Analysis
- max time kernel: 158s
- max time network: 162s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220112
- submitted: 05-02-2022 15:49
Static task: static1
Behavioral task: behavioral1
Sample: 105a7f1e9f623633f1b1439cf15f58be.exe
Resource: win7-en-20211208
General
- Target: 105a7f1e9f623633f1b1439cf15f58be.exe
- Size: 5.7MB
- MD5: 105a7f1e9f623633f1b1439cf15f58be
- SHA1: 0fba1e00864607102f82c7e2cdc14856851da104
- SHA256: 4c20cb035c923c914c129daa6f7dd77c24d3d3ad58f09c89a12d8028405bb5d0
- SHA512: fb7ceda860b98bf9d4def5c2ba2e2f9ee33743cd2225af19b4bffd31dcb38d6675ff77d39f5ed09bdfb0feb7582645418895c8df37e8f8bffeebac3948340127
Malware Config
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) [2 TTPs]
- Executes dropped EXE [2 IoCs]
  Processes:
    pid  | process
    1808 | services.exe
    3524 | sihost64.exe
- Checks BIOS information in registry [2 TTPs, 4 IoCs]
  BIOS information is often read in order to detect sandboxing environments.
  Processes:
    description       | ioc                                                             | process
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  | 105a7f1e9f623633f1b1439cf15f58be.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | services.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  | services.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 105a7f1e9f623633f1b1439cf15f58be.exe
- Checks computer location settings [2 TTPs, 1 IoC]
  Looks up country code configured in the registry, likely geofence.
  Processes:
    description       | ioc                                                                                              | process
    Key value queried | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation | services.exe
- YARA rule matches
  Processes:
    resource                                                                      | yara_rule
    behavioral2/memory/2452-130-0x0000000000400000-0x0000000000F42000-memory.dmp | themida
    C:\Users\Admin\AppData\Roaming\Microsoft\services.exe                         | themida
    C:\Users\Admin\AppData\Roaming\Microsoft\services.exe                         | themida
    behavioral2/memory/1808-137-0x0000000000400000-0x0000000000F42000-memory.dmp | themida
- Checks whether UAC is enabled [2 IoCs]
  Processes:
    description       | ioc                                                                              | process
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 105a7f1e9f623633f1b1439cf15f58be.exe
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | services.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger [2 IoCs]
  Processes:
    pid  | process
    2452 | 105a7f1e9f623633f1b1439cf15f58be.exe
    1808 | services.exe
- Drops file in Windows directory [1 IoC]
  Processes:
    description                  | ioc                                                                                                              | process
    File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat | svchost.exe
- Enumerates physical storage devices [1 TTP]
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry [2 TTPs, 2 IoCs]
  Processor information is often read in order to detect sandboxing environments.
  Processes:
    description       | ioc                                                                  | process
    Key opened        | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0     | MusNotifyIcon.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | MusNotifyIcon.exe
- Creates scheduled task(s) [1 TTP, 1 IoC]
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Modifies data under HKEY_USERS [51 IoCs]
- Suspicious behavior: EnumeratesProcesses [2 IoCs]
  Processes:
    pid  | process
    2452 | 105a7f1e9f623633f1b1439cf15f58be.exe
    1808 | services.exe
- Suspicious use of AdjustPrivilegeToken [2 IoCs]
  Processes:
    description             | pid  | process
    Token: SeDebugPrivilege | 2452 | 105a7f1e9f623633f1b1439cf15f58be.exe
    Token: SeDebugPrivilege | 1808 | services.exe
- Suspicious use of WriteProcessMemory [13 IoCs]
  Processes:
    description                        | pid  | process                              | target process
    PID 2452 wrote to memory of 3804   | 2452 | 105a7f1e9f623633f1b1439cf15f58be.exe | cmd.exe
    PID 2452 wrote to memory of 3804   | 2452 | 105a7f1e9f623633f1b1439cf15f58be.exe | cmd.exe
    PID 3804 wrote to memory of 2756   | 3804 | cmd.exe                              | schtasks.exe
    PID 3804 wrote to memory of 2756   | 3804 | cmd.exe                              | schtasks.exe
    PID 2452 wrote to memory of 1916   | 2452 | 105a7f1e9f623633f1b1439cf15f58be.exe | cmd.exe
    PID 2452 wrote to memory of 1916   | 2452 | 105a7f1e9f623633f1b1439cf15f58be.exe | cmd.exe
    PID 1916 wrote to memory of 1808   | 1916 | cmd.exe                              | services.exe
    PID 1916 wrote to memory of 1808   | 1916 | cmd.exe                              | services.exe
    PID 1808 wrote to memory of 3524   | 1808 | services.exe                         | sihost64.exe
    PID 1808 wrote to memory of 3524   | 1808 | services.exe                         | sihost64.exe
    PID 3524 wrote to memory of 216    | 3524 | sihost64.exe                         | conhost.exe
    PID 3524 wrote to memory of 216    | 3524 | sihost64.exe                         | conhost.exe
    PID 3524 wrote to memory of 216    | 3524 | sihost64.exe                         | conhost.exe
Processes
(the number in brackets is the depth level in the process tree)
- [1] C:\Users\Admin\AppData\Local\Temp\105a7f1e9f623633f1b1439cf15f58be.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\105a7f1e9f623633f1b1439cf15f58be.exe"
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SYSTEM32\cmd.exe
    command line: "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\services.exe"
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\schtasks.exe
      command line: schtasks /create /f /sc onlogon /rl highest /tn "services" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\services.exe"
      - Creates scheduled task(s)
  - [2] C:\Windows\SYSTEM32\cmd.exe
    command line: "cmd" cmd /c "C:\Users\Admin\AppData\Roaming\Microsoft\services.exe"
    - Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Roaming\Microsoft\services.exe
      command line: C:\Users\Admin\AppData\Roaming\Microsoft\services.exe
      - Executes dropped EXE
      - Checks BIOS information in registry
      - Checks computer location settings
      - Checks whether UAC is enabled
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - [4] C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost64.exe
        command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost64.exe"
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
        - [5] C:\Windows\System32\conhost.exe
          command line: "C:\Windows\System32\conhost.exe" "qcorbjem"
- [1] C:\Windows\system32\MusNotifyIcon.exe
  command line: %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
  - Checks processor information in registry
- [1] C:\Windows\System32\svchost.exe
  command line: C:\Windows\System32\svchost.exe -k NetworkService -p
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost64.exe
  MD5: 30c8c4ca447fd860622f594a174fef77
  SHA1: 31393d1438a8df8a7ae1e999302bbb1a37bcaeff
  SHA256: b5092c596be24cf815584a58a20e0d373216d28e3e97d0dd41dc1eb66fbae595
  SHA512: d8fc3ab0c81f1e334f8de4efe1866de0883f04f07b174aa6a769ceb71a8b9fe71975f3306567d91b5be6a35b481b1221ebc534a293ffecffc60d486032787b59
- C:\Users\Admin\AppData\Roaming\Microsoft\services.exe
  MD5: 105a7f1e9f623633f1b1439cf15f58be
  SHA1: 0fba1e00864607102f82c7e2cdc14856851da104
  SHA256: 4c20cb035c923c914c129daa6f7dd77c24d3d3ad58f09c89a12d8028405bb5d0
  SHA512: fb7ceda860b98bf9d4def5c2ba2e2f9ee33743cd2225af19b4bffd31dcb38d6675ff77d39f5ed09bdfb0feb7582645418895c8df37e8f8bffeebac3948340127
- memory/216-142-0x0000012F87A20000-0x0000012F87A26000-memory.dmp (Filesize: 24KB)
- memory/216-148-0x0000012F894C3000-0x0000012F894C5000-memory.dmp (Filesize: 8KB)
- memory/216-147-0x0000012F894C0000-0x0000012F894C2000-memory.dmp (Filesize: 8KB)
- memory/216-149-0x0000012F894C6000-0x0000012F894C7000-memory.dmp (Filesize: 4KB)
- memory/1808-137-0x0000000000400000-0x0000000000F42000-memory.dmp (Filesize: 11.3MB)
- memory/2452-134-0x000000001CDB6000-0x000000001CDB7000-memory.dmp (Filesize: 4KB)
- memory/2452-133-0x000000001CDB3000-0x000000001CDB5000-memory.dmp (Filesize: 8KB)
- memory/2452-130-0x0000000000400000-0x0000000000F42000-memory.dmp (Filesize: 11.3MB)
- memory/2452-132-0x000000001CDB0000-0x000000001CDB2000-memory.dmp (Filesize: 8KB)
- memory/2452-131-0x0000000003000000-0x00000000031F4000-memory.dmp (Filesize: 2.0MB)