Overview

overview

10

Static

static

0563e8dd01...80.exe

windows7_x64

10

0563e8dd01...80.exe

windows10-2004_x64

7

Analysis

  • max time kernel
    41s
  • max time network
    123s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    19-02-2022 08:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0563e8dd01ea8d2cae1c397ccc2b7f631e0e71b901a78cb120b9cbe746a03280.exe

  • Size

    154KB

  • MD5

    85dc3c9daa960c110dabe7d6f1f242e0

  • SHA1

    88b1879ca52863a5acba40e4a895cae96dff2764

  • SHA256

    0563e8dd01ea8d2cae1c397ccc2b7f631e0e71b901a78cb120b9cbe746a03280

  • SHA512

    19f87a621c305a85b2aebe6f09ae39e74fe4f0d7d1ac63aef33d3eb87c6a283c01870b23f69ba41788a95dfd117db6adc9e1ac0def2570b5615cef3b1fc2c6c7

Score
7/10
persistence

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
    1⤵
      PID:2340
    • C:\Windows\system32\sihost.exe
      sihost.exe
      1⤵
        PID:2304
      • C:\Users\Admin\AppData\Local\Temp\0563e8dd01ea8d2cae1c397ccc2b7f631e0e71b901a78cb120b9cbe746a03280.exe
        "C:\Users\Admin\AppData\Local\Temp\0563e8dd01ea8d2cae1c397ccc2b7f631e0e71b901a78cb120b9cbe746a03280.exe"
        1⤵
        • Checks computer location settings
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4892
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\0563e8dd01ea8d2cae1c397ccc2b7f631e0e71b901a78cb120b9cbe746a03280.exe" /f
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:2920
          • C:\Windows\system32\reg.exe
            REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\0563e8dd01ea8d2cae1c397ccc2b7f631e0e71b901a78cb120b9cbe746a03280.exe" /f
            3⤵
            • Adds Run key to start application
            PID:3096

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/2304-130-0x00007FF6EEDE0000-0x00007FF6EF169000-memory.dmp

        Filesize

        3.5MB

        Download

      • memory/2340-131-0x00007FF6EEDE0000-0x00007FF6EF169000-memory.dmp

        Filesize

        3.5MB

        Download