Analysis
- max time kernel: 33s
- max time network: 100s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 20-02-2022 09:49
Static task: static1
Behavioral task: behavioral1
  Sample: 18faf22d7b96bfdb5fd806d4fe6fd9124b665b571d89cb53975bc3e23dd75ff1.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 18faf22d7b96bfdb5fd806d4fe6fd9124b665b571d89cb53975bc3e23dd75ff1.exe
  Resource: win10v2004-en-20220113
General
- Target: 18faf22d7b96bfdb5fd806d4fe6fd9124b665b571d89cb53975bc3e23dd75ff1.exe
- Size: 200KB
- MD5: c8325c660ea72a8eb5281898f7a87f34
- SHA1: dd318ffdd4b1081733dccf95cddb4e000814e005
- SHA256: 18faf22d7b96bfdb5fd806d4fe6fd9124b665b571d89cb53975bc3e23dd75ff1
- SHA512: 835ae5c5740c8a17973cb0e4265bd93925f59abdacdeb17b9d9eb53a3776c48ed7cfc0f5c044f9adf61be4d86f40059c6bca755faf3e9716bd46dc9dab6f328c
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes (pid, process):
    1280  YvrCxCd.exe
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes (description, ioc, process):
    Key value queried  \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation  18faf22d7b96bfdb5fd806d4fe6fd9124b665b571d89cb53975bc3e23dd75ff1.exe
    Key value queried  \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation  YvrCxCd.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs net.exe
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes (pid, process):
    2460  18faf22d7b96bfdb5fd806d4fe6fd9124b665b571d89cb53975bc3e23dd75ff1.exe
    2460  18faf22d7b96bfdb5fd806d4fe6fd9124b665b571d89cb53975bc3e23dd75ff1.exe
    2460  18faf22d7b96bfdb5fd806d4fe6fd9124b665b571d89cb53975bc3e23dd75ff1.exe
    2460  18faf22d7b96bfdb5fd806d4fe6fd9124b665b571d89cb53975bc3e23dd75ff1.exe
    1280  YvrCxCd.exe
    1280  YvrCxCd.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description, pid, process):
    Token: SeDebugPrivilege   2460  18faf22d7b96bfdb5fd806d4fe6fd9124b665b571d89cb53975bc3e23dd75ff1.exe
    Token: SeBackupPrivilege  1280  YvrCxCd.exe
- Suspicious use of WriteProcessMemory (23 IoCs)
  Processes (description, pid, process, target process):
    PID 2460 wrote to memory of 1280  2460  18faf22d7b96bfdb5fd806d4fe6fd9124b665b571d89cb53975bc3e23dd75ff1.exe  YvrCxCd.exe
    PID 2460 wrote to memory of 1280  2460  18faf22d7b96bfdb5fd806d4fe6fd9124b665b571d89cb53975bc3e23dd75ff1.exe  YvrCxCd.exe
    PID 2460 wrote to memory of 2344  2460  18faf22d7b96bfdb5fd806d4fe6fd9124b665b571d89cb53975bc3e23dd75ff1.exe  sihost.exe
    PID 2460 wrote to memory of 484   2460  18faf22d7b96bfdb5fd806d4fe6fd9124b665b571d89cb53975bc3e23dd75ff1.exe  net.exe
    PID 2460 wrote to memory of 484   2460  18faf22d7b96bfdb5fd806d4fe6fd9124b665b571d89cb53975bc3e23dd75ff1.exe  net.exe
    PID 2460 wrote to memory of 2372  2460  18faf22d7b96bfdb5fd806d4fe6fd9124b665b571d89cb53975bc3e23dd75ff1.exe  svchost.exe
    PID 2460 wrote to memory of 2216  2460  18faf22d7b96bfdb5fd806d4fe6fd9124b665b571d89cb53975bc3e23dd75ff1.exe  net.exe
    PID 2460 wrote to memory of 2216  2460  18faf22d7b96bfdb5fd806d4fe6fd9124b665b571d89cb53975bc3e23dd75ff1.exe  net.exe
    PID 484 wrote to memory of 3588   484   net.exe  net1.exe
    PID 484 wrote to memory of 3588   484   net.exe  net1.exe
    PID 2216 wrote to memory of 2324  2216  net.exe  net1.exe
    PID 2216 wrote to memory of 2324  2216  net.exe  net1.exe
    PID 2460 wrote to memory of 2468  2460  18faf22d7b96bfdb5fd806d4fe6fd9124b665b571d89cb53975bc3e23dd75ff1.exe  taskhostw.exe
    PID 2460 wrote to memory of 1148  2460  18faf22d7b96bfdb5fd806d4fe6fd9124b665b571d89cb53975bc3e23dd75ff1.exe  svchost.exe
    PID 1280 wrote to memory of 3584  1280  YvrCxCd.exe  net.exe
    PID 1280 wrote to memory of 3584  1280  YvrCxCd.exe  net.exe
    PID 3584 wrote to memory of 1576  3584  net.exe  net1.exe
    PID 3584 wrote to memory of 1576  3584  net.exe  net1.exe
    PID 1280 wrote to memory of 3024  1280  YvrCxCd.exe  net.exe
    PID 1280 wrote to memory of 3024  1280  YvrCxCd.exe  net.exe
    PID 3024 wrote to memory of 1116  3024  net.exe  net1.exe
    PID 3024 wrote to memory of 1116  3024  net.exe  net1.exe
    PID 2460 wrote to memory of 3248  2460  18faf22d7b96bfdb5fd806d4fe6fd9124b665b571d89cb53975bc3e23dd75ff1.exe  DllHost.exe
Processes (process tree; indentation shows parent/child depth)
- C:\Windows\system32\DllHost.exe
  Command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
- C:\Windows\system32\taskhostw.exe
  Command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
- C:\Windows\system32\sihost.exe
  Command line: sihost.exe
- C:\Users\Admin\AppData\Local\Temp\18faf22d7b96bfdb5fd806d4fe6fd9124b665b571d89cb53975bc3e23dd75ff1.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\18faf22d7b96bfdb5fd806d4fe6fd9124b665b571d89cb53975bc3e23dd75ff1.exe"
  Signatures: Checks computer location settings; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\YvrCxCd.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\YvrCxCd.exe" 8 LAN
    Signatures: Executes dropped EXE; Checks computer location settings; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\System32\net.exe
      Command line: "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\net1.exe
        Command line: C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    - C:\Windows\System32\net.exe
      Command line: "C:\Windows\System32\net.exe" stop "samss" /y
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\net1.exe
        Command line: C:\Windows\system32\net1 stop "samss" /y
  - C:\Windows\System32\net.exe
    Command line: "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe
      Command line: C:\Windows\system32\net1 stop "audioendpointbuilder" /y
  - C:\Windows\System32\net.exe
    Command line: "C:\Windows\System32\net.exe" stop "samss" /y
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe
      Command line: C:\Windows\system32\net1 stop "samss" /y
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Temp\YvrCxCd.exe
  MD5: c8325c660ea72a8eb5281898f7a87f34
  SHA1: dd318ffdd4b1081733dccf95cddb4e000814e005
  SHA256: 18faf22d7b96bfdb5fd806d4fe6fd9124b665b571d89cb53975bc3e23dd75ff1
  SHA512: 835ae5c5740c8a17973cb0e4265bd93925f59abdacdeb17b9d9eb53a3776c48ed7cfc0f5c044f9adf61be4d86f40059c6bca755faf3e9716bd46dc9dab6f328c
- memory/2344-135-0x00007FF7A0AB0000-0x00007FF7A0D89000-memory.dmp
  Filesize: 2.8MB
- memory/2372-136-0x00007FF7A0AB0000-0x00007FF7A0D89000-memory.dmp
  Filesize: 2.8MB