75748f496ba145ded37c4c4a0c5d022e5e6065413d7f5a604e80065f0eb3b0fe

Analysis

max time kernel
151s
max time network
176s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
07/11/2022, 16:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

75748f496ba145ded37c4c4a0c5d022e5e6065413d7f5a604e80065f0eb3b0fe.exe
Size

372KB
MD5

5d98b75e06c6fd4548fb6b7af9857253
SHA1

76ec05da6415258a9ebbd044bd4777e95e14048f
SHA256

75748f496ba145ded37c4c4a0c5d022e5e6065413d7f5a604e80065f0eb3b0fe
SHA512

5aeb3e2addfa348d135025476916588c2bb0c27da574b0e747d72b1c64856e5ddb4553ebc00657f7e7179ca040ec65a0047da0f5a9df0e91be1cfc77b985e646
SSDEEP

6144:XRocyImitfdlBiJ/F60r+Sbg8DR+QZvn6utoxpIlcObgrG1OnR7wicyAnnVv:WcyqtuYCVbVRZqklcOUraOHUv

Score

8^/10

Malware Config

Signatures

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\svchost.exe	Dos.exe
File opened for modification	C:\Windows\SysWOW64\drivers\svchost.exe	Dos.exe

Executes dropped EXE 3 IoCs

pid	Process
4312	DoS-Pro.exe
2084	Dos.exe
4396	svchost.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	75748f496ba145ded37c4c4a0c5d022e5e6065413d7f5a604e80065f0eb3b0fe.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\sLT.exf	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 1688 wrote to memory of 4312	1688	75748f496ba145ded37c4c4a0c5d022e5e6065413d7f5a604e80065f0eb3b0fe.exe	79
PID 1688 wrote to memory of 4312	1688	75748f496ba145ded37c4c4a0c5d022e5e6065413d7f5a604e80065f0eb3b0fe.exe	79
PID 1688 wrote to memory of 2084	1688	75748f496ba145ded37c4c4a0c5d022e5e6065413d7f5a604e80065f0eb3b0fe.exe	80
PID 1688 wrote to memory of 2084	1688	75748f496ba145ded37c4c4a0c5d022e5e6065413d7f5a604e80065f0eb3b0fe.exe	80
PID 1688 wrote to memory of 2084	1688	75748f496ba145ded37c4c4a0c5d022e5e6065413d7f5a604e80065f0eb3b0fe.exe	80

C:\Users\Admin\AppData\Local\Temp\75748f496ba145ded37c4c4a0c5d022e5e6065413d7f5a604e80065f0eb3b0fe.exe
"C:\Users\Admin\AppData\Local\Temp\75748f496ba145ded37c4c4a0c5d022e5e6065413d7f5a604e80065f0eb3b0fe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1688
- C:\Users\Admin\AppData\Local\Temp\DoS-Pro.exe
  "C:\Users\Admin\AppData\Local\Temp\DoS-Pro.exe"
  2⤵
  - Executes dropped EXE
  PID:4312
- C:\Users\Admin\AppData\Local\Temp\Dos.exe
  "C:\Users\Admin\AppData\Local\Temp\Dos.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  PID:2084

C:\Windows\SysWOW64\drivers\svchost.exe
C:\Windows\SysWOW64\drivers\svchost.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4396

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DoS-Pro.exe

Filesize
101KB

MD5
09ef035f6a90e3e0b524ee6c6d101b70

SHA1
411cda05a5678dfde00f6d62a8ec0c984b6e512e

SHA256
8b2808a304426dba24e3e1e2be831ba1de900e66341309170cdc30a1eeaaa410

SHA512
c4d6ae9e2a54607c5df2b0000ad8b1c8570f39179352aa90b13308c3e24079b86c90901b0cb81f157ef490e3c52ace5944f7a826795aebd58a74a0d086ada9ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\DoS-Pro.exe

Filesize
101KB

MD5
09ef035f6a90e3e0b524ee6c6d101b70

SHA1
411cda05a5678dfde00f6d62a8ec0c984b6e512e

SHA256
8b2808a304426dba24e3e1e2be831ba1de900e66341309170cdc30a1eeaaa410

SHA512
c4d6ae9e2a54607c5df2b0000ad8b1c8570f39179352aa90b13308c3e24079b86c90901b0cb81f157ef490e3c52ace5944f7a826795aebd58a74a0d086ada9ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dos.exe

Filesize
190KB

MD5
b78cb28c3b86d99188b4bb4d1d659ebe

SHA1
de80076d87caf02c57bcb165a700c32c97e19e3c

SHA256
e85d5df4c9a3d67be29d86b2dc5d423432cc6ba51692cfc2e0b6e2bb915ed88a

SHA512
7a4fb5e9442d03a4191c7c20be40b7de01b82efe562a1dff5285c53f0cbf2ecb83f93a674668c7e50d4fe9b405f7f678f70279ff98f1f9c64fec323a5bd5bdb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dos.exe

Filesize
190KB

MD5
b78cb28c3b86d99188b4bb4d1d659ebe

SHA1
de80076d87caf02c57bcb165a700c32c97e19e3c

SHA256
e85d5df4c9a3d67be29d86b2dc5d423432cc6ba51692cfc2e0b6e2bb915ed88a

SHA512
7a4fb5e9442d03a4191c7c20be40b7de01b82efe562a1dff5285c53f0cbf2ecb83f93a674668c7e50d4fe9b405f7f678f70279ff98f1f9c64fec323a5bd5bdb5

Download Submit
C:\Windows\SysWOW64\drivers\svchost.exe

Filesize
190KB

MD5
b78cb28c3b86d99188b4bb4d1d659ebe

SHA1
de80076d87caf02c57bcb165a700c32c97e19e3c

SHA256
e85d5df4c9a3d67be29d86b2dc5d423432cc6ba51692cfc2e0b6e2bb915ed88a

SHA512
7a4fb5e9442d03a4191c7c20be40b7de01b82efe562a1dff5285c53f0cbf2ecb83f93a674668c7e50d4fe9b405f7f678f70279ff98f1f9c64fec323a5bd5bdb5

Download Submit
C:\Windows\SysWOW64\drivers\svchost.exe

Filesize
190KB

MD5
b78cb28c3b86d99188b4bb4d1d659ebe

SHA1
de80076d87caf02c57bcb165a700c32c97e19e3c

SHA256
e85d5df4c9a3d67be29d86b2dc5d423432cc6ba51692cfc2e0b6e2bb915ed88a

SHA512
7a4fb5e9442d03a4191c7c20be40b7de01b82efe562a1dff5285c53f0cbf2ecb83f93a674668c7e50d4fe9b405f7f678f70279ff98f1f9c64fec323a5bd5bdb5

Download Submit
memory/4312-140-0x00007FFB914B0000-0x00007FFB91EE6000-memory.dmp

Filesize
10.2MB

Download