Analysis
-
max time kernel
163s -
max time network
177s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220112 -
submitted
07/02/2022, 02:48
Behavioral task
behavioral1
Sample
405343165def156d050d2d628512eb58db4c6c837d43cb8290811a8dbc8d78f0.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
405343165def156d050d2d628512eb58db4c6c837d43cb8290811a8dbc8d78f0.exe
Resource
win10v2004-en-20220112
General
-
Target
405343165def156d050d2d628512eb58db4c6c837d43cb8290811a8dbc8d78f0.exe
-
Size
1.2MB
-
MD5
55d3bf6845cb75b495704d3d3be3e406
-
SHA1
1e078c1e5937db4ebec4a24d75dd777ad4e175ff
-
SHA256
405343165def156d050d2d628512eb58db4c6c837d43cb8290811a8dbc8d78f0
-
SHA512
c904b9016fe932e0a4187467279cfa28cf4daa719674ff63d568bff706faac8d520fcb283d2d26eba2a83ded61119e32284a2aafc1872f1bbe4db07809170a1e
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 1856 2.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation 405343165def156d050d2d628512eb58db4c6c837d43cb8290811a8dbc8d78f0.exe -
Drops file in Program Files directory 7 IoCs
description ioc Process File opened for modification C:\Program Files\KeepVid 2.exe File opened for modification C:\Program Files\KeepVid\KeepVid Pro 2.exe File created C:\Program Files\KeepVid\KeepVid Pro\__tmp_rar_sfx_access_check_30246890 2.exe File created C:\Program Files\KeepVid\KeepVid Pro\KeepVidPro.exe 2.exe File opened for modification C:\Program Files\KeepVid\KeepVid Pro\KeepVidPro.exe 2.exe File created C:\Program Files\KeepVid\KeepVid Pro\CBSProductClient.dll 2.exe File opened for modification C:\Program Files\KeepVid\KeepVid Pro\CBSProductClient.dll 2.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 MusNotifyIcon.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz MusNotifyIcon.exe -
Modifies data under HKEY_USERS 47 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkUsageBps = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\BkDownloadRatePct = "45" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadPendingCount = "0" svchost.exe Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "3.465271" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyGroupBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CDNConnectionCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkBps = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyInternetBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCdnBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrBps = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrCnt = "0" svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DownloadMode_BackCompat = "1" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyInternetBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkBps = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadPendingCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyLanBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthID = "2" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PeerInfoCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CacheSizeBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\InternetConnectionCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkUsageBps = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\FrDownloadRatePct = "90" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadCount = "0" svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCacheHostBytes = "0" svchost.exe Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLinkLocalBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\KVFileExpirationTime = "132888523646971168" svchost.exe Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "3708" svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DODownloadMode = "1" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLanBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\GroupConnectionCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadCount = "0" svchost.exe Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.013186" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkCnt = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "1" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LANConnectionCount = "0" svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthlyUploadRestriction = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "3896" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkBps = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LinkLocalConnectionCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadRatePct = "100" svchost.exe -
Suspicious use of WriteProcessMemory 5 IoCs
description pid Process procid_target PID 3812 wrote to memory of 1044 3812 405343165def156d050d2d628512eb58db4c6c837d43cb8290811a8dbc8d78f0.exe 55 PID 3812 wrote to memory of 1044 3812 405343165def156d050d2d628512eb58db4c6c837d43cb8290811a8dbc8d78f0.exe 55 PID 1044 wrote to memory of 1856 1044 cmd.exe 57 PID 1044 wrote to memory of 1856 1044 cmd.exe 57 PID 1044 wrote to memory of 1856 1044 cmd.exe 57
Processes
-
C:\Users\Admin\AppData\Local\Temp\405343165def156d050d2d628512eb58db4c6c837d43cb8290811a8dbc8d78f0.exe"C:\Users\Admin\AppData\Local\Temp\405343165def156d050d2d628512eb58db4c6c837d43cb8290811a8dbc8d78f0.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3812 -
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\70C8.tmp\70C9.bat C:\Users\Admin\AppData\Local\Temp\405343165def156d050d2d628512eb58db4c6c837d43cb8290811a8dbc8d78f0.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:1044 -
C:\Users\Admin\AppData\Local\Temp\70C8.tmp\2.exe2.exe3⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1856
-
-
-
C:\Windows\system32\MusNotifyIcon.exe%systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 131⤵
- Checks processor information in registry
PID:3036
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p1⤵
- Modifies data under HKEY_USERS
PID:3220