Analysis
- max time kernel: 173s
- max time network: 185s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 04-10-2022 03:15
Behavioral task: behavioral1
- Sample: 8d63e6f9a0eef5a31e2518a8028af0c9e0d518b5c5493eeed6b673534b537f70.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: 8d63e6f9a0eef5a31e2518a8028af0c9e0d518b5c5493eeed6b673534b537f70.exe
- Resource: win10v2004-20220812-en
General
- Target: 8d63e6f9a0eef5a31e2518a8028af0c9e0d518b5c5493eeed6b673534b537f70.exe
- Size: 203KB
- MD5: 6b3358be20fd33a50824a5ec91212879
- SHA1: f384bf2e2f1c2a5ef5aad9b127483a75d4519a6b
- SHA256: 8d63e6f9a0eef5a31e2518a8028af0c9e0d518b5c5493eeed6b673534b537f70
- SHA512: 12d9854b8c890797d17284bd289b29a97838eb0e927f60c109eb9d89aa70c2698b96ba16cb556556b4043023c1ff15e96d0b960779ff64f16265054d935f0113
- SSDEEP: 6144:E64DnLGwnvAlQKs8BbP2BfGP7SF9AuTCSh9Ewjw:TeFv0QK5P2BfGeX7Xrjw
Malware Config
Signatures
- Executes dropped EXE (3 IoCs)
  Processes (pid / process):
  1192  ss.exe
  2020  379.exe
  2772  svchost.exe
- Modifies Windows Firewall (1 TTP, 1 IoC)
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes (description / ioc / process):
  Key value queried  \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation  8d63e6f9a0eef5a31e2518a8028af0c9e0d518b5c5493eeed6b673534b537f70.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation  379.exe
- Drops startup file (2 IoCs)
  Processes (description / ioc / process):
  File created                 C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ba4c12bee3027d94da5c81db2d196bfd.exe  svchost.exe
  File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ba4c12bee3027d94da5c81db2d196bfd.exe  svchost.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description / ioc / process):
  Set value (str)  \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ba4c12bee3027d94da5c81db2d196bfd = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe\" .."  svchost.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ba4c12bee3027d94da5c81db2d196bfd = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe\" .."  svchost.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (25 IoCs)
  Processes (pid / process):
  2772  svchost.exe  (25 identical events)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description / pid / process):
  Token: SeDebugPrivilege  2772  svchost.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes (description / pid / process / target process):
  PID 4500 wrote to memory of 1192  4500  8d63e6f9a0eef5a31e2518a8028af0c9e0d518b5c5493eeed6b673534b537f70.exe  ss.exe  (2 events)
  PID 1192 wrote to memory of 2020  1192  ss.exe  379.exe  (3 events)
  PID 2020 wrote to memory of 2772  2020  379.exe  svchost.exe  (3 events)
  PID 2772 wrote to memory of 2260  2772  svchost.exe  netsh.exe  (3 events)
Processes (process tree; the leading number is the nesting depth)
1  C:\Users\Admin\AppData\Local\Temp\8d63e6f9a0eef5a31e2518a8028af0c9e0d518b5c5493eeed6b673534b537f70.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\8d63e6f9a0eef5a31e2518a8028af0c9e0d518b5c5493eeed6b673534b537f70.exe"
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
  2  C:\Users\Admin\AppData\Local\Temp\ss.exe
     command line: "C:\Users\Admin\AppData\Local\Temp\ss.exe"
     - Executes dropped EXE
     - Suspicious use of WriteProcessMemory
    3  C:\Users\Admin\AppData\Local\Temp\379.exe
       command line: C:\Users\Admin\AppData\Local\Temp\379.exe
       - Executes dropped EXE
       - Checks computer location settings
       - Suspicious use of WriteProcessMemory
      4  C:\Users\Admin\AppData\Local\Temp\svchost.exe
         command line: "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
         - Executes dropped EXE
         - Drops startup file
         - Adds Run key to start application
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of WriteProcessMemory
        5  C:\Windows\SysWOW64\netsh.exe
           command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\svchost.exe" "svchost.exe" ENABLE
           - Modifies Windows Firewall
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads (each dropped file was recorded once per behavioral task; listed once here)
- C:\Users\Admin\AppData\Local\Temp\379.exe
  Filesize: 56KB
  MD5: 3242d5de505f25484b1809a9ee87d0dd
  SHA1: 39e363e493a338359afb83f04168821950862043
  SHA256: 15eade85673e69785dad65bef8545c80b70d23d68740386e9545ba8f1bea742c
  SHA512: 34e12aad92cd835386a1c8fca25da5747fca4833a7507a9255e8433af24eed64348d383791754d4946cfa5ef64c03a70d1dd2c5a203e5d6b101f01e3f2c4b785
- C:\Users\Admin\AppData\Local\Temp\ss.exe
  Filesize: 193KB
  MD5: 23963d66fb8c79bb409e826ff473bb74
  SHA1: 8e42a270d251af191c267312143b23c5956fd910
  SHA256: 9aed1caa06b45627f6d503197b9082f5a3f244b8b507b7faa7e647a90be64b03
  SHA512: b36fd10aa70bd1d3f0f5c819b2f2667c7b2259c96d74f84a6717d668ce5c55838cd9b180bf1d3cbe49ac7385473072933188926660daf7e6526c7c0d96e60779
- C:\Users\Admin\AppData\Local\Temp\svchost.exe (identical content to 379.exe)
  Filesize: 56KB
  MD5: 3242d5de505f25484b1809a9ee87d0dd
  SHA1: 39e363e493a338359afb83f04168821950862043
  SHA256: 15eade85673e69785dad65bef8545c80b70d23d68740386e9545ba8f1bea742c
  SHA512: 34e12aad92cd835386a1c8fca25da5747fca4833a7507a9255e8433af24eed64348d383791754d4946cfa5ef64c03a70d1dd2c5a203e5d6b101f01e3f2c4b785
Memory dumps
- memory/1192-132-0x0000000000000000-mapping.dmp
- memory/2020-135-0x0000000000000000-mapping.dmp
- memory/2020-138-0x0000000075340000-0x00000000758F1000-memory.dmp (Filesize: 5.7MB)
- memory/2020-142-0x0000000075340000-0x00000000758F1000-memory.dmp (Filesize: 5.7MB)
- memory/2260-143-0x0000000000000000-mapping.dmp
- memory/2772-139-0x0000000000000000-mapping.dmp
- memory/2772-144-0x0000000075340000-0x00000000758F1000-memory.dmp (Filesize: 5.7MB)
- memory/2772-145-0x0000000075340000-0x00000000758F1000-memory.dmp (Filesize: 5.7MB)