Analysis

Max time kernel: 154s
Max time network: 155s
Platform: windows10-2004_x64
Resource: win10v2004-20220414-en
Submitted: 01-07-2022 04:21

Static task: static1
Behavioral task: behavioral1
  Sample: 3b8c6f0033980eed8f86a029be14ff32c32f535c4bdaeb5c5f857236722ac9c8.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 3b8c6f0033980eed8f86a029be14ff32c32f535c4bdaeb5c5f857236722ac9c8.exe
  Resource: win10v2004-20220414-en

The signatures, process tree and dumps below are from the windows10-2004_x64 run.
General

Target: 3b8c6f0033980eed8f86a029be14ff32c32f535c4bdaeb5c5f857236722ac9c8.exe
Size: 47KB
MD5: 541dce93da456fd7830cda46a9d07941
SHA1: b08b3bfd5556f18b8c696925146985a86ee72fdd
SHA256: 3b8c6f0033980eed8f86a029be14ff32c32f535c4bdaeb5c5f857236722ac9c8
SHA512: 6d2164e340691b2ba8cba81979d7fe403739290a583fdeaee7ead5c9b94bc5e0d025d1943df559e1a01ea2e700aa2513c7ad8bd742524d2370c54d644769a3e2
Malware Config
Signatures

Executes dropped EXE (1 IoC)
  Process: fontdrvhost.exe (PID 1476)
Modifies Windows Firewall (1 TTP, 1 IoC)
  The IoC is the netsh.exe command in the process tree below, which adds the dropped fontdrvhost.exe as an allowed program so inbound connections to it are not blocked.

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely for geofencing.
  Process: 3b8c6f0033980eed8f86a029be14ff32c32f535c4bdaeb5c5f857236722ac9c8.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation
Drops startup file (2 IoCs)
  Process: fontdrvhost.exe
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2a55ad550e466e179f88a710a29a16af.exe
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2a55ad550e466e179f88a710a29a16af.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  Process: fontdrvhost.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2a55ad550e466e179f88a710a29a16af = "\"C:\\Users\\Admin\\AppData\\Roaming\\fontdrvhost.exe\" .."
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\2a55ad550e466e179f88a710a29a16af = "\"C:\\Users\\Admin\\AppData\\Roaming\\fontdrvhost.exe\" .."
  The same value name (2a55ad550e466e179f88a710a29a16af) is used for the Startup-folder copy, the HKCU Run entry and the HKLM Run entry, giving three independent autostart paths to the same binary. The HKLM write lands under WOW6432Node because the writer is a 32-bit process on an x64 host (it also launches netsh from SysWOW64), so a hunt for this persistence must cover the WOW6432Node Run key as well as the native one.
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox labels this "likely ransomware behaviour", but that is a generic heuristic: nothing else in this report (no mass file modification, no ransom note, no shadow-copy deletion) supports a ransomware verdict, and the observed behaviour is a persistence plus firewall-exception pattern.
Suspicious use of AdjustPrivilegeToken (29 IoCs)
  Process: fontdrvhost.exe (PID 1476)
  Token: SeDebugPrivilege, followed by 14 repetitions of the pair Token: 33 / Token: SeIncBasePriorityPrivilege.
  The sandbox prints the raw privilege LUID where it has no name for it; LUID 33 is SE_INC_WORKING_SET_PRIVILEGE (SeIncreaseWorkingSetPrivilege) in winnt.h. The notable item is SeDebugPrivilege: it is what a process needs to open processes it does not own, and an unsigned binary running from AppData\Roaming has no legitimate reason to enable it.
Suspicious use of WriteProcessMemory (6 IoCs)
  PID 1268 (3b8c6f0033980eed8f86a029be14ff32c32f535c4bdaeb5c5f857236722ac9c8.exe) wrote to memory of PID 1476 (fontdrvhost.exe), 3 times.
  PID 1476 (fontdrvhost.exe) wrote to memory of PID 4988 (netsh.exe), 3 times.
  In both cases the writer is the parent and the target is a child it has just created. Three writes into a freshly spawned child is also what ordinary process launches produce in this sandbox, so on its own this is consistent with starting the child rather than evidence of code injection.
Processes

1. C:\Users\Admin\AppData\Local\Temp\3b8c6f0033980eed8f86a029be14ff32c32f535c4bdaeb5c5f857236722ac9c8.exe (PID 1268)
   Command line: "C:\Users\Admin\AppData\Local\Temp\3b8c6f0033980eed8f86a029be14ff32c32f535c4bdaeb5c5f857236722ac9c8.exe"
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory

  2. C:\Users\Admin\AppData\Roaming\fontdrvhost.exe (PID 1476, child of 1)
     Command line: "C:\Users\Admin\AppData\Roaming\fontdrvhost.exe"
     fontdrvhost.exe is the name of a legitimate Windows binary (the Usermode Font Driver Host in C:\Windows\System32); this copy runs from the user's AppData\Roaming directory.
     - Executes dropped EXE
     - Drops startup file
     - Adds Run key to start application
     - Suspicious use of AdjustPrivilegeToken
     - Suspicious use of WriteProcessMemory

    3. C:\Windows\SysWOW64\netsh.exe (PID 4988, child of 2)
       Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\fontdrvhost.exe" "fontdrvhost.exe" ENABLE
       Uses the legacy netsh firewall context rather than netsh advfirewall.
       - Modifies Windows Firewall
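The chain above (geo lookup, self-copy under a system-binary name, Startup-folder drop, HKCU and WOW6432Node Run keys, netsh firewall exception) is the kind of sequence a detection engineer turns into rules. The block below is an added example, not part of the sandbox report or of any project: it runs a small set of rules over constructed events that mirror the report's IoCs. The event schema (type, pid, image, key, value, path, cmdline) is a hypothetical normalisation rather than a real sandbox or Sysmon format, and the technique IDs use current ATT&CK numbering (sub-technique IDs and T1614 postdate the v6 matrix this report references).

```python
"""Detection rules for the persistence / firewall-tampering chain in the report.

Added example, not sandbox output. The event dicts are a constructed,
hypothetical normalisation of the report's IoCs (field names are assumptions).
"""
import re
from dataclasses import dataclass

# Windows system binaries whose names malware borrows; one of these running
# outside the Windows directory is a masquerading finding (T1036.005).
SYSTEM_BINARY_NAMES = {"fontdrvhost.exe", "svchost.exe", "csrss.exe",
                       "lsass.exe", "dwm.exe", "winlogon.exe"}

RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
STARTUP_DIR_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
USER_WRITABLE_RE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public)\\", re.I)
GEO_KEY_RE = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)
WINDOWS_DIR_RE = re.compile(r"^[A-Za-z]:\\Windows\\", re.I)
# Legacy 'netsh firewall' context (as used in the report) and the advfirewall successor.
NETSH_FW_RE = re.compile(
    r"\bnetsh(\.exe)?\b.*\b("
    r"firewall\s+add\s+allowedprogram"
    r"|firewall\s+set\s+opmode"
    r"|advfirewall\s+firewall\s+add\s+rule"
    r"|advfirewall\s+set\s+\w+\s+state\s+off)",
    re.I,
)


@dataclass(frozen=True)
class Finding:
    technique: str   # ATT&CK technique ID (current numbering, not the v6 matrix)
    pid: int
    detail: str


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return one Finding per suspicious event; events are plain dicts."""
    findings = []
    for ev in events:
        kind, pid, image = ev["type"], ev["pid"], ev.get("image", "")
        if kind == "registry_set" and RUN_KEY_RE.search(ev["key"]):
            # Run value pointing into a user-writable directory: T1547.001.
            # A WOW6432Node key means the writer is a 32-bit process on x64.
            if USER_WRITABLE_RE.search(ev["value"]):
                arch = " [WOW6432Node: 32-bit writer]" if "WOW6432Node" in ev["key"] else ""
                findings.append(Finding("T1547.001", pid, f"Run key -> {ev['value']}{arch}"))
        elif kind == "file_create" and STARTUP_DIR_RE.search(ev["path"]):
            findings.append(Finding("T1547.001", pid, f"Startup folder drop: {ev['path']}"))
        elif kind == "registry_query" and GEO_KEY_RE.search(ev["key"]):
            findings.append(Finding("T1614", pid, "Geo\\Nation lookup (possible geofence)"))
        elif kind == "process_create":
            cmd = ev.get("cmdline", "")
            if NETSH_FW_RE.search(cmd):
                findings.append(Finding("T1562.004", pid, f"Firewall modified: {cmd}"))
            if basename(image) in SYSTEM_BINARY_NAMES and not WINDOWS_DIR_RE.match(image):
                findings.append(Finding("T1036.005", pid, f"System binary name outside Windows: {image}"))
    return findings


# Constructed sample events mirroring the report's process tree and IoCs.
SID = r"S-1-5-21-3751123196-3323558407-1869646069-1000"
DROPPED = r"C:\Users\Admin\AppData\Roaming\fontdrvhost.exe"
SAMPLE_EVENTS = [
    {"type": "registry_query", "pid": 1268,
     "key": rf"\REGISTRY\USER\{SID}\Control Panel\International\Geo\Nation"},
    {"type": "process_create", "pid": 1476, "parent_pid": 1268, "image": DROPPED,
     "cmdline": f'"{DROPPED}"'},
    {"type": "file_create", "pid": 1476, "image": DROPPED,
     "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2a55ad550e466e179f88a710a29a16af.exe"},
    {"type": "registry_set", "pid": 1476, "image": DROPPED,
     "key": rf"\REGISTRY\USER\{SID}\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2a55ad550e466e179f88a710a29a16af",
     "value": f'"{DROPPED}" ..'},
    {"type": "registry_set", "pid": 1476, "image": DROPPED,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\2a55ad550e466e179f88a710a29a16af",
     "value": f'"{DROPPED}" ..'},
    {"type": "process_create", "pid": 4988, "parent_pid": 1476,
     "image": r"C:\Windows\SysWOW64\netsh.exe",
     "cmdline": f'netsh firewall add allowedprogram "{DROPPED}" "fontdrvhost.exe" ENABLE'},
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f.technique}  pid={f.pid}  {f.detail}")
```

Run against the constructed events this yields six findings: the geofence lookup by the original process (PID 1268), the masquerading copy and its three autostart entries (PID 1476), and the firewall exception added by netsh (PID 4988). The masquerading rule deliberately keys on path, not name, so the real C:\Windows\System32\fontdrvhost.exe produces no finding.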
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads

C:\Users\Admin\AppData\Roaming\fontdrvhost.exe
  Filesize: 47KB
  MD5: 541dce93da456fd7830cda46a9d07941
  SHA1: b08b3bfd5556f18b8c696925146985a86ee72fdd
  SHA256: 3b8c6f0033980eed8f86a029be14ff32c32f535c4bdaeb5c5f857236722ac9c8
  SHA512: 6d2164e340691b2ba8cba81979d7fe403739290a583fdeaee7ead5c9b94bc5e0d025d1943df559e1a01ea2e700aa2513c7ad8bd742524d2370c54d644769a3e2
  All four hashes match the submitted sample: the dropped fontdrvhost.exe is a byte-for-byte self-copy, so every persistence entry above points at the original payload under a Windows system-binary name, and a hash-based block on the sample also covers the dropped file.

memory/1268-130-0x00000000746B0000-0x0000000074C61000-memory.dmp (5.7MB)
memory/1268-131-0x00000000746B0000-0x0000000074C61000-memory.dmp (5.7MB)
memory/1268-136-0x00000000746B0000-0x0000000074C61000-memory.dmp (5.7MB)
memory/1476-132-0x0000000000000000-mapping.dmp
memory/1476-135-0x00000000746B0000-0x0000000074C61000-memory.dmp (5.7MB)
memory/1476-137-0x00000000746B0000-0x0000000074C61000-memory.dmp (5.7MB)
memory/4988-138-0x0000000000000000-mapping.dmp
  The same 5.7MB region at 0x746B0000-0x74C61000 is dumped from both PID 1268 and PID 1476; the 32-bit address range is consistent with the WOW6432Node registry writes and the SysWOW64 netsh launch noted above.