Analysis
- max time kernel: 153s
- max time network: 156s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 31-01-2022 04:00

Static task: static1
Behavioral task: behavioral1
- Sample: 65090baf82e20c9e32615031d3dfb12b483ba4a1a2f8a4d226cc8aae8b7762b2.exe
- Resource: win7-en-20211208
General
- Target: 65090baf82e20c9e32615031d3dfb12b483ba4a1a2f8a4d226cc8aae8b7762b2.exe
- Size: 253KB
- MD5: 1e3df53f02b103486c1a7bfab4c8281c
- SHA1: 68954874ab932ca885cdde3a5f4102dee272fdc5
- SHA256: 65090baf82e20c9e32615031d3dfb12b483ba4a1a2f8a4d226cc8aae8b7762b2
- SHA512: 8c9f119c76f8cdef31355b9db00792551f8b376f9fe029985f91c4cd519e283cfde09ac7bee7abf55c789f629da6a9022b2c4e6bd9e3d8e096db39f413134296
Malware Config
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Process: 65090baf82e20c9e32615031d3dfb12b483ba4a1a2f8a4d226cc8aae8b7762b2.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\Microsîft\\svchost.exe"
  The dropped copy is appended after the stock entry (the default Userinit data is "C:\Windows\system32\userinit.exe,"), so Winlogon starts it at every interactive logon without breaking the normal logon sequence. Note the look-alike directory name: "Microsîft" with U+00EE in place of the "o", chosen to pass as a Microsoft folder under %APPDATA%.
- Executes dropped EXE (1 IoC)
  Process: svchost.exe (PID 504)
- YARA rule match: upx (2 IoCs)
  Resource: C:\Users\Admin\AppData\Roaming\Microsîft\svchost.exe matched rule upx (reported twice for the same path)
  The dropped file is UPX-packed; a 253KB file on disk producing the 1.3MB memory regions dumped from PIDs 504 and 2780 (Downloads, below) is consistent with that.
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Process: 65090baf82e20c9e32615031d3dfb12b483ba4a1a2f8a4d226cc8aae8b7762b2.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Control Panel\International\Geo\Nation
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: 65090baf82e20c9e32615031d3dfb12b483ba4a1a2f8a4d226cc8aae8b7762b2.exe, svchost.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsîft\\svchost.exe" (written by 65090baf82e20c9e32615031d3dfb12b483ba4a1a2f8a4d226cc8aae8b7762b2.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsîft\\svchost.exe" (written again by the dropped svchost.exe)
  The same per-user Run value is written twice, once by the dropper and once by the dropped copy, so the second-stage process re-asserts its own persistence. Combined with the Userinit modification, the sample has two independent logon-time autostart paths.
- Enumerates physical storage devices (1 TTP, no IoCs listed)
  Attempts to interact with connected storage/optical drive(s). The sandbox's canned description adds "likely ransomware behaviour", but it recorded no IoC for this signature and nothing else in the report shows file enumeration, encryption or ransom-note activity; treat this rule as a weak indicator for this sample.
- Modifies registry class (1 IoC)
  Process: 65090baf82e20c9e32615031d3dfb12b483ba4a1a2f8a4d226cc8aae8b7762b2.exe
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance
  The WOW6432Node path means the write came from a 32-bit process on 64-bit Windows (registry redirection), which matches the SysWOW64 image paths in the process tree. The report does not say which component this CLSID belongs to.
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Process: svchost.exe (PID 504)
- Suspicious use of AdjustPrivilegeToken (48 IoCs)
  Both the sample (PID 2780) and the dropped svchost.exe (PID 504) enable the same 24 privileges in their own token, which is the full privilege set of an elevated administrator token rather than the one or two a legitimate program would request:
  SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, and four that the sandbox reports only by LUID: 33, 34, 35, 36 (SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege and SeDelegateSessionUserImpersonatePrivilege respectively).
  SeDebugPrivilege in particular is what the dropped copy needs to open and write into another user's process; see the WriteProcessMemory section below.
- Suspicious use of SetWindowsHookEx (1 IoC)
  Process: svchost.exe (PID 504)
- Suspicious use of WriteProcessMemory (31 IoCs)
  Writer -> target (count):
  - 65090baf82e20c9e32615031d3dfb12b483ba4a1a2f8a4d226cc8aae8b7762b2.exe (PID 2780) -> cmd.exe (PID 3148): 3 writes
  - cmd.exe (PID 3148) -> attrib.exe (PID 1020): 3 writes
  - 65090baf82e20c9e32615031d3dfb12b483ba4a1a2f8a4d226cc8aae8b7762b2.exe (PID 2780) -> svchost.exe (PID 504): 3 writes
  - svchost.exe (PID 504) -> notepad.exe (PID 1396): 22 writes
  Every ordinary child in this run receives the same three writes from its parent at creation; that is the baseline. The 22 writes from the dropped copy into notepad.exe, a process it launched with no arguments, are well above it and, together with the 696KB region dumped from PID 1396 (Downloads, below), are consistent with code being injected into notepad.exe. The report itself does not identify what was written.
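The write counts above are the raw material for a simple process-injection heuristic: count cross-process memory writes per (writer, target) pair and report any pair that exceeds what an ordinary process spawn produces. The following is an added example, not part of the sandbox report or the sample: it parses lines in the report's own "PID A wrote to memory of B ..." format and uses the three writes that every benign child in this run received as the baseline. The input text is constructed from this report's IoC lines. On a live estate the closest equivalent source is Sysmon event ID 10 (ProcessAccess) filtered to access masks that include PROCESS_VM_WRITE (0x0020); the parser would change, the aggregation would not.

```python
"""Process-injection heuristic over the report's WriteProcessMemory IoC lines.

Every ordinary child in this report (cmd.exe, attrib.exe, the dropped
svchost.exe) received exactly three writes from its parent at creation; that
count is the baseline, and any (writer, target) pair above it is reported.
The input text below is constructed from the report's own lines.
"""
import re
from collections import Counter
from typing import Counter as CounterT, List, NamedTuple, Tuple

# "PID <writer> wrote to memory of <target> <writer> <writer image> <target image>"
LINE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)")
SPAWN_BASELINE = 3  # writes each ordinary child received in this report


class WritePair(NamedTuple):
    writer_pid: int
    target_pid: int
    writer: str
    target: str


def parse_writes(text: str) -> CounterT[WritePair]:
    """Count 'wrote to memory' lines per (writer, target) pair."""
    counts: CounterT[WritePair] = Counter()
    for m in LINE_RE.finditer(text):
        counts[WritePair(int(m.group(1)), int(m.group(2)), m.group(3), m.group(4))] += 1
    return counts


def suspicious_pairs(counts: CounterT[WritePair],
                     baseline: int = SPAWN_BASELINE) -> List[Tuple[WritePair, int]]:
    """Pairs with more writes than the spawn baseline, most writes first."""
    return sorted(((p, n) for p, n in counts.items() if n > baseline), key=lambda pn: -pn[1])


SAMPLE = "65090baf82e20c9e32615031d3dfb12b483ba4a1a2f8a4d226cc8aae8b7762b2.exe"
# Constructed from the report: 3 writes per spawned child, 22 into notepad.exe.
IOC_TEXT = (
    f"PID 2780 wrote to memory of 3148 2780 {SAMPLE} cmd.exe\n" * 3
    + "PID 3148 wrote to memory of 1020 3148 cmd.exe attrib.exe\n" * 3
    + f"PID 2780 wrote to memory of 504 2780 {SAMPLE} svchost.exe\n" * 3
    + "PID 504 wrote to memory of 1396 504 svchost.exe notepad.exe\n" * 22
)

if __name__ == "__main__":
    counts = parse_writes(IOC_TEXT)
    print(f"{sum(counts.values())} writes across {len(counts)} process pairs")
    for pair, n in suspicious_pairs(counts):
        print(f"{pair.writer} ({pair.writer_pid}) -> {pair.target} ({pair.target_pid}): {n} writes")
```

On the constructed input the only pair above baseline is svchost.exe (504) -> notepad.exe (1396) with 22 writes. The baseline is an empirical constant from this report, not a Windows guarantee; calibrate it from known-good spawns in your own telemetry before relying on it.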
- Views/modifies file attributes (1 TTP, 1 IoC)

Processes
- [1] C:\Users\Admin\AppData\Local\Temp\65090baf82e20c9e32615031d3dfb12b483ba4a1a2f8a4d226cc8aae8b7762b2.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\65090baf82e20c9e32615031d3dfb12b483ba4a1a2f8a4d226cc8aae8b7762b2.exe"
  - Modifies WinLogon for persistence
  - Checks computer location settings
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\attrib.exe
      Command line: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      - Views/modifies file attributes
  - [2] C:\Users\Admin\AppData\Roaming\Microsîft\svchost.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsîft\svchost.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\notepad.exe
      Command line: notepad

Notes on the tree:
- The command lines name System32 but the images that actually ran are under SysWOW64: the sample is a 32-bit process on 64-bit Windows and file-system redirection rewrote the paths, consistent with the WOW6432Node registry write above.
- attrib +s +h is applied to the user's Temp directory, the directory the sample was launched from, marking it system and hidden so it disappears from a default Explorer view. cmd /k keeps the shell resident after attrib returns (unlike /c), which is why cmd.exe remains in the tree.
- The dropped copy starts notepad.exe with no arguments and is then the only writer into it (22 WriteProcessMemory calls); the 696KB dump from PID 1396 under Downloads is the only observable result of that on this page.
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\Microsîft\svchost.exe (the report lists this file twice; both entries are identical)
  MD5: 1e3df53f02b103486c1a7bfab4c8281c
  SHA1: 68954874ab932ca885cdde3a5f4102dee272fdc5
  SHA256: 65090baf82e20c9e32615031d3dfb12b483ba4a1a2f8a4d226cc8aae8b7762b2
  SHA512: 8c9f119c76f8cdef31355b9db00792551f8b376f9fe029985f91c4cd519e283cfde09ac7bee7abf55c789f629da6a9022b2c4e6bd9e3d8e096db39f413134296
  All four digests match the submitted sample exactly: the dropped svchost.exe is a byte-for-byte copy of the sample placed in %APPDATA%\Microsîft, not a separately packed second stage. Hunting on the sample's hashes therefore also finds the persisted copy.
- memory/504-121-0x00000000004C0000-0x000000000060A000-memory.dmp (svchost.exe, PID 504), 1.3MB
- memory/1396-122-0x00000000024C0000-0x000000000256E000-memory.dmp (notepad.exe, PID 1396), 696KB
- memory/2780-118-0x0000000000590000-0x00000000006DA000-memory.dmp (sample, PID 2780), 1.3MB
  The two 1.3MB regions are the same size (0x14A000 bytes), as expected for two instances of the same UPX-packed executable unpacked in memory; the 696KB region in notepad.exe is the one with no corresponding file on disk.