444897dae1910c2990675c2e108930cd5d202956fb3f271bf143d9eb5d41d9ff

Analysis

max time kernel
144s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 10:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

444897dae1910c2990675c2e108930cd5d202956fb3f271bf143d9eb5d41d9ff.exe
Size

2.3MB
MD5

5ed88fad3c9cba43fab260017c002a3a
SHA1

a6e3d5022693e25cf6d1a44d5aa685edcc658565
SHA256

444897dae1910c2990675c2e108930cd5d202956fb3f271bf143d9eb5d41d9ff
SHA512

09fe08f8708b75e3c512eb297d31328010bda1e6196a2ba9783d761bcf7bdbf4f3d56852a4821a43690278da743712cdd9ce2a7b4882168dd6425cc1d482d7cb
SSDEEP

49152:Ac//////ZTHtW5p3Jtwc54TmLL4vJrKJYib++a0DLxZ4oGdmzs4obqacIuGJ:Ac//////BtW5VJtwS4aEvMfD9MLvbqcp

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 2 IoCs

Processes:

svchost.exe

description	ioc	process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{EBD04A47-D636-4434-8FD9-AB60BFABD30B}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{15762F9A-389D-4CCD-B32B-D1E9BA61E9E2}.catalogItem	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	svchost.exe

Modifies registry class 4 IoCs

Processes:

cmd.exeOpenWith.exeOpenWith.execmd.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	cmd.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

OpenWith.exeOpenWith.exe

pid process

3976 OpenWith.exe
4212 OpenWith.exe

pid	process
3976	OpenWith.exe
4212	OpenWith.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

444897dae1910c2990675c2e108930cd5d202956fb3f271bf143d9eb5d41d9ff.exe

description	pid	process	target process
PID 2228 wrote to memory of 2380	2228	444897dae1910c2990675c2e108930cd5d202956fb3f271bf143d9eb5d41d9ff.exe	cmd.exe
PID 2228 wrote to memory of 2380	2228	444897dae1910c2990675c2e108930cd5d202956fb3f271bf143d9eb5d41d9ff.exe	cmd.exe
PID 2228 wrote to memory of 2380	2228	444897dae1910c2990675c2e108930cd5d202956fb3f271bf143d9eb5d41d9ff.exe	cmd.exe
PID 2228 wrote to memory of 3964	2228	444897dae1910c2990675c2e108930cd5d202956fb3f271bf143d9eb5d41d9ff.exe	cmd.exe
PID 2228 wrote to memory of 3964	2228	444897dae1910c2990675c2e108930cd5d202956fb3f271bf143d9eb5d41d9ff.exe	cmd.exe
PID 2228 wrote to memory of 3964	2228	444897dae1910c2990675c2e108930cd5d202956fb3f271bf143d9eb5d41d9ff.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\444897dae1910c2990675c2e108930cd5d202956fb3f271bf143d9eb5d41d9ff.exe
"C:\Users\Admin\AppData\Local\Temp\444897dae1910c2990675c2e108930cd5d202956fb3f271bf143d9eb5d41d9ff.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2228

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\fcaiai726.rar"
2⤵
- Modifies registry class
PID:2380

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\tj1.rar"
2⤵
- Modifies registry class
PID:3964

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3976

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4212

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
PID:340

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\fcaiai726.rar

Filesize
2.1MB

MD5
bed563288455753b23cb98ca314cfc39

SHA1
7552c8e2b65b80fbf0fc55c92783fd34299fa558

SHA256
f12f8e2cca7e583acffeac7310040b9a11fe711ae539d1a1f8df1bae4bc5fb5c

SHA512
bb995a121bbbc65b817f842cc397dc3bd056e4a0f62ce3b7148620049577e515bf728ba3bcc75fadba1c4364a89c47f92db391091bad26718f1887b5c5b2a0cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\tj1.rar

Filesize
183KB

MD5
3e16b53769e7f850368d0911ab499432

SHA1
4ca5e3e95818468782ba09c6accfd12ccbf443e4

SHA256
676547166f2dc0fe106e28e996fe099aad1efb72d5c03750f41a60115cf5a043

SHA512
554f01e0d885f4149cac25fb912ec6482c316e2f9aefb45afe31eb874489f2ca53d6556062649e14e4d23f84714a644d72196585f1c6b23e7a92c50c85c81fdb

Download Submit
memory/2380-132-0x0000000000000000-mapping.dmp

Download
memory/3964-133-0x0000000000000000-mapping.dmp

Download