Analysis
-
max time kernel
152s -
max time network
195s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
29/10/2022, 15:31
General
-
Target
dab27d0b2235f29d526d4b12ba3c45141e944b621dec0da18fca9ad9475a2e7d.exe
-
Size
44KB
-
MD5
e9d903adcf464c84e848dfd99b91b42d
-
SHA1
4752766f41027a781ecc0c1269561a092aab4962
-
SHA256
dab27d0b2235f29d526d4b12ba3c45141e944b621dec0da18fca9ad9475a2e7d
-
SHA512
c7e8704ee3f91b54c07a6475ac72ccb67fd5cd3b493b874ad25bbfac11cfd52ab198f96838c1a8c52b0b25160928b5375f8be1569b228d50929e13acb495a9ba
-
SSDEEP
768:UhwP3FyDD3jNBc6oMNcm1V6QGduH4jzokETPcbsvwnol9D88888888888JXT:0wP1yDDzzc6oMN31kUH4j8kETaVoIT
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 8 IoCs
-
Modifies visibility of file extensions in Explorer 2 TTPs 4 IoCs
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 4 IoCs
-
Executes dropped EXE 12 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops desktop.ini file(s) 1 IoCs
-
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Program Files directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 29 IoCs
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of SetWindowsHookEx 20 IoCs
-
Suspicious use of WriteProcessMemory 44 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\dab27d0b2235f29d526d4b12ba3c45141e944b621dec0da18fca9ad9475a2e7d.exe"C:\Users\Admin\AppData\Local\Temp\dab27d0b2235f29d526d4b12ba3c45141e944b621dec0da18fca9ad9475a2e7d.exe"1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Checks computer location settings
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\recycled\SVCHOST.EXEC:\recycled\SVCHOST.EXE :agent2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\recycled\SVCHOST.EXEC:\recycled\SVCHOST.EXE :agent3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\recycled\SPOOLSV.EXEC:\recycled\SPOOLSV.EXE :agent3⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\recycled\SVCHOST.EXEC:\recycled\SVCHOST.EXE :agent4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\recycled\SPOOLSV.EXEC:\recycled\SPOOLSV.EXE :agent4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\recycled\CTFMON.EXEC:\recycled\CTFMON.EXE :agent4⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\recycled\SVCHOST.EXEC:\recycled\SVCHOST.EXE :agent5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\recycled\SPOOLSV.EXEC:\recycled\SPOOLSV.EXE :agent5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\recycled\CTFMON.EXEC:\recycled\CTFMON.EXE :agent5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
-
-
C:\recycled\CTFMON.EXEC:\recycled\CTFMON.EXE :agent3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\userinit.exeC:\Windows\system32\userinit.exe3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Explorer.exeExplorer.exe "C:\recycled\SVCHOST.exe"4⤵
-
-
-
-
C:\recycled\SPOOLSV.EXEC:\recycled\SPOOLSV.EXE :agent2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\recycled\CTFMON.EXEC:\recycled\CTFMON.EXE :agent2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\dab27d0b2235f29d526d4b12ba3c45141e944b621dec0da18fca9ad9475a2e7d.doc" /o ""2⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding1⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
44KB
MD5df739646bf7698d041214bee6814952e
SHA1291e1ca7c5ed6776876155267f4ab05f7989565c
SHA256f6485f2fdd70a11fc89b476fa300c69f41c9f5220bf1c2845088261ad3048a03
SHA5123dbdf66eedd86617af08bca2c755397d02b9ae31128f68becd816d2546c718033c9d206f8d76a90887e32963ad04a1816d369ea2730831b7f1abf9ad123270b7
-
Filesize
44KB
MD5df739646bf7698d041214bee6814952e
SHA1291e1ca7c5ed6776876155267f4ab05f7989565c
SHA256f6485f2fdd70a11fc89b476fa300c69f41c9f5220bf1c2845088261ad3048a03
SHA5123dbdf66eedd86617af08bca2c755397d02b9ae31128f68becd816d2546c718033c9d206f8d76a90887e32963ad04a1816d369ea2730831b7f1abf9ad123270b7
-
Filesize
44KB
MD5df739646bf7698d041214bee6814952e
SHA1291e1ca7c5ed6776876155267f4ab05f7989565c
SHA256f6485f2fdd70a11fc89b476fa300c69f41c9f5220bf1c2845088261ad3048a03
SHA5123dbdf66eedd86617af08bca2c755397d02b9ae31128f68becd816d2546c718033c9d206f8d76a90887e32963ad04a1816d369ea2730831b7f1abf9ad123270b7
-
Filesize
44KB
MD5df739646bf7698d041214bee6814952e
SHA1291e1ca7c5ed6776876155267f4ab05f7989565c
SHA256f6485f2fdd70a11fc89b476fa300c69f41c9f5220bf1c2845088261ad3048a03
SHA5123dbdf66eedd86617af08bca2c755397d02b9ae31128f68becd816d2546c718033c9d206f8d76a90887e32963ad04a1816d369ea2730831b7f1abf9ad123270b7
-
Filesize
44KB
MD5fce82902274d0056401b15890bac31ec
SHA1f084524128fb44f73b334a999ba998316f44a038
SHA256c75c8a2e5161b73f2132f8291224a7101de5678c56e806973d0e22b8b821c5ee
SHA51225bb78fd621afbec0c2118952cbeddf5ffa3a3661813bbc9f61aaddd338fe0a89c58e01c9b426635537b8bdfdfad59ea9c76cea06bcc5f3edcbcca7b38fb9714
-
Filesize
44KB
MD5fce82902274d0056401b15890bac31ec
SHA1f084524128fb44f73b334a999ba998316f44a038
SHA256c75c8a2e5161b73f2132f8291224a7101de5678c56e806973d0e22b8b821c5ee
SHA51225bb78fd621afbec0c2118952cbeddf5ffa3a3661813bbc9f61aaddd338fe0a89c58e01c9b426635537b8bdfdfad59ea9c76cea06bcc5f3edcbcca7b38fb9714
-
Filesize
44KB
MD5fce82902274d0056401b15890bac31ec
SHA1f084524128fb44f73b334a999ba998316f44a038
SHA256c75c8a2e5161b73f2132f8291224a7101de5678c56e806973d0e22b8b821c5ee
SHA51225bb78fd621afbec0c2118952cbeddf5ffa3a3661813bbc9f61aaddd338fe0a89c58e01c9b426635537b8bdfdfad59ea9c76cea06bcc5f3edcbcca7b38fb9714
-
Filesize
44KB
MD5fce82902274d0056401b15890bac31ec
SHA1f084524128fb44f73b334a999ba998316f44a038
SHA256c75c8a2e5161b73f2132f8291224a7101de5678c56e806973d0e22b8b821c5ee
SHA51225bb78fd621afbec0c2118952cbeddf5ffa3a3661813bbc9f61aaddd338fe0a89c58e01c9b426635537b8bdfdfad59ea9c76cea06bcc5f3edcbcca7b38fb9714
-
Filesize
44KB
MD58dd78b96a5c35d100428d492dec842e9
SHA135937fcf89f12147c4f7f2f02e24e27f1d880ea3
SHA25607f7eb1f3c5d4f1b8b56604d348bcdec87348c0f1c6815d6115ad284dffff50f
SHA512809dc944411b34c953d2499a99b299b15b2d6c69b094986287195925a66fa9171594bf619dc49c8a0af0c91c6ed4e4234dfd0c1d2822cc85afd18cd82014add2
-
Filesize
44KB
MD58dd78b96a5c35d100428d492dec842e9
SHA135937fcf89f12147c4f7f2f02e24e27f1d880ea3
SHA25607f7eb1f3c5d4f1b8b56604d348bcdec87348c0f1c6815d6115ad284dffff50f
SHA512809dc944411b34c953d2499a99b299b15b2d6c69b094986287195925a66fa9171594bf619dc49c8a0af0c91c6ed4e4234dfd0c1d2822cc85afd18cd82014add2
-
Filesize
44KB
MD58dd78b96a5c35d100428d492dec842e9
SHA135937fcf89f12147c4f7f2f02e24e27f1d880ea3
SHA25607f7eb1f3c5d4f1b8b56604d348bcdec87348c0f1c6815d6115ad284dffff50f
SHA512809dc944411b34c953d2499a99b299b15b2d6c69b094986287195925a66fa9171594bf619dc49c8a0af0c91c6ed4e4234dfd0c1d2822cc85afd18cd82014add2
-
Filesize
44KB
MD58dd78b96a5c35d100428d492dec842e9
SHA135937fcf89f12147c4f7f2f02e24e27f1d880ea3
SHA25607f7eb1f3c5d4f1b8b56604d348bcdec87348c0f1c6815d6115ad284dffff50f
SHA512809dc944411b34c953d2499a99b299b15b2d6c69b094986287195925a66fa9171594bf619dc49c8a0af0c91c6ed4e4234dfd0c1d2822cc85afd18cd82014add2
-
Filesize
65B
MD5ad0b0b4416f06af436328a3c12dc491b
SHA1743c7ad130780de78ccbf75aa6f84298720ad3fa
SHA25623521de51ca1db2bc7b18e41de7693542235284667bf85f6c31902547a947416
SHA512884cd0cae3b31a594f387dae94fc1e0aacb4fd833f8a3368bdec7de0f9f3dc44337c7318895d9549aad579f95de71ff45e1618e75065a04c7894ad1d0d0eac56
-
Filesize
2KB
MD51a1dce35d60d2c70ca8894954fd5d384
SHA158547dd65d506c892290755010d0232da34ee000
SHA2562661c05273f33efa4b7faa6ed8a6f7e69a13ad86077f69ee285ece9cba57e44c
SHA5124abe37613145fabeb44ea4c28ecc827c8a0eb2b003e86ae7aef9be5687711fa7a294f17567ea0a70a6f14ab3cbe7886c83763a7c49278097fd53f0d11fd8154e
-
Filesize
2KB
MD51a1dce35d60d2c70ca8894954fd5d384
SHA158547dd65d506c892290755010d0232da34ee000
SHA2562661c05273f33efa4b7faa6ed8a6f7e69a13ad86077f69ee285ece9cba57e44c
SHA5124abe37613145fabeb44ea4c28ecc827c8a0eb2b003e86ae7aef9be5687711fa7a294f17567ea0a70a6f14ab3cbe7886c83763a7c49278097fd53f0d11fd8154e
-
Filesize
2KB
MD51a1dce35d60d2c70ca8894954fd5d384
SHA158547dd65d506c892290755010d0232da34ee000
SHA2562661c05273f33efa4b7faa6ed8a6f7e69a13ad86077f69ee285ece9cba57e44c
SHA5124abe37613145fabeb44ea4c28ecc827c8a0eb2b003e86ae7aef9be5687711fa7a294f17567ea0a70a6f14ab3cbe7886c83763a7c49278097fd53f0d11fd8154e
-
Filesize
44KB
MD5df739646bf7698d041214bee6814952e
SHA1291e1ca7c5ed6776876155267f4ab05f7989565c
SHA256f6485f2fdd70a11fc89b476fa300c69f41c9f5220bf1c2845088261ad3048a03
SHA5123dbdf66eedd86617af08bca2c755397d02b9ae31128f68becd816d2546c718033c9d206f8d76a90887e32963ad04a1816d369ea2730831b7f1abf9ad123270b7
-
Filesize
44KB
MD5fce82902274d0056401b15890bac31ec
SHA1f084524128fb44f73b334a999ba998316f44a038
SHA256c75c8a2e5161b73f2132f8291224a7101de5678c56e806973d0e22b8b821c5ee
SHA51225bb78fd621afbec0c2118952cbeddf5ffa3a3661813bbc9f61aaddd338fe0a89c58e01c9b426635537b8bdfdfad59ea9c76cea06bcc5f3edcbcca7b38fb9714
-
Filesize
44KB
MD58dd78b96a5c35d100428d492dec842e9
SHA135937fcf89f12147c4f7f2f02e24e27f1d880ea3
SHA25607f7eb1f3c5d4f1b8b56604d348bcdec87348c0f1c6815d6115ad284dffff50f
SHA512809dc944411b34c953d2499a99b299b15b2d6c69b094986287195925a66fa9171594bf619dc49c8a0af0c91c6ed4e4234dfd0c1d2822cc85afd18cd82014add2
-
Filesize
104KB
-
Filesize
104KB
-
Filesize
104KB
-
Filesize
104KB
-
Filesize
104KB
-
Filesize
104KB
-
Filesize
104KB
-
Filesize
104KB
-
Filesize
104KB
-
Filesize
104KB
-
Filesize
104KB
-
Filesize
104KB
-
Filesize
104KB
-
Filesize
104KB
-
Filesize
104KB
-
Filesize
104KB
-
Filesize
104KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
104KB
-
Filesize
104KB
-
Filesize
104KB