Analysis
-
max time kernel
120s
-
max time network
120s
-
platform
windows10-2004_x64
-
resource
win10v2004-20230220-en
-
resource tags
arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
-
submitted
27-03-2023 17:22
Static task
static1
Behavioral task
behavioral1
Sample
file.exe
Resource
win10v2004-20230220-en
General
-
Target
file.exe
-
Size
78KB
-
MD5
c6aba0d34122d527c292e82279ad34c6
-
SHA1
5c0840af784d6af1f474f66dd22adf9c1abd9f07
-
SHA256
a8b7a1b11e3590c2d4363e3ecec57a3d7ad4be0992193a039bb105b5fe9b6500
-
SHA512
cec9ff6ba671779d92e32428ba84bac4e068c99274d45c02ec94fc260575ceacb078820e516e247754bb3637b1d6ed78e8a624ea3969aa370b65a1965e1cd5a6
-
SSDEEP
1536:lAc2OsgQW/wGJQB/4hbatuV1gD7boqMN61PQu4IgkOk8K/RABoJTGsqZ2eY7hBlZ:lrW4wGJIQco4D7bodXlIgxVK/sQqPYdR
Malware Config
Extracted
xworm
soon-lp.at.ply.gg:17209
G7BSoodIKNHsk7C8
-
install_file
USB.exe
Signatures
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: file.exe, myFile.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation | file.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation | myFile.exe
-
Drops startup file 2 IoCs
Processes: myFile.exe
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\myFile.lnk | myFile.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\myFile.lnk | myFile.exe
-
Executes dropped EXE 3 IoCs
Processes: myFile.exe, myFile.exe, myFile.exe
pid | process
4296 | myFile.exe
620 | myFile.exe
2304 | myFile.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes: myFile.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\myFile = "C:\\Users\\Admin\\AppData\\Roaming\\myFile.exe" | myFile.exe
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
6 | ip-api.com
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes: myFile.exe, myFile.exe, myFile.exe
description | pid | process
Token: SeDebugPrivilege | 4296 | myFile.exe
Token: SeDebugPrivilege | 4296 | myFile.exe
Token: SeDebugPrivilege | 620 | myFile.exe
Token: SeDebugPrivilege | 2304 | myFile.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes: file.exe, myFile.exe
description | pid | process | target process
PID 1168 wrote to memory of 4296 | 1168 | file.exe | myFile.exe
PID 1168 wrote to memory of 4296 | 1168 | file.exe | myFile.exe
PID 4296 wrote to memory of 4516 | 4296 | myFile.exe | schtasks.exe
PID 4296 wrote to memory of 4516 | 4296 | myFile.exe | schtasks.exe
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
  C:\Users\Admin\AppData\Local\Temp\myFile.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\myFile.exe"
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  -
    C:\Windows\System32\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "myFile" /tr "C:\Users\Admin\AppData\Roaming\myFile.exe"
    - Creates scheduled task(s)
-
C:\Users\Admin\AppData\Roaming\myFile.exe
Command line: C:\Users\Admin\AppData\Roaming\myFile.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\myFile.exe
Command line: C:\Users\Admin\AppData\Roaming\myFile.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\myFile.exe.log
Filesize
654B
MD5
2ff39f6c7249774be85fd60a8f9a245e
SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1
-
C:\Users\Admin\AppData\Local\Temp\myFile.exe
Filesize
39KB
MD5
d8eea36339d0a086726466a84da3f0af
SHA1
9142f5dea09185b825dd1f49fedd4c1b2f9fb7ad
SHA256
66fef291c5314a7a20d2d8535ca351bcdd47bafb41136c8855f5ed460be856e1
SHA512
124690ddd7d8269d4d85bafb1249fa720230a44f4c3db49ebd3589e0ba2e109400ad344e31ecda6d2cefb38ef17be137b3e7b7ad617f1e762f4d41c2541bfb8b
-
C:\Users\Admin\AppData\Roaming\myFile.exe
Filesize
39KB
MD5
d8eea36339d0a086726466a84da3f0af
SHA1
9142f5dea09185b825dd1f49fedd4c1b2f9fb7ad
SHA256
66fef291c5314a7a20d2d8535ca351bcdd47bafb41136c8855f5ed460be856e1
SHA512
124690ddd7d8269d4d85bafb1249fa720230a44f4c3db49ebd3589e0ba2e109400ad344e31ecda6d2cefb38ef17be137b3e7b7ad617f1e762f4d41c2541bfb8b
-
memory/1168-133-0x0000000000EA0000-0x0000000000EA8000-memory.dmp
Filesize
32KB
-
memory/1168-142-0x00000000058C0000-0x00000000058D0000-memory.dmp
Filesize
64KB
-
memory/4296-147-0x00000000002C0000-0x00000000002D0000-memory.dmp
Filesize
64KB
-
memory/4296-148-0x00000000022F0000-0x0000000002300000-memory.dmp
Filesize
64KB
-
memory/4296-157-0x00000000022F0000-0x0000000002300000-memory.dmp
Filesize
64KB