Analysis
max time kernel: 150s
max time network: 167s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 07/02/2022, 02:43
Behavioral task: behavioral1
Sample: 44e34dcb6bbd98f6bb1a254909c532183c7a5cb75f2e4d0b9e916e3ef6c24df2.exe
Resource: win7-en-20211208

Behavioral task: behavioral2
Sample: 44e34dcb6bbd98f6bb1a254909c532183c7a5cb75f2e4d0b9e916e3ef6c24df2.exe
Resource: win10v2004-en-20220113
General
Target: 44e34dcb6bbd98f6bb1a254909c532183c7a5cb75f2e4d0b9e916e3ef6c24df2.exe
Size: 1.2MB
MD5: a0faa0ad11e26562d7c6440eadf5e890
SHA1: 1f516e4d33cb30292042f0cb12c4cb6019d3c7ba
SHA256: 44e34dcb6bbd98f6bb1a254909c532183c7a5cb75f2e4d0b9e916e3ef6c24df2
SHA512: ab19f795083a64c1893f11cbb306f2aadca725b521dc89577692d783b57a19ad242c4a751509acb4a638eb720b4a38ef91f7ba17b509b8c6972302e019c6ea9c
Malware Config
Signatures

Executes dropped EXE (1 IoC)
  pid   Process
  2884  2.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  description        ioc                                                                                                   Process
  Key value queried  \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation  44e34dcb6bbd98f6bb1a254909c532183c7a5cb75f2e4d0b9e916e3ef6c24df2.exe

Drops file in Program Files directory (7 IoCs)
  description                   ioc                                                                       Process
  File opened for modification  C:\Program Files\KeepVid\KeepVid Pro                                      2.exe
  File created                  C:\Program Files\KeepVid\KeepVid Pro\__tmp_rar_sfx_access_check_30264890  2.exe
  File created                  C:\Program Files\KeepVid\KeepVid Pro\KeepVidPro.exe                       2.exe
  File opened for modification  C:\Program Files\KeepVid\KeepVid Pro\KeepVidPro.exe                       2.exe
  File created                  C:\Program Files\KeepVid\KeepVid Pro\CBSProductClient.dll                 2.exe
  File opened for modification  C:\Program Files\KeepVid\KeepVid Pro\CBSProductClient.dll                 2.exe
  File opened for modification  C:\Program Files\KeepVid                                                  2.exe

Drops file in Windows directory (6 IoCs)
  description                   ioc                                                      Process
  File opened for modification  C:\Windows\SoftwareDistribution\ReportingEvents.log      svchost.exe
  File opened for modification  C:\Windows\WindowsUpdate.log                             svchost.exe
  File opened for modification  C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk   svchost.exe
  File opened for modification  C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log   svchost.exe
  File opened for modification  C:\Windows\SoftwareDistribution\DataStore\DataStore.edb  svchost.exe
  File opened for modification  C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm  svchost.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of AdjustPrivilegeToken (6 IoCs)
  description                       pid   Process
  Token: SeShutdownPrivilege        1112  svchost.exe
  Token: SeCreatePagefilePrivilege  1112  svchost.exe
  Token: SeShutdownPrivilege        1112  svchost.exe
  Token: SeCreatePagefilePrivilege  1112  svchost.exe
  Token: SeShutdownPrivilege        1112  svchost.exe
  Token: SeCreatePagefilePrivilege  1112  svchost.exe

Suspicious use of WriteProcessMemory (5 IoCs)
  description                       pid   Process                                                                procid_target
  PID 3924 wrote to memory of 1176  3924  44e34dcb6bbd98f6bb1a254909c532183c7a5cb75f2e4d0b9e916e3ef6c24df2.exe  81
  PID 3924 wrote to memory of 1176  3924  44e34dcb6bbd98f6bb1a254909c532183c7a5cb75f2e4d0b9e916e3ef6c24df2.exe  81
  PID 1176 wrote to memory of 2884  1176  cmd.exe                                                                86
  PID 1176 wrote to memory of 2884  1176  cmd.exe                                                                86
  PID 1176 wrote to memory of 2884  1176  cmd.exe                                                                86
Processes

C:\Users\Admin\AppData\Local\Temp\44e34dcb6bbd98f6bb1a254909c532183c7a5cb75f2e4d0b9e916e3ef6c24df2.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\44e34dcb6bbd98f6bb1a254909c532183c7a5cb75f2e4d0b9e916e3ef6c24df2.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID: 3924

  C:\Windows\system32\cmd.exe
    Command line: "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\9596.tmp\9597.bat C:\Users\Admin\AppData\Local\Temp\44e34dcb6bbd98f6bb1a254909c532183c7a5cb75f2e4d0b9e916e3ef6c24df2.exe"
    - Suspicious use of WriteProcessMemory
    PID: 1176

    C:\Users\Admin\AppData\Local\Temp\9596.tmp\2.exe
      Command line: 2.exe
      - Executes dropped EXE
      - Drops file in Program Files directory
      PID: 2884

C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 1112