Analysis
Max time kernel: 36s
Max time network: 86s
Platform: windows10-2004_x64
Resource: win10v2004-en-20220113
Submitted: 20-02-2022 06:52
Static task: static1
Behavioral task: behavioral1
  Sample: 5cafcad96e19beddbb93716bdcf3b79cc83919bf556c7698dc5be2d0ed68cf71.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 5cafcad96e19beddbb93716bdcf3b79cc83919bf556c7698dc5be2d0ed68cf71.exe
  Resource: win10v2004-en-20220113
General
Target: 5cafcad96e19beddbb93716bdcf3b79cc83919bf556c7698dc5be2d0ed68cf71.exe
Size: 150KB
MD5: f763a2291bcb03be0e64bb3cd34b8424
SHA1: ce182b871f86dd2a54143288c559e9baa3e16b5c
SHA256: 5cafcad96e19beddbb93716bdcf3b79cc83919bf556c7698dc5be2d0ed68cf71
SHA512: 77850884db6a62e04f7eb0857ce16eefbe94dddd1451a8ad53a9a4bd3333e29aa1cb65e61550ab5517038fde928803246b8185b853cf1f62c462c55eaf71f647
Malware Config
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes: 5cafcad96e19beddbb93716bdcf3b79cc83919bf556c7698dc5be2d0ed68cf71.exe
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation
  process: 5cafcad96e19beddbb93716bdcf3b79cc83919bf556c7698dc5be2d0ed68cf71.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes: 5cafcad96e19beddbb93716bdcf3b79cc83919bf556c7698dc5be2d0ed68cf71.exe
  pid: 4596  process: 5cafcad96e19beddbb93716bdcf3b79cc83919bf556c7698dc5be2d0ed68cf71.exe
  pid: 4596  process: 5cafcad96e19beddbb93716bdcf3b79cc83919bf556c7698dc5be2d0ed68cf71.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes: 5cafcad96e19beddbb93716bdcf3b79cc83919bf556c7698dc5be2d0ed68cf71.exe
  description: Token: SeDebugPrivilege  pid: 4596  process: 5cafcad96e19beddbb93716bdcf3b79cc83919bf556c7698dc5be2d0ed68cf71.exe

Suspicious use of WriteProcessMemory (9 IoCs)
Processes: 5cafcad96e19beddbb93716bdcf3b79cc83919bf556c7698dc5be2d0ed68cf71.exe, cmd.exe
  description                        pid   process                                                                   target process
  PID 4596 wrote to memory of 4780   4596  5cafcad96e19beddbb93716bdcf3b79cc83919bf556c7698dc5be2d0ed68cf71.exe     cmd.exe
  PID 4596 wrote to memory of 4780   4596  5cafcad96e19beddbb93716bdcf3b79cc83919bf556c7698dc5be2d0ed68cf71.exe     cmd.exe
  PID 4596 wrote to memory of 2340   4596  5cafcad96e19beddbb93716bdcf3b79cc83919bf556c7698dc5be2d0ed68cf71.exe     sihost.exe
  PID 4780 wrote to memory of 3292   4780  cmd.exe                                                                   reg.exe
  PID 4780 wrote to memory of 3292   4780  cmd.exe                                                                   reg.exe
  PID 4596 wrote to memory of 2356   4596  5cafcad96e19beddbb93716bdcf3b79cc83919bf556c7698dc5be2d0ed68cf71.exe     svchost.exe
  PID 4596 wrote to memory of 2472   4596  5cafcad96e19beddbb93716bdcf3b79cc83919bf556c7698dc5be2d0ed68cf71.exe     taskhostw.exe
  PID 4596 wrote to memory of 808    4596  5cafcad96e19beddbb93716bdcf3b79cc83919bf556c7698dc5be2d0ed68cf71.exe     svchost.exe
  PID 4596 wrote to memory of 3276   4596  5cafcad96e19beddbb93716bdcf3b79cc83919bf556c7698dc5be2d0ed68cf71.exe     DllHost.exe
Processes

C:\Windows\system32\sihost.exe
  Command line: sihost.exe
  PID: 2340

C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
  PID: 2356

C:\Windows\system32\DllHost.exe
  Command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  PID: 3276

C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
  PID: 808

C:\Windows\system32\taskhostw.exe
  Command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  PID: 2472

C:\Users\Admin\AppData\Local\Temp\5cafcad96e19beddbb93716bdcf3b79cc83919bf556c7698dc5be2d0ed68cf71.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5cafcad96e19beddbb93716bdcf3b79cc83919bf556c7698dc5be2d0ed68cf71.exe"
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 4596

  Child process: C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\5cafcad96e19beddbb93716bdcf3b79cc83919bf556c7698dc5be2d0ed68cf71.exe" /f
    - Suspicious use of WriteProcessMemory
    PID: 4780

    Child process: C:\Windows\system32\reg.exe
      Command line: REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\5cafcad96e19beddbb93716bdcf3b79cc83919bf556c7698dc5be2d0ed68cf71.exe" /f
      PID: 3292