5792e156c48d279799a616b47d7a795efbdf2563581ef2c10f17733cd7cfd9b1

Analysis

max time kernel
97s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20220721-en
resource tags

arch:x64arch:x86image:win10v2004-20220721-enlocale:en-usos:windows10-2004-x64system
submitted
24-07-2022 21:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5792e156c48d279799a616b47d7a795efbdf2563581ef2c10f17733cd7cfd9b1.exe
Size

412KB
MD5

7a26bbd7b5942b49fc0a9cb7268bd030
SHA1

30659b4f335ececdfe272b6cddeb9dbb57ccd81b
SHA256

5792e156c48d279799a616b47d7a795efbdf2563581ef2c10f17733cd7cfd9b1
SHA512

68c04a97868fccce177cd395cf3dad72fa8f7a14917fa852efcd975b88aec0e2840b7d437e8ad57cd39eeaae31dc6fe38095509d15211c712f505abc71c17e53

Score

10^/10

persistence suricata

Malware Config

Signatures

suricata: ET MALWARE Possible Malicious Macro DL EXE Feb 2016
suricata: ET MALWARE Possible Malicious Macro DL EXE Feb 2016
suricata

Blocklisted process makes network request 2 IoCs

Processes:

WScript.exe

flow	pid	Process
8	1740	WScript.exe
10	1740	WScript.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

5792e156c48d279799a616b47d7a795efbdf2563581ef2c10f17733cd7cfd9b1.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Control Panel\International\Geo\Nation	5792e156c48d279799a616b47d7a795efbdf2563581ef2c10f17733cd7cfd9b1.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exereg.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Intel(R) = "C:\\Users\\Admin\\AppData\\Roaming\\msconfig.vbs"	reg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Intel(R) = "C:\\Users\\Admin\\AppData\\Roaming\\msconfig.vbs"	reg.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exe

pid	Process
1584	sc.exe
656	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

Processes:

5792e156c48d279799a616b47d7a795efbdf2563581ef2c10f17733cd7cfd9b1.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000_Classes\Local Settings	5792e156c48d279799a616b47d7a795efbdf2563581ef2c10f17733cd7cfd9b1.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exe

pid	Process
1496	reg.exe
340	reg.exe
1808	reg.exe
3288	reg.exe

Runs net.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

5792e156c48d279799a616b47d7a795efbdf2563581ef2c10f17733cd7cfd9b1.execmd.exenet.exe

description	pid	Process	procid_target
PID 4192 wrote to memory of 1324	4192	5792e156c48d279799a616b47d7a795efbdf2563581ef2c10f17733cd7cfd9b1.exe	81
PID 4192 wrote to memory of 1324	4192	5792e156c48d279799a616b47d7a795efbdf2563581ef2c10f17733cd7cfd9b1.exe	81
PID 4192 wrote to memory of 1324	4192	5792e156c48d279799a616b47d7a795efbdf2563581ef2c10f17733cd7cfd9b1.exe	81
PID 1324 wrote to memory of 1808	1324	cmd.exe	84
PID 1324 wrote to memory of 1808	1324	cmd.exe	84
PID 1324 wrote to memory of 1808	1324	cmd.exe	84
PID 1324 wrote to memory of 3288	1324	cmd.exe	85
PID 1324 wrote to memory of 3288	1324	cmd.exe	85
PID 1324 wrote to memory of 3288	1324	cmd.exe	85
PID 1324 wrote to memory of 1496	1324	cmd.exe	86
PID 1324 wrote to memory of 1496	1324	cmd.exe	86
PID 1324 wrote to memory of 1496	1324	cmd.exe	86
PID 1324 wrote to memory of 340	1324	cmd.exe	87
PID 1324 wrote to memory of 340	1324	cmd.exe	87
PID 1324 wrote to memory of 340	1324	cmd.exe	87
PID 1324 wrote to memory of 228	1324	cmd.exe	88
PID 1324 wrote to memory of 228	1324	cmd.exe	88
PID 1324 wrote to memory of 228	1324	cmd.exe	88
PID 1324 wrote to memory of 656	1324	cmd.exe	89
PID 1324 wrote to memory of 656	1324	cmd.exe	89
PID 1324 wrote to memory of 656	1324	cmd.exe	89
PID 1324 wrote to memory of 1584	1324	cmd.exe	90
PID 1324 wrote to memory of 1584	1324	cmd.exe	90
PID 1324 wrote to memory of 1584	1324	cmd.exe	90
PID 1324 wrote to memory of 2296	1324	cmd.exe	91
PID 1324 wrote to memory of 2296	1324	cmd.exe	91
PID 1324 wrote to memory of 2296	1324	cmd.exe	91
PID 2296 wrote to memory of 3948	2296	net.exe	92
PID 2296 wrote to memory of 3948	2296	net.exe	92
PID 2296 wrote to memory of 3948	2296	net.exe	92
PID 4192 wrote to memory of 1740	4192	5792e156c48d279799a616b47d7a795efbdf2563581ef2c10f17733cd7cfd9b1.exe	93
PID 4192 wrote to memory of 1740	4192	5792e156c48d279799a616b47d7a795efbdf2563581ef2c10f17733cd7cfd9b1.exe	93
PID 4192 wrote to memory of 1740	4192	5792e156c48d279799a616b47d7a795efbdf2563581ef2c10f17733cd7cfd9b1.exe	93

C:\Users\Admin\AppData\Local\Temp\5792e156c48d279799a616b47d7a795efbdf2563581ef2c10f17733cd7cfd9b1.exe
"C:\Users\Admin\AppData\Local\Temp\5792e156c48d279799a616b47d7a795efbdf2563581ef2c10f17733cd7cfd9b1.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4192
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\msconfig.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1324
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v Intel(R) /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\msconfig.vbs" /f
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:1808
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v Intel(R) /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\msconfig.vbs" /f
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:3288
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Policiees\Explorer\Run /v Intel(R) /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\msconfig.vbs" /f
    3⤵
    - Modifies registry key
    PID:1496
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Policiees\Explorer\Run /v Intel(R) /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\msconfig.vbs" /f
    3⤵
    - Modifies registry key
    PID:340
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f
    3⤵
    PID:228
- - C:\Windows\SysWOW64\sc.exe
    sc config srservice start= disabled
    3⤵
    - Launches sc.exe
    PID:656
- - C:\Windows\SysWOW64\sc.exe
    sc config srservice start= Auto
    3⤵
    - Launches sc.exe
    PID:1584
- - C:\Windows\SysWOW64\net.exe
    net stop srservice
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2296
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop srservice
      4⤵
      PID:3948
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\msconfig.vbs"
  2⤵
  - Blocklisted process makes network request
  PID:1740

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\msconfig.bat

Filesize
1KB

MD5
92cab96baa6165c540b790ff11b2a01d

SHA1
8a3bdf48476ea3adb356e663f2efc9a3dc28b7fc

SHA256
9ac5b05ce99352d18321dbd660a489359e531b7838c6c6292eb2eeb07b1a08e4

SHA512
0f1ed671c0cb7f38da648de8a44990edd14e694cf16eed60a35da989dd0d825420f2a3091b11ea93313472b1eb3388f02ba8b1b26230bd9cdbbfa1aefcd026d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\msconfig.vbs

Filesize
31KB

MD5
56f6087b9e1f7b00737d9a2ce88f2a30

SHA1
1c5d05fa5e63abfa54161909eff2b44d6ba0f87b

SHA256
dafa1695d053b53f4a74b34fde6441094c8775d61d67a2b72eb7267685846343

SHA512
90af78fbe2822cc17077d4fd9c8a6be509db33801a613dd0b56a07b182073e7edf28c692a86258bf59dd1d979e6d930c68784bd47e47068c95ac1978029e1730

Download Submit
memory/228-136-0x0000000000000000-mapping.dmp

Download
memory/340-135-0x0000000000000000-mapping.dmp

Download
memory/656-137-0x0000000000000000-mapping.dmp

Download
memory/1324-130-0x0000000000000000-mapping.dmp

Download
memory/1496-134-0x0000000000000000-mapping.dmp

Download
memory/1584-138-0x0000000000000000-mapping.dmp

Download
memory/1740-141-0x0000000000000000-mapping.dmp

Download
memory/1808-132-0x0000000000000000-mapping.dmp

Download
memory/2296-139-0x0000000000000000-mapping.dmp

Download
memory/3288-133-0x0000000000000000-mapping.dmp

Download
memory/3948-140-0x0000000000000000-mapping.dmp

Download