Analysis
-
max time kernel
90s -
max time network
156s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system -
submitted
29-01-2023 17:42
Static task
static1
Behavioral task
behavioral1
Sample
f1b2446558e35df613366ca1bff2e0120113e21aa593c4f1f449f1e554d1dc3e.exe
Resource
win7-20220812-en
General
-
Target
f1b2446558e35df613366ca1bff2e0120113e21aa593c4f1f449f1e554d1dc3e.exe
-
Size
286KB
-
MD5
2ea0561bb3cdae9cf682703de2933a43
-
SHA1
827696cf98926dea8bfde038de228b7778d0ff56
-
SHA256
f1b2446558e35df613366ca1bff2e0120113e21aa593c4f1f449f1e554d1dc3e
-
SHA512
e6fac7e489e967cb2174016e3236b0acfe60625b8286bc35dd35c0c5cd5716b284891f68033b05b211380dd135aabd93ff25e18ed8ddeb0c536e29bbc7f92cdb
-
SSDEEP
6144:FBeVV56G+JCBe35SVPilxd50wX2n9RzozaFCu6/u3W:FBgVNPwdR2oOkuku3W
Malware Config
Extracted
gootkit
6546
servicemanager.icu
partnerservice.xyz
-
vendor_id
6546
Signatures
-
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion f1b2446558e35df613366ca1bff2e0120113e21aa593c4f1f449f1e554d1dc3e.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation f1b2446558e35df613366ca1bff2e0120113e21aa593c4f1f449f1e554d1dc3e.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 4848 wrote to memory of 3320 4848 f1b2446558e35df613366ca1bff2e0120113e21aa593c4f1f449f1e554d1dc3e.exe 81 PID 4848 wrote to memory of 3320 4848 f1b2446558e35df613366ca1bff2e0120113e21aa593c4f1f449f1e554d1dc3e.exe 81 PID 4848 wrote to memory of 3320 4848 f1b2446558e35df613366ca1bff2e0120113e21aa593c4f1f449f1e554d1dc3e.exe 81 PID 3320 wrote to memory of 540 3320 cmd.exe 83 PID 3320 wrote to memory of 540 3320 cmd.exe 83 PID 3320 wrote to memory of 540 3320 cmd.exe 83 -
Views/modifies file attributes 1 TTPs 1 IoCs
pid Process 540 attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\f1b2446558e35df613366ca1bff2e0120113e21aa593c4f1f449f1e554d1dc3e.exe"C:\Users\Admin\AppData\Local\Temp\f1b2446558e35df613366ca1bff2e0120113e21aa593c4f1f449f1e554d1dc3e.exe"1⤵
- Checks BIOS information in registry
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4848 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240563765.bat" "C:\Users\Admin\AppData\Local\Temp\f1b2446558e35df613366ca1bff2e0120113e21aa593c4f1f449f1e554d1dc3e.exe""2⤵
- Suspicious use of WriteProcessMemory
PID:3320 -
C:\Windows\SysWOW64\attrib.exeattrib -r -s -h "C:\Users\Admin\AppData\Local\Temp\f1b2446558e35df613366ca1bff2e0120113e21aa593c4f1f449f1e554d1dc3e.exe"3⤵
- Views/modifies file attributes
PID:540
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
76B
MD520b700c306f996b9811d9318d99801e9
SHA16b847779cfd2f1176ec20b6a75b1c85ca867ea4f
SHA256d18c82b8b6bec1e035837083748193d4eb07a76e4c8f19684087fc812336ac9f
SHA512b49383cbd3e324e1ab3b5b1aadd5daadc7d9bfc7ea5fc7176b58b5baaf7777687f43072ea510fee5f4dcd427d0e2768a92a229d3e933c91f37bcc00b1a55efb1