Analysis
- max time kernel: 153s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 30-06-2022 19:03
Static task: static1
Behavioral task: behavioral1
- Sample: c4f47067013e3c7ac4fb0ce8457b69a71b073d8f10155e39aaea0c5e5eb7000d.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: c4f47067013e3c7ac4fb0ce8457b69a71b073d8f10155e39aaea0c5e5eb7000d.exe
- Resource: win10v2004-20220414-en
General
- Target: c4f47067013e3c7ac4fb0ce8457b69a71b073d8f10155e39aaea0c5e5eb7000d.exe
- Size: 534KB
- MD5: d40ac2e569fa68fa0bb8a4174cade913
- SHA1: c5671c34df1366dede12175e1f4764810a50f78f
- SHA256: c4f47067013e3c7ac4fb0ce8457b69a71b073d8f10155e39aaea0c5e5eb7000d
- SHA512: 45ad244f2bf1765d53f96d53f31129b26311f848688232822791032c49825c488835f2e1fbd8d87377758f20d81081c70e3d32a088cd0e0ae476109d1200855a
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes (pid, process):
    3496  dllhost.exe
- Modifies Windows Firewall (1 TTP, 1 IoC)
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes (description, ioc, process):
    Key value queried  \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation  c4f47067013e3c7ac4fb0ce8457b69a71b073d8f10155e39aaea0c5e5eb7000d.exe
- Drops startup file (2 IoCs)
  Processes (description, ioc, process):
    File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c2372ce2aec065ce2621c091aa8fb2a0.exe  dllhost.exe
    File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c2372ce2aec065ce2621c091aa8fb2a0.exe  dllhost.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description, ioc, process):
    Set value (str)  \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\c2372ce2aec065ce2621c091aa8fb2a0 = "\"C:\\Users\\Admin\\dllhost.exe\" .."  dllhost.exe
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\c2372ce2aec065ce2621c091aa8fb2a0 = "\"C:\\Users\\Admin\\dllhost.exe\" .."  dllhost.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (27 IoCs)
  Processes (pid, process):
    3496  dllhost.exe  (27 identical entries)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description, pid, process):
    Token: SeDebugPrivilege  3496  dllhost.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (description, pid, process, target process):
    PID 4620 wrote to memory of 3496  4620  c4f47067013e3c7ac4fb0ce8457b69a71b073d8f10155e39aaea0c5e5eb7000d.exe  dllhost.exe
    PID 4620 wrote to memory of 3496  4620  c4f47067013e3c7ac4fb0ce8457b69a71b073d8f10155e39aaea0c5e5eb7000d.exe  dllhost.exe
    PID 4620 wrote to memory of 3496  4620  c4f47067013e3c7ac4fb0ce8457b69a71b073d8f10155e39aaea0c5e5eb7000d.exe  dllhost.exe
    PID 3496 wrote to memory of 1276  3496  dllhost.exe  netsh.exe
    PID 3496 wrote to memory of 1276  3496  dllhost.exe  netsh.exe
    PID 3496 wrote to memory of 1276  3496  dllhost.exe  netsh.exe
Processes
- (1) C:\Users\Admin\AppData\Local\Temp\c4f47067013e3c7ac4fb0ce8457b69a71b073d8f10155e39aaea0c5e5eb7000d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c4f47067013e3c7ac4fb0ce8457b69a71b073d8f10155e39aaea0c5e5eb7000d.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - (2) C:\Users\Admin\dllhost.exe
    Command line: "C:\Users\Admin\dllhost.exe"
    - Executes dropped EXE
    - Drops startup file
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - (3) C:\Windows\SysWOW64\netsh.exe
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\dllhost.exe" "dllhost.exe" ENABLE
      - Modifies Windows Firewall
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\dllhost.exe
  Filesize: 534KB
  MD5: d40ac2e569fa68fa0bb8a4174cade913
  SHA1: c5671c34df1366dede12175e1f4764810a50f78f
  SHA256: c4f47067013e3c7ac4fb0ce8457b69a71b073d8f10155e39aaea0c5e5eb7000d
  SHA512: 45ad244f2bf1765d53f96d53f31129b26311f848688232822791032c49825c488835f2e1fbd8d87377758f20d81081c70e3d32a088cd0e0ae476109d1200855a
- memory/1276-136-0x0000000000000000-mapping.dmp
- memory/3496-133-0x0000000000000000-mapping.dmp
- memory/3496-137-0x0000000005CB0000-0x0000000005D42000-memory.dmp
  Filesize: 584KB
- memory/3496-138-0x0000000005D80000-0x0000000005D8A000-memory.dmp
  Filesize: 40KB
- memory/4620-130-0x00000000008A0000-0x000000000092C000-memory.dmp
  Filesize: 560KB
- memory/4620-131-0x0000000005330000-0x00000000053CC000-memory.dmp
  Filesize: 624KB
- memory/4620-132-0x0000000005B80000-0x0000000006124000-memory.dmp
  Filesize: 5.6MB