6055e6134d3c861ef5b2e599dd87959debcc09e6855cf3c8e4d32b6255aa1f99

Analysis

max time kernel
151s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220721-en
resource tags

arch:x64arch:x86image:win10v2004-20220721-enlocale:en-usos:windows10-2004-x64system
submitted
31-07-2022 05:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6055e6134d3c861ef5b2e599dd87959debcc09e6855cf3c8e4d32b6255aa1f99.exe
Size

179KB
MD5

84f2b1ef959d96970c899e581905c333
SHA1

57119042042e49e550c90a801c7ca15b8cf1b2ab
SHA256

6055e6134d3c861ef5b2e599dd87959debcc09e6855cf3c8e4d32b6255aa1f99
SHA512

c32903f151977a7fb624aa23639251976d10af864bd608f7a5b77ebde9cd178051529c1c0870f38a412f5e60ce97b499c20faeee2263ac70ce0ea7a675e51c29

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1612	svchost.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Control Panel\International\Geo\Nation	6055e6134d3c861ef5b2e599dd87959debcc09e6855cf3c8e4d32b6255aa1f99.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Startup32.3u.exe	svchost.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Startup32.3u.exe	svchost.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Sidebar(32.3u) = "C:\\Users\\Admin\\AppData\\Roaming\\ProgramFiles(32.3u)\\svchost.exe"	6055e6134d3c861ef5b2e599dd87959debcc09e6855cf3c8e4d32b6255aa1f99.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Sidebar(32.3u) = "C:\\Users\\Admin\\AppData\\Roaming\\ProgramFiles(32.3u)\\svchost.exe"	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	6055e6134d3c861ef5b2e599dd87959debcc09e6855cf3c8e4d32b6255aa1f99.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	6055e6134d3c861ef5b2e599dd87959debcc09e6855cf3c8e4d32b6255aa1f99.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	6055e6134d3c861ef5b2e599dd87959debcc09e6855cf3c8e4d32b6255aa1f99.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4588	6055e6134d3c861ef5b2e599dd87959debcc09e6855cf3c8e4d32b6255aa1f99.exe
4588	6055e6134d3c861ef5b2e599dd87959debcc09e6855cf3c8e4d32b6255aa1f99.exe
4588	6055e6134d3c861ef5b2e599dd87959debcc09e6855cf3c8e4d32b6255aa1f99.exe
4588	6055e6134d3c861ef5b2e599dd87959debcc09e6855cf3c8e4d32b6255aa1f99.exe
4588	6055e6134d3c861ef5b2e599dd87959debcc09e6855cf3c8e4d32b6255aa1f99.exe
1612	svchost.exe
1612	svchost.exe
1612	svchost.exe
1612	svchost.exe
1612	svchost.exe
1612	svchost.exe
1612	svchost.exe
1612	svchost.exe
1612	svchost.exe
1612	svchost.exe
1612	svchost.exe
1612	svchost.exe
1612	svchost.exe
1612	svchost.exe
1612	svchost.exe
1612	svchost.exe
1612	svchost.exe
1612	svchost.exe
1612	svchost.exe
1612	svchost.exe
1612	svchost.exe
1612	svchost.exe
1612	svchost.exe
1612	svchost.exe
1612	svchost.exe
1612	svchost.exe
1612	svchost.exe
1612	svchost.exe
1612	svchost.exe
1612	svchost.exe
1612	svchost.exe
1612	svchost.exe
1612	svchost.exe
1612	svchost.exe
1612	svchost.exe
1612	svchost.exe
1612	svchost.exe
1612	svchost.exe
1612	svchost.exe
1612	svchost.exe
1612	svchost.exe
1612	svchost.exe
1612	svchost.exe
1612	svchost.exe
1612	svchost.exe
1612	svchost.exe
1612	svchost.exe
1612	svchost.exe
1612	svchost.exe
1612	svchost.exe
1612	svchost.exe
1612	svchost.exe
1612	svchost.exe
1612	svchost.exe
1612	svchost.exe
1612	svchost.exe
1612	svchost.exe
1612	svchost.exe
1612	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1612	svchost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4588	6055e6134d3c861ef5b2e599dd87959debcc09e6855cf3c8e4d32b6255aa1f99.exe
Token: SeDebugPrivilege	1612	svchost.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4588 wrote to memory of 1612	4588	6055e6134d3c861ef5b2e599dd87959debcc09e6855cf3c8e4d32b6255aa1f99.exe	85
PID 4588 wrote to memory of 1612	4588	6055e6134d3c861ef5b2e599dd87959debcc09e6855cf3c8e4d32b6255aa1f99.exe	85

C:\Users\Admin\AppData\Local\Temp\6055e6134d3c861ef5b2e599dd87959debcc09e6855cf3c8e4d32b6255aa1f99.exe
"C:\Users\Admin\AppData\Local\Temp\6055e6134d3c861ef5b2e599dd87959debcc09e6855cf3c8e4d32b6255aa1f99.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4588
- C:\Users\Admin\AppData\Roaming\ProgramFiles(32.3u)\svchost.exe
  "C:\Users\Admin\AppData\Roaming\ProgramFiles(32.3u)\svchost.exe"
  2⤵
  - Executes dropped EXE
  - Drops startup file
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:1612

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\42B9A473B4DAF01285A36B4D3C7B1662_178C086B699FD6C56B804AF3EF759CB5

Filesize
471B

MD5
c8e110d4f0fa3358d71e8759b61830f1

SHA1
82de544c2c0f7bf30fdf2044fb047106d7b094c3

SHA256
e3af569ed90c5283532bdc320551d1a5d674b989f38c9421855195fe0579fb5e

SHA512
0ea9babc2e63eceedc9ee5d404ff47908bf8c3b8983d822a670d31f78bbff489346d8375e437436fb044af5ce17232d4ce10f2a87f007dbb6415a3c7e7133601

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\66AE3BFDF94A732B262342AD2154B86E_1504CB01E15745C324D88B59ACA8C10D

Filesize
490B

MD5
8877d510e3c8d5fab1679d40884da090

SHA1
1d6bb8277ec519f8d3337d3786e1e1b35f818b37

SHA256
d00400964ebdd17939571e41935916f1bc2a0943e7614b9bf0b4397e85238d39

SHA512
03a10cf8691043e78ff8bdfab682da4127f2216a8d557a35c7996caf6fea232d146b2c4150b2948c564903db5b723b7a67e999aafc3b14fdf910437b9c07c715

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\42B9A473B4DAF01285A36B4D3C7B1662_178C086B699FD6C56B804AF3EF759CB5

Filesize
434B

MD5
5cc644e29a5e69790527b4f658809cf8

SHA1
f0f0be714d95c9d9b569b16387d11dcdc63f4f79

SHA256
035de5f600186f9e926fa9e637c98d0fcc187ad5c12a0c2703c8614767a2c990

SHA512
6206c10ca532e41e2e5d224dea880a2dddc66aa8a0c10a0d6d2123f937bf2895fc06e7eaae20185091f2393c012edf8f52040106944ab2797dbf24717f165d4a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\66AE3BFDF94A732B262342AD2154B86E_1504CB01E15745C324D88B59ACA8C10D

Filesize
404B

MD5
dbc3cc82334d9c0d8cfd52ee0758f02f

SHA1
6140315c396f814edbc1bec4ae7b2423baf52b31

SHA256
4733101519fbdd49e4699fd26cd8800ff79cb1e0555c843f675da2922e1be5b7

SHA512
3e72b778f105302820ea660c04475e4190fd3d8bad474d2353ec21beb09ab095f101b8fed4b894d88ee88833ec5d209577c78f65fa1fc1f93af0df721885ebb8

Download Submit
C:\Users\Admin\AppData\Roaming\ProgramFiles(32.3u)\svchost.exe

Filesize
179KB

MD5
84f2b1ef959d96970c899e581905c333

SHA1
57119042042e49e550c90a801c7ca15b8cf1b2ab

SHA256
6055e6134d3c861ef5b2e599dd87959debcc09e6855cf3c8e4d32b6255aa1f99

SHA512
c32903f151977a7fb624aa23639251976d10af864bd608f7a5b77ebde9cd178051529c1c0870f38a412f5e60ce97b499c20faeee2263ac70ce0ea7a675e51c29

Download Submit
C:\Users\Admin\AppData\Roaming\ProgramFiles(32.3u)\svchost.exe

Filesize
179KB

MD5
84f2b1ef959d96970c899e581905c333

SHA1
57119042042e49e550c90a801c7ca15b8cf1b2ab

SHA256
6055e6134d3c861ef5b2e599dd87959debcc09e6855cf3c8e4d32b6255aa1f99

SHA512
c32903f151977a7fb624aa23639251976d10af864bd608f7a5b77ebde9cd178051529c1c0870f38a412f5e60ce97b499c20faeee2263ac70ce0ea7a675e51c29

Download Submit
memory/1612-138-0x00007FF9DD380000-0x00007FF9DDDB6000-memory.dmp

Filesize
10.2MB

Download
memory/4588-130-0x00007FF9DD630000-0x00007FF9DE066000-memory.dmp

Filesize
10.2MB

Download