8d63e6f9a0eef5a31e2518a8028af0c9e0d518b5c5493eeed6b673534b537f70

General

Target

8d63e6f9a0eef5a31e2518a8028af0c9e0d518b5c5493eeed6b673534b537f70.exe
Size

203KB
MD5

6b3358be20fd33a50824a5ec91212879
SHA1

f384bf2e2f1c2a5ef5aad9b127483a75d4519a6b
SHA256

8d63e6f9a0eef5a31e2518a8028af0c9e0d518b5c5493eeed6b673534b537f70
SHA512

12d9854b8c890797d17284bd289b29a97838eb0e927f60c109eb9d89aa70c2698b96ba16cb556556b4043023c1ff15e96d0b960779ff64f16265054d935f0113
SSDEEP

6144:E64DnLGwnvAlQKs8BbP2BfGP7SF9AuTCSh9Ewjw:TeFv0QK5P2BfGeX7Xrjw

Score

8^/10

evasion persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

ss.exe379.exesvchost.exe

pid process

1192 ss.exe
2020 379.exe
2772 svchost.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

2260 netsh.exe

pid	process
1192	ss.exe
2020	379.exe
2772	svchost.exe

pid	process
2260	netsh.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

8d63e6f9a0eef5a31e2518a8028af0c9e0d518b5c5493eeed6b673534b537f70.exe379.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	8d63e6f9a0eef5a31e2518a8028af0c9e0d518b5c5493eeed6b673534b537f70.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	379.exe

Drops startup file 2 IoCs

Processes:

svchost.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ba4c12bee3027d94da5c81db2d196bfd.exe	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ba4c12bee3027d94da5c81db2d196bfd.exe	svchost.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ba4c12bee3027d94da5c81db2d196bfd = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe\" .."	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ba4c12bee3027d94da5c81db2d196bfd = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe\" .."	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 25 IoCs

Processes:

svchost.exe

pid	process
2772	svchost.exe
2772	svchost.exe
2772	svchost.exe
2772	svchost.exe
2772	svchost.exe
2772	svchost.exe
2772	svchost.exe
2772	svchost.exe
2772	svchost.exe
2772	svchost.exe
2772	svchost.exe
2772	svchost.exe
2772	svchost.exe
2772	svchost.exe
2772	svchost.exe
2772	svchost.exe
2772	svchost.exe
2772	svchost.exe
2772	svchost.exe
2772	svchost.exe
2772	svchost.exe
2772	svchost.exe
2772	svchost.exe
2772	svchost.exe
2772	svchost.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

svchost.exe

description pid process

Token: SeDebugPrivilege 2772 svchost.exe

description	pid	process
Token: SeDebugPrivilege	2772	svchost.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

8d63e6f9a0eef5a31e2518a8028af0c9e0d518b5c5493eeed6b673534b537f70.exess.exe379.exesvchost.exe

description	pid	process	target process
PID 4500 wrote to memory of 1192	4500	8d63e6f9a0eef5a31e2518a8028af0c9e0d518b5c5493eeed6b673534b537f70.exe	ss.exe
PID 4500 wrote to memory of 1192	4500	8d63e6f9a0eef5a31e2518a8028af0c9e0d518b5c5493eeed6b673534b537f70.exe	ss.exe
PID 1192 wrote to memory of 2020	1192	ss.exe	379.exe
PID 1192 wrote to memory of 2020	1192	ss.exe	379.exe
PID 1192 wrote to memory of 2020	1192	ss.exe	379.exe
PID 2020 wrote to memory of 2772	2020	379.exe	svchost.exe
PID 2020 wrote to memory of 2772	2020	379.exe	svchost.exe
PID 2020 wrote to memory of 2772	2020	379.exe	svchost.exe
PID 2772 wrote to memory of 2260	2772	svchost.exe	netsh.exe
PID 2772 wrote to memory of 2260	2772	svchost.exe	netsh.exe
PID 2772 wrote to memory of 2260	2772	svchost.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\8d63e6f9a0eef5a31e2518a8028af0c9e0d518b5c5493eeed6b673534b537f70.exe
"C:\Users\Admin\AppData\Local\Temp\8d63e6f9a0eef5a31e2518a8028af0c9e0d518b5c5493eeed6b673534b537f70.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4500

C:\Users\Admin\AppData\Local\Temp\ss.exe
"C:\Users\Admin\AppData\Local\Temp\ss.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1192

C:\Users\Admin\AppData\Local\Temp\379.exe
C:\Users\Admin\AppData\Local\Temp\379.exe
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2020

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
4⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2772

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\svchost.exe" "svchost.exe" ENABLE
5⤵
- Modifies Windows Firewall
PID:2260

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\379.exe
Filesize
56KB

MD5
3242d5de505f25484b1809a9ee87d0dd

SHA1
39e363e493a338359afb83f04168821950862043

SHA256
15eade85673e69785dad65bef8545c80b70d23d68740386e9545ba8f1bea742c

SHA512
34e12aad92cd835386a1c8fca25da5747fca4833a7507a9255e8433af24eed64348d383791754d4946cfa5ef64c03a70d1dd2c5a203e5d6b101f01e3f2c4b785

Download Submit
C:\Users\Admin\AppData\Local\Temp\379.exe
Filesize
56KB

MD5
3242d5de505f25484b1809a9ee87d0dd

SHA1
39e363e493a338359afb83f04168821950862043

SHA256
15eade85673e69785dad65bef8545c80b70d23d68740386e9545ba8f1bea742c

SHA512
34e12aad92cd835386a1c8fca25da5747fca4833a7507a9255e8433af24eed64348d383791754d4946cfa5ef64c03a70d1dd2c5a203e5d6b101f01e3f2c4b785

Download Submit
C:\Users\Admin\AppData\Local\Temp\ss.exe
Filesize
193KB

MD5
23963d66fb8c79bb409e826ff473bb74

SHA1
8e42a270d251af191c267312143b23c5956fd910

SHA256
9aed1caa06b45627f6d503197b9082f5a3f244b8b507b7faa7e647a90be64b03

SHA512
b36fd10aa70bd1d3f0f5c819b2f2667c7b2259c96d74f84a6717d668ce5c55838cd9b180bf1d3cbe49ac7385473072933188926660daf7e6526c7c0d96e60779

Download Submit
C:\Users\Admin\AppData\Local\Temp\ss.exe
Filesize
193KB

MD5
23963d66fb8c79bb409e826ff473bb74

SHA1
8e42a270d251af191c267312143b23c5956fd910

SHA256
9aed1caa06b45627f6d503197b9082f5a3f244b8b507b7faa7e647a90be64b03

SHA512
b36fd10aa70bd1d3f0f5c819b2f2667c7b2259c96d74f84a6717d668ce5c55838cd9b180bf1d3cbe49ac7385473072933188926660daf7e6526c7c0d96e60779

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe
Filesize
56KB

MD5
3242d5de505f25484b1809a9ee87d0dd

SHA1
39e363e493a338359afb83f04168821950862043

SHA256
15eade85673e69785dad65bef8545c80b70d23d68740386e9545ba8f1bea742c

SHA512
34e12aad92cd835386a1c8fca25da5747fca4833a7507a9255e8433af24eed64348d383791754d4946cfa5ef64c03a70d1dd2c5a203e5d6b101f01e3f2c4b785

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe
Filesize
56KB

MD5
3242d5de505f25484b1809a9ee87d0dd

SHA1
39e363e493a338359afb83f04168821950862043

SHA256
15eade85673e69785dad65bef8545c80b70d23d68740386e9545ba8f1bea742c

SHA512
34e12aad92cd835386a1c8fca25da5747fca4833a7507a9255e8433af24eed64348d383791754d4946cfa5ef64c03a70d1dd2c5a203e5d6b101f01e3f2c4b785

Download Submit
memory/1192-132-0x0000000000000000-mapping.dmp

Download
memory/2020-135-0x0000000000000000-mapping.dmp

Download
memory/2020-138-0x0000000075340000-0x00000000758F1000-memory.dmp

Filesize
5.7MB

Download
memory/2020-142-0x0000000075340000-0x00000000758F1000-memory.dmp

Filesize
5.7MB

Download
memory/2260-143-0x0000000000000000-mapping.dmp

Download
memory/2772-139-0x0000000000000000-mapping.dmp

Download
memory/2772-144-0x0000000075340000-0x00000000758F1000-memory.dmp

Filesize
5.7MB

Download
memory/2772-145-0x0000000075340000-0x00000000758F1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads