53dfd190f6be73e6d77dcec1137883c3b15855789e11984d77155a94d5f9d021

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
07/11/2022, 19:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

53dfd190f6be73e6d77dcec1137883c3b15855789e11984d77155a94d5f9d021.exe
Size

212KB
MD5

07460cdabe3cded3f4589a72bf13deea
SHA1

560c7f3aba7f66cc33782c595a88586526bb8d60
SHA256

53dfd190f6be73e6d77dcec1137883c3b15855789e11984d77155a94d5f9d021
SHA512

72b245d5cc9150769196bbffb8067fd02d210f89775131a503ca716262bbfc59bf97d6c7e92070be34ca44503e2cf88f07ed3e1de0edbe49f84a9ea3587953f4
SSDEEP

6144:Xs8ZSfWInb7CRu4EjMvQYGayMsq5FK6ts/gS0:Xs8Zac0ayMskPbS0

Score

10^/10

evasion upx

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 4 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	5.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	5.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	5.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\system\5.exe = "C:\\WINDOWS\\system\\5.exe:*:enabled:@shell32.dll,-1"	5.exe

Executes dropped EXE 2 IoCs

pid	Process
5068	1.exe
3496	5.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0006000000022e6e-134.dat	upx
behavioral2/files/0x0006000000022e6e-135.dat	upx
behavioral2/memory/5068-140-0x0000000000400000-0x0000000000423000-memory.dmp	upx

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	53dfd190f6be73e6d77dcec1137883c3b15855789e11984d77155a94d5f9d021.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	1.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\System\1.exe	53dfd190f6be73e6d77dcec1137883c3b15855789e11984d77155a94d5f9d021.exe
File opened for modification	C:\Windows\System\1.exe	53dfd190f6be73e6d77dcec1137883c3b15855789e11984d77155a94d5f9d021.exe
File created	C:\Windows\System\6.exe	1.exe
File opened for modification	C:\Windows\System\6.exe	1.exe
File created	C:\Windows\System\5.exe	1.exe
File opened for modification	C:\Windows\System\5.exe	1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3496	5.exe
3496	5.exe
3496	5.exe
3496	5.exe

Suspicious behavior: MapViewOfSection 64 IoCs

pid	Process
3496	5.exe
3496	5.exe
3496	5.exe
3496	5.exe
3496	5.exe
3496	5.exe
3496	5.exe
3496	5.exe
3496	5.exe
3496	5.exe
3496	5.exe
3496	5.exe
3496	5.exe
3496	5.exe
3496	5.exe
3496	5.exe
3496	5.exe
3496	5.exe
3496	5.exe
3496	5.exe
3496	5.exe
3496	5.exe
3496	5.exe
3496	5.exe
3496	5.exe
3496	5.exe
3496	5.exe
3496	5.exe
3496	5.exe
3496	5.exe
3496	5.exe
3496	5.exe
3496	5.exe
3496	5.exe
3496	5.exe
3496	5.exe
3496	5.exe
3496	5.exe
3496	5.exe
3496	5.exe
3496	5.exe
3496	5.exe
3496	5.exe
3496	5.exe
3496	5.exe
3496	5.exe
3496	5.exe
3496	5.exe
3496	5.exe
3496	5.exe
3496	5.exe
3496	5.exe
3496	5.exe
3496	5.exe
3496	5.exe
3496	5.exe
3496	5.exe
3496	5.exe
3496	5.exe
3496	5.exe
3496	5.exe
3496	5.exe
3496	5.exe
3496	5.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3496	5.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 912 wrote to memory of 5068	912	53dfd190f6be73e6d77dcec1137883c3b15855789e11984d77155a94d5f9d021.exe	81
PID 912 wrote to memory of 5068	912	53dfd190f6be73e6d77dcec1137883c3b15855789e11984d77155a94d5f9d021.exe	81
PID 912 wrote to memory of 5068	912	53dfd190f6be73e6d77dcec1137883c3b15855789e11984d77155a94d5f9d021.exe	81
PID 5068 wrote to memory of 3496	5068	1.exe	82
PID 5068 wrote to memory of 3496	5068	1.exe	82
PID 5068 wrote to memory of 3496	5068	1.exe	82
PID 3496 wrote to memory of 608	3496	5.exe	3
PID 3496 wrote to memory of 608	3496	5.exe	3
PID 3496 wrote to memory of 608	3496	5.exe	3
PID 3496 wrote to memory of 608	3496	5.exe	3
PID 3496 wrote to memory of 608	3496	5.exe	3
PID 3496 wrote to memory of 608	3496	5.exe	3
PID 3496 wrote to memory of 668	3496	5.exe	1
PID 3496 wrote to memory of 668	3496	5.exe	1
PID 3496 wrote to memory of 668	3496	5.exe	1
PID 3496 wrote to memory of 668	3496	5.exe	1
PID 3496 wrote to memory of 668	3496	5.exe	1
PID 3496 wrote to memory of 668	3496	5.exe	1
PID 3496 wrote to memory of 776	3496	5.exe	8
PID 3496 wrote to memory of 776	3496	5.exe	8
PID 3496 wrote to memory of 776	3496	5.exe	8
PID 3496 wrote to memory of 776	3496	5.exe	8
PID 3496 wrote to memory of 776	3496	5.exe	8
PID 3496 wrote to memory of 776	3496	5.exe	8
PID 3496 wrote to memory of 796	3496	5.exe	9
PID 3496 wrote to memory of 796	3496	5.exe	9
PID 3496 wrote to memory of 796	3496	5.exe	9
PID 3496 wrote to memory of 796	3496	5.exe	9
PID 3496 wrote to memory of 796	3496	5.exe	9
PID 3496 wrote to memory of 796	3496	5.exe	9
PID 3496 wrote to memory of 804	3496	5.exe	22
PID 3496 wrote to memory of 804	3496	5.exe	22
PID 3496 wrote to memory of 804	3496	5.exe	22
PID 3496 wrote to memory of 804	3496	5.exe	22
PID 3496 wrote to memory of 804	3496	5.exe	22
PID 3496 wrote to memory of 804	3496	5.exe	22
PID 3496 wrote to memory of 900	3496	5.exe	20
PID 3496 wrote to memory of 900	3496	5.exe	20
PID 3496 wrote to memory of 900	3496	5.exe	20
PID 3496 wrote to memory of 900	3496	5.exe	20
PID 3496 wrote to memory of 900	3496	5.exe	20
PID 3496 wrote to memory of 900	3496	5.exe	20
PID 3496 wrote to memory of 952	3496	5.exe	10
PID 3496 wrote to memory of 952	3496	5.exe	10
PID 3496 wrote to memory of 952	3496	5.exe	10
PID 3496 wrote to memory of 952	3496	5.exe	10
PID 3496 wrote to memory of 952	3496	5.exe	10
PID 3496 wrote to memory of 952	3496	5.exe	10
PID 3496 wrote to memory of 64	3496	5.exe	17
PID 3496 wrote to memory of 64	3496	5.exe	17
PID 3496 wrote to memory of 64	3496	5.exe	17
PID 3496 wrote to memory of 64	3496	5.exe	17
PID 3496 wrote to memory of 64	3496	5.exe	17
PID 3496 wrote to memory of 64	3496	5.exe	17
PID 3496 wrote to memory of 428	3496	5.exe	11
PID 3496 wrote to memory of 428	3496	5.exe	11
PID 3496 wrote to memory of 428	3496	5.exe	11
PID 3496 wrote to memory of 428	3496	5.exe	11
PID 3496 wrote to memory of 428	3496	5.exe	11
PID 3496 wrote to memory of 428	3496	5.exe	11
PID 3496 wrote to memory of 752	3496	5.exe	12
PID 3496 wrote to memory of 752	3496	5.exe	12
PID 3496 wrote to memory of 752	3496	5.exe	12
PID 3496 wrote to memory of 752	3496	5.exe	12

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:668

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:608
- C:\Windows\system32\fontdrvhost.exe
  "fontdrvhost.exe"
  2⤵
  PID:796
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:64

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
1⤵
PID:776
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  2⤵
  PID:3304
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  2⤵
  PID:3404
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:3472
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:3744
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  2⤵
  PID:4012
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:4600
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  2⤵
  PID:3564
- C:\Windows\system32\wbem\wmiprvse.exe
  C:\Windows\system32\wbem\wmiprvse.exe
  2⤵
  PID:2604
- C:\Windows\system32\SppExtComObj.exe
  C:\Windows\system32\SppExtComObj.exe -Embedding
  2⤵
  PID:2912

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:952

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:428

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:752

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:916

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1064
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:2872

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
1⤵
PID:1096

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:988

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1168

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1264

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS -p
1⤵
PID:900

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1300

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:804

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1324

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1372

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1592

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1872

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:1200

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2296

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2404

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2396

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:2504

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2436

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
PID:2364

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2520

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2304

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2760

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2140

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:1784

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
1⤵
PID:1788

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1964

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1916

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1896

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1888

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1744

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2768

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1732

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s FontCache
1⤵
PID:1616

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1528

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1512

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1400

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1364

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:676
- C:\Users\Admin\AppData\Local\Temp\53dfd190f6be73e6d77dcec1137883c3b15855789e11984d77155a94d5f9d021.exe
  "C:\Users\Admin\AppData\Local\Temp\53dfd190f6be73e6d77dcec1137883c3b15855789e11984d77155a94d5f9d021.exe"
  2⤵
  - Checks computer location settings
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:912
- - C:\WINDOWS\system\1.exe
    "C:\WINDOWS\system\1.exe"
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID:5068
  - - C:\WINDOWS\system\5.exe
      "C:\WINDOWS\system\5.exe"
      4⤵
      Modifies firewall policy service
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3496

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3096

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:4532

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
PID:4076

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:4704

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:4944

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:788

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -s W32Time
1⤵
PID:3540

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:1056

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\system\1.exe

Filesize
185KB

MD5
4645e288bbcfdf811dc809f16fbe8ba9

SHA1
ce9aaee40fab24c2082c333e412ab3bc25133b80

SHA256
c8930d745a7a6f7db264b7cb088f4d1b2ec3eb2ae308c5834bedc5e468bf75b1

SHA512
30718c7ab803c27076f1e24c2278f5eea9036e42713313bc01ec2ad02db206f53ed258c246913fb322984c6b1abff269bd99e1e7ae0fe4f009a527ccc0a01ac0

Download Submit
C:\WINDOWS\system\5.exe

Filesize
114KB

MD5
1666f26018a9b8374a8d720885b8e8c0

SHA1
1fa35785b6043513297eeae96ab431fef9c21a85

SHA256
e3ac62add205edfea215937b060c84206bc79b1cf3ed15278f36b9e6b5cf872d

SHA512
e7b8766ac8c3c8e302bcf6eb907ebdf4af0adb6ca877ff1ad11f7624005917003f9757abcdc321823aa52e2a4fa7bd866f0b172ba2899b60f412e358118e3fe0

Download Submit
C:\Windows\System\1.exe

Filesize
185KB

MD5
4645e288bbcfdf811dc809f16fbe8ba9

SHA1
ce9aaee40fab24c2082c333e412ab3bc25133b80

SHA256
c8930d745a7a6f7db264b7cb088f4d1b2ec3eb2ae308c5834bedc5e468bf75b1

SHA512
30718c7ab803c27076f1e24c2278f5eea9036e42713313bc01ec2ad02db206f53ed258c246913fb322984c6b1abff269bd99e1e7ae0fe4f009a527ccc0a01ac0

Download Submit
C:\Windows\System\5.exe

Filesize
114KB

MD5
1666f26018a9b8374a8d720885b8e8c0

SHA1
1fa35785b6043513297eeae96ab431fef9c21a85

SHA256
e3ac62add205edfea215937b060c84206bc79b1cf3ed15278f36b9e6b5cf872d

SHA512
e7b8766ac8c3c8e302bcf6eb907ebdf4af0adb6ca877ff1ad11f7624005917003f9757abcdc321823aa52e2a4fa7bd866f0b172ba2899b60f412e358118e3fe0

Download Submit
memory/676-141-0x000000007FFB0000-0x000000007FFB6000-memory.dmp

Filesize
24KB

Download
memory/912-132-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/912-136-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3496-142-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3496-143-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download
memory/5068-140-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download