Analysis
max time kernel: 497s
max time network: 500s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19-02-2023 04:43
Static task: static1
Behavioral task: behavioral1
  Sample: file.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: file.exe
  Resource: win10v2004-20220901-en
General
Target: file.exe
Size: 2.0MB
MD5: a83d528c3debe4486cc91b5922040711
SHA1: 765d88a6a2ac079c0a7a7ac23dc630b82095339b
SHA256: 446deb48d5641c4977a2cdf9eb3722cbd4170a2eebd2d8c6fca1430767af04ad
SHA512: a8c3e4b182882e79a6b74f6d9cd6514d268b1703ff76c8e07dfb4944a7ed83051a8816b40b9a2c9927cdd73a09a932a0c2d9ea83a8007bd400d289c35b4e433f
SSDEEP: 24576:Nwksz4Fw2f16CwIUEirFZTUvIweQ3qRbYl6DLJMv4oVI1ZwF33z5hG4vkXZurFJ:4bCwIUE2jvdQ3mb1ZGvVkZ+3lfgy
Malware Config
Signatures
Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes: file.exe
    description: Key value queried
    ioc: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation
    process: file.exe
Loads dropped DLL (1 IoC)
  Processes: file.exe
    pid: 1952, process: file.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: powershell.exe
    pid: 2652, process: powershell.exe
    pid: 2652, process: powershell.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: file.exe, powershell.exe
    description: Token: SeDebugPrivilege, pid: 1952, process: file.exe
    description: Token: SeDebugPrivilege, pid: 2652, process: powershell.exe
Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes: file.exe
    pid: 1952, process: file.exe
    pid: 1952, process: file.exe
Suspicious use of WriteProcessMemory (2 IoCs)
  Processes: file.exe
    description: PID 1952 wrote to memory of 2652, pid: 1952, process: file.exe, target process: powershell.exe
    description: PID 1952 wrote to memory of 2652, pid: 1952, process: file.exe, target process: powershell.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\file.exe (process tree depth 1)
   Command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
   - Checks computer location settings
   - Loads dropped DLL
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (process tree depth 2)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
      (the -ENC argument is base64-encoded UTF-16LE and decodes to: set-mppreference -exclusionpath C:\ )
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\517ed413-7642-48b7-a7f7-416d48d677d4\AgileDotNetRT64.dll
  Filesize: 75KB
  MD5: 42b2c266e49a3acd346b91e3b0e638c0
  SHA1: 2bc52134f03fcc51cb4e0f6c7cf70646b4df7dd1
  SHA256: adeed015f06efa363d504a18acb671b1db4b20b23664a55c9bc28aef3283ca29
  SHA512: 770822fd681a1d98afe03f6fbe5f116321b54c8e2989fb07491811fd29fca5b666f1adf4c6900823af1271e342cacc9293e9db307c4eef852d1a253b00347a81
memory/1952-132-0x0000000000BC0000-0x0000000000DD0000-memory.dmp
  Filesize: 2.1MB
memory/1952-134-0x00007FF98E6A0000-0x00007FF98E7EE000-memory.dmp
  Filesize: 1.3MB
memory/1952-135-0x00007FF98FDF0000-0x00007FF9908B1000-memory.dmp
  Filesize: 10.8MB
memory/1952-140-0x00007FF98FDF0000-0x00007FF9908B1000-memory.dmp
  Filesize: 10.8MB
memory/2652-136-0x0000000000000000-mapping.dmp
memory/2652-137-0x000001E82FF80000-0x000001E82FFA2000-memory.dmp
  Filesize: 136KB
memory/2652-138-0x00007FF98FDF0000-0x00007FF9908B1000-memory.dmp
  Filesize: 10.8MB
memory/2652-139-0x00007FF98FDF0000-0x00007FF9908B1000-memory.dmp
  Filesize: 10.8MB