Analysis
- max time kernel: 174s
- max time network: 198s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 11/10/2022, 06:04
Behavioral task behavioral1
- Sample: 1c3ed473829c36e6f402cb68bd926a32ed485a05cc11e996cb168db637da4838.exe
- Resource: win7-20220901-en

Behavioral task behavioral2
- Sample: 1c3ed473829c36e6f402cb68bd926a32ed485a05cc11e996cb168db637da4838.exe
- Resource: win10v2004-20220812-en
General
- Target: 1c3ed473829c36e6f402cb68bd926a32ed485a05cc11e996cb168db637da4838.exe
- Size: 899KB
- MD5: 6da56cea43476a4f55d54df747649200
- SHA1: e8f8474fc51e67bbd9eeee53675f9cee2063f2ae
- SHA256: 1c3ed473829c36e6f402cb68bd926a32ed485a05cc11e996cb168db637da4838
- SHA512: ed1e6f874d613488c8f542b03f906bea8bf59c0353680cb9278e462b9ce858cf4dd86340843a32428e2e7523b8bc0930c4b1dfb0edd4485cb1aa60596a2a599d
- SSDEEP: 24576:VTAmBpVKHu0Mu9Xo20VGLVP5TKIe5GiyseoV:VTAmKZVUGkrV
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\msdssvc\\csrss.exe" (process: KKKKKKKKK.EXE)
Executes dropped EXE (2 IoCs)
- PID 1428: KKKKKKKKK.EXE
- PID 2280: csrss.exe
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely a geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation (process: 1c3ed473829c36e6f402cb68bd926a32ed485a05cc11e996cb168db637da4838.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation (process: KKKKKKKKK.EXE)
Adds Run key to start application (2 TTPs, 1 IoC)
- Set value (str): \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Host = "C:\\Users\\Admin\\AppData\\Roaming\\msdssvc\\csrss.exe" (process: KKKKKKKKK.EXE)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe (1 TTP, 1 IoC)
- PID 4584: PING.EXE
Suspicious use of AdjustPrivilegeToken (48 IoCs)
Both PID 1428 (KKKKKKKKK.EXE) and PID 2280 (csrss.exe) adjust the same 24 token privileges each:
- SeIncreaseQuotaPrivilege
- SeSecurityPrivilege
- SeTakeOwnershipPrivilege
- SeLoadDriverPrivilege
- SeSystemProfilePrivilege
- SeSystemtimePrivilege
- SeProfSingleProcessPrivilege
- SeIncBasePriorityPrivilege
- SeCreatePagefilePrivilege
- SeBackupPrivilege
- SeRestorePrivilege
- SeShutdownPrivilege
- SeDebugPrivilege
- SeSystemEnvironmentPrivilege
- SeChangeNotifyPrivilege
- SeRemoteShutdownPrivilege
- SeUndockPrivilege
- SeManageVolumePrivilege
- SeImpersonatePrivilege
- SeCreateGlobalPrivilege
- 33
- 34
- 35
- 36
Suspicious use of WriteProcessMemory (12 IoCs)
Each entry below appears three times in the report:
- PID 4924 (1c3ed473829c36e6f402cb68bd926a32ed485a05cc11e996cb168db637da4838.exe) wrote to memory of PID 1428, procid_target 86
- PID 1428 (KKKKKKKKK.EXE) wrote to memory of PID 2280, procid_target 87
- PID 1428 (KKKKKKKKK.EXE) wrote to memory of PID 100, procid_target 88
- PID 100 (cmd.exe) wrote to memory of PID 4584, procid_target 90
Processes
[level 1] C:\Users\Admin\AppData\Local\Temp\1c3ed473829c36e6f402cb68bd926a32ed485a05cc11e996cb168db637da4838.exe (PID 4924)
  command line: "C:\Users\Admin\AppData\Local\Temp\1c3ed473829c36e6f402cb68bd926a32ed485a05cc11e996cb168db637da4838.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

  [level 2] C:\Users\Admin\AppData\Local\Temp\KKKKKKKKK.EXE (PID 1428)
    command line: "C:\Users\Admin\AppData\Local\Temp\KKKKKKKKK.EXE"
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Checks computer location settings
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    [level 3] C:\Users\Admin\AppData\Roaming\msdssvc\csrss.exe (PID 2280)
      command line: "C:\Users\Admin\AppData\Roaming\msdssvc\csrss.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken

    [level 3] C:\Windows\SysWOW64\cmd.exe (PID 100)
      command line: "C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5 > NUL&del "C:\Users\Admin\AppData\Local\Temp\KKKKKKKKK.EXE"
      - Suspicious use of WriteProcessMemory

      [level 4] C:\Windows\SysWOW64\PING.EXE (PID 4584)
        command line: ping 127.0.0.1 -n 5
        - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
The report lists this artifact four times with identical size and hashes:
- Filesize: 648KB
- MD5: f37b0bbe83404c4c0f7c4a35090b0a57
- SHA1: bc7ec454a13939dd37a9e0edf4e38d9202dc2e41
- SHA256: 39552b0f89440188afb2afda77b2a9a0c26588d97cd2e70192f69106a2fccbe2
- SHA512: e8f73957c7c8c11cdcd81be5867b998018f15f38c97494d31d0ed14c86a25e33fe711a87602f9fee3a9224c7e651ee477f705d21f3e36fd9152a09dfa972b12c