a8e2b38c576bf19f6b0bed69c85c2a64445337087257cf566388f7b0d6d583a3

Resubmissions

24-02-2022 11:14

220224-nb4r6schd4 10

22-02-2022 08:33

220222-kfyj6sfggn 8

Analysis

max time kernel
152s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
22-02-2022 08:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a8e2b38c576bf19f6b0bed69c85c2a64445337087257cf566388f7b0d6d583a3.exe
Size

267KB
MD5

e99b341dfd3147e5bbb385e7cc5e5e17
SHA1

e5d152281a61be6db5f3d8d42d985210c4faf283
SHA256

a8e2b38c576bf19f6b0bed69c85c2a64445337087257cf566388f7b0d6d583a3
SHA512

74d9a6d521dcc6a74c47511185efa3d026d72ee03e4986fb700c1c0555a5511cc7f2c85de9ad2da6373683f3578275c3f7561f664115bfaa054be32b05bcd14c

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4120	Mc.exe
1732	Mc.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	a8e2b38c576bf19f6b0bed69c85c2a64445337087257cf566388f7b0d6d583a3.exe

Loads dropped DLL 2 IoCs

pid	Process
4120	Mc.exe
1732	Mc.exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\McUtil.dll	Mc.exe
File opened for modification	C:\Windows\SysWOW64\McUtil.dll	Mc.exe
File created	C:\Windows\SysWOW64\McUtil.dll	Mc.exe
File opened for modification	C:\Windows\SysWOW64\McUtil.dll.url	Mc.exe
File created	C:\Windows\SysWOW64\McUtil.dll.url	Mc.exe
File opened for modification	C:\Windows\SysWOW64\Mc.exe	Mc.exe
File created	C:\Windows\SysWOW64\Mc.exe	Mc.exe
File opened for modification	C:\Windows\SysWOW64\McUtil.dll	Mc.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe
File opened for modification	C:\Windows\SysWOW64	Mc.exe
File opened for modification	C:\Windows\SysWOW64	Mc.exe
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	4120	Mc.exe
Token: SeTcbPrivilege	4120	Mc.exe
Token: SeDebugPrivilege	1732	Mc.exe
Token: SeTcbPrivilege	1732	Mc.exe
Token: SeShutdownPrivilege	4312	svchost.exe
Token: SeCreatePagefilePrivilege	4312	svchost.exe
Token: SeShutdownPrivilege	4312	svchost.exe
Token: SeCreatePagefilePrivilege	4312	svchost.exe
Token: SeShutdownPrivilege	4312	svchost.exe
Token: SeCreatePagefilePrivilege	4312	svchost.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3376 wrote to memory of 4120	3376	a8e2b38c576bf19f6b0bed69c85c2a64445337087257cf566388f7b0d6d583a3.exe	81
PID 3376 wrote to memory of 4120	3376	a8e2b38c576bf19f6b0bed69c85c2a64445337087257cf566388f7b0d6d583a3.exe	81
PID 3376 wrote to memory of 4120	3376	a8e2b38c576bf19f6b0bed69c85c2a64445337087257cf566388f7b0d6d583a3.exe	81

C:\Users\Admin\AppData\Local\Temp\a8e2b38c576bf19f6b0bed69c85c2a64445337087257cf566388f7b0d6d583a3.exe
"C:\Users\Admin\AppData\Local\Temp\a8e2b38c576bf19f6b0bed69c85c2a64445337087257cf566388f7b0d6d583a3.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3376
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\Mc.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Mc.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:4120

C:\Windows\SysWOW64\Mc.exe
C:\Windows\SysWOW64\Mc.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1732

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4312

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1732-143-0x0000000000500000-0x0000000000527000-memory.dmp

Filesize
156KB

Download
memory/4120-140-0x0000000000402000-0x0000000000403000-memory.dmp

Filesize
4KB

Download
memory/4120-141-0x0000000002120000-0x0000000002220000-memory.dmp

Filesize
1024KB

Download
memory/4120-142-0x0000000001F90000-0x0000000001FB7000-memory.dmp

Filesize
156KB

Download
memory/4312-144-0x000001ADF1560000-0x000001ADF1570000-memory.dmp

Filesize
64KB

Download
memory/4312-145-0x000001ADF1B20000-0x000001ADF1B30000-memory.dmp

Filesize
64KB

Download
memory/4312-146-0x000001ADF41E0000-0x000001ADF41E4000-memory.dmp

Filesize
16KB

Download