318963e919790a5ced29f618ad9c1e25ec71c16b11a89674fcf390aa1fb776c8

Analysis

max time kernel
43s
max time network
80s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
20-02-2022 08:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

318963e919790a5ced29f618ad9c1e25ec71c16b11a89674fcf390aa1fb776c8.exe
Size

146KB
MD5

7a848ae6229c0d40c7ebe455ce9dd5f7
SHA1

a3a7647fb25c6c037848546d143b8f968c4c6b82
SHA256

318963e919790a5ced29f618ad9c1e25ec71c16b11a89674fcf390aa1fb776c8
SHA512

0b7a22354354ecdc53678297bf10e7b721c41c701d21333b65fe063b18879e77d25be3d57f83590f875a513a747ed5f9a1a0f1e72b4119d159896bdec3437a50

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

318963e919790a5ced29f618ad9c1e25ec71c16b11a89674fcf390aa1fb776c8.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	318963e919790a5ced29f618ad9c1e25ec71c16b11a89674fcf390aa1fb776c8.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

318963e919790a5ced29f618ad9c1e25ec71c16b11a89674fcf390aa1fb776c8.exe

pid	process
1300	318963e919790a5ced29f618ad9c1e25ec71c16b11a89674fcf390aa1fb776c8.exe
1300	318963e919790a5ced29f618ad9c1e25ec71c16b11a89674fcf390aa1fb776c8.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

318963e919790a5ced29f618ad9c1e25ec71c16b11a89674fcf390aa1fb776c8.exe

description pid process

Token: SeDebugPrivilege 1300 318963e919790a5ced29f618ad9c1e25ec71c16b11a89674fcf390aa1fb776c8.exe

description	pid	process
Token: SeDebugPrivilege	1300	318963e919790a5ced29f618ad9c1e25ec71c16b11a89674fcf390aa1fb776c8.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

318963e919790a5ced29f618ad9c1e25ec71c16b11a89674fcf390aa1fb776c8.exe

description	pid	process	target process
PID 1300 wrote to memory of 2944	1300	318963e919790a5ced29f618ad9c1e25ec71c16b11a89674fcf390aa1fb776c8.exe	cmd.exe
PID 1300 wrote to memory of 2944	1300	318963e919790a5ced29f618ad9c1e25ec71c16b11a89674fcf390aa1fb776c8.exe	cmd.exe
PID 1300 wrote to memory of 2312	1300	318963e919790a5ced29f618ad9c1e25ec71c16b11a89674fcf390aa1fb776c8.exe	sihost.exe
PID 1300 wrote to memory of 2340	1300	318963e919790a5ced29f618ad9c1e25ec71c16b11a89674fcf390aa1fb776c8.exe	svchost.exe

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2312

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2340

C:\Users\Admin\AppData\Local\Temp\318963e919790a5ced29f618ad9c1e25ec71c16b11a89674fcf390aa1fb776c8.exe
"C:\Users\Admin\AppData\Local\Temp\318963e919790a5ced29f618ad9c1e25ec71c16b11a89674fcf390aa1fb776c8.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1300

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\318963e919790a5ced29f618ad9c1e25ec71c16b11a89674fcf390aa1fb776c8.exe" /f
2⤵
PID:2944

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2312-130-0x00007FF609C60000-0x00007FF609FE7000-memory.dmp

Filesize
3.5MB

Download
memory/2340-131-0x00007FF609C60000-0x00007FF609FE7000-memory.dmp

Filesize
3.5MB

Download