS" /tr '"C:\Users\Admin\AppData\Roaming\OBS.exe"'
      - Creates scheduled task(s)
  - PID 4644: C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp1CA0.tmp.bat""
    - Suspicious use of WriteProcessMemory
    - PID 4648: C:\Windows\SysWOW64\timeout.exe
      Command line: timeout 3
      - Delays execution with timeout.exe
    - PID 316: C:\Users\Admin\AppData\Roaming\OBS.exe
      Command line: "C:\Users\Admin\AppData\Roaming\OBS.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken

The command lines reference System32, but the child images resolve to SysWOW64: the sample is a 32-bit process (resource tag arch:x86) on x64 Windows, so file system redirection maps its System32 references to the WOW64 binaries. The chain is: copy self to %APPDATA%\OBS.exe, register an on-logon scheduled task with /rl highest pointing at that copy, then run a temp batch file that waits three seconds and launches the copy.
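The process tree above is a common persistence-and-relaunch pattern that is easy to detect from process-creation telemetry alone. The Python below is an added example written for this report, not part of the sandbox output or of the sample: it encodes the report's process events and dropped files as constructed input, builds the parent/child tree, and applies three rules (a schtasks persistence task whose target lives in a user-writable directory, a cmd.exe running a temp batch that pairs a delay with launching an EXE from such a directory, and a dropped file whose SHA256 matches the submitted sample), then correlates them into one chain. The trigger set and the ping.exe delay variant are generalisations beyond this sample; the sample's parent PID of 0 is an assumption, since the report does not show it.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed input: the process tree and dropped files from the report, as
# (pid, parent pid, image path, command line). Parent PID 0 for the sample is assumed.
SAMPLE_EXE = (r"C:\Users\Admin\AppData\Local\Temp"
              r"\26e657df0e518cad1107765e55ffa3af3dd71a3c70b07ce69c31f7ebaaa145b2.exe")
SAMPLE_SHA256 = "26e657df0e518cad1107765e55ffa3af3dd71a3c70b07ce69c31f7ebaaa145b2"
TASK_CMD = (r'schtasks /create /f /sc onlogon /rl highest /tn "OBS" /tr '
            + "'" + r'"C:\Users\Admin\AppData\Roaming\OBS.exe"' + "'")
EVENTS = [
    (704, 0, SAMPLE_EXE, f'"{SAMPLE_EXE}"'),
    (4968, 704, r"C:\Windows\SysWOW64\cmd.exe",
     r'"C:\Windows\System32\cmd.exe" /c ' + TASK_CMD + " & exit"),
    (1288, 4968, r"C:\Windows\SysWOW64\schtasks.exe", TASK_CMD),
    (4644, 704, r"C:\Windows\SysWOW64\cmd.exe",
     r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp1CA0.tmp.bat""'),
    (4648, 4644, r"C:\Windows\SysWOW64\timeout.exe", "timeout 3"),
    (316, 4644, r"C:\Users\Admin\AppData\Roaming\OBS.exe",
     r'"C:\Users\Admin\AppData\Roaming\OBS.exe"'),
]
DROPPED: List[Tuple[str, str]] = [  # (path, sha256) from the Downloads section
    (r"C:\Users\Admin\AppData\Local\Temp\tmp1CA0.tmp.bat",
     "c3e04c51512a5da1cc3d439a466eff65a1739b28ead860aafb7a43a19e0bd4c2"),
    (r"C:\Users\Admin\AppData\Roaming\OBS.exe", SAMPLE_SHA256),
]

# Directories a standard user can write to; legitimate scheduled tasks rarely point here.
USER_WRITABLE = re.compile(r"\\(AppData|ProgramData|Users\\Public|Temp)\\", re.I)
# Triggers that give persistence (generalised beyond the report's onlogon).
PERSIST_TRIGGERS = {"onlogon", "onstart", "minute", "hourly", "daily"}


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str
    children: List["Proc"] = field(default_factory=list)


def build_tree(events) -> Dict[int, Proc]:
    procs = {pid: Proc(pid, ppid, image, cmd) for pid, ppid, image, cmd in events}
    for p in procs.values():
        if p.ppid in procs:
            procs[p.ppid].children.append(p)
    return procs


def _opt(cmd: str, name: str) -> Optional[str]:
    """Value of a schtasks-style '/name value' option. Accepts bare, "..." and the
    '"..."' (single-quote-wrapped) form seen in the report; outer quotes are stripped."""
    m = re.search(r"(?i)/" + re.escape(name) + r"\s+('[^']*'|\"[^\"]*\"|\S+)", cmd)
    return m.group(1).strip("'\"") if m else None


def schtasks_persistence(p: Proc) -> Optional[dict]:
    """schtasks.exe creating a persistent task whose action runs from a user-writable dir.
    Only the schtasks.exe process itself is matched, so the cmd.exe wrapper is not double-counted."""
    if not p.image.lower().endswith("\\schtasks.exe") or not re.search(r"(?i)/create", p.cmdline):
        return None
    sched, rl, tr = _opt(p.cmdline, "sc"), _opt(p.cmdline, "rl"), _opt(p.cmdline, "tr")
    if sched and sched.lower() in PERSIST_TRIGGERS and tr and USER_WRITABLE.search(tr):
        return {"rule": "schtasks_persistence", "pid": p.pid, "task": _opt(p.cmdline, "tn"),
                "trigger": sched.lower(), "highest": (rl or "").lower() == "highest", "target": tr}
    return None


def delayed_drop_execution(p: Proc) -> Optional[dict]:
    """cmd.exe running a .bat/.cmd whose children pair a delay with an EXE from a user-writable dir."""
    if not p.image.lower().endswith("\\cmd.exe"):
        return None
    delays = [c for c in p.children if c.image.lower().endswith(("\\timeout.exe", "\\ping.exe"))]
    launched = [c for c in p.children
                if USER_WRITABLE.search(c.image) and not c.image.lower().startswith("c:\\windows")]
    batch = re.search(r"(?i)([A-Z]:\\[^\"]+\.(?:bat|cmd))", p.cmdline)
    if delays and launched:
        return {"rule": "delayed_drop_execution", "pid": p.pid, "delay": delays[0].cmdline,
                "target": launched[0].image, "batch": batch.group(1) if batch else None}
    return None


def dropped_self_copy(sample_sha256: str, dropped: List[Tuple[str, str]]) -> List[dict]:
    """A dropped file with the sample's own hash in a user-writable dir is a self-copy for persistence."""
    return [{"rule": "self_copy_to_user_dir", "path": path} for path, sha in dropped
            if sha.lower() == sample_sha256.lower() and USER_WRITABLE.search(path)]


def analyze(events, dropped, sample_sha256) -> List[dict]:
    procs = build_tree(events)
    findings: List[dict] = []
    for p in procs.values():
        for rule in (schtasks_persistence, delayed_drop_execution):
            hit = rule(p)
            if hit:
                findings.append(hit)
    findings.extend(dropped_self_copy(sample_sha256, dropped))
    # A self-copy that is also a task target or relaunched binary is the complete chain.
    targets = {f["target"].lower() for f in findings if "target" in f}
    for f in [f for f in findings if f["rule"] == "self_copy_to_user_dir"]:
        if f["path"].lower() in targets:
            findings.append({"rule": "persistence_chain", "path": f["path"]})
    return findings


if __name__ == "__main__":
    for finding in analyze(EVENTS, DROPPED, SAMPLE_SHA256):
        print(finding)
```

The same rules apply unchanged to Sysmon Event ID 1 or EDR process-creation records once they are mapped to (pid, ppid, image, cmdline); the hash comparison needs the dropped-file hashes that Sysmon Event ID 11 plus a hashing step, or the EDR, would supply.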
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp1CA0.tmp.bat
  Filesize: 147B
  MD5: e09bb3b268576aae84f10a8f73beaf4d
  SHA1: 86a30812894e10a822cbf9b2842c5c22668b7a0b
  SHA256: c3e04c51512a5da1cc3d439a466eff65a1739b28ead860aafb7a43a19e0bd4c2
  SHA512: e4ef613692f1217477acd7d0a522e81c93e9da8b18ab73f1ccd459dd2802423c3ea4e86a8372248e8a2cd01e19973a60ffb3dd9881c71d729fbfc825111e8ec1
- C:\Users\Admin\AppData\Roaming\OBS.exe (byte-identical to the submitted sample: same size and hashes)
  Filesize: 196KB
  MD5: 035de7c27c7be916b5f3320e895c61ac
  SHA1: 84159edae207759230fdc0ffebc46a54acf73e98
  SHA256: 26e657df0e518cad1107765e55ffa3af3dd71a3c70b07ce69c31f7ebaaa145b2
  SHA512: aea1b617fd2441eb73ada7fcd2b75255bb6b764837d6adf962adbe460a5060a19a3d0c98ce819b2711720bf9dc9c4c9cd67d88f81727d5ecec64be3bd40a3560
- memory/316-139-0x0000000000000000-mapping.dmp
- memory/704-132-0x0000000000600000-0x0000000000608000-memory.dmp
  Filesize: 32KB
- memory/704-133-0x0000000004F60000-0x0000000004FFC000-memory.dmp
  Filesize: 624KB
- memory/1288-136-0x0000000000000000-mapping.dmp
- memory/4644-135-0x0000000000000000-mapping.dmp
- memory/4648-138-0x0000000000000000-mapping.dmp
- memory/4968-134-0x0000000000000000-mapping.dmp