3112c9f31a19512091ba9c8cfb1e25e65083e9b55ddd047497e7804c1607dae1

Analysis

max time kernel
154s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
11/10/2022, 06:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3112c9f31a19512091ba9c8cfb1e25e65083e9b55ddd047497e7804c1607dae1.exe
Size

143KB
MD5

7c21b2efa040da4c407b6ea465281e80
SHA1

d5bc144bdb4df7e71d23a6264c63a100815d38a2
SHA256

3112c9f31a19512091ba9c8cfb1e25e65083e9b55ddd047497e7804c1607dae1
SHA512

5b5c78129f36e4b21e2794253f4c08215eff5ba6cd2dbae88ae7339bf653c42f3e1543e68f5e72042396a640626bbea28bfbdb0cada358a7872db5b712d213eb
SSDEEP

3072:V3+UIA8UwopDBqhElSksQ9na/tK88sW3/eZft6:0ksQRa/8vxkft6

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4760	suchost..exe
3588	svchost..exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	3112c9f31a19512091ba9c8cfb1e25e65083e9b55ddd047497e7804c1607dae1.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost..exe	3112c9f31a19512091ba9c8cfb1e25e65083e9b55ddd047497e7804c1607dae1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost..exe	3112c9f31a19512091ba9c8cfb1e25e65083e9b55ddd047497e7804c1607dae1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4760	suchost..exe
4760	suchost..exe
4760	suchost..exe
4760	suchost..exe
3588	svchost..exe
3588	svchost..exe
4760	suchost..exe
4760	suchost..exe
3588	svchost..exe
4760	suchost..exe
3588	svchost..exe
3588	svchost..exe
4760	suchost..exe
4760	suchost..exe
3588	svchost..exe
4760	suchost..exe
3588	svchost..exe
4760	suchost..exe
3588	svchost..exe
4760	suchost..exe
3588	svchost..exe
4760	suchost..exe
3588	svchost..exe
4760	suchost..exe
3588	svchost..exe
3588	svchost..exe
4760	suchost..exe
3588	svchost..exe
4760	suchost..exe
3588	svchost..exe
4760	suchost..exe
3588	svchost..exe
4760	suchost..exe
3588	svchost..exe
4760	suchost..exe
3588	svchost..exe
4760	suchost..exe
3588	svchost..exe
4760	suchost..exe
3588	svchost..exe
4760	suchost..exe
3588	svchost..exe
4760	suchost..exe
3588	svchost..exe
4760	suchost..exe
3588	svchost..exe
4760	suchost..exe
3588	svchost..exe
4760	suchost..exe
3588	svchost..exe
4760	suchost..exe
4760	suchost..exe
3588	svchost..exe
4760	suchost..exe
3588	svchost..exe
3588	svchost..exe
4760	suchost..exe
4760	suchost..exe
3588	svchost..exe
3588	svchost..exe
4760	suchost..exe
4760	suchost..exe
3588	svchost..exe
4760	suchost..exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4760	suchost..exe
Token: SeDebugPrivilege	3588	svchost..exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2396 wrote to memory of 4760	2396	3112c9f31a19512091ba9c8cfb1e25e65083e9b55ddd047497e7804c1607dae1.exe	83
PID 2396 wrote to memory of 4760	2396	3112c9f31a19512091ba9c8cfb1e25e65083e9b55ddd047497e7804c1607dae1.exe	83
PID 2396 wrote to memory of 4760	2396	3112c9f31a19512091ba9c8cfb1e25e65083e9b55ddd047497e7804c1607dae1.exe	83
PID 2396 wrote to memory of 3588	2396	3112c9f31a19512091ba9c8cfb1e25e65083e9b55ddd047497e7804c1607dae1.exe	84
PID 2396 wrote to memory of 3588	2396	3112c9f31a19512091ba9c8cfb1e25e65083e9b55ddd047497e7804c1607dae1.exe	84
PID 2396 wrote to memory of 3588	2396	3112c9f31a19512091ba9c8cfb1e25e65083e9b55ddd047497e7804c1607dae1.exe	84

C:\Users\Admin\AppData\Local\Temp\3112c9f31a19512091ba9c8cfb1e25e65083e9b55ddd047497e7804c1607dae1.exe
"C:\Users\Admin\AppData\Local\Temp\3112c9f31a19512091ba9c8cfb1e25e65083e9b55ddd047497e7804c1607dae1.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:2396
- C:\Users\Admin\Documents\suchost..exe
  "C:\Users\Admin\Documents\suchost..exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4760
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost..exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost..exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3588

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost..exe

Filesize
143KB

MD5
7c21b2efa040da4c407b6ea465281e80

SHA1
d5bc144bdb4df7e71d23a6264c63a100815d38a2

SHA256
3112c9f31a19512091ba9c8cfb1e25e65083e9b55ddd047497e7804c1607dae1

SHA512
5b5c78129f36e4b21e2794253f4c08215eff5ba6cd2dbae88ae7339bf653c42f3e1543e68f5e72042396a640626bbea28bfbdb0cada358a7872db5b712d213eb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost..exe

Filesize
143KB

MD5
7c21b2efa040da4c407b6ea465281e80

SHA1
d5bc144bdb4df7e71d23a6264c63a100815d38a2

SHA256
3112c9f31a19512091ba9c8cfb1e25e65083e9b55ddd047497e7804c1607dae1

SHA512
5b5c78129f36e4b21e2794253f4c08215eff5ba6cd2dbae88ae7339bf653c42f3e1543e68f5e72042396a640626bbea28bfbdb0cada358a7872db5b712d213eb

Download Submit
C:\Users\Admin\Documents\suchost..exe

Filesize
143KB

MD5
7c21b2efa040da4c407b6ea465281e80

SHA1
d5bc144bdb4df7e71d23a6264c63a100815d38a2

SHA256
3112c9f31a19512091ba9c8cfb1e25e65083e9b55ddd047497e7804c1607dae1

SHA512
5b5c78129f36e4b21e2794253f4c08215eff5ba6cd2dbae88ae7339bf653c42f3e1543e68f5e72042396a640626bbea28bfbdb0cada358a7872db5b712d213eb

Download Submit
C:\Users\Admin\Documents\suchost..exe

Filesize
143KB

MD5
7c21b2efa040da4c407b6ea465281e80

SHA1
d5bc144bdb4df7e71d23a6264c63a100815d38a2

SHA256
3112c9f31a19512091ba9c8cfb1e25e65083e9b55ddd047497e7804c1607dae1

SHA512
5b5c78129f36e4b21e2794253f4c08215eff5ba6cd2dbae88ae7339bf653c42f3e1543e68f5e72042396a640626bbea28bfbdb0cada358a7872db5b712d213eb

Download Submit
memory/2396-132-0x0000000075500000-0x0000000075AB1000-memory.dmp

Filesize
5.7MB

Download
memory/2396-141-0x0000000075500000-0x0000000075AB1000-memory.dmp

Filesize
5.7MB

Download
memory/3588-140-0x0000000075500000-0x0000000075AB1000-memory.dmp

Filesize
5.7MB

Download
memory/3588-143-0x0000000075500000-0x0000000075AB1000-memory.dmp

Filesize
5.7MB

Download
memory/4760-139-0x0000000075500000-0x0000000075AB1000-memory.dmp

Filesize
5.7MB

Download
memory/4760-142-0x0000000075500000-0x0000000075AB1000-memory.dmp

Filesize
5.7MB

Download