Analysis
- max time kernel: 133s
- max time network: 136s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06-02-2023 18:02

Static task: static1
Behavioral task: behavioral1
Sample: tmp.exe
Resource: win7-20220901-en
General
- Target: tmp.exe
- Size: 5.2MB
- MD5: b7b3d9c39854372b2b4eca4213bab256
- SHA1: 533e7a9997de8e5fed702e623dc5d0c41df2d461
- SHA256: b34748df4525113b3dc212c943295b4c33ef7b956e89505fd5cf5fe66ee6845a
- SHA512: 59af5cc6130efa6f3276096ccb7de913e797f4a15e9d6f3292c533dda41b21c91eaed52fa73fc234258dd9f062997af005ed9a4ff51008539fc61cc5f1a42e73
- SSDEEP: 98304:Z6F6wSNExkQZSfmaoJhLgV+YR4mGurdGn0fdY6ka4uJ5eMFMnzvaJxxBANw:Z6KI5Z5cR4uE0lR4+55FMzvgDmw
Malware Config
Extracted
amadey
3.66
5.75.139.35/so57Nst/index.php
Signatures
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes (tmp.exe):
    description | ioc | process
    Key value queried | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation | tmp.exe
- Executes dropped EXE (1 IoCs)
  Processes (nbveek.exe):
    pid | process
    2516 | nbveek.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (4 IoCs)
  Processes (tmp.exe, nbveek.exe):
    pid | process
    4892 | tmp.exe
    4892 | tmp.exe
    2516 | nbveek.exe
    2516 | nbveek.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (12 IoCs)
  Processes (tmp.exe, nbveek.exe):
    pid | process
    4892 | tmp.exe
    4892 | tmp.exe
    4892 | tmp.exe
    4892 | tmp.exe
    4892 | tmp.exe
    4892 | tmp.exe
    2516 | nbveek.exe
    2516 | nbveek.exe
    2516 | nbveek.exe
    2516 | nbveek.exe
    2516 | nbveek.exe
    2516 | nbveek.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes (tmp.exe):
    description | pid | process | target process
    PID 4892 wrote to memory of 2516 | 4892 | tmp.exe | nbveek.exe
    PID 4892 wrote to memory of 2516 | 4892 | tmp.exe | nbveek.exe
    PID 4892 wrote to memory of 2516 | 4892 | tmp.exe | nbveek.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\tmp.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
  - Checks computer location settings
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\a2b4a0f2f6\nbveek.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\a2b4a0f2f6\nbveek.exe"
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\a2b4a0f2f6\nbveek.exe
  Filesize: 5.2MB
  MD5: b7b3d9c39854372b2b4eca4213bab256
  SHA1: 533e7a9997de8e5fed702e623dc5d0c41df2d461
  SHA256: b34748df4525113b3dc212c943295b4c33ef7b956e89505fd5cf5fe66ee6845a
  SHA512: 59af5cc6130efa6f3276096ccb7de913e797f4a15e9d6f3292c533dda41b21c91eaed52fa73fc234258dd9f062997af005ed9a4ff51008539fc61cc5f1a42e73
- memory/2516-142-0x0000000000000000-mapping.dmp
- memory/2516-145-0x0000000000400000-0x0000000000C7A000-memory.dmp
  Filesize: 8.5MB
- memory/2516-146-0x0000000000400000-0x0000000000C7A000-memory.dmp
  Filesize: 8.5MB
- memory/2516-150-0x0000000000400000-0x0000000000C7A000-memory.dmp
  Filesize: 8.5MB
- memory/4892-132-0x0000000000400000-0x0000000000C7A000-memory.dmp
  Filesize: 8.5MB
- memory/4892-136-0x0000000000400000-0x0000000000C7A000-memory.dmp
  Filesize: 8.5MB
- memory/4892-137-0x00000000012F0000-0x0000000001331000-memory.dmp
  Filesize: 260KB
- memory/4892-144-0x0000000000400000-0x0000000000C7A000-memory.dmp
  Filesize: 8.5MB