Analysis
- max time kernel: 33s
- max time network: 66s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 20-02-2022 05:45
Static task: static1
Behavioral task: behavioral1
  Sample: 73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe
  Resource: win10v2004-en-20220113
General
- Target: 73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe
- Size: 202KB
- MD5: c49c19e172c2c6f8390bd26258557b18
- SHA1: 641d8da9c08060b04fc63b07c61e1c891d5d393a
- SHA256: 73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b
- SHA512: a66789da1fd31f46f04937ed507662ec0bf68c13f27f1cb0a63ddcc977f33073f3769abdcb4206651781f0e2151c93d7155358367dd1a43d4216200968e220bc
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
    pid 4204  KuMihCH.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    Key value queried: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation
    by: 73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs net.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes:
    pid 2700  73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe (4 events)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    Token: SeDebugPrivilege  pid 2700  73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe
- Suspicious use of WriteProcessMemory (14 IoCs)
  Processes (description, pid, process, target process):
    PID 2700 wrote to memory of 4204  73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe -> KuMihCH.exe
    PID 2700 wrote to memory of 4204  73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe -> KuMihCH.exe
    PID 2700 wrote to memory of 2396  73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe -> sihost.exe
    PID 2700 wrote to memory of 3816  73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe -> net.exe
    PID 2700 wrote to memory of 3816  73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe -> net.exe
    PID 2700 wrote to memory of 1608  73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe -> net.exe
    PID 2700 wrote to memory of 1608  73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe -> net.exe
    PID 3816 wrote to memory of 1320  net.exe -> net1.exe
    PID 3816 wrote to memory of 1320  net.exe -> net1.exe
    PID 2700 wrote to memory of 2424  73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe -> svchost.exe
    PID 1608 wrote to memory of 2364  net.exe -> net1.exe
    PID 1608 wrote to memory of 2364  net.exe -> net1.exe
    PID 2700 wrote to memory of 2508  73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe -> taskhostw.exe
    PID 2700 wrote to memory of 3104  73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe -> svchost.exe
Processes
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
- C:\Windows\system32\taskhostw.exe
  Command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
- C:\Windows\system32\sihost.exe
  Command line: sihost.exe
- C:\Users\Admin\AppData\Local\Temp\73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe"
  Signatures:
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  Children:
  - C:\Users\Admin\AppData\Local\Temp\KuMihCH.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\KuMihCH.exe" 8 LAN
    Signatures:
      - Executes dropped EXE
  - C:\Windows\System32\net.exe
    Command line: "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
    Signatures:
      - Suspicious use of WriteProcessMemory
    Children:
    - C:\Windows\system32\net1.exe
      Command line: C:\Windows\system32\net1 stop "audioendpointbuilder" /y
  - C:\Windows\System32\net.exe
    Command line: "C:\Windows\System32\net.exe" stop "samss" /y
    Signatures:
      - Suspicious use of WriteProcessMemory
    Children:
    - C:\Windows\system32\net1.exe
      Command line: C:\Windows\system32\net1 stop "samss" /y
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\KuMihCH.exe
  MD5: c49c19e172c2c6f8390bd26258557b18
  SHA1: 641d8da9c08060b04fc63b07c61e1c891d5d393a
  SHA256: 73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b
  SHA512: a66789da1fd31f46f04937ed507662ec0bf68c13f27f1cb0a63ddcc977f33073f3769abdcb4206651781f0e2151c93d7155358367dd1a43d4216200968e220bc
- memory/2396-132-0x00007FF6C62E0000-0x00007FF6C6455000-memory.dmp
  Filesize: 1.5MB
- memory/2424-133-0x00007FF6C62E0000-0x00007FF6C6455000-memory.dmp
  Filesize: 1.5MB