a1082d01ede1f5fa700be2420ec96047a699d0579c15ddb2f54233a24ac3a7e9

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
01-01-2024 14:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b21f34ecfa7135153d506b3fde2a0d0bd23b44eccedc635cbfa474e321040273.exe
Size

352KB
MD5

4f88b5e510ecbd0adefdfc87c552289c
SHA1

047ec67b8e3c001086284d7176b2d239db565fb5
SHA256

b21f34ecfa7135153d506b3fde2a0d0bd23b44eccedc635cbfa474e321040273
SHA512

75b86d6de4bec5285559f7e9a0dbf46df48dbdf78386023e5f8668a7814bc1db5322d8bf9d306cfd65175112b94366641d671175d59d3edacc3d2b2ba802f348
SSDEEP

6144:X9PrHO8306KFnBCzDIZXY3HJmui45mkA2/1:drHBpgkDuoEuXbJ

Score

9^/10

persistence ransomware

Malware Config

Signatures

Renames multiple (112) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

b21f34ecfa7135153d506b3fde2a0d0bd23b44eccedc635cbfa474e321040273.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	b21f34ecfa7135153d506b3fde2a0d0bd23b44eccedc635cbfa474e321040273.exe

Executes dropped EXE 1 IoCs

Processes:

dwa01.exe

pid process

3044 dwa01.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

b21f34ecfa7135153d506b3fde2a0d0bd23b44eccedc635cbfa474e321040273.exedwa01.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\{67B97992-033F-589A-AA66-FFC16ECB2C0C} = "C:\\Users\\Admin\\AppData\\Roaming\\dwa01.exe"	b21f34ecfa7135153d506b3fde2a0d0bd23b44eccedc635cbfa474e321040273.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{67B97992-033F-589A-AA66-FFC16ECB2C0C} = "notepad.exe \"C:\\Users\\Admin\\RECOVER-FILES.HTML\""	dwa01.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

dwa01.exe

pid	process
3044	dwa01.exe
3044	dwa01.exe
3044	dwa01.exe
3044	dwa01.exe
3044	dwa01.exe
3044	dwa01.exe
3044	dwa01.exe
3044	dwa01.exe
3044	dwa01.exe
3044	dwa01.exe
3044	dwa01.exe
3044	dwa01.exe
3044	dwa01.exe
3044	dwa01.exe
3044	dwa01.exe
3044	dwa01.exe
3044	dwa01.exe
3044	dwa01.exe
3044	dwa01.exe
3044	dwa01.exe
3044	dwa01.exe
3044	dwa01.exe
3044	dwa01.exe
3044	dwa01.exe
3044	dwa01.exe
3044	dwa01.exe
3044	dwa01.exe
3044	dwa01.exe
3044	dwa01.exe
3044	dwa01.exe
3044	dwa01.exe
3044	dwa01.exe
3044	dwa01.exe
3044	dwa01.exe
3044	dwa01.exe
3044	dwa01.exe
3044	dwa01.exe
3044	dwa01.exe
3044	dwa01.exe
3044	dwa01.exe
3044	dwa01.exe
3044	dwa01.exe
3044	dwa01.exe
3044	dwa01.exe
3044	dwa01.exe
3044	dwa01.exe
3044	dwa01.exe
3044	dwa01.exe
3044	dwa01.exe
3044	dwa01.exe
3044	dwa01.exe
3044	dwa01.exe
3044	dwa01.exe
3044	dwa01.exe
3044	dwa01.exe
3044	dwa01.exe
3044	dwa01.exe
3044	dwa01.exe
3044	dwa01.exe
3044	dwa01.exe
3044	dwa01.exe
3044	dwa01.exe
3044	dwa01.exe
3044	dwa01.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

b21f34ecfa7135153d506b3fde2a0d0bd23b44eccedc635cbfa474e321040273.exedwa01.execmd.exe

description	pid	process	target process
PID 3276 wrote to memory of 3044	3276	b21f34ecfa7135153d506b3fde2a0d0bd23b44eccedc635cbfa474e321040273.exe	dwa01.exe
PID 3276 wrote to memory of 3044	3276	b21f34ecfa7135153d506b3fde2a0d0bd23b44eccedc635cbfa474e321040273.exe	dwa01.exe
PID 3276 wrote to memory of 3044	3276	b21f34ecfa7135153d506b3fde2a0d0bd23b44eccedc635cbfa474e321040273.exe	dwa01.exe
PID 3276 wrote to memory of 5108	3276	b21f34ecfa7135153d506b3fde2a0d0bd23b44eccedc635cbfa474e321040273.exe	cmd.exe
PID 3276 wrote to memory of 5108	3276	b21f34ecfa7135153d506b3fde2a0d0bd23b44eccedc635cbfa474e321040273.exe	cmd.exe
PID 3276 wrote to memory of 5108	3276	b21f34ecfa7135153d506b3fde2a0d0bd23b44eccedc635cbfa474e321040273.exe	cmd.exe
PID 3044 wrote to memory of 3948	3044	dwa01.exe	backgroundTaskHost.exe
PID 3044 wrote to memory of 3948	3044	dwa01.exe	backgroundTaskHost.exe
PID 3044 wrote to memory of 3948	3044	dwa01.exe	backgroundTaskHost.exe
PID 3044 wrote to memory of 3952	3044	dwa01.exe	cmd.exe
PID 3044 wrote to memory of 3952	3044	dwa01.exe	cmd.exe
PID 3044 wrote to memory of 3952	3044	dwa01.exe	cmd.exe
PID 3044 wrote to memory of 1540	3044	dwa01.exe	cmd.exe
PID 3044 wrote to memory of 1540	3044	dwa01.exe	cmd.exe
PID 3044 wrote to memory of 1540	3044	dwa01.exe	cmd.exe
PID 3044 wrote to memory of 3180	3044	dwa01.exe	cmd.exe
PID 3044 wrote to memory of 3180	3044	dwa01.exe	cmd.exe
PID 3044 wrote to memory of 3180	3044	dwa01.exe	cmd.exe
PID 3044 wrote to memory of 2676	3044	dwa01.exe	cmd.exe
PID 3044 wrote to memory of 2676	3044	dwa01.exe	cmd.exe
PID 3044 wrote to memory of 2676	3044	dwa01.exe	cmd.exe
PID 3180 wrote to memory of 1128	3180	cmd.exe	notepad.exe
PID 3180 wrote to memory of 1128	3180	cmd.exe	notepad.exe
PID 3180 wrote to memory of 1128	3180	cmd.exe	notepad.exe

C:\Users\Admin\AppData\Local\Temp\b21f34ecfa7135153d506b3fde2a0d0bd23b44eccedc635cbfa474e321040273.exe
"C:\Users\Admin\AppData\Local\Temp\b21f34ecfa7135153d506b3fde2a0d0bd23b44eccedc635cbfa474e321040273.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3276
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\{2D4BCDCF-589F-ED5E-4060-88C006CBEA8D}.bat
  2⤵
  PID:5108
- C:\Users\Admin\AppData\Roaming\dwa01.exe
  "C:\Users\Admin\AppData\Roaming\dwa01.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3044
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c vssadmin Delete Shadows /All /Quiet
    3⤵
    PID:3948
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    PID:1540
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c bcdedit /set {default} recoveryenabled No
    3⤵
    PID:3952
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\{33500832-EEB9-80C9-9217-799B251D1D98}.bat
    3⤵
    PID:2676
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c start /max notepad.exe "C:\Users\Admin\RECOVER-FILES.HTML"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3180

C:\Windows\SysWOW64\notepad.exe
notepad.exe "C:\Users\Admin\RECOVER-FILES.HTML"
1⤵
PID:1128

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:3948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\dwa01.exe

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/3044-33-0x0000000003BE0000-0x0000000003BE1000-memory.dmp

Filesize
4KB

Download
memory/3044-34-0x0000000003BE0000-0x0000000003BE1000-memory.dmp

Filesize
4KB

Download
memory/3044-30-0x0000000002330000-0x0000000002399000-memory.dmp

Filesize
420KB

Download
memory/3044-612-0x0000000003EF0000-0x0000000003F20000-memory.dmp

Filesize
192KB

Download
memory/3044-31-0x0000000002330000-0x0000000002399000-memory.dmp

Filesize
420KB

Download
memory/3044-607-0x0000000003CE0000-0x0000000003CE1000-memory.dmp

Filesize
4KB

Download
memory/3044-35-0x0000000003EF0000-0x0000000003F20000-memory.dmp

Filesize
192KB

Download
memory/3044-32-0x0000000003BE0000-0x0000000003BE1000-memory.dmp

Filesize
4KB

Download
memory/3044-44-0x0000000003EF0000-0x0000000003F20000-memory.dmp

Filesize
192KB

Download
memory/3276-6-0x0000000003D00000-0x0000000003D01000-memory.dmp

Filesize
4KB

Download
memory/3276-1-0x0000000003C00000-0x0000000003C01000-memory.dmp

Filesize
4KB

Download
memory/3276-0-0x0000000002320000-0x0000000002389000-memory.dmp

Filesize
420KB

Download
memory/3276-5-0x0000000003C00000-0x0000000003C01000-memory.dmp

Filesize
4KB

Download
memory/3276-4-0x0000000003C00000-0x0000000003C01000-memory.dmp

Filesize
4KB

Download
memory/3276-7-0x0000000003F10000-0x0000000003F40000-memory.dmp

Filesize
192KB

Download
memory/3276-2-0x0000000002320000-0x0000000002389000-memory.dmp

Filesize
420KB

Download
memory/3276-3-0x0000000003C00000-0x0000000003C01000-memory.dmp

Filesize
4KB

Download