a0dccbe010859116063fc3f7e00c8c7bd68b849eeb7238a10b1b9f07f5c36510

General

Target

a0dccbe010859116063fc3f7e00c8c7bd68b849eeb7238a10b1b9f07f5c36510.exe
Size

171KB
MD5

567407d941d99abeff20a1b836570d30
SHA1

e8866fda01f91c6d4bf8c51cf4cbc7f103e87b0b
SHA256

a0dccbe010859116063fc3f7e00c8c7bd68b849eeb7238a10b1b9f07f5c36510
SHA512

514cc28f8da0e8bf054bf0a0963c4253a16df1d5cb8e87dd09294ab97d8e1b5b5fc18c54920a3829d40b0bdda5837567a73b39b4d1839ab919d672ceaf32989b

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	a0dccbe010859116063fc3f7e00c8c7bd68b849eeb7238a10b1b9f07f5c36510.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\a0dccbe010859116063fc3f7e00c8c7bd68b849eeb7238a10b1b9f07f5c36510.exe"	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
532	a0dccbe010859116063fc3f7e00c8c7bd68b849eeb7238a10b1b9f07f5c36510.exe
532	a0dccbe010859116063fc3f7e00c8c7bd68b849eeb7238a10b1b9f07f5c36510.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	532	a0dccbe010859116063fc3f7e00c8c7bd68b849eeb7238a10b1b9f07f5c36510.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 532 wrote to memory of 2692	532	a0dccbe010859116063fc3f7e00c8c7bd68b849eeb7238a10b1b9f07f5c36510.exe	83
PID 532 wrote to memory of 2692	532	a0dccbe010859116063fc3f7e00c8c7bd68b849eeb7238a10b1b9f07f5c36510.exe	83
PID 532 wrote to memory of 2296	532	a0dccbe010859116063fc3f7e00c8c7bd68b849eeb7238a10b1b9f07f5c36510.exe	59
PID 2692 wrote to memory of 2040	2692	cmd.exe	85
PID 2692 wrote to memory of 2040	2692	cmd.exe	85
PID 532 wrote to memory of 2348	532	a0dccbe010859116063fc3f7e00c8c7bd68b849eeb7238a10b1b9f07f5c36510.exe	25
PID 532 wrote to memory of 2464	532	a0dccbe010859116063fc3f7e00c8c7bd68b849eeb7238a10b1b9f07f5c36510.exe	26
PID 532 wrote to memory of 2964	532	a0dccbe010859116063fc3f7e00c8c7bd68b849eeb7238a10b1b9f07f5c36510.exe	52
PID 532 wrote to memory of 3244	532	a0dccbe010859116063fc3f7e00c8c7bd68b849eeb7238a10b1b9f07f5c36510.exe	31

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2348

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2464

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3244

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:2964

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2296

C:\Users\Admin\AppData\Local\Temp\a0dccbe010859116063fc3f7e00c8c7bd68b849eeb7238a10b1b9f07f5c36510.exe
"C:\Users\Admin\AppData\Local\Temp\a0dccbe010859116063fc3f7e00c8c7bd68b849eeb7238a10b1b9f07f5c36510.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:532
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\a0dccbe010859116063fc3f7e00c8c7bd68b849eeb7238a10b1b9f07f5c36510.exe" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2692
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\a0dccbe010859116063fc3f7e00c8c7bd68b849eeb7238a10b1b9f07f5c36510.exe" /f
    3⤵
    - Adds Run key to start application
    PID:2040

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2296-130-0x00007FF64D050000-0x00007FF64D3DE000-memory.dmp

Filesize
3.6MB

Download
memory/2348-131-0x00007FF64D050000-0x00007FF64D3DE000-memory.dmp

Filesize
3.6MB

Download

Analysis

Sharing