Analysis
- max time kernel: 152s
- max time network: 160s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 20-05-2022 23:56
Static task: static1
Behavioral task: behavioral1
Sample: 911197fc5a71d61534e341e8d20a8f0bd4dc4d3ec253d327a3ae8e6375bb13a6.exe
Resource: win7-20220414-en
General
- Target: 911197fc5a71d61534e341e8d20a8f0bd4dc4d3ec253d327a3ae8e6375bb13a6.exe
- Size: 157KB
- MD5: 182e2cce08ee92c62f64752aaa23c369
- SHA1: e47112a7f7ce5c3105249f043bb809daf490b7d8
- SHA256: 911197fc5a71d61534e341e8d20a8f0bd4dc4d3ec253d327a3ae8e6375bb13a6
- SHA512: b66d06c7862641351c12b2c91cca3be32b1a8d35e9525e1447b14385b8dc81129f93b10b58ba6058de88818bc9209a6d54be24b4b8a0dda7cf9b53b0b19e4f6a
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
    PID 2956  svchost.exe
- Modifies Windows Firewall (1 TTP)
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Processes:
    911197fc5a71d61534e341e8d20a8f0bd4dc4d3ec253d327a3ae8e6375bb13a6.exe: Key value queried \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation
- Drops startup file (2 IoCs)
  Processes:
    svchost.exe: File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5934cc70b7761544be3a5ffb07586caa.exe
    svchost.exe: File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5934cc70b7761544be3a5ffb07586caa.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (21 IoCs)
  Processes (description / PID / process):
    Token: SeDebugPrivilege            2956  svchost.exe
    Token: 33                          2956  svchost.exe
    Token: SeIncBasePriorityPrivilege  2956  svchost.exe
    Token: 33                          2956  svchost.exe
    Token: SeIncBasePriorityPrivilege  2956  svchost.exe
    Token: 33                          2956  svchost.exe
    Token: SeIncBasePriorityPrivilege  2956  svchost.exe
    Token: 33                          2956  svchost.exe
    Token: SeIncBasePriorityPrivilege  2956  svchost.exe
    Token: 33                          2956  svchost.exe
    Token: SeIncBasePriorityPrivilege  2956  svchost.exe
    Token: 33                          2956  svchost.exe
    Token: SeIncBasePriorityPrivilege  2956  svchost.exe
    Token: 33                          2956  svchost.exe
    Token: SeIncBasePriorityPrivilege  2956  svchost.exe
    Token: 33                          2956  svchost.exe
    Token: SeIncBasePriorityPrivilege  2956  svchost.exe
    Token: 33                          2956  svchost.exe
    Token: SeIncBasePriorityPrivilege  2956  svchost.exe
    Token: 33                          2956  svchost.exe
    Token: SeIncBasePriorityPrivilege  2956  svchost.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (description / PID / process / target process):
    PID 4788 wrote to memory of 2956  4788  911197fc5a71d61534e341e8d20a8f0bd4dc4d3ec253d327a3ae8e6375bb13a6.exe  svchost.exe
    PID 4788 wrote to memory of 2956  4788  911197fc5a71d61534e341e8d20a8f0bd4dc4d3ec253d327a3ae8e6375bb13a6.exe  svchost.exe
    PID 4788 wrote to memory of 2956  4788  911197fc5a71d61534e341e8d20a8f0bd4dc4d3ec253d327a3ae8e6375bb13a6.exe  svchost.exe
    PID 2956 wrote to memory of 3948  2956  svchost.exe  netsh.exe
    PID 2956 wrote to memory of 3948  2956  svchost.exe  netsh.exe
    PID 2956 wrote to memory of 3948  2956  svchost.exe  netsh.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\911197fc5a71d61534e341e8d20a8f0bd4dc4d3ec253d327a3ae8e6375bb13a6.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\911197fc5a71d61534e341e8d20a8f0bd4dc4d3ec253d327a3ae8e6375bb13a6.exe"
  PID: 4788
  Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\svchost.exe (child of PID 4788)
    Command line: "C:\Users\Admin\AppData\Roaming\svchost.exe"
    PID: 2956
    Signatures: Executes dropped EXE; Drops startup file; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\netsh.exe (child of PID 2956)
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\svchost.exe" "svchost.exe" ENABLE
      PID: 3948
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Roaming\svchost.exe
  Filesize: 157KB
  MD5: 182e2cce08ee92c62f64752aaa23c369
  SHA1: e47112a7f7ce5c3105249f043bb809daf490b7d8
  SHA256: 911197fc5a71d61534e341e8d20a8f0bd4dc4d3ec253d327a3ae8e6375bb13a6
  SHA512: b66d06c7862641351c12b2c91cca3be32b1a8d35e9525e1447b14385b8dc81129f93b10b58ba6058de88818bc9209a6d54be24b4b8a0dda7cf9b53b0b19e4f6a
- memory/2956-131-0x0000000000000000-mapping.dmp
- memory/2956-134-0x0000000074A40000-0x0000000074FF1000-memory.dmp
  Filesize: 5.7MB
- memory/3948-135-0x0000000000000000-mapping.dmp
- memory/4788-130-0x0000000074A40000-0x0000000074FF1000-memory.dmp
  Filesize: 5.7MB