Analysis
- max time kernel: 4265089s
- max time network: 170s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220112
- submitted: 16-01-2022 03:14

Static task: static1
Behavioral task: behavioral1
  - Sample: svchost.exe
  - Resource: win7-en-20211208
Behavioral task: behavioral2
  - Sample: svchost.exe
  - Resource: win10v2004-en-20220112
General
- Target: svchost.exe
- Size: 213KB
- MD5: 39f34aa65e3a95a53f3ec0675fc37905
- SHA1: b8206089a3841464c72ee695951854dfe08a82cd
- SHA256: 8e7393013f240334efe2ca52c8a3554628c479becab2b691d114e1e8b3ccd51d
- SHA512: 7c45d8ba6f080cccaaa3c663d44a796c077f786f48cd392bcb9fa7e60d3b424aa90ecb1ed3c1c810b1607610db42a59eb0a9cc452579e454ca6443b2b249b2cb
Malware Config
Signatures

Suspicious use of NtCreateProcessExOtherParentProcess (1 IoC)
  description            | pid   | Process      | procid_target
  PID 11460 created 1812 | 11460 | WerFault.exe | 52
  Raised by the Windows Error Reporting process (PID 11460, launched with -pss -s 432 -p 1812 -ip 1812) while it handles the target's crash, not by the target's own code.

Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery. The commands behind this signature are the vssadmin, wbadmin, wmic and bcdedit invocations the target spawns through cmd.exe; they are listed in the process tree.

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence check.
  description       | ioc                                                                                                   | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation | svchost.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (1 IoC)
  pid   | pid_target | Process      | procid_target
  11500 | 1812       | WerFault.exe | 52
  The crashing process is the target itself (pid_target 1812, handled by WerFault.exe -u -p 1812 -s 1220).

Checks processor information in registry (2 TTPs, 5 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description       | ioc                                                                                   | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                 | MusNotification.exe
  Key opened        | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                      | WerFault.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                 | WerFault.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  | WerFault.exe
  Key opened        | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0                      | MusNotification.exe
  All five IoCs come from MusNotification.exe and WerFault.exe, which are Windows components; none is attributed to the target process, so this signature is noise for this sample.

Enumerates system info in registry (2 TTPs, 2 IoCs)
  description       | ioc                                                         | Process
  Key opened        | \REGISTRY\MACHINE\Hardware\Description\System\BIOS           | WerFault.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
  Both IoCs come from WerFault.exe, not from the target.

Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid   | Process      | count
  1812  | svchost.exe  | 2
  11500 | WerFault.exe | 2

Suspicious use of AdjustPrivilegeToken (49 IoCs)
  Grouped by process. The numeric entries (33, 34, 35, 36) are privilege LUIDs the sandbox did not resolve to names.
  pid   | Process             | Tokens enabled
  1768  | MusNotification.exe | SeShutdownPrivilege, SeCreatePagefilePrivilege
  216   | WMIC.exe            | SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36 (this set of 21 is enabled twice, 42 IoCs)
  2964  | vssvc.exe           | SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
  11500 | WerFault.exe        | SeRestorePrivilege, SeBackupPrivilege
  None of these token adjustments is made by the target process itself. The WMIC.exe entry belongs to the "wmic SHADOWCOPY DELETE" child the target spawned; vssvc.exe is the Volume Shadow Copy service.

Suspicious use of WriteProcessMemory (23 IoCs)
  description                       | pid   | Process      | procid_target | count
  PID 1812 wrote to memory of 3996  | 1812  | svchost.exe  | 60            | 3
  PID 1812 wrote to memory of 924   | 1812  | svchost.exe  | 62            | 3
  PID 1812 wrote to memory of 1492  | 1812  | svchost.exe  | 64            | 3
  PID 1812 wrote to memory of 3180  | 1812  | svchost.exe  | 66            | 3
  PID 1812 wrote to memory of 3476  | 1812  | svchost.exe  | 68            | 3
  PID 1812 wrote to memory of 2800  | 1812  | svchost.exe  | 70            | 3
  PID 3180 wrote to memory of 216   | 3180  | cmd.exe      | 72            | 3
  PID 11460 wrote to memory of 1812 | 11460 | WerFault.exe | 52            | 2
  Every write by PID 1812 and PID 3180 targets a child that the same process creates in the process tree, so these coincide with process creation rather than with injection into an unrelated process. The writes by WerFault.exe (11460) into the target are part of crash reporting.
Processes

- C:\Users\Admin\AppData\Local\Temp\svchost.exe  (PID 1812)
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    Checks computer location settings; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe  (PID 3996)
      "C:\Windows\System32\cmd.exe" /c "vssadmin delete shadows /all /quiet"
  - C:\Windows\SysWOW64\cmd.exe  (PID 924)
      "C:\Windows\System32\cmd.exe" /c "wbadmin DELETE SYSTEMSTATEBACKUP -keepVersions:0"
  - C:\Windows\SysWOW64\cmd.exe  (PID 1492)
      "C:\Windows\System32\cmd.exe" /c "wbadmin DELETE BACKUP -keepVersions:0"
  - C:\Windows\SysWOW64\cmd.exe  (PID 3180)
      "C:\Windows\System32\cmd.exe" /c "wmic SHADOWCOPY DELETE"
      Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\Wbem\WMIC.exe  (PID 216)
        wmic SHADOWCOPY DELETE
        Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\cmd.exe  (PID 3476)
      "C:\Windows\System32\cmd.exe" /c "bcdedit /set {default} recoveryenabled No"
  - C:\Windows\SysWOW64\cmd.exe  (PID 2800)
      "C:\Windows\System32\cmd.exe" /c "bcdedit /set {default} bootstatuspolicy ignoreallfailures"
  - C:\Windows\SysWOW64\WerFault.exe  (PID 11500)
      C:\Windows\SysWOW64\WerFault.exe -u -p 1812 -s 1220
      Program crash; Checks processor information in registry; Enumerates system info in registry; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\MusNotification.exe  (PID 1768)
    C:\Windows\system32\MusNotification.exe
    Checks processor information in registry; Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\vssvc.exe  (PID 2964)
    C:\Windows\system32\vssvc.exe
    Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\WerFault.exe  (PID 11460)
    C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1812 -ip 1812
    Suspicious use of NtCreateProcessExOtherParentProcess; Suspicious use of WriteProcessMemory

The image of every cmd.exe child is C:\Windows\SysWOW64\cmd.exe although its command line names System32\cmd.exe: the target is a 32-bit process (its crash handler is also the SysWOW64 WerFault.exe), so WoW64 file-system redirection maps System32 to SysWOW64. A detection rule that anchors on the System32 path would miss this. The six commands the target issues through cmd.exe (vssadmin delete shadows, wbadmin DELETE SYSTEMSTATEBACKUP, wbadmin DELETE BACKUP, wmic SHADOWCOPY DELETE, and the two bcdedit settings that disable the recovery environment and suppress boot-failure handling) remove shadow copies and Windows backups and prevent recovery boot; together they are the IoCs behind the "Deletes shadow copies" signature.
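Detection logic for the backup-deletion chain in the process tree above, as an added example; this is not code from the sandbox vendor or from the sample. It rebuilds the tree as Sysmon-style ProcessCreate records (the field names ProcessId, ParentProcessId, Image and CommandLine are Sysmon's; the values are taken from the report, except the target's parent PID, which the report does not show and is set to 0 here), matches each command line against T1490 patterns, and attributes every hit to the process that really issued it by walking up through cmd.exe and WMIC.exe. A single hit is not reported: the threshold of two distinct techniques under one originator is an assumption chosen so that an administrator running vssadmin once does not fire the rule. The masquerading check (a system-binary name outside the Windows system directories) is a separate heuristic added for the Temp\svchost.exe path.

```python
import ntpath
import re
from collections import defaultdict
from typing import Dict, Iterable, List

# T1490 (Inhibit System Recovery) command-line patterns, one per tool in the tree.
# Case-insensitive: the sample mixes "vssadmin delete shadows" and "wbadmin DELETE BACKUP".
T1490_PATTERNS = [
    ("vssadmin_delete_shadows",
     re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I)),
    ("wbadmin_delete_backup",
     re.compile(r"\bwbadmin(?:\.exe)?\s+delete\s+(?:systemstatebackup|backup|catalog)\b", re.I)),
    ("wmic_shadowcopy_delete",
     re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("bcdedit_recoveryenabled_no",
     re.compile(r"\bbcdedit(?:\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no\b", re.I)),
    ("bcdedit_bootstatuspolicy_ignore",
     re.compile(r"\bbcdedit(?:\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures\b", re.I)),
]

# Interpreters that only relay a command: walk through them so that
# "svchost.exe -> cmd.exe -> WMIC.exe" is attributed to svchost.exe, not to cmd.exe.
WRAPPERS = {"cmd.exe", "wmic.exe", "powershell.exe", "pwsh.exe"}

# T1036: a well-known system-binary name running from outside the system directories.
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "explorer.exe"}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")


def match_t1490(command_line: str) -> List[str]:
    """Names of every T1490 pattern that fires on a single command line."""
    return [name for name, rx in T1490_PATTERNS if rx.search(command_line)]


def originator(pid: int, by_pid: Dict[int, dict]) -> int:
    """Walk up through wrapper interpreters to the process that really issued the command."""
    seen = set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        if ntpath.basename(by_pid[pid]["Image"]).lower() not in WRAPPERS:
            return pid
        pid = by_pid[pid]["ParentProcessId"]
    return pid  # chain left the event set; report the last PID we could see


def is_masquerading(image: str) -> bool:
    """True when a system-binary name runs from a directory outside System32/SysWOW64."""
    name = ntpath.basename(image).lower()
    return name in SYSTEM_NAMES and not ntpath.dirname(image).lower().startswith(SYSTEM_DIRS)


def detect(events: Iterable[dict], min_techniques: int = 2) -> Dict[int, dict]:
    """Map originator PID -> finding for every process whose descendants ran at least
    `min_techniques` distinct recovery-inhibiting commands (threshold is an assumption)."""
    events = list(events)
    by_pid = {ev["ProcessId"]: ev for ev in events}
    techniques = defaultdict(set)
    for ev in events:
        for name in match_t1490(ev["CommandLine"]):
            techniques[originator(ev["ProcessId"], by_pid)].add(name)
    findings = {}
    for pid, names in techniques.items():
        if len(names) >= min_techniques:
            image = by_pid[pid]["Image"] if pid in by_pid else "<unknown>"
            findings[pid] = {"image": image, "techniques": sorted(names),
                             "masquerading": is_masquerading(image)}
    return findings


# Constructed Sysmon-style records rebuilt from the process tree in the report.
# ParentProcessId 0 for the target is an assumption: the report does not show its parent.
def _ev(pid, ppid, image, cmdline):
    return {"ProcessId": pid, "ParentProcessId": ppid, "Image": image, "CommandLine": cmdline}

CMD = r"C:\Windows\SysWOW64\cmd.exe"   # WoW64 redirection: command line says System32
SAMPLE_EVENTS = [
    _ev(1812, 0, r"C:\Users\Admin\AppData\Local\Temp\svchost.exe",
        r'"C:\Users\Admin\AppData\Local\Temp\svchost.exe"'),
    _ev(3996, 1812, CMD, r'"C:\Windows\System32\cmd.exe" /c "vssadmin delete shadows /all /quiet"'),
    _ev(924, 1812, CMD, r'"C:\Windows\System32\cmd.exe" /c "wbadmin DELETE SYSTEMSTATEBACKUP -keepVersions:0"'),
    _ev(1492, 1812, CMD, r'"C:\Windows\System32\cmd.exe" /c "wbadmin DELETE BACKUP -keepVersions:0"'),
    _ev(3180, 1812, CMD, r'"C:\Windows\System32\cmd.exe" /c "wmic SHADOWCOPY DELETE"'),
    _ev(216, 3180, r"C:\Windows\SysWOW64\Wbem\WMIC.exe", r"wmic SHADOWCOPY DELETE"),
    _ev(3476, 1812, CMD, r'"C:\Windows\System32\cmd.exe" /c "bcdedit /set {default} recoveryenabled No"'),
    _ev(2800, 1812, CMD, r'"C:\Windows\System32\cmd.exe" /c "bcdedit /set {default} bootstatuspolicy ignoreallfailures"'),
    # Crash-handler noise from the same tree; it must not contribute to the finding.
    _ev(11500, 1812, r"C:\Windows\SysWOW64\WerFault.exe", r"C:\Windows\SysWOW64\WerFault.exe -u -p 1812 -s 1220"),
]

if __name__ == "__main__":
    for pid, finding in detect(SAMPLE_EVENTS).items():
        print(pid, finding)
```

Run against the constructed events, the detector reports a single originator, PID 1812, with all five techniques and the masquerading flag set; the WMIC.exe child (PID 216) and its cmd.exe parent both match the wmic pattern but collapse into one technique under the originator, and WerFault.exe matches nothing.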