1a6fd38ece3d73b6612263fed6de4c553cbb46d6e5637e6cd6214ade39b81782

Analysis

max time kernel
150s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
28-04-2022 20:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MethamphetamineSolutionsLoader.exe
Size

8.0MB
MD5

760862da38d026ae351dca91202add60
SHA1

ae1def931735a30a44e93a66afa2e72d9d72d8e9
SHA256

1a6fd38ece3d73b6612263fed6de4c553cbb46d6e5637e6cd6214ade39b81782
SHA512

c529abf8099c96b0cfffa023f6d5b6b5dc2c2bcb73e1720042a8a842904cba068d7dcad873019b790fe125670331c791122eb8806fe91711a01987bda2d79bd8

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1448	RtgNSlMYtFvlTt52WHci.exe
4800	netmonitor.exe
4564	svchost.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	RtgNSlMYtFvlTt52WHci.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	MethamphetamineSolutionsLoader.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Defender\es-ES\svchost.exe	netmonitor.exe
File created	C:\Program Files (x86)\Windows Defender\es-ES\f4d236fdec2fd03914189c3b26e5cb0dfea9d761	netmonitor.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3792	4564	WerFault.exe	102

Creates scheduled task(s) 1 TTPs 5 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4128	schtasks.exe
5084	schtasks.exe
4692	schtasks.exe
4436	schtasks.exe
4740	schtasks.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings	MethamphetamineSolutionsLoader.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings	RtgNSlMYtFvlTt52WHci.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4800	netmonitor.exe
4564	svchost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4800	netmonitor.exe
Token: SeDebugPrivilege	4564	svchost.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 3420 wrote to memory of 2140	3420	MethamphetamineSolutionsLoader.exe	81
PID 3420 wrote to memory of 2140	3420	MethamphetamineSolutionsLoader.exe	81
PID 3420 wrote to memory of 2140	3420	MethamphetamineSolutionsLoader.exe	81
PID 2140 wrote to memory of 2552	2140	WScript.exe	82
PID 2140 wrote to memory of 2552	2140	WScript.exe	82
PID 2140 wrote to memory of 2552	2140	WScript.exe	82
PID 2552 wrote to memory of 1448	2552	cmd.exe	84
PID 2552 wrote to memory of 1448	2552	cmd.exe	84
PID 2552 wrote to memory of 1448	2552	cmd.exe	84
PID 1448 wrote to memory of 1972	1448	RtgNSlMYtFvlTt52WHci.exe	85
PID 1448 wrote to memory of 1972	1448	RtgNSlMYtFvlTt52WHci.exe	85
PID 1448 wrote to memory of 1972	1448	RtgNSlMYtFvlTt52WHci.exe	85
PID 1448 wrote to memory of 2124	1448	RtgNSlMYtFvlTt52WHci.exe	86
PID 1448 wrote to memory of 2124	1448	RtgNSlMYtFvlTt52WHci.exe	86
PID 1448 wrote to memory of 2124	1448	RtgNSlMYtFvlTt52WHci.exe	86
PID 1972 wrote to memory of 3188	1972	WScript.exe	87
PID 1972 wrote to memory of 3188	1972	WScript.exe	87
PID 1972 wrote to memory of 3188	1972	WScript.exe	87
PID 3188 wrote to memory of 4800	3188	cmd.exe	89
PID 3188 wrote to memory of 4800	3188	cmd.exe	89
PID 4800 wrote to memory of 4128	4800	netmonitor.exe	90
PID 4800 wrote to memory of 4128	4800	netmonitor.exe	90
PID 4800 wrote to memory of 5084	4800	netmonitor.exe	92
PID 4800 wrote to memory of 5084	4800	netmonitor.exe	92
PID 4800 wrote to memory of 4692	4800	netmonitor.exe	94
PID 4800 wrote to memory of 4692	4800	netmonitor.exe	94
PID 4800 wrote to memory of 4436	4800	netmonitor.exe	96
PID 4800 wrote to memory of 4436	4800	netmonitor.exe	96
PID 4800 wrote to memory of 4740	4800	netmonitor.exe	98
PID 4800 wrote to memory of 4740	4800	netmonitor.exe	98
PID 4800 wrote to memory of 4564	4800	netmonitor.exe	102
PID 4800 wrote to memory of 4564	4800	netmonitor.exe	102

C:\Users\Admin\AppData\Local\Temp\MethamphetamineSolutionsLoader.exe
"C:\Users\Admin\AppData\Local\Temp\MethamphetamineSolutionsLoader.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3420
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\monitordhcp\FvrnkODJoiUIyeHAEoTP0Qn5ZC7TdH.vbe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:2140
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\monitordhcp\z1T7e01kTYgKk52k4EOgwkfTxey3zt.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2552
  - - C:\Users\Admin\AppData\Local\Temp\monitordhcp\RtgNSlMYtFvlTt52WHci.exe
      RtgNSlMYtFvlTt52WHci.exe -p721e19c01b35f90a5d4059aedd8f740b779e743b
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1448
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\monitordhcp\4mdxDUI6yqvmVknEtk7bYzbiBR8MHO.vbe"
        5⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:1972
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\monitordhcp\3hvxTv4ZROtMpYMGDajjCJWH8roHGs.bat" "
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3188
        
        C:\Users\Admin\AppData\Local\Temp\monitordhcp\netmonitor.exe
        
        "C:\Users\Admin\AppData\Local\Temp\monitordhcp\netmonitor.exe"
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4800
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svchost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\svchost.exe'" /rl HIGHEST /f
        8⤵
        Creates scheduled task(s)
        
        PID:4128
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svchost" /sc ONLOGON /tr "'C:\ProgramData\Oracle\svchost.exe'" /rl HIGHEST /f
        8⤵
        Creates scheduled task(s)
        
        PID:5084
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svchost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\svchost.exe'" /rl HIGHEST /f
        8⤵
        Creates scheduled task(s)
        
        PID:4692
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svchost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\svchost.exe'" /rl HIGHEST /f
        8⤵
        Creates scheduled task(s)
        
        PID:4436
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svchost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\es-ES\svchost.exe'" /rl HIGHEST /f
        8⤵
        Creates scheduled task(s)
        
        PID:4740
        
        C:\Program Files (x86)\Windows Defender\es-ES\svchost.exe
        
        "C:\Program Files (x86)\Windows Defender\es-ES\svchost.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4564
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 4564 -s 1892
        9⤵
        Program crash
        
        PID:3792
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\monitordhcp\msg.vbs"
        5⤵
        
        PID:2124

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 444 -p 4564 -ip 4564
1⤵
PID:2576

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
1⤵
PID:996

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows Defender\es-ES\svchost.exe

Filesize
1.6MB

MD5
22097aca271c6d085b703bc64422b4b3

SHA1
a1e7d6cddc40cdcb675ecd72404d5cec66f7be5b

SHA256
4b111342f4fc80eb249bf89f3352b067d0591b9ffb24a74b49a301af5deef133

SHA512
9eb7452981524698e4dc0db065614cea5d7f422f386801d57eca6dd93d67a686d573cd241b045f1fe9033c204f33b27861ed5b139004b65b4f07be9426969603

Download Submit
C:\Program Files (x86)\Windows Defender\es-ES\svchost.exe

Filesize
1.6MB

MD5
22097aca271c6d085b703bc64422b4b3

SHA1
a1e7d6cddc40cdcb675ecd72404d5cec66f7be5b

SHA256
4b111342f4fc80eb249bf89f3352b067d0591b9ffb24a74b49a301af5deef133

SHA512
9eb7452981524698e4dc0db065614cea5d7f422f386801d57eca6dd93d67a686d573cd241b045f1fe9033c204f33b27861ed5b139004b65b4f07be9426969603

Download Submit
C:\Users\Admin\AppData\Local\Temp\monitordhcp\3hvxTv4ZROtMpYMGDajjCJWH8roHGs.bat

Filesize
35B

MD5
4b64bbf9c835fdb21a4fd461d38a3a65

SHA1
5fff8b8e5c48a0e8de844b42c771041ffcdb84af

SHA256
ecfc21fd14339226b1c2e0a40be6fe6c590ac05cab44b16e7db397f9471f4ddf

SHA512
c11f3ed222b7fdceae583ec0bd9156a0beb030058edfc3c6656d4738e2cdd2b1dccd5b11d13ed53160970258c80cb0baa4ef5592411cb23c077b1e99c7d56892

Download Submit
C:\Users\Admin\AppData\Local\Temp\monitordhcp\4mdxDUI6yqvmVknEtk7bYzbiBR8MHO.vbe

Filesize
227B

MD5
abdcd2987b40e0022f1f4f782e5e289b

SHA1
fc5606a2292d892a0866858e1f822a0fd18e452b

SHA256
6ef2819df6d9e68e766c153dd3ada646d70c0f8cd1326c7dc2eff9b6f4681f5a

SHA512
9376bd090379e0fd1bd223e1484974da6630de1de17ef8049c0361dd531e24fb7873cab4d1151c78409a22827e38606fd73fb91d501b782fde40a9a5cd28e4d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\monitordhcp\FvrnkODJoiUIyeHAEoTP0Qn5ZC7TdH.vbe

Filesize
151B

MD5
90c3382006ed7324e7abf37fb98894f9

SHA1
b54b59c945f8cc5bef2c66361eaac9bfdcab7960

SHA256
9505847a0d9c07c385abb1e236c5ef2d3763e69c9eb8d7faba37486d31e0827e

SHA512
b0b4ed5929d980abef8027c8861057a7910ab5f5f64d08bb9667d4ddaea906c6330eb28a5bce7fe6daf872bb18eefd3e148a900b66b3079411c0b7d9da6dc9c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\monitordhcp\MOS

Filesize
123B

MD5
a96f5f02c199e5179c09381c73f74232

SHA1
815ae72244d01d7491e3c9e1764180164ed9f0de

SHA256
31f4fd990ffee590b8e3a70c66fdd7d18cb18869dea7d1a73a7e898c6d2e2a74

SHA512
8eb5a654adc07373f0557205f674aace467a9cb5be2f6ea9a253e13846a5fc3078b42f836428f040f9c9a23a757a33df05ba61f0c1406f112aaa54cd4b8cccb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\monitordhcp\RtgNSlMYtFvlTt52WHci.exe

Filesize
1.3MB

MD5
98b49b687aad9b0dcccebaa71d43747d

SHA1
1966ff6f232856e7e25b66f570a02c54960dd1f6

SHA256
d4ca9a4ea5d070206824a2b68921c4bdfa7bf038e0f82cfeb0472b17881fbcaf

SHA512
02b6a009eca115e09e6228e834ba0654c2804a0b07fda088116412a71f45b59c25f24ab7ceb54a7c1c5d628395e7bc55b94f0240c7438571c4e0c2a9db208ee2

Download Submit
C:\Users\Admin\AppData\Local\Temp\monitordhcp\RtgNSlMYtFvlTt52WHci.exe

Filesize
1.3MB

MD5
98b49b687aad9b0dcccebaa71d43747d

SHA1
1966ff6f232856e7e25b66f570a02c54960dd1f6

SHA256
d4ca9a4ea5d070206824a2b68921c4bdfa7bf038e0f82cfeb0472b17881fbcaf

SHA512
02b6a009eca115e09e6228e834ba0654c2804a0b07fda088116412a71f45b59c25f24ab7ceb54a7c1c5d628395e7bc55b94f0240c7438571c4e0c2a9db208ee2

Download Submit
C:\Users\Admin\AppData\Local\Temp\monitordhcp\msg.vbs

Filesize
128B

MD5
01c71ea2d98437129936261c48403132

SHA1
dc689fb68a3e7e09a334e7a37c0d10d0641af1a6

SHA256
0401f2dd76d5ed6f90c82b72e1e7a122ef127bedbaf717532c4bba26d43a0061

SHA512
a668d4216a50ccc699221dd902d8b0f864e44368dc7474fa5659a739154d4e769b85d49b60a73affb8fba7628e7210b0f8106d5652006d1bbba67083513e65d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\monitordhcp\netmonitor.exe

Filesize
1.6MB

MD5
22097aca271c6d085b703bc64422b4b3

SHA1
a1e7d6cddc40cdcb675ecd72404d5cec66f7be5b

SHA256
4b111342f4fc80eb249bf89f3352b067d0591b9ffb24a74b49a301af5deef133

SHA512
9eb7452981524698e4dc0db065614cea5d7f422f386801d57eca6dd93d67a686d573cd241b045f1fe9033c204f33b27861ed5b139004b65b4f07be9426969603

Download Submit
C:\Users\Admin\AppData\Local\Temp\monitordhcp\netmonitor.exe

Filesize
1.6MB

MD5
22097aca271c6d085b703bc64422b4b3

SHA1
a1e7d6cddc40cdcb675ecd72404d5cec66f7be5b

SHA256
4b111342f4fc80eb249bf89f3352b067d0591b9ffb24a74b49a301af5deef133

SHA512
9eb7452981524698e4dc0db065614cea5d7f422f386801d57eca6dd93d67a686d573cd241b045f1fe9033c204f33b27861ed5b139004b65b4f07be9426969603

Download Submit
C:\Users\Admin\AppData\Local\Temp\monitordhcp\z1T7e01kTYgKk52k4EOgwkfTxey3zt.bat

Filesize
625B

MD5
6176c194ea1490ee585985a9374a7f63

SHA1
eff00b803ad20094c8a8121d81af3e12aae32a43

SHA256
72fc248e868a01f354f6d679389d7b75e6cb53212367221b9599c753a7abe095

SHA512
09ebe600cccdbdbe2441b8d147531fe9470a5c7103cf70e71d45d8176d59e3343dbe26e7aab8a1be3356546ee11c7c367857c1452a4a1bc65df21ceb9ae3513d

Download Submit
memory/4564-158-0x00007FF875CE0000-0x00007FF8767A1000-memory.dmp

Filesize
10.8MB

Download
memory/4800-149-0x000001FD8D180000-0x000001FD8D19A000-memory.dmp

Filesize
104KB

Download
memory/4800-148-0x00007FF875CE0000-0x00007FF8767A1000-memory.dmp

Filesize
10.8MB

Download
memory/4800-147-0x000001FD8B490000-0x000001FD8B638000-memory.dmp

Filesize
1.7MB

Download