Analysis
- max time kernel: 44s
- max time network: 137s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 20-02-2022 06:05
Static task: static1
Behavioral task: behavioral1
- Sample: 6d768a860ccf91cc9cb4d127dd648d3b91d99e8c3467a8c45e5b0eb2a01acc3d.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 6d768a860ccf91cc9cb4d127dd648d3b91d99e8c3467a8c45e5b0eb2a01acc3d.exe
- Resource: win10v2004-en-20220113
General
- Target: 6d768a860ccf91cc9cb4d127dd648d3b91d99e8c3467a8c45e5b0eb2a01acc3d.exe
- Size: 170KB
- MD5: 301b5d87092b4fc13dd4b05bff39ca9c
- SHA1: 4b8a77b3d993a0be86fe1d8aa4fdb8c15ae05ab9
- SHA256: 6d768a860ccf91cc9cb4d127dd648d3b91d99e8c3467a8c45e5b0eb2a01acc3d
- SHA512: 1c508c1ccf4f3bb0cd0d9dba2af02612f4528b6d056c84f50bed65de3448f0b191bae3db953973bc75881f0805b6c3655d75b24b8e2775d096ddd115f234bfac
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 6d768a860ccf91cc9cb4d127dd648d3b91d99e8c3467a8c45e5b0eb2a01acc3d.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | reg.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\6d768a860ccf91cc9cb4d127dd648d3b91d99e8c3467a8c45e5b0eb2a01acc3d.exe" | reg.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | Process
  2024 | 6d768a860ccf91cc9cb4d127dd648d3b91d99e8c3467a8c45e5b0eb2a01acc3d.exe
  2024 | 6d768a860ccf91cc9cb4d127dd648d3b91d99e8c3467a8c45e5b0eb2a01acc3d.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | Process
  Token: SeDebugPrivilege | 2024 | 6d768a860ccf91cc9cb4d127dd648d3b91d99e8c3467a8c45e5b0eb2a01acc3d.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  description | pid | Process | procid_target
  PID 2024 wrote to memory of 1228 | 2024 | 6d768a860ccf91cc9cb4d127dd648d3b91d99e8c3467a8c45e5b0eb2a01acc3d.exe | 84
  PID 2024 wrote to memory of 1228 | 2024 | 6d768a860ccf91cc9cb4d127dd648d3b91d99e8c3467a8c45e5b0eb2a01acc3d.exe | 84
  PID 2024 wrote to memory of 2344 | 2024 | 6d768a860ccf91cc9cb4d127dd648d3b91d99e8c3467a8c45e5b0eb2a01acc3d.exe | 37
  PID 1228 wrote to memory of 1380 | 1228 | cmd.exe | 86
  PID 1228 wrote to memory of 1380 | 1228 | cmd.exe | 86
  PID 2024 wrote to memory of 2372 | 2024 | 6d768a860ccf91cc9cb4d127dd648d3b91d99e8c3467a8c45e5b0eb2a01acc3d.exe | 40
  PID 2024 wrote to memory of 2468 | 2024 | 6d768a860ccf91cc9cb4d127dd648d3b91d99e8c3467a8c45e5b0eb2a01acc3d.exe | 41
Processes
- C:\Windows\system32\sihost.exe
  Command line: sihost.exe
  PID: 2344
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
  PID: 2372
- C:\Windows\system32\taskhostw.exe
  Command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  PID: 2468
- C:\Users\Admin\AppData\Local\Temp\6d768a860ccf91cc9cb4d127dd648d3b91d99e8c3467a8c45e5b0eb2a01acc3d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6d768a860ccf91cc9cb4d127dd648d3b91d99e8c3467a8c45e5b0eb2a01acc3d.exe"
  Signatures: Checks computer location settings; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  PID: 2024
  - C:\Windows\System32\cmd.exe (child of PID 2024)
    Command line: "C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\6d768a860ccf91cc9cb4d127dd648d3b91d99e8c3467a8c45e5b0eb2a01acc3d.exe" /f
    Signatures: Suspicious use of WriteProcessMemory
    PID: 1228
    - C:\Windows\system32\reg.exe (child of PID 1228)
      Command line: REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\6d768a860ccf91cc9cb4d127dd648d3b91d99e8c3467a8c45e5b0eb2a01acc3d.exe" /f
      Signatures: Adds Run key to start application
      PID: 1380