Analysis
- max time kernel: 54s
- max time network: 116s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 20-02-2022 03:54
Static task: static1
Behavioral task: behavioral1
  Sample: a0dccbe010859116063fc3f7e00c8c7bd68b849eeb7238a10b1b9f07f5c36510.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: a0dccbe010859116063fc3f7e00c8c7bd68b849eeb7238a10b1b9f07f5c36510.exe
  Resource: win10v2004-en-20220113
General
- Target: a0dccbe010859116063fc3f7e00c8c7bd68b849eeb7238a10b1b9f07f5c36510.exe
- Size: 171KB
- MD5: 567407d941d99abeff20a1b836570d30
- SHA1: e8866fda01f91c6d4bf8c51cf4cbc7f103e87b0b
- SHA256: a0dccbe010859116063fc3f7e00c8c7bd68b849eeb7238a10b1b9f07f5c36510
- SHA512: 514cc28f8da0e8bf054bf0a0963c4253a16df1d5cb8e87dd09294ab97d8e1b5b5fc18c54920a3829d40b0bdda5837567a73b39b4d1839ab919d672ceaf32989b
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes: a0dccbe010859116063fc3f7e00c8c7bd68b849eeb7238a10b1b9f07f5c36510.exe
    description: Key value queried
    ioc: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation
    process: a0dccbe010859116063fc3f7e00c8c7bd68b849eeb7238a10b1b9f07f5c36510.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: a0dccbe010859116063fc3f7e00c8c7bd68b849eeb7238a10b1b9f07f5c36510.exe
    pid 2444: a0dccbe010859116063fc3f7e00c8c7bd68b849eeb7238a10b1b9f07f5c36510.exe
    pid 2444: a0dccbe010859116063fc3f7e00c8c7bd68b849eeb7238a10b1b9f07f5c36510.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: a0dccbe010859116063fc3f7e00c8c7bd68b849eeb7238a10b1b9f07f5c36510.exe
    description: Token: SeDebugPrivilege
    pid 2444: a0dccbe010859116063fc3f7e00c8c7bd68b849eeb7238a10b1b9f07f5c36510.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes: a0dccbe010859116063fc3f7e00c8c7bd68b849eeb7238a10b1b9f07f5c36510.exe, cmd.exe
  (description; pid, process -> target process)
    PID 2444 wrote to memory of 2280; 2444 a0dccbe010859116063fc3f7e00c8c7bd68b849eeb7238a10b1b9f07f5c36510.exe -> cmd.exe
    PID 2444 wrote to memory of 2280; 2444 a0dccbe010859116063fc3f7e00c8c7bd68b849eeb7238a10b1b9f07f5c36510.exe -> cmd.exe
    PID 2444 wrote to memory of 2316; 2444 a0dccbe010859116063fc3f7e00c8c7bd68b849eeb7238a10b1b9f07f5c36510.exe -> sihost.exe
    PID 2280 wrote to memory of 3000; 2280 cmd.exe -> reg.exe
    PID 2280 wrote to memory of 3000; 2280 cmd.exe -> reg.exe
    PID 2444 wrote to memory of 2332; 2444 a0dccbe010859116063fc3f7e00c8c7bd68b849eeb7238a10b1b9f07f5c36510.exe -> svchost.exe
    PID 2444 wrote to memory of 2472; 2444 a0dccbe010859116063fc3f7e00c8c7bd68b849eeb7238a10b1b9f07f5c36510.exe -> taskhostw.exe
    PID 2444 wrote to memory of 2624; 2444 a0dccbe010859116063fc3f7e00c8c7bd68b849eeb7238a10b1b9f07f5c36510.exe -> svchost.exe
Processes
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
- C:\Windows\system32\taskhostw.exe
  Command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
- C:\Windows\system32\sihost.exe
  Command line: sihost.exe
- C:\Users\Admin\AppData\Local\Temp\a0dccbe010859116063fc3f7e00c8c7bd68b849eeb7238a10b1b9f07f5c36510.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a0dccbe010859116063fc3f7e00c8c7bd68b849eeb7238a10b1b9f07f5c36510.exe"
  Signatures:
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\a0dccbe010859116063fc3f7e00c8c7bd68b849eeb7238a10b1b9f07f5c36510.exe" /f
    Signatures:
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\reg.exe
      Command line: REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\a0dccbe010859116063fc3f7e00c8c7bd68b849eeb7238a10b1b9f07f5c36510.exe" /f