Analysis

Max time kernel: 55s
Max time network: 68s
Platform: windows10-2004_x64
Resource: win10v2004-20220721-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20220721-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 24-07-2022 06:42

Behavioral task: behavioral1
Sample: 58bc9b0c5e16f64103d96cf3dab84488d9e44de1f17619163665bc30bf388df2.exe
Resource: win7-20220715-en

General

Target: 58bc9b0c5e16f64103d96cf3dab84488d9e44de1f17619163665bc30bf388df2.exe
Size: 756KB
MD5: 29576b605f9b997bbb7bb7290dc63a8b
SHA1: a4ece5227c704039ac4556d8b2d5832404239f93
SHA256: 58bc9b0c5e16f64103d96cf3dab84488d9e44de1f17619163665bc30bf388df2
SHA512: c6d246ca7126a4cd6e828ba6b283c446530d513f8be5ef546fba4e13061e39dad2dfc40c408129999af23960f3a6de3250caac56920f8499d2fcd711e7272b96
Malware Config
Signatures
Windows security bypass
Processes: iexplore.exe, 58bc9b0c5e16f64103d96cf3dab84488d9e44de1f17619163665bc30bf388df2.exe

Description | IoC | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | iexplore.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 58bc9b0c5e16f64103d96cf3dab84488d9e44de1f17619163665bc30bf388df2.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 58bc9b0c5e16f64103d96cf3dab84488d9e44de1f17619163665bc30bf388df2.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | iexplore.exe
Disables RegEdit via registry modification (2 IoCs)
Processes: 58bc9b0c5e16f64103d96cf3dab84488d9e44de1f17619163665bc30bf388df2.exe, iexplore.exe

Description | IoC | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | 58bc9b0c5e16f64103d96cf3dab84488d9e44de1f17619163665bc30bf388df2.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | iexplore.exe
Sets file to hidden (1 TTPs, 2 IoCs)
Modifies file attributes to stop it showing in Explorer etc.
Processes: attrib.exe, attrib.exe

PID | Process
3956 | attrib.exe
492 | attrib.exe
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up the country code configured in the registry, likely a geofence.
Processes: 58bc9b0c5e16f64103d96cf3dab84488d9e44de1f17619163665bc30bf388df2.exe

Description | IoC | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Control Panel\International\Geo\Nation | 58bc9b0c5e16f64103d96cf3dab84488d9e44de1f17619163665bc30bf388df2.exe
Windows security modification
Processes: 58bc9b0c5e16f64103d96cf3dab84488d9e44de1f17619163665bc30bf388df2.exe

Description | IoC | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 58bc9b0c5e16f64103d96cf3dab84488d9e44de1f17619163665bc30bf388df2.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 58bc9b0c5e16f64103d96cf3dab84488d9e44de1f17619163665bc30bf388df2.exe
Suspicious use of SetThreadContext (1 IoCs)
Processes: 58bc9b0c5e16f64103d96cf3dab84488d9e44de1f17619163665bc30bf388df2.exe

Description | PID | Process | Target process
PID 4828 set thread context of 3460 | 4828 | 58bc9b0c5e16f64103d96cf3dab84488d9e44de1f17619163665bc30bf388df2.exe | iexplore.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious use of AdjustPrivilegeToken (48 IoCs)
Processes: 58bc9b0c5e16f64103d96cf3dab84488d9e44de1f17619163665bc30bf388df2.exe, iexplore.exe

Token privileges adjusted by PID 4828 (58bc9b0c5e16f64103d96cf3dab84488d9e44de1f17619163665bc30bf388df2.exe), 24 IoCs:
- SeIncreaseQuotaPrivilege
- SeSecurityPrivilege
- SeTakeOwnershipPrivilege
- SeLoadDriverPrivilege
- SeSystemProfilePrivilege
- SeSystemtimePrivilege
- SeProfSingleProcessPrivilege
- SeIncBasePriorityPrivilege
- SeCreatePagefilePrivilege
- SeBackupPrivilege
- SeRestorePrivilege
- SeShutdownPrivilege
- SeDebugPrivilege
- SeSystemEnvironmentPrivilege
- SeChangeNotifyPrivilege
- SeRemoteShutdownPrivilege
- SeUndockPrivilege
- SeManageVolumePrivilege
- SeImpersonatePrivilege
- SeCreateGlobalPrivilege
- 33
- 34
- 35
- 36

Token privileges adjusted by PID 3460 (iexplore.exe), 24 IoCs:
- SeIncreaseQuotaPrivilege
- SeSecurityPrivilege
- SeTakeOwnershipPrivilege
- SeLoadDriverPrivilege
- SeSystemProfilePrivilege
- SeSystemtimePrivilege
- SeProfSingleProcessPrivilege
- SeIncBasePriorityPrivilege
- SeCreatePagefilePrivilege
- SeBackupPrivilege
- SeRestorePrivilege
- SeShutdownPrivilege
- SeDebugPrivilege
- SeSystemEnvironmentPrivilege
- SeChangeNotifyPrivilege
- SeRemoteShutdownPrivilege
- SeUndockPrivilege
- SeManageVolumePrivilege
- SeImpersonatePrivilege
- SeCreateGlobalPrivilege
- 33
- 34
- 35
- 36
Suspicious use of WriteProcessMemory (17 IoCs)
Processes: 58bc9b0c5e16f64103d96cf3dab84488d9e44de1f17619163665bc30bf388df2.exe, cmd.exe, cmd.exe

Description | PID | Process | Target process
PID 4828 wrote to memory of 5020 | 4828 | 58bc9b0c5e16f64103d96cf3dab84488d9e44de1f17619163665bc30bf388df2.exe | cmd.exe
PID 4828 wrote to memory of 5020 | 4828 | 58bc9b0c5e16f64103d96cf3dab84488d9e44de1f17619163665bc30bf388df2.exe | cmd.exe
PID 4828 wrote to memory of 5020 | 4828 | 58bc9b0c5e16f64103d96cf3dab84488d9e44de1f17619163665bc30bf388df2.exe | cmd.exe
PID 4828 wrote to memory of 3964 | 4828 | 58bc9b0c5e16f64103d96cf3dab84488d9e44de1f17619163665bc30bf388df2.exe | cmd.exe
PID 4828 wrote to memory of 3964 | 4828 | 58bc9b0c5e16f64103d96cf3dab84488d9e44de1f17619163665bc30bf388df2.exe | cmd.exe
PID 4828 wrote to memory of 3964 | 4828 | 58bc9b0c5e16f64103d96cf3dab84488d9e44de1f17619163665bc30bf388df2.exe | cmd.exe
PID 4828 wrote to memory of 3460 | 4828 | 58bc9b0c5e16f64103d96cf3dab84488d9e44de1f17619163665bc30bf388df2.exe | iexplore.exe
PID 4828 wrote to memory of 3460 | 4828 | 58bc9b0c5e16f64103d96cf3dab84488d9e44de1f17619163665bc30bf388df2.exe | iexplore.exe
PID 4828 wrote to memory of 3460 | 4828 | 58bc9b0c5e16f64103d96cf3dab84488d9e44de1f17619163665bc30bf388df2.exe | iexplore.exe
PID 4828 wrote to memory of 3460 | 4828 | 58bc9b0c5e16f64103d96cf3dab84488d9e44de1f17619163665bc30bf388df2.exe | iexplore.exe
PID 4828 wrote to memory of 3460 | 4828 | 58bc9b0c5e16f64103d96cf3dab84488d9e44de1f17619163665bc30bf388df2.exe | iexplore.exe
PID 5020 wrote to memory of 3956 | 5020 | cmd.exe | attrib.exe
PID 5020 wrote to memory of 3956 | 5020 | cmd.exe | attrib.exe
PID 5020 wrote to memory of 3956 | 5020 | cmd.exe | attrib.exe
PID 3964 wrote to memory of 492 | 3964 | cmd.exe | attrib.exe
PID 3964 wrote to memory of 492 | 3964 | cmd.exe | attrib.exe
PID 3964 wrote to memory of 492 | 3964 | cmd.exe | attrib.exe
Views/modifies file attributes (1 TTPs, 2 IoCs)
Processes: attrib.exe, attrib.exe

PID | Process
3956 | attrib.exe
492 | attrib.exe
Processes (process tree, indented by depth)

C:\Users\Admin\AppData\Local\Temp\58bc9b0c5e16f64103d96cf3dab84488d9e44de1f17619163665bc30bf388df2.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\58bc9b0c5e16f64103d96cf3dab84488d9e44de1f17619163665bc30bf388df2.exe"
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Checks computer location settings
  - Windows security modification
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\58bc9b0c5e16f64103d96cf3dab84488d9e44de1f17619163665bc30bf388df2.exe" +s +h
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\attrib.exe (depth 3)
      Command line: attrib "C:\Users\Admin\AppData\Local\Temp\58bc9b0c5e16f64103d96cf3dab84488d9e44de1f17619163665bc30bf388df2.exe" +s +h
      - Sets file to hidden
      - Views/modifies file attributes

  C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\attrib.exe (depth 3)
      Command line: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      - Sets file to hidden
      - Views/modifies file attributes

  C:\Program Files (x86)\Internet Explorer\iexplore.exe (depth 2)
    Command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Suspicious use of AdjustPrivilegeToken