Analysis
max time kernel
152s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags
arch:x64 arch:x86 image:win10v2004-20220901-en locale:en-us os:windows10-2004-x64 system
submitted
20-10-2022 07:40
Static task
static1
Behavioral task
behavioral1
Sample
2d2e485a32883c22fc2347a79179238f524e15b45a1ff51740e849597d04569d.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
2d2e485a32883c22fc2347a79179238f524e15b45a1ff51740e849597d04569d.exe
Resource
win10v2004-20220901-en
General
Target
2d2e485a32883c22fc2347a79179238f524e15b45a1ff51740e849597d04569d.exe
Size
128KB
MD5
818166345aeb89e16904e31e445c0c00
SHA1
3908382bf4a3d8c633e290dc2f0285a6ecd1e4ac
SHA256
2d2e485a32883c22fc2347a79179238f524e15b45a1ff51740e849597d04569d
SHA512
e9c1d3c34f67fdc78e0b05a5c6055f129a4596e82b3458388460551c17fa22b3e0f29206fc6942e801fa64965bf92c3693cc4e11e45fe4ecb2667b967b3a5864
SSDEEP
3072:V3+UIA8UwopDBqhElSksQ9na/tK88sWKLDC6xyFEPFhH:0ksQRa/8vxK3C6xgEPFhH
Malware Config
Signatures
Executes dropped EXE (2 IoCs)
pid   Process
1472  suchost..exe
2176  svchost..exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
description        ioc                                                                                                             Process
Key value queried  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation  2d2e485a32883c22fc2347a79179238f524e15b45a1ff51740e849597d04569d.exe

Drops startup file (2 IoCs)
description                   ioc                                                                                 Process
File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost..exe  2d2e485a32883c22fc2347a79179238f524e15b45a1ff51740e849597d04569d.exe
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost..exe  2d2e485a32883c22fc2347a79179238f524e15b45a1ff51740e849597d04569d.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid   Process
1472  suchost..exe
1472  suchost..exe
1472  suchost..exe
1472  suchost..exe
1472  suchost..exe
2176  svchost..exe
2176  svchost..exe
1472  suchost..exe
2176  svchost..exe
1472  suchost..exe
2176  svchost..exe
1472  suchost..exe
1472  suchost..exe
2176  svchost..exe
2176  svchost..exe
1472  suchost..exe
1472  suchost..exe
2176  svchost..exe
2176  svchost..exe
1472  suchost..exe
2176  svchost..exe
1472  suchost..exe
2176  svchost..exe
1472  suchost..exe
2176  svchost..exe
1472  suchost..exe
2176  svchost..exe
1472  suchost..exe
2176  svchost..exe
1472  suchost..exe
2176  svchost..exe
1472  suchost..exe
2176  svchost..exe
1472  suchost..exe
2176  svchost..exe
1472  suchost..exe
2176  svchost..exe
1472  suchost..exe
2176  svchost..exe
1472  suchost..exe
2176  svchost..exe
1472  suchost..exe
2176  svchost..exe
1472  suchost..exe
2176  svchost..exe
1472  suchost..exe
1472  suchost..exe
2176  svchost..exe
1472  suchost..exe
2176  svchost..exe
1472  suchost..exe
2176  svchost..exe
1472  suchost..exe
2176  svchost..exe
1472  suchost..exe
2176  svchost..exe
2176  svchost..exe
1472  suchost..exe
2176  svchost..exe
1472  suchost..exe
2176  svchost..exe
1472  suchost..exe
2176  svchost..exe
1472  suchost..exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description              pid   Process
Token: SeDebugPrivilege  1472  suchost..exe
Token: SeDebugPrivilege  2176  svchost..exe

Suspicious use of WriteProcessMemory (6 IoCs)
description                       pid   Process                                                               procid_target
PID 3140 wrote to memory of 1472  3140  2d2e485a32883c22fc2347a79179238f524e15b45a1ff51740e849597d04569d.exe  83
PID 3140 wrote to memory of 1472  3140  2d2e485a32883c22fc2347a79179238f524e15b45a1ff51740e849597d04569d.exe  83
PID 3140 wrote to memory of 1472  3140  2d2e485a32883c22fc2347a79179238f524e15b45a1ff51740e849597d04569d.exe  83
PID 3140 wrote to memory of 2176  3140  2d2e485a32883c22fc2347a79179238f524e15b45a1ff51740e849597d04569d.exe  84
PID 3140 wrote to memory of 2176  3140  2d2e485a32883c22fc2347a79179238f524e15b45a1ff51740e849597d04569d.exe  84
PID 3140 wrote to memory of 2176  3140  2d2e485a32883c22fc2347a79179238f524e15b45a1ff51740e849597d04569d.exe  84
Processes
C:\Users\Admin\AppData\Local\Temp\2d2e485a32883c22fc2347a79179238f524e15b45a1ff51740e849597d04569d.exe
  "C:\Users\Admin\AppData\Local\Temp\2d2e485a32883c22fc2347a79179238f524e15b45a1ff51740e849597d04569d.exe"
  - Checks computer location settings
  - Drops startup file
  - Suspicious use of WriteProcessMemory
  PID:3140

  C:\Users\Admin\Documents\suchost..exe
    "C:\Users\Admin\Documents\suchost..exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1472

  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost..exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost..exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2176
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize
128KB
MD5
818166345aeb89e16904e31e445c0c00
SHA1
3908382bf4a3d8c633e290dc2f0285a6ecd1e4ac
SHA256
2d2e485a32883c22fc2347a79179238f524e15b45a1ff51740e849597d04569d
SHA512
e9c1d3c34f67fdc78e0b05a5c6055f129a4596e82b3458388460551c17fa22b3e0f29206fc6942e801fa64965bf92c3693cc4e11e45fe4ecb2667b967b3a5864