Analysis
- max time kernel: 149s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29-01-2023 21:30
Static task: static1
Behavioral task: behavioral1
- Sample: 1d6283a87158b72765a2ee1ad98f4fcfc66f3f00a689142bbb282d47965f9882.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: 1d6283a87158b72765a2ee1ad98f4fcfc66f3f00a689142bbb282d47965f9882.exe
- Resource: win10v2004-20220901-en
General
- Target: 1d6283a87158b72765a2ee1ad98f4fcfc66f3f00a689142bbb282d47965f9882.exe
- Size: 5KB
- MD5: 2bffa215e8de32a499e70c7e8d2d2f49
- SHA1: b47e57184812b3c4f95a43be34fd5970d65ba699
- SHA256: 1d6283a87158b72765a2ee1ad98f4fcfc66f3f00a689142bbb282d47965f9882
- SHA512: 850480028421d66a8dafb1b80a4963a286a0c08d782fece10bd9b721b02b8726fb8ba98c0d58123b0fbea416fbad206aa4724ad50c7e94edeb3c7ce32eece420
- SSDEEP: 48:68gsUyDFyChIYOwAFJ83LczguuGRFx955qBHLDAXulMDFHqXSfbNtm:mQyUOa3LMgQHx9Dkr1aDF5zNt
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes (pid, process):
  1536 | process.exe
- Modifies Windows Firewall (1 TTP, 1 IoC)
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes (description, ioc, process):
  Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | 1d6283a87158b72765a2ee1ad98f4fcfc66f3f00a689142bbb282d47965f9882.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description, ioc, process):
  Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a8e219248151eaf80194d2dc1b8a5945 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\process.exe\" .." | process.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\a8e219248151eaf80194d2dc1b8a5945 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\process.exe\" .." | process.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (30 IoCs)
  Processes (pid, process):
  1536 | process.exe (the same entry is reported 30 times)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description, pid, process):
  Token: SeDebugPrivilege | 3704 | 1d6283a87158b72765a2ee1ad98f4fcfc66f3f00a689142bbb282d47965f9882.exe
  Token: SeDebugPrivilege | 1536 | process.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (description, pid, process, target process):
  PID 3704 wrote to memory of 1536 | 3704 | 1d6283a87158b72765a2ee1ad98f4fcfc66f3f00a689142bbb282d47965f9882.exe | process.exe (reported 3 times)
  PID 1536 wrote to memory of 3304 | 1536 | process.exe | netsh.exe (reported 3 times)
Processes
1. C:\Users\Admin\AppData\Local\Temp\1d6283a87158b72765a2ee1ad98f4fcfc66f3f00a689142bbb282d47965f9882.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\1d6283a87158b72765a2ee1ad98f4fcfc66f3f00a689142bbb282d47965f9882.exe"
   - Checks computer location settings
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\process.exe (child of 1)
      Command line: "C:\Users\Admin\AppData\Local\Temp\process.exe"
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\netsh.exe (child of 2)
         Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\process.exe" "process.exe" ENABLE
         - Modifies Windows Firewall
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\process.exe
  Filesize: 5KB
  MD5: 2bffa215e8de32a499e70c7e8d2d2f49
  SHA1: b47e57184812b3c4f95a43be34fd5970d65ba699
  SHA256: 1d6283a87158b72765a2ee1ad98f4fcfc66f3f00a689142bbb282d47965f9882
  SHA512: 850480028421d66a8dafb1b80a4963a286a0c08d782fece10bd9b721b02b8726fb8ba98c0d58123b0fbea416fbad206aa4724ad50c7e94edeb3c7ce32eece420
- memory/1536-135-0x0000000000000000-mapping.dmp
- memory/1536-139-0x0000000005A70000-0x0000000005B02000-memory.dmp
  Filesize: 584KB
- memory/1536-140-0x0000000005A40000-0x0000000005A4A000-memory.dmp
  Filesize: 40KB
- memory/3304-138-0x0000000000000000-mapping.dmp
- memory/3704-132-0x00000000005B0000-0x00000000005B8000-memory.dmp
  Filesize: 32KB
- memory/3704-133-0x0000000004F00000-0x0000000004F9C000-memory.dmp
  Filesize: 624KB
- memory/3704-134-0x0000000005F20000-0x00000000064C4000-memory.dmp
  Filesize: 5.6MB