Analysis
max time kernel: 121s
max time network: 165s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02/10/2022, 06:25

Static task: static1

Behavioral task: behavioral1
Sample: 4f4fcb2ba4ec57969a0dd7be28b13d8a1041878530bdcf546770db1353fffe02.exe
Resource: win7-20220812-en

Behavioral task: behavioral2
Sample: 4f4fcb2ba4ec57969a0dd7be28b13d8a1041878530bdcf546770db1353fffe02.exe
Resource: win10v2004-20220812-en
General
Target: 4f4fcb2ba4ec57969a0dd7be28b13d8a1041878530bdcf546770db1353fffe02.exe
Size: 877KB
MD5: 6c5e25c0a06418934f60915e654ecac0
SHA1: 11d53cc056e56aba2e58ae16d4791b318897301a
SHA256: 4f4fcb2ba4ec57969a0dd7be28b13d8a1041878530bdcf546770db1353fffe02
SHA512: c7767503d42c2dab4d1a0ba32df8f81c8116c9ea641277c0964474898e508dbcfb4eeb657efbb320e002a53d9b87617dec7bd93304402a6b42072f7123277035
SSDEEP: 12288:h1OgLdaOXuunhwyAcnpDcorrLWweor+SVhZJy5rzELMMzUDX3WsN1eotA:h1OYdaO+uRx+oz5HVhuzAVoLHXtA
Malware Config
Signatures

Executes dropped EXE (4 IoCs)
  pid | Process
  864 | uwcSt.exe
  4208 | setup.exe
  2328 | setup.tmp
  4444 | consoleguard.exe

Modifies Windows Firewall (1 TTP, 2 IoCs)
  pid | Process
  232 | netsh.exe
  1256 | netsh.exe

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | uwcSt.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | consoleguard.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\consoleguard | setup.tmp
  Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\consoleguard = "C:\\Program Files (x86)\\consoleguard\\consoleguard.exe" | consoleguard.exe

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Drops file in Program Files directory (6 IoCs)
  description | ioc | Process
  File created | C:\Program Files (x86)\consoleguard\is-KQ4L4.tmp | setup.tmp
  File opened for modification | C:\Program Files (x86)\consoleguard\unins000.dat | setup.tmp
  File opened for modification | C:\Program Files (x86)\consoleguard\consoleguard.exe | setup.tmp
  File created | C:\Program Files (x86)\consoleguard\unins000.dat | setup.tmp
  File created | C:\Program Files (x86)\consoleguard\is-U0KFQ.tmp | setup.tmp
  File created | C:\Program Files (x86)\consoleguard\is-B2SS0.tmp | setup.tmp

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Kills process with taskkill (1 IoC)
  pid | Process
  3792 | taskkill.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | Process
  2328 | setup.tmp
  2328 | setup.tmp

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | Process
  Token: SeDebugPrivilege | 3792 | taskkill.exe

Suspicious use of FindShellTrayWindow (1 IoC)
  pid | Process
  2328 | setup.tmp

Suspicious use of WriteProcessMemory (21 IoCs)
  description | pid | Process | procid_target
  PID 2580 wrote to memory of 864 | 2580 | 4f4fcb2ba4ec57969a0dd7be28b13d8a1041878530bdcf546770db1353fffe02.exe | 83
  PID 2580 wrote to memory of 864 | 2580 | 4f4fcb2ba4ec57969a0dd7be28b13d8a1041878530bdcf546770db1353fffe02.exe | 83
  PID 2580 wrote to memory of 864 | 2580 | 4f4fcb2ba4ec57969a0dd7be28b13d8a1041878530bdcf546770db1353fffe02.exe | 83
  PID 864 wrote to memory of 4208 | 864 | uwcSt.exe | 84
  PID 864 wrote to memory of 4208 | 864 | uwcSt.exe | 84
  PID 864 wrote to memory of 4208 | 864 | uwcSt.exe | 84
  PID 4208 wrote to memory of 2328 | 4208 | setup.exe | 86
  PID 4208 wrote to memory of 2328 | 4208 | setup.exe | 86
  PID 4208 wrote to memory of 2328 | 4208 | setup.exe | 86
  PID 2328 wrote to memory of 232 | 2328 | setup.tmp | 87
  PID 2328 wrote to memory of 232 | 2328 | setup.tmp | 87
  PID 2328 wrote to memory of 232 | 2328 | setup.tmp | 87
  PID 2328 wrote to memory of 1256 | 2328 | setup.tmp | 89
  PID 2328 wrote to memory of 1256 | 2328 | setup.tmp | 89
  PID 2328 wrote to memory of 1256 | 2328 | setup.tmp | 89
  PID 2328 wrote to memory of 4444 | 2328 | setup.tmp | 91
  PID 2328 wrote to memory of 4444 | 2328 | setup.tmp | 91
  PID 2328 wrote to memory of 4444 | 2328 | setup.tmp | 91
  PID 4444 wrote to memory of 3792 | 4444 | consoleguard.exe | 92
  PID 4444 wrote to memory of 3792 | 4444 | consoleguard.exe | 92
  PID 4444 wrote to memory of 3792 | 4444 | consoleguard.exe | 92
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\4f4fcb2ba4ec57969a0dd7be28b13d8a1041878530bdcf546770db1353fffe02.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\4f4fcb2ba4ec57969a0dd7be28b13d8a1041878530bdcf546770db1353fffe02.exe"
  PID: 2580
  - Suspicious use of WriteProcessMemory

  Level 2: C:\Users\Admin\AppData\Local\Temp\7zSB57A.tmp\uwcSt.exe
    Command line: .\uwcSt.exe
    PID: 864
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory

    Level 3: C:\Users\Admin\AppData\Local\Temp\7zSB57A.tmp\setup.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\7zSB57A.tmp\setup.exe" /VERYSILENT
      PID: 4208
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory

      Level 4: C:\Users\Admin\AppData\Local\Temp\is-66C6K.tmp\setup.tmp
        Command line: "C:\Users\Admin\AppData\Local\Temp\is-66C6K.tmp\setup.tmp" /SL5="$A01C8,249944,119296,C:\Users\Admin\AppData\Local\Temp\7zSB57A.tmp\setup.exe" /VERYSILENT
        PID: 2328
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in Program Files directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of WriteProcessMemory

        Level 5: C:\Windows\SysWOW64\netsh.exe
          Command line: "C:\Windows\system32\netsh.exe" firewall add allowedprogram program="C:\Program Files (x86)\consoleguard\consoleguard.exe" name="consoleguard" ENABLE ALL
          PID: 232
          - Modifies Windows Firewall

        Level 5: C:\Windows\SysWOW64\netsh.exe
          Command line: "C:\Windows\system32\netsh.exe" advfirewall firewall add rule action=allow profile=any protocol=any enable=yes direction=[in|out] program="C:\Program Files (x86)\consoleguard\consoleguard.exe" name="consoleguard" ENABLE ALL
          PID: 1256
          - Modifies Windows Firewall

        Level 5: C:\Program Files (x86)\consoleguard\consoleguard.exe
          Command line: "C:\Program Files (x86)\consoleguard\consoleguard.exe"
          PID: 4444
          - Executes dropped EXE
          - Checks computer location settings
          - Adds Run key to start application
          - Suspicious use of WriteProcessMemory

          Level 6: C:\Windows\SysWOW64\taskkill.exe
            Command line: "C:\Windows\System32\taskkill.exe" /F /T /IM chrome.exe
            PID: 3792
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads