Analysis
max time kernel: 150s
max time network: 145s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13-08-2022 21:10
Static task: static1
Behavioral task: behavioral1
  Sample: 0030834bf67509153237ac832bc68649.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 0030834bf67509153237ac832bc68649.exe
  Resource: win10v2004-20220812-en
General
Target: 0030834bf67509153237ac832bc68649.exe
Size: 351KB
MD5: 0030834bf67509153237ac832bc68649
SHA1: 1e4802307ae8e4a8c75bb384762f4cd6db676884
SHA256: bda545a064501623ed0031faafaad588e31bdae02dd945413873f21ecb7fd96d
SHA512: 9a26f24a53c929c470e87469dac4ead2064524d0f85e4ea0424695b2f7e6a200256886093ed1190373281498915aecad94d74e90302444c42bc92c876e85e50d
Malware Config
Signatures

Executes dropped EXE (1 IoC)
Processes:
  pid 4424  taskhost .exe

Modifies Windows Firewall (1 TTP, 1 IoC)

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\Control Panel\International\Geo\Nation
  process: 0030834bf67509153237ac832bc68649.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\de691f5a23326e1eca32cf33144b3175 = "\"C:\\Users\\Admin\\AppData\\Roaming\\taskhost .exe\" .."
  process: taskhost .exe

  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\de691f5a23326e1eca32cf33144b3175 = "\"C:\\Users\\Admin\\AppData\\Roaming\\taskhost .exe\" .."
  process: taskhost .exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies registry class (6 IoCs)
Processes:
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000_Classes\CID\{47004F00-6500-4F00-5000-33006F005800}\1 = "52B1oNhfHYAr31mj+XEMmluPWM0G3HVdnXXdJYHQjNByRJVsg5DkIHwNvDxJMIWDNDxpKbWLdlh4LZQNaZ+Ukk5bPy2gLMeZ9uFXJxrrtDEaZB7T+VGlkRmubNheyvLjsr+Gpi8BTKNdObihHuGo0WizduLcKZljhgzJWM8kwwA="
  process: 0030834bf67509153237ac832bc68649.exe

  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000_Classes\CID\{47004F00-6500-4F00-5000-33006F005800}\1 = "2MUECT+A4VaCN8hFQ2EVWTKh40Z2uogrzU8p9+tVD/y6XrFyDlBoxDJJLVXgXPZCjYYRokgeU+SuyTI2FXSaeXsb3QsrRN3QmgCeup8lRwJaQfiI6GMB4v6PXZwYRskRF1lVNQcw/8Q7wsjJ2yCUhxMyr+ccoBqc9zvzPAP/aec="
  process: taskhost .exe

  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000_Classes\CID\{47004F00-6500-4F00-5000-33006F005800}\1 = "xjniDDbwKpwg3C4Z31/ndYQujHTnDwYir6+Rn/Sy8n4ArgejzhPUgCcMNKpZOa3dI7iv97cpyW/pnfYiKGmmkj5mu33LX3ZkQdkcvnD59ui1AQr/yZYF1qmh5QJqhqhWCdqm9H+Jie2nU1jhynQuYHxkZUXMLxXAL2MnyuSptM4="
  process: taskhost .exe

  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000_Classes\CID\{47004F00-6500-4F00-5000-33006F005800}\1 = "eI0S7KcWSdMgqzwh30JHioUKGAvdiDRNPEiK86AGN1yLHAuvcaTUITZ3s0eUytuL/u/HIvr4KbjP/10zqMeuj0buJes8eIKr/wI1xoZmQ0e5m/JL2ZN3hci7pTYUaZ1oEIsAQn46FCXbCKU6HPu18BGpdXp7+RfX9Opw4/RgQpU="
  process: taskhost .exe

  description: Key created
  ioc: \REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000_Classes\CID\{47004F00-6500-4F00-5000-33006F005800}
  process: 0030834bf67509153237ac832bc68649.exe

  description: Key created
  ioc: \REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000_Classes\CID
  process: 0030834bf67509153237ac832bc68649.exe

NTFS ADS (3 IoCs)
Processes:
  description: File created
  ioc: C:\Users\Admin\AppData\Local\Temp:{6B003300-6A00-3100-3600-510068003300}
  process: 0030834bf67509153237ac832bc68649.exe

  description: File created
  ioc: C:\Users\Admin\AppData\Roaming:{6B003300-6A00-3100-3600-510068003300}
  process: taskhost .exe

  description: File opened for modification
  ioc: C:\Users\Admin\AppData\Roaming:{6B003300-6A00-3100-3600-510068003300}
  process: taskhost .exe

Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes:
  pid 4272  0030834bf67509153237ac832bc68649.exe
  pid 4272  0030834bf67509153237ac832bc68649.exe
  pid 4424  taskhost .exe
  pid 4424  taskhost .exe

Suspicious use of AdjustPrivilegeToken (34 IoCs)
Processes:
  Token: SeDebugPrivilege              pid 4272  0030834bf67509153237ac832bc68649.exe
  Token: SeDebugPrivilege              pid 4424  taskhost .exe
  Token: 33                            pid 4424  taskhost .exe
  Token: SeIncBasePriorityPrivilege    pid 4424  taskhost .exe
  (the last two entries, Token: 33 followed by Token: SeIncBasePriorityPrivilege, alternate 16 times each for pid 4424, taskhost .exe, giving the remaining 32 IoCs)

Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
  description: PID 4272 wrote to memory of 4424
  pid 4272  process: 0030834bf67509153237ac832bc68649.exe  target process: taskhost .exe
  (recorded 3 times)

  description: PID 4424 wrote to memory of 3524
  pid 4424  process: taskhost .exe  target process: netsh.exe
  (recorded 3 times)
Processes

C:\Users\Admin\AppData\Local\Temp\0030834bf67509153237ac832bc68649.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0030834bf67509153237ac832bc68649.exe"
  - Checks computer location settings
  - Modifies registry class
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\taskhost .exe (depth 2, child of the above)
    Command line: "C:\Users\Admin\AppData\Roaming\taskhost .exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Modifies registry class
    - NTFS ADS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\netsh.exe (depth 3, child of taskhost .exe)
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\taskhost .exe" "taskhost .exe" ENABLE
      - Modifies Windows Firewall
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads

C:\ProgramData\Isolated Storage\{6B003300-6A00-3100-3600-510068003300}
  Filesize: 344B
  MD5: b7dc3d4d2458b0ac328d4923926acf7c
  SHA1: 5502eecb50b242c473c77967ce897c30bd2b8d10
  SHA256: 6ad38d320a4229d62ad4931ff0eede30714ba77d9f0d9e775c9477438ea7f584
  SHA512: 228844c25aa3a485c0f24fd9f00b0e956b81b3bdf4bca0ed56993b6bb91dccd2f1cfe616c44d564459b2e13bc64d395809e977248ddb34e66452511a80b964d6

C:\Users\Admin\AppData\Local\Temp\
  (no filesize reported; the hashes below are those of zero-length input)
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Roaming\taskhost .exe
  Filesize: 351KB
  MD5: 0030834bf67509153237ac832bc68649
  SHA1: 1e4802307ae8e4a8c75bb384762f4cd6db676884
  SHA256: bda545a064501623ed0031faafaad588e31bdae02dd945413873f21ecb7fd96d
  SHA512: 9a26f24a53c929c470e87469dac4ead2064524d0f85e4ea0424695b2f7e6a200256886093ed1190373281498915aecad94d74e90302444c42bc92c876e85e50d

C:\Users\Admin\AppData\Roaming\taskhost .exe
  Filesize: 351KB
  MD5: 0030834bf67509153237ac832bc68649
  SHA1: 1e4802307ae8e4a8c75bb384762f4cd6db676884
  SHA256: bda545a064501623ed0031faafaad588e31bdae02dd945413873f21ecb7fd96d
  SHA512: 9a26f24a53c929c470e87469dac4ead2064524d0f85e4ea0424695b2f7e6a200256886093ed1190373281498915aecad94d74e90302444c42bc92c876e85e50d

Memory dumps
  memory/3524-144-0x0000000000000000-mapping.dmp
  memory/4272-135-0x0000000006140000-0x00000000066E4000-memory.dmp  Filesize: 5.6MB
  memory/4272-138-0x0000000005E80000-0x0000000005ED6000-memory.dmp  Filesize: 344KB
  memory/4272-137-0x0000000005C70000-0x0000000005C7A000-memory.dmp  Filesize: 40KB
  memory/4272-136-0x0000000005C90000-0x0000000005D22000-memory.dmp  Filesize: 584KB
  memory/4272-132-0x00000000008C0000-0x000000000091E000-memory.dmp  Filesize: 376KB
  memory/4272-134-0x0000000005390000-0x00000000053F6000-memory.dmp  Filesize: 408KB
  memory/4272-133-0x0000000005290000-0x000000000532C000-memory.dmp  Filesize: 624KB
  memory/4424-139-0x0000000000000000-mapping.dmp