Overview

overview

10

Static

static

0c51ca0477...1e.exe

windows7_x64

10

0c51ca0477...1e.exe

windows10-2004_x64

8

Analysis

  • max time kernel
    35s
  • max time network
    55s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    19-02-2022 08:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0c51ca0477a2a23eede0757f49f07891c15fe977bde5f293d05ddbce43c9531e.exe

  • Size

    386KB

  • MD5

    7bd387176c3b768d4c4c5522072f3753

  • SHA1

    0ec05c75a232a16babe9e7d77d1f9165afb1aac4

  • SHA256

    0c51ca0477a2a23eede0757f49f07891c15fe977bde5f293d05ddbce43c9531e

  • SHA512

    dd9584273adbbbf9f6c8d951bb00b2930a89dd3db2cacdf8f24c7ce57b31e62469da62219c8fc0d3b366add12b3ca32b82a3e74e1463293b1159fd188da46024

Score
8/10
persistence

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Windows\system32\taskhostw.exe
    taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
    1⤵
      PID:2688
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
      1⤵
        PID:2408
      • C:\Windows\system32\sihost.exe
        sihost.exe
        1⤵
          PID:2360
        • C:\Users\Admin\AppData\Local\Temp\0c51ca0477a2a23eede0757f49f07891c15fe977bde5f293d05ddbce43c9531e.exe
          "C:\Users\Admin\AppData\Local\Temp\0c51ca0477a2a23eede0757f49f07891c15fe977bde5f293d05ddbce43c9531e.exe"
          1⤵
          • Checks computer location settings
          • Suspicious use of WriteProcessMemory
          PID:1648
          • C:\users\Public\lJBNe.exe
            "C:\users\Public\lJBNe.exe" C:\Users\Admin\AppData\Local\Temp\0c51ca0477a2a23eede0757f49f07891c15fe977bde5f293d05ddbce43c9531e.exe
            2⤵
            • Executes dropped EXE
            • Checks computer location settings
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2436
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\users\Public\lJBNe.exe" /f
              3⤵
              • Suspicious use of WriteProcessMemory
              PID:2584
              • C:\Windows\system32\reg.exe
                REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\users\Public\lJBNe.exe" /f
                4⤵
                • Adds Run key to start application
                PID:4824

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/2360-132-0x00007FF79CD00000-0x00007FF79D08E000-memory.dmp

          Filesize

          3.6MB

          Download