c0b1533f0ba3fd5dd5b7ddf63c61bd090dbd9cd3f9654b994a65b360d3781e7b

Analysis

max time kernel
158s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
02/10/2022, 19:33

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

c0b1533f0ba3fd5dd5b7ddf63c61bd090dbd9cd3f9654b994a65b360d3781e7b.exe
Size

185KB
MD5

723ee30aaf9142c03fd9a6e83b6c0220
SHA1

ae70b4bb8c555b263fa037a19661523c105cd2e4
SHA256

c0b1533f0ba3fd5dd5b7ddf63c61bd090dbd9cd3f9654b994a65b360d3781e7b
SHA512

156fa60452b4e264c3cb717870e216aeb37df96c1a44ac88b4f9dce9d9954ec4a679baa7e06475a54388df8ea2dfff18538b70b88818e4f64ff6794d8a8b771f
SSDEEP

3072:CBI5ArKGCnhgU1XA+ArXjeaMoh6lgUaVwQ+/76bSSN+PS7VyoCeJ6ik+0b0UCCV:CK5ArKjbAxXSaegUqGeGpBohMp

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
4768	choikill.exe
4336	disksult.exe
616	~D1DB.tmp

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	c0b1533f0ba3fd5dd5b7ddf63c61bd090dbd9cd3f9654b994a65b360d3781e7b.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\curlntui = "C:\\Users\\Admin\\AppData\\Roaming\\Launroxy\\choikill.exe"	c0b1533f0ba3fd5dd5b7ddf63c61bd090dbd9cd3f9654b994a65b360d3781e7b.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\disksult.exe	c0b1533f0ba3fd5dd5b7ddf63c61bd090dbd9cd3f9654b994a65b360d3781e7b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	c0b1533f0ba3fd5dd5b7ddf63c61bd090dbd9cd3f9654b994a65b360d3781e7b.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
2988	WINWORD.EXE
2988	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4768	choikill.exe
4768	choikill.exe
2736	Explorer.EXE
2736	Explorer.EXE
4336	disksult.exe
4336	disksult.exe
2736	Explorer.EXE
2736	Explorer.EXE
4336	disksult.exe
4336	disksult.exe
2736	Explorer.EXE
2736	Explorer.EXE
4336	disksult.exe
4336	disksult.exe
2736	Explorer.EXE
2736	Explorer.EXE
4336	disksult.exe
4336	disksult.exe
2736	Explorer.EXE
2736	Explorer.EXE
4336	disksult.exe
4336	disksult.exe
2736	Explorer.EXE
2736	Explorer.EXE
4336	disksult.exe
4336	disksult.exe
2736	Explorer.EXE
2736	Explorer.EXE
4336	disksult.exe
4336	disksult.exe
2736	Explorer.EXE
2736	Explorer.EXE
4336	disksult.exe
4336	disksult.exe
2736	Explorer.EXE
2736	Explorer.EXE
4336	disksult.exe
4336	disksult.exe
2736	Explorer.EXE
2736	Explorer.EXE
4336	disksult.exe
4336	disksult.exe
2736	Explorer.EXE
2736	Explorer.EXE
4336	disksult.exe
4336	disksult.exe
2736	Explorer.EXE
2736	Explorer.EXE
4336	disksult.exe
4336	disksult.exe
2736	Explorer.EXE
2736	Explorer.EXE
4336	disksult.exe
4336	disksult.exe
2736	Explorer.EXE
2736	Explorer.EXE
4336	disksult.exe
4336	disksult.exe
2736	Explorer.EXE
2736	Explorer.EXE
4336	disksult.exe
4336	disksult.exe
2736	Explorer.EXE
2736	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2736	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 32 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2736	Explorer.EXE
Token: SeCreatePagefilePrivilege	2736	Explorer.EXE
Token: SeShutdownPrivilege	2736	Explorer.EXE
Token: SeCreatePagefilePrivilege	2736	Explorer.EXE
Token: SeShutdownPrivilege	2736	Explorer.EXE
Token: SeCreatePagefilePrivilege	2736	Explorer.EXE
Token: SeShutdownPrivilege	2736	Explorer.EXE
Token: SeCreatePagefilePrivilege	2736	Explorer.EXE
Token: SeShutdownPrivilege	2736	Explorer.EXE
Token: SeCreatePagefilePrivilege	2736	Explorer.EXE
Token: SeShutdownPrivilege	2736	Explorer.EXE
Token: SeCreatePagefilePrivilege	2736	Explorer.EXE
Token: SeShutdownPrivilege	2736	Explorer.EXE
Token: SeCreatePagefilePrivilege	2736	Explorer.EXE
Token: SeShutdownPrivilege	2736	Explorer.EXE
Token: SeCreatePagefilePrivilege	2736	Explorer.EXE
Token: SeShutdownPrivilege	2736	Explorer.EXE
Token: SeCreatePagefilePrivilege	2736	Explorer.EXE
Token: SeShutdownPrivilege	2736	Explorer.EXE
Token: SeCreatePagefilePrivilege	2736	Explorer.EXE
Token: SeShutdownPrivilege	2736	Explorer.EXE
Token: SeCreatePagefilePrivilege	2736	Explorer.EXE
Token: SeShutdownPrivilege	2736	Explorer.EXE
Token: SeCreatePagefilePrivilege	2736	Explorer.EXE
Token: SeShutdownPrivilege	2736	Explorer.EXE
Token: SeCreatePagefilePrivilege	2736	Explorer.EXE
Token: SeShutdownPrivilege	2736	Explorer.EXE
Token: SeCreatePagefilePrivilege	2736	Explorer.EXE
Token: SeShutdownPrivilege	2736	Explorer.EXE
Token: SeCreatePagefilePrivilege	2736	Explorer.EXE
Token: SeShutdownPrivilege	2736	Explorer.EXE
Token: SeCreatePagefilePrivilege	2736	Explorer.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2736	Explorer.EXE

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
2988	WINWORD.EXE
2988	WINWORD.EXE
2988	WINWORD.EXE
2988	WINWORD.EXE
2988	WINWORD.EXE
2988	WINWORD.EXE
2988	WINWORD.EXE
2988	WINWORD.EXE
2736	Explorer.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 5036 wrote to memory of 4768	5036	c0b1533f0ba3fd5dd5b7ddf63c61bd090dbd9cd3f9654b994a65b360d3781e7b.exe	83
PID 5036 wrote to memory of 4768	5036	c0b1533f0ba3fd5dd5b7ddf63c61bd090dbd9cd3f9654b994a65b360d3781e7b.exe	83
PID 5036 wrote to memory of 4768	5036	c0b1533f0ba3fd5dd5b7ddf63c61bd090dbd9cd3f9654b994a65b360d3781e7b.exe	83
PID 4768 wrote to memory of 616	4768	choikill.exe	84
PID 4768 wrote to memory of 616	4768	choikill.exe	84
PID 616 wrote to memory of 2736	616	~D1DB.tmp	46
PID 5036 wrote to memory of 2988	5036	c0b1533f0ba3fd5dd5b7ddf63c61bd090dbd9cd3f9654b994a65b360d3781e7b.exe	86
PID 5036 wrote to memory of 2988	5036	c0b1533f0ba3fd5dd5b7ddf63c61bd090dbd9cd3f9654b994a65b360d3781e7b.exe	86

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2736
- C:\Users\Admin\AppData\Local\Temp\c0b1533f0ba3fd5dd5b7ddf63c61bd090dbd9cd3f9654b994a65b360d3781e7b.exe
  "C:\Users\Admin\AppData\Local\Temp\c0b1533f0ba3fd5dd5b7ddf63c61bd090dbd9cd3f9654b994a65b360d3781e7b.exe"
  2⤵
  - Checks computer location settings
  - Adds Run key to start application
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:5036
- - C:\Users\Admin\AppData\Roaming\Launroxy\choikill.exe
    "C:\Users\Admin\AppData\Roaming\Launroxy\choikill.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4768
  - - C:\Users\Admin\AppData\Local\Temp\~D1DB.tmp
      "C:\Users\Admin\AppData\Local\Temp\~D1DB.tmp"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:616
- - C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\~D258.tmp.docx" /o ""
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    PID:2988

C:\Windows\SysWOW64\disksult.exe
C:\Windows\SysWOW64\disksult.exe -k
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4336

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~D1DB.tmp

Filesize
6KB

MD5
2aedf39086c6584e830f4efd638ceff4

SHA1
0e14b2d4a14f696ffca5d4990acfd1ef0676d3e5

SHA256
aa6e7acd53f3d70cc3afc015d5bc56cdbfdaea3265adc3e8cc4e4d429cfe4a4f

SHA512
ca16a3667e8a89fa2add9259b5b3a44dcfe10a6d3b08ff7280b50ba858744a1b5c727577247d03be402d5e6e507f67eaa900b896aebb93cf0fd14684c13e234a

Download Submit
C:\Users\Admin\AppData\Local\Temp\~D1DB.tmp

Filesize
6KB

MD5
2aedf39086c6584e830f4efd638ceff4

SHA1
0e14b2d4a14f696ffca5d4990acfd1ef0676d3e5

SHA256
aa6e7acd53f3d70cc3afc015d5bc56cdbfdaea3265adc3e8cc4e4d429cfe4a4f

SHA512
ca16a3667e8a89fa2add9259b5b3a44dcfe10a6d3b08ff7280b50ba858744a1b5c727577247d03be402d5e6e507f67eaa900b896aebb93cf0fd14684c13e234a

Download Submit
C:\Users\Admin\AppData\Local\Temp\~D258.tmp.docx

Filesize
11KB

MD5
0686a58a9b9b4fcb25574ef458d3e874

SHA1
96f2d62923ae45ddf49abe9a382d737d474d142d

SHA256
36c52a4963e38a18b76774277d1403148c4db026653e84ab7ccbd6b45192a89a

SHA512
ebdf077662b0d150ed256709fd3cf9e58a2a501b844afa113d7f4f00031c1843ad119a521cb95d5066422c3a57ac568792af39843f34a05137e9e5f7510d07fd

Download Submit
C:\Users\Admin\AppData\Roaming\Launroxy\choikill.exe

Filesize
172KB

MD5
82543e99aeda77430459c8bd8ff34a4e

SHA1
d601701cb457b92a5b0c537c979e9016c240bf22

SHA256
aaa09bdcc49e43c4d0c9ba4d788e36a65d3eba79fb79effe71b128cde71a4598

SHA512
bac656ad076cb58956610064482058c9d4dd320f9b8117774e662ed3208f2d992da9c7caf161ece73f504773ca93268383e1d4763bd269d0a977f4fd96f402ad

Download Submit
C:\Users\Admin\AppData\Roaming\Launroxy\choikill.exe

Filesize
172KB

MD5
82543e99aeda77430459c8bd8ff34a4e

SHA1
d601701cb457b92a5b0c537c979e9016c240bf22

SHA256
aaa09bdcc49e43c4d0c9ba4d788e36a65d3eba79fb79effe71b128cde71a4598

SHA512
bac656ad076cb58956610064482058c9d4dd320f9b8117774e662ed3208f2d992da9c7caf161ece73f504773ca93268383e1d4763bd269d0a977f4fd96f402ad

Download Submit
C:\Windows\SysWOW64\disksult.exe

Filesize
185KB

MD5
723ee30aaf9142c03fd9a6e83b6c0220

SHA1
ae70b4bb8c555b263fa037a19661523c105cd2e4

SHA256
c0b1533f0ba3fd5dd5b7ddf63c61bd090dbd9cd3f9654b994a65b360d3781e7b

SHA512
156fa60452b4e264c3cb717870e216aeb37df96c1a44ac88b4f9dce9d9954ec4a679baa7e06475a54388df8ea2dfff18538b70b88818e4f64ff6794d8a8b771f

Download Submit
C:\Windows\SysWOW64\disksult.exe

Filesize
185KB

MD5
723ee30aaf9142c03fd9a6e83b6c0220

SHA1
ae70b4bb8c555b263fa037a19661523c105cd2e4

SHA256
c0b1533f0ba3fd5dd5b7ddf63c61bd090dbd9cd3f9654b994a65b360d3781e7b

SHA512
156fa60452b4e264c3cb717870e216aeb37df96c1a44ac88b4f9dce9d9954ec4a679baa7e06475a54388df8ea2dfff18538b70b88818e4f64ff6794d8a8b771f

Download Submit
memory/2736-142-0x0000000002E40000-0x0000000002E81000-memory.dmp

Filesize
260KB

Download
memory/2988-144-0x00007FFBFA950000-0x00007FFBFA960000-memory.dmp

Filesize
64KB

Download
memory/2988-148-0x00007FFBFA950000-0x00007FFBFA960000-memory.dmp

Filesize
64KB

Download
memory/2988-156-0x00007FFBFA950000-0x00007FFBFA960000-memory.dmp

Filesize
64KB

Download
memory/2988-145-0x00007FFBFA950000-0x00007FFBFA960000-memory.dmp

Filesize
64KB

Download
memory/2988-146-0x00007FFBFA950000-0x00007FFBFA960000-memory.dmp

Filesize
64KB

Download
memory/2988-147-0x00007FFBFA950000-0x00007FFBFA960000-memory.dmp

Filesize
64KB

Download
memory/2988-154-0x00007FFBFA950000-0x00007FFBFA960000-memory.dmp

Filesize
64KB

Download
memory/2988-149-0x00007FFBF8150000-0x00007FFBF8160000-memory.dmp

Filesize
64KB

Download
memory/2988-150-0x00007FFBF8150000-0x00007FFBF8160000-memory.dmp

Filesize
64KB

Download
memory/2988-155-0x00007FFBFA950000-0x00007FFBFA960000-memory.dmp

Filesize
64KB

Download
memory/2988-153-0x00007FFBFA950000-0x00007FFBFA960000-memory.dmp

Filesize
64KB

Download
memory/4336-141-0x0000000000510000-0x0000000000551000-memory.dmp

Filesize
260KB

Download
memory/5036-132-0x00000000007B0000-0x00000000007F1000-memory.dmp

Filesize
260KB

Download