Analysis
- max time kernel: 119s
- max time network: 147s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 25-06-2022 11:04
Static task: static1
Behavioral task: behavioral1
  Sample: 395c92e5ce1c277a8fc8506e3dca15664db664eb68682990d1c0d47d38d15ea3.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 395c92e5ce1c277a8fc8506e3dca15664db664eb68682990d1c0d47d38d15ea3.exe
  Resource: win10v2004-20220414-en
General
- Target: 395c92e5ce1c277a8fc8506e3dca15664db664eb68682990d1c0d47d38d15ea3.exe
- Size: 144KB
- MD5: 71b87a615077fbe383a4632b0eb8f14d
- SHA1: 8da9f51e455a93c154a44ea63b29ccde657ec5a7
- SHA256: 395c92e5ce1c277a8fc8506e3dca15664db664eb68682990d1c0d47d38d15ea3
- SHA512: c8d218822bbf76014e7fcb233622f2665ff2606613f93e09ad64194ea662cea2f63c24951be784a31789bcd38ed76f7e4dbf9f8ecd1c86ca6f41150418c4b50a
Malware Config
Extracted
- metasploit
- encoder/fnstenv_mov
Signatures
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes: 395c92e5ce1c277a8fc8506e3dca15664db664eb68682990d1c0d47d38d15ea3.exe
  description       | ioc                                                                                                   | process
  Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | 395c92e5ce1c277a8fc8506e3dca15664db664eb68682990d1c0d47d38d15ea3.exe
-
Drops file in System32 directory (2 IoCs)
Processes: 395c92e5ce1c277a8fc8506e3dca15664db664eb68682990d1c0d47d38d15ea3.exe
  description                  | ioc                                      | process
  File created                 | C:\Windows\SysWOW64\dllcache\qsch0st.exe | 395c92e5ce1c277a8fc8506e3dca15664db664eb68682990d1c0d47d38d15ea3.exe
  File opened for modification | C:\Windows\SysWOW64\dllcache\qsch0st.exe | 395c92e5ce1c277a8fc8506e3dca15664db664eb68682990d1c0d47d38d15ea3.exe
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class (3 IoCs)
Processes: 395c92e5ce1c277a8fc8506e3dca15664db664eb68682990d1c0d47d38d15ea3.exe
  description     | ioc                                                 | process
  Key created     | \REGISTRY\MACHINE\SOFTWARE\Classes\.key             | 395c92e5ce1c277a8fc8506e3dca15664db664eb68682990d1c0d47d38d15ea3.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\            | 395c92e5ce1c277a8fc8506e3dca15664db664eb68682990d1c0d47d38d15ea3.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" | 395c92e5ce1c277a8fc8506e3dca15664db664eb68682990d1c0d47d38d15ea3.exe
-
Suspicious use of WriteProcessMemory (3 IoCs)
Processes: 395c92e5ce1c277a8fc8506e3dca15664db664eb68682990d1c0d47d38d15ea3.exe
  description                      | pid  | process                                                              | target process
  PID 3484 wrote to memory of 4448 | 3484 | 395c92e5ce1c277a8fc8506e3dca15664db664eb68682990d1c0d47d38d15ea3.exe | cmd.exe
  PID 3484 wrote to memory of 4448 | 3484 | 395c92e5ce1c277a8fc8506e3dca15664db664eb68682990d1c0d47d38d15ea3.exe | cmd.exe
  PID 3484 wrote to memory of 4448 | 3484 | 395c92e5ce1c277a8fc8506e3dca15664db664eb68682990d1c0d47d38d15ea3.exe | cmd.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\395c92e5ce1c277a8fc8506e3dca15664db664eb68682990d1c0d47d38d15ea3.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\395c92e5ce1c277a8fc8506e3dca15664db664eb68682990d1c0d47d38d15ea3.exe"
  - Checks computer location settings
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (child process)
    Command line: "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\395C92~1.EXE >> NUL
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/3484-130-0x0000000000400000-0x0000000000434000-memory.dmp (Filesize: 208KB)
- memory/3484-131-0x0000000000600000-0x0000000000630000-memory.dmp (Filesize: 192KB)
- memory/3484-133-0x0000000000400000-0x0000000000434000-memory.dmp (Filesize: 208KB)
- memory/3484-134-0x0000000000600000-0x0000000000630000-memory.dmp (Filesize: 192KB)
- memory/4448-132-0x0000000000000000-mapping.dmp