Analysis
  max time kernel: 152s
  max time network: 154s
  platform: windows10-2004_x64
  resource: win10v2004-20230220-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 10-04-2023 14:41
Static task
  static1
Behavioral task
  behavioral1
    Sample: file.exe
    Resource: win7-20230220-en
Behavioral task
  behavioral2
    Sample: file.exe
    Resource: win10v2004-20230220-en
General
  Target: file.exe
  Size: 755KB
  MD5: 0af3484ed04ac95e8a84d3b06c4180c0
  SHA1: 15943666568f09c0751b027a42413851df2c6932
  SHA256: 5655e7d53829fc5c81a4def81d2876aaeaec9ecc40eecc7966e51abba9c38e70
  SHA512: c4da82bacbeb4f1aa85421d99d0de53c847e720dbd686a55eec97a641464ee19411bb8e9c0959666d3ac80b3503d1dad65de5e08c91e18c620a9cecfb4bc7c05
  SSDEEP: 12288:VQi3oc6m6UR0Itlp1hf39Wkv8xwJld8kO:VQi4zHITpdUMkkO
Malware Config
Signatures
- Downloads MZ/PE file

- Drops file in Drivers directory (1 IoCs)
  Processes: mA3iz.exe
    description: File opened for modification
    ioc: C:\Windows\system32\drivers\etc\hosts
    process: mA3iz.exe

- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: mA3iz.exe
    description: Key value queried
    ioc: \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation
    process: mA3iz.exe

- Executes dropped EXE (3 IoCs)
  Processes: file.tmp, mA3iz.exe, SHishasinuty.exe
    pid 2364  process file.tmp
    pid 2984  process mA3iz.exe
    pid 1312  process SHishasinuty.exe

- Loads dropped DLL (1 IoCs)
  Processes: file.tmp
    pid 2364  process file.tmp

- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes: mA3iz.exe
    description: Set value (str)
    ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Windows NT\\SHishasinuty.exe\""
    process: mA3iz.exe

- Drops file in Program Files directory (3 IoCs)
  Processes: mA3iz.exe
    File created  C:\Program Files\Windows NT\LLJWKNSQGW\poweroff.exe  (mA3iz.exe)
    File created  C:\Program Files (x86)\Windows NT\SHishasinuty.exe  (mA3iz.exe)
    File created  C:\Program Files (x86)\Windows NT\SHishasinuty.exe.config  (mA3iz.exe)

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: mA3iz.exe
    description: Token: SeDebugPrivilege
    pid: 2984
    process: mA3iz.exe

- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes: file.exe, file.tmp, mA3iz.exe
    PID 2380 wrote to memory of 2364  (file.exe -> file.tmp)
    PID 2380 wrote to memory of 2364  (file.exe -> file.tmp)
    PID 2380 wrote to memory of 2364  (file.exe -> file.tmp)
    PID 2364 wrote to memory of 2984  (file.tmp -> mA3iz.exe)
    PID 2364 wrote to memory of 2984  (file.tmp -> mA3iz.exe)
    PID 2984 wrote to memory of 1312  (mA3iz.exe -> SHishasinuty.exe)
    PID 2984 wrote to memory of 1312  (mA3iz.exe -> SHishasinuty.exe)
Processes
  1. C:\Users\Admin\AppData\Local\Temp\file.exe
     Command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
     PID: 2380
     - Suspicious use of WriteProcessMemory
     2. C:\Users\Admin\AppData\Local\Temp\is-SMCPJ.tmp\file.tmp
        Command line: "C:\Users\Admin\AppData\Local\Temp\is-SMCPJ.tmp\file.tmp" /SL5="$F0040,506127,422400,C:\Users\Admin\AppData\Local\Temp\file.exe"
        PID: 2364
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
        3. C:\Users\Admin\AppData\Local\Temp\is-AEUD6.tmp\mA3iz.exe
           Command line: "C:\Users\Admin\AppData\Local\Temp\is-AEUD6.tmp\mA3iz.exe" /S /UID=flabs2
           PID: 2984
           - Drops file in Drivers directory
           - Checks computer location settings
           - Executes dropped EXE
           - Adds Run key to start application
           - Drops file in Program Files directory
           - Suspicious use of AdjustPrivilegeToken
           - Suspicious use of WriteProcessMemory
           4. C:\Users\Admin\AppData\Local\Temp\64-65905-617-f9a80-de279e187db47\SHishasinuty.exe
              Command line: "C:\Users\Admin\AppData\Local\Temp\64-65905-617-f9a80-de279e187db47\SHishasinuty.exe"
              PID: 1312
              - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads
  - Filesize: 499KB
    MD5: f32b8def722876287f9424f3f3c41d2e
    SHA1: 1f4d70acbafd6ca395baea692300dc26bbc6319a
    SHA256: 2ccb90a9fa5b043283533a40fe2e91c7618c5957625ce4328da1746b7bb6a434
    SHA512: f9a821ffab281411fe2b2f8b34842ceb0d5400d699162c6e8fe69af6a5044d5328b18d91f07636b8c6d7e0e8eda181778d0dd1fb86837e26563140ef332d49e3
  - Filesize: 1KB
    MD5: 98d2687aec923f98c37f7cda8de0eb19
    SHA1: f6dcfcdcfe570340ecdbbd9e2a61f3cb4f281ba7
    SHA256: 8a94163256a722ef8cc140bcd115a5b8f8725c04fe158b129d47be81cb693465
    SHA512: 95c7290d59749df8df495e04789c1793265e0f34e0d091df5c0d4aefe1af4c8ac1f5460f1f198fc28c4c8c900827b8f22e2851957bbaea5914ea962b3a1d0590
  - Filesize: 51KB
    MD5: 706e2a45851cf828fb00a0728a19b6ad
    SHA1: 257a3528ada521c54d710866108a7b28ee057d82
    SHA256: e23ae43e76b7ecea87e612436d5880d901e28dd223290563f2db21b2f615f60d
    SHA512: 63520654c79dcb239a2d82a1930d23ba3319ac681851c355079c4fbb0ca381900b25ac2a615d577e39b866cb506fe032c56994a5d94f5f98097b96804da109f3
  - Filesize: 216KB
    MD5: 8f995688085bced38ba7795f60a5e1d3
    SHA1: 5b1ad67a149c05c50d6e388527af5c8a0af4343a
    SHA256: 203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006
    SHA512: 043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35
  - Filesize: 573KB
    MD5: 4de7538747bf36f826099aceed872175
    SHA1: a5bc0deeff3e816b896c06961fa03c646122a11f
    SHA256: 803b4fc6bc93a0bb84716cdf5ef8649f7ec9da9821d60bb093a08609d480943d
    SHA512: 0cf8fc887a65dc620fd3fc4acf0bdfaf3aa8fb1f710c8898620437880128490f98633824d174383876e4f83a4f42be1a581c62d7ca25d63db30c9a00650cca5c
  - Filesize: 1.0MB
    MD5: 6e8d8cabf1efb3f98adba1eed48e5a1e
    SHA1: 6ca75501f3eb4753afe1810ba761588021bd68c9
    SHA256: 8db82765fa0993c181346d9182d013271b7326e4c8415ce1e97bf606cd6474f6
    SHA512: e3bb3029a9b50cfa18dc616aa2e04b7d0537efdedeb83ee40e976f5089e3e76b844c1e7e85d867f6c925ef8d8ed79de60a4ea7de5ee6127a52c6f7bbfcb7690f