1a6fd38ece3d73b6612263fed6de4c553cbb46d6e5637e6cd6214ade39b81782

Analysis

max time kernel
150s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
28-04-2022 20:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MethamphetamineSolutionsLoader.exe
Size

8.0MB
MD5

760862da38d026ae351dca91202add60
SHA1

ae1def931735a30a44e93a66afa2e72d9d72d8e9
SHA256

1a6fd38ece3d73b6612263fed6de4c553cbb46d6e5637e6cd6214ade39b81782
SHA512

c529abf8099c96b0cfffa023f6d5b6b5dc2c2bcb73e1720042a8a842904cba068d7dcad873019b790fe125670331c791122eb8806fe91711a01987bda2d79bd8

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

RtgNSlMYtFvlTt52WHci.exenetmonitor.exesvchost.exe

pid process

1448 RtgNSlMYtFvlTt52WHci.exe
4800 netmonitor.exe
4564 svchost.exe

pid	process
1448	RtgNSlMYtFvlTt52WHci.exe
4800	netmonitor.exe
4564	svchost.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WScript.exeRtgNSlMYtFvlTt52WHci.exeWScript.exeMethamphetamineSolutionsLoader.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	RtgNSlMYtFvlTt52WHci.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	MethamphetamineSolutionsLoader.exe

Drops file in Program Files directory 2 IoCs

Processes:

netmonitor.exe

description	ioc	process
File created	C:\Program Files (x86)\Windows Defender\es-ES\svchost.exe	netmonitor.exe
File created	C:\Program Files (x86)\Windows Defender\es-ES\f4d236fdec2fd03914189c3b26e5cb0dfea9d761	netmonitor.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3792 4564 WerFault.exe svchost.exe
Creates scheduled task(s) 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

4128 schtasks.exe
5084 schtasks.exe
4692 schtasks.exe
4436 schtasks.exe
4740 schtasks.exe

pid	pid_target	process	target process
3792	4564	WerFault.exe	svchost.exe

pid	process
4128	schtasks.exe
5084	schtasks.exe
4692	schtasks.exe
4436	schtasks.exe
4740	schtasks.exe

Modifies registry class 2 IoCs

Processes:

MethamphetamineSolutionsLoader.exeRtgNSlMYtFvlTt52WHci.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings	MethamphetamineSolutionsLoader.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings	RtgNSlMYtFvlTt52WHci.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

netmonitor.exesvchost.exe

pid process

4800 netmonitor.exe
4564 svchost.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

netmonitor.exesvchost.exe

description pid process

Token: SeDebugPrivilege 4800 netmonitor.exe
Token: SeDebugPrivilege 4564 svchost.exe

pid	process
4800	netmonitor.exe
4564	svchost.exe

description	pid	process
Token: SeDebugPrivilege	4800	netmonitor.exe
Token: SeDebugPrivilege	4564	svchost.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

MethamphetamineSolutionsLoader.exeWScript.execmd.exeRtgNSlMYtFvlTt52WHci.exeWScript.execmd.exenetmonitor.exe

description	pid	process	target process
PID 3420 wrote to memory of 2140	3420	MethamphetamineSolutionsLoader.exe	WScript.exe
PID 3420 wrote to memory of 2140	3420	MethamphetamineSolutionsLoader.exe	WScript.exe
PID 3420 wrote to memory of 2140	3420	MethamphetamineSolutionsLoader.exe	WScript.exe
PID 2140 wrote to memory of 2552	2140	WScript.exe	cmd.exe
PID 2140 wrote to memory of 2552	2140	WScript.exe	cmd.exe
PID 2140 wrote to memory of 2552	2140	WScript.exe	cmd.exe
PID 2552 wrote to memory of 1448	2552	cmd.exe	RtgNSlMYtFvlTt52WHci.exe
PID 2552 wrote to memory of 1448	2552	cmd.exe	RtgNSlMYtFvlTt52WHci.exe
PID 2552 wrote to memory of 1448	2552	cmd.exe	RtgNSlMYtFvlTt52WHci.exe
PID 1448 wrote to memory of 1972	1448	RtgNSlMYtFvlTt52WHci.exe	WScript.exe
PID 1448 wrote to memory of 1972	1448	RtgNSlMYtFvlTt52WHci.exe	WScript.exe
PID 1448 wrote to memory of 1972	1448	RtgNSlMYtFvlTt52WHci.exe	WScript.exe
PID 1448 wrote to memory of 2124	1448	RtgNSlMYtFvlTt52WHci.exe	WScript.exe
PID 1448 wrote to memory of 2124	1448	RtgNSlMYtFvlTt52WHci.exe	WScript.exe
PID 1448 wrote to memory of 2124	1448	RtgNSlMYtFvlTt52WHci.exe	WScript.exe
PID 1972 wrote to memory of 3188	1972	WScript.exe	cmd.exe
PID 1972 wrote to memory of 3188	1972	WScript.exe	cmd.exe
PID 1972 wrote to memory of 3188	1972	WScript.exe	cmd.exe
PID 3188 wrote to memory of 4800	3188	cmd.exe	netmonitor.exe
PID 3188 wrote to memory of 4800	3188	cmd.exe	netmonitor.exe
PID 4800 wrote to memory of 4128	4800	netmonitor.exe	schtasks.exe
PID 4800 wrote to memory of 4128	4800	netmonitor.exe	schtasks.exe
PID 4800 wrote to memory of 5084	4800	netmonitor.exe	schtasks.exe
PID 4800 wrote to memory of 5084	4800	netmonitor.exe	schtasks.exe
PID 4800 wrote to memory of 4692	4800	netmonitor.exe	schtasks.exe
PID 4800 wrote to memory of 4692	4800	netmonitor.exe	schtasks.exe
PID 4800 wrote to memory of 4436	4800	netmonitor.exe	schtasks.exe
PID 4800 wrote to memory of 4436	4800	netmonitor.exe	schtasks.exe
PID 4800 wrote to memory of 4740	4800	netmonitor.exe	schtasks.exe
PID 4800 wrote to memory of 4740	4800	netmonitor.exe	schtasks.exe
PID 4800 wrote to memory of 4564	4800	netmonitor.exe	svchost.exe
PID 4800 wrote to memory of 4564	4800	netmonitor.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\MethamphetamineSolutionsLoader.exe
"C:\Users\Admin\AppData\Local\Temp\MethamphetamineSolutionsLoader.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3420

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\monitordhcp\FvrnkODJoiUIyeHAEoTP0Qn5ZC7TdH.vbe"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2140

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\monitordhcp\z1T7e01kTYgKk52k4EOgwkfTxey3zt.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:2552

C:\Users\Admin\AppData\Local\Temp\monitordhcp\RtgNSlMYtFvlTt52WHci.exe
RtgNSlMYtFvlTt52WHci.exe -p721e19c01b35f90a5d4059aedd8f740b779e743b
4⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1448

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\monitordhcp\4mdxDUI6yqvmVknEtk7bYzbiBR8MHO.vbe"
5⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1972

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\monitordhcp\3hvxTv4ZROtMpYMGDajjCJWH8roHGs.bat" "
6⤵
- Suspicious use of WriteProcessMemory
PID:3188

C:\Users\Admin\AppData\Local\Temp\monitordhcp\netmonitor.exe
"C:\Users\Admin\AppData\Local\Temp\monitordhcp\netmonitor.exe"
7⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4800

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svchost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\svchost.exe'" /rl HIGHEST /f
8⤵
- Creates scheduled task(s)
PID:4128

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svchost" /sc ONLOGON /tr "'C:\ProgramData\Oracle\svchost.exe'" /rl HIGHEST /f
8⤵
- Creates scheduled task(s)
PID:5084

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svchost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\svchost.exe'" /rl HIGHEST /f
8⤵
- Creates scheduled task(s)
PID:4692

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svchost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\svchost.exe'" /rl HIGHEST /f
8⤵
- Creates scheduled task(s)
PID:4436

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svchost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\es-ES\svchost.exe'" /rl HIGHEST /f
8⤵
- Creates scheduled task(s)
PID:4740

C:\Program Files (x86)\Windows Defender\es-ES\svchost.exe
"C:\Program Files (x86)\Windows Defender\es-ES\svchost.exe"
8⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4564

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4564 -s 1892
9⤵
- Program crash
PID:3792

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\monitordhcp\msg.vbs"
5⤵
PID:2124

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 444 -p 4564 -ip 4564
1⤵
PID:2576

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
1⤵
PID:996

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows Defender\es-ES\svchost.exe
Filesize
1.6MB

MD5
22097aca271c6d085b703bc64422b4b3

SHA1
a1e7d6cddc40cdcb675ecd72404d5cec66f7be5b

SHA256
4b111342f4fc80eb249bf89f3352b067d0591b9ffb24a74b49a301af5deef133

SHA512
9eb7452981524698e4dc0db065614cea5d7f422f386801d57eca6dd93d67a686d573cd241b045f1fe9033c204f33b27861ed5b139004b65b4f07be9426969603

Download Submit
C:\Program Files (x86)\Windows Defender\es-ES\svchost.exe
Filesize
1.6MB

MD5
22097aca271c6d085b703bc64422b4b3

SHA1
a1e7d6cddc40cdcb675ecd72404d5cec66f7be5b

SHA256
4b111342f4fc80eb249bf89f3352b067d0591b9ffb24a74b49a301af5deef133

SHA512
9eb7452981524698e4dc0db065614cea5d7f422f386801d57eca6dd93d67a686d573cd241b045f1fe9033c204f33b27861ed5b139004b65b4f07be9426969603

Download Submit
C:\Users\Admin\AppData\Local\Temp\monitordhcp\3hvxTv4ZROtMpYMGDajjCJWH8roHGs.bat
Filesize
35B

MD5
4b64bbf9c835fdb21a4fd461d38a3a65

SHA1
5fff8b8e5c48a0e8de844b42c771041ffcdb84af

SHA256
ecfc21fd14339226b1c2e0a40be6fe6c590ac05cab44b16e7db397f9471f4ddf

SHA512
c11f3ed222b7fdceae583ec0bd9156a0beb030058edfc3c6656d4738e2cdd2b1dccd5b11d13ed53160970258c80cb0baa4ef5592411cb23c077b1e99c7d56892

Download Submit
C:\Users\Admin\AppData\Local\Temp\monitordhcp\4mdxDUI6yqvmVknEtk7bYzbiBR8MHO.vbe
Filesize
227B

MD5
abdcd2987b40e0022f1f4f782e5e289b

SHA1
fc5606a2292d892a0866858e1f822a0fd18e452b

SHA256
6ef2819df6d9e68e766c153dd3ada646d70c0f8cd1326c7dc2eff9b6f4681f5a

SHA512
9376bd090379e0fd1bd223e1484974da6630de1de17ef8049c0361dd531e24fb7873cab4d1151c78409a22827e38606fd73fb91d501b782fde40a9a5cd28e4d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\monitordhcp\FvrnkODJoiUIyeHAEoTP0Qn5ZC7TdH.vbe
Filesize
151B

MD5
90c3382006ed7324e7abf37fb98894f9

SHA1
b54b59c945f8cc5bef2c66361eaac9bfdcab7960

SHA256
9505847a0d9c07c385abb1e236c5ef2d3763e69c9eb8d7faba37486d31e0827e

SHA512
b0b4ed5929d980abef8027c8861057a7910ab5f5f64d08bb9667d4ddaea906c6330eb28a5bce7fe6daf872bb18eefd3e148a900b66b3079411c0b7d9da6dc9c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\monitordhcp\MOS
Filesize
123B

MD5
a96f5f02c199e5179c09381c73f74232

SHA1
815ae72244d01d7491e3c9e1764180164ed9f0de

SHA256
31f4fd990ffee590b8e3a70c66fdd7d18cb18869dea7d1a73a7e898c6d2e2a74

SHA512
8eb5a654adc07373f0557205f674aace467a9cb5be2f6ea9a253e13846a5fc3078b42f836428f040f9c9a23a757a33df05ba61f0c1406f112aaa54cd4b8cccb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\monitordhcp\RtgNSlMYtFvlTt52WHci.exe
Filesize
1.3MB

MD5
98b49b687aad9b0dcccebaa71d43747d

SHA1
1966ff6f232856e7e25b66f570a02c54960dd1f6

SHA256
d4ca9a4ea5d070206824a2b68921c4bdfa7bf038e0f82cfeb0472b17881fbcaf

SHA512
02b6a009eca115e09e6228e834ba0654c2804a0b07fda088116412a71f45b59c25f24ab7ceb54a7c1c5d628395e7bc55b94f0240c7438571c4e0c2a9db208ee2

Download Submit
C:\Users\Admin\AppData\Local\Temp\monitordhcp\RtgNSlMYtFvlTt52WHci.exe
Filesize
1.3MB

MD5
98b49b687aad9b0dcccebaa71d43747d

SHA1
1966ff6f232856e7e25b66f570a02c54960dd1f6

SHA256
d4ca9a4ea5d070206824a2b68921c4bdfa7bf038e0f82cfeb0472b17881fbcaf

SHA512
02b6a009eca115e09e6228e834ba0654c2804a0b07fda088116412a71f45b59c25f24ab7ceb54a7c1c5d628395e7bc55b94f0240c7438571c4e0c2a9db208ee2

Download Submit
C:\Users\Admin\AppData\Local\Temp\monitordhcp\msg.vbs
Filesize
128B

MD5
01c71ea2d98437129936261c48403132

SHA1
dc689fb68a3e7e09a334e7a37c0d10d0641af1a6

SHA256
0401f2dd76d5ed6f90c82b72e1e7a122ef127bedbaf717532c4bba26d43a0061

SHA512
a668d4216a50ccc699221dd902d8b0f864e44368dc7474fa5659a739154d4e769b85d49b60a73affb8fba7628e7210b0f8106d5652006d1bbba67083513e65d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\monitordhcp\netmonitor.exe
Filesize
1.6MB

MD5
22097aca271c6d085b703bc64422b4b3

SHA1
a1e7d6cddc40cdcb675ecd72404d5cec66f7be5b

SHA256
4b111342f4fc80eb249bf89f3352b067d0591b9ffb24a74b49a301af5deef133

SHA512
9eb7452981524698e4dc0db065614cea5d7f422f386801d57eca6dd93d67a686d573cd241b045f1fe9033c204f33b27861ed5b139004b65b4f07be9426969603

Download Submit
C:\Users\Admin\AppData\Local\Temp\monitordhcp\netmonitor.exe
Filesize
1.6MB

MD5
22097aca271c6d085b703bc64422b4b3

SHA1
a1e7d6cddc40cdcb675ecd72404d5cec66f7be5b

SHA256
4b111342f4fc80eb249bf89f3352b067d0591b9ffb24a74b49a301af5deef133

SHA512
9eb7452981524698e4dc0db065614cea5d7f422f386801d57eca6dd93d67a686d573cd241b045f1fe9033c204f33b27861ed5b139004b65b4f07be9426969603

Download Submit
C:\Users\Admin\AppData\Local\Temp\monitordhcp\z1T7e01kTYgKk52k4EOgwkfTxey3zt.bat
Filesize
625B

MD5
6176c194ea1490ee585985a9374a7f63

SHA1
eff00b803ad20094c8a8121d81af3e12aae32a43

SHA256
72fc248e868a01f354f6d679389d7b75e6cb53212367221b9599c753a7abe095

SHA512
09ebe600cccdbdbe2441b8d147531fe9470a5c7103cf70e71d45d8176d59e3343dbe26e7aab8a1be3356546ee11c7c367857c1452a4a1bc65df21ceb9ae3513d

Download Submit
memory/1448-134-0x0000000000000000-mapping.dmp

Download
memory/1972-137-0x0000000000000000-mapping.dmp

Download
memory/2124-138-0x0000000000000000-mapping.dmp

Download
memory/2140-130-0x0000000000000000-mapping.dmp

Download
memory/2552-133-0x0000000000000000-mapping.dmp

Download
memory/3188-143-0x0000000000000000-mapping.dmp

Download
memory/4128-150-0x0000000000000000-mapping.dmp

Download
memory/4436-153-0x0000000000000000-mapping.dmp

Download
memory/4564-158-0x00007FF875CE0000-0x00007FF8767A1000-memory.dmp

Filesize
10.8MB

Download
memory/4564-155-0x0000000000000000-mapping.dmp

Download
memory/4692-152-0x0000000000000000-mapping.dmp

Download
memory/4740-154-0x0000000000000000-mapping.dmp

Download
memory/4800-144-0x0000000000000000-mapping.dmp

Download
memory/4800-149-0x000001FD8D180000-0x000001FD8D19A000-memory.dmp

Filesize
104KB

Download
memory/4800-148-0x00007FF875CE0000-0x00007FF8767A1000-memory.dmp

Filesize
10.8MB

Download
memory/4800-147-0x000001FD8B490000-0x000001FD8B638000-memory.dmp

Filesize
1.7MB

Download
memory/5084-151-0x0000000000000000-mapping.dmp

Download