Analysis

Max time kernel: 11s
Max time network: 15s
Platform: windows10-2004_x64
Resource: win10v2004-en-20220113
Submitted: 06/02/2022, 15:03

Static task: static1

Behavioral task: behavioral1
  Sample: 0ce184ed442b827c16869a258ac9e25d5cd7dbaf065b8478c2a9333aabe3b764.exe
  Resource: win7-en-20211208

Behavioral task: behavioral2
  Sample: 0ce184ed442b827c16869a258ac9e25d5cd7dbaf065b8478c2a9333aabe3b764.exe
  Resource: win10v2004-en-20220113
General

Target: 0ce184ed442b827c16869a258ac9e25d5cd7dbaf065b8478c2a9333aabe3b764.exe
Size: 7.6MB
MD5: f7baa2694e3c882123dfc6cb891c2786
SHA1: 25868a92ec1a4898c28c9fe79aae4be6926750d6
SHA256: 0ce184ed442b827c16869a258ac9e25d5cd7dbaf065b8478c2a9333aabe3b764
SHA512: c79283afb478c4ddd10fcc6afd4f76451ce60b182a01964d8f683907c1080fdc19bdaffa51248464670efbe7b8762ec0f9b74413c2239127d5972549bec4f2d6
Malware Config

Signatures

Executes dropped EXE (2 IoCs)
  pid | Process
  1956 | file.exe
  3344 | Setup.exe

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely a geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 0ce184ed442b827c16869a258ac9e25d5cd7dbaf065b8478c2a9333aabe3b764.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | file.exe

Loads dropped DLL (1 IoC)
  pid | Process
  3344 | Setup.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTP)

Drops file in Windows directory (3 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies system certificate store (2 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E | file.exe
  Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = <value elided> | file.exe

Runs ping.exe (1 TTP, 1 IoC)
  pid | Process
  1472 | PING.EXE

Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description | pid | Process
  Token: SeShutdownPrivilege | 2280 | svchost.exe
  Token: SeCreatePagefilePrivilege | 2280 | svchost.exe
  Token: SeShutdownPrivilege | 2280 | svchost.exe
  Token: SeCreatePagefilePrivilege | 2280 | svchost.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
  pid | Process
  1956 | file.exe
  3344 | Setup.exe

Suspicious use of WriteProcessMemory (12 IoCs)
  description | pid | Process | procid_target
  PID 3532 wrote to memory of 1956 | 3532 | 0ce184ed442b827c16869a258ac9e25d5cd7dbaf065b8478c2a9333aabe3b764.exe | 82
  PID 3532 wrote to memory of 1956 | 3532 | 0ce184ed442b827c16869a258ac9e25d5cd7dbaf065b8478c2a9333aabe3b764.exe | 82
  PID 3532 wrote to memory of 1956 | 3532 | 0ce184ed442b827c16869a258ac9e25d5cd7dbaf065b8478c2a9333aabe3b764.exe | 82
  PID 1956 wrote to memory of 3244 | 1956 | file.exe | 89
  PID 1956 wrote to memory of 3244 | 1956 | file.exe | 89
  PID 1956 wrote to memory of 3244 | 1956 | file.exe | 89
  PID 3532 wrote to memory of 3344 | 3532 | 0ce184ed442b827c16869a258ac9e25d5cd7dbaf065b8478c2a9333aabe3b764.exe | 91
  PID 3532 wrote to memory of 3344 | 3532 | 0ce184ed442b827c16869a258ac9e25d5cd7dbaf065b8478c2a9333aabe3b764.exe | 91
  PID 3532 wrote to memory of 3344 | 3532 | 0ce184ed442b827c16869a258ac9e25d5cd7dbaf065b8478c2a9333aabe3b764.exe | 91
  PID 3244 wrote to memory of 1472 | 3244 | cmd.exe | 93
  PID 3244 wrote to memory of 1472 | 3244 | cmd.exe | 93
  PID 3244 wrote to memory of 1472 | 3244 | cmd.exe | 93
Processes

C:\Users\Admin\AppData\Local\Temp\0ce184ed442b827c16869a258ac9e25d5cd7dbaf065b8478c2a9333aabe3b764.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0ce184ed442b827c16869a258ac9e25d5cd7dbaf065b8478c2a9333aabe3b764.exe"
  PID: 3532
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe"
      PID: 1956
      - Executes dropped EXE
      - Checks computer location settings
      - Modifies system certificate store
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cmd.exe
          Command line: "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe" >> NUL
          PID: 3244
          - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\PING.EXE
              Command line: ping 127.0.0.1
              PID: 1472
              - Runs ping.exe

    C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe"
      PID: 3344
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetWindowsHookEx

C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  PID: 2280
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken