84ca015b1ccb2ce91299509a05c3e20931a85f0cca646d472e486e95a46e9822

Analysis

max time kernel
179s
max time network
202s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 10:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

84ca015b1ccb2ce91299509a05c3e20931a85f0cca646d472e486e95a46e9822.exe
Size

41KB
MD5

5ed9a5837a0f99733bc5db1e9367a14c
SHA1

bef3ee12140d98f50a811ff129c714ab33c19056
SHA256

84ca015b1ccb2ce91299509a05c3e20931a85f0cca646d472e486e95a46e9822
SHA512

d8c3f120df697fcac34a36a578cdc330461e5029e0fccf15e816a79997f23a9029880e8096623b87e6e0623f9a48c495b96aab45c313e3c8c91816d0a0791664
SSDEEP

768:QIBar1ZIZYnfI9opm6AIHIjaI7g9mVmUnToNE/W5dRV8:pW1ZIZqI9opm6AIHIjzmUkNzd

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

sxhost.exe

pid process

4636 sxhost.exe

pid	process
4636	sxhost.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

84ca015b1ccb2ce91299509a05c3e20931a85f0cca646d472e486e95a46e9822.exesxhost.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	84ca015b1ccb2ce91299509a05c3e20931a85f0cca646d472e486e95a46e9822.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	sxhost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

84ca015b1ccb2ce91299509a05c3e20931a85f0cca646d472e486e95a46e9822.exesxhost.exe

description	pid	process	target process
PID 2200 wrote to memory of 4636	2200	84ca015b1ccb2ce91299509a05c3e20931a85f0cca646d472e486e95a46e9822.exe	sxhost.exe
PID 2200 wrote to memory of 4636	2200	84ca015b1ccb2ce91299509a05c3e20931a85f0cca646d472e486e95a46e9822.exe	sxhost.exe
PID 2200 wrote to memory of 4636	2200	84ca015b1ccb2ce91299509a05c3e20931a85f0cca646d472e486e95a46e9822.exe	sxhost.exe
PID 2200 wrote to memory of 3880	2200	84ca015b1ccb2ce91299509a05c3e20931a85f0cca646d472e486e95a46e9822.exe	cmd.exe
PID 2200 wrote to memory of 3880	2200	84ca015b1ccb2ce91299509a05c3e20931a85f0cca646d472e486e95a46e9822.exe	cmd.exe
PID 2200 wrote to memory of 3880	2200	84ca015b1ccb2ce91299509a05c3e20931a85f0cca646d472e486e95a46e9822.exe	cmd.exe
PID 4636 wrote to memory of 3540	4636	sxhost.exe	cmd.exe
PID 4636 wrote to memory of 3540	4636	sxhost.exe	cmd.exe
PID 4636 wrote to memory of 3540	4636	sxhost.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\84ca015b1ccb2ce91299509a05c3e20931a85f0cca646d472e486e95a46e9822.exe
"C:\Users\Admin\AppData\Local\Temp\84ca015b1ccb2ce91299509a05c3e20931a85f0cca646d472e486e95a46e9822.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2200

C:\Users\Admin\sxhost.exe
"C:\Users\Admin\sxhost.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4636

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c del C:\Users\Admin\sxhost.exe >> NUL
3⤵
PID:3540

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\84CA01~1.EXE >> NUL
2⤵
PID:3880

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\sxhost.exe

Filesize
41KB

MD5
5ed9a5837a0f99733bc5db1e9367a14c

SHA1
bef3ee12140d98f50a811ff129c714ab33c19056

SHA256
84ca015b1ccb2ce91299509a05c3e20931a85f0cca646d472e486e95a46e9822

SHA512
d8c3f120df697fcac34a36a578cdc330461e5029e0fccf15e816a79997f23a9029880e8096623b87e6e0623f9a48c495b96aab45c313e3c8c91816d0a0791664

Download Submit
C:\Users\Admin\sxhost.exe

Filesize
41KB

MD5
5ed9a5837a0f99733bc5db1e9367a14c

SHA1
bef3ee12140d98f50a811ff129c714ab33c19056

SHA256
84ca015b1ccb2ce91299509a05c3e20931a85f0cca646d472e486e95a46e9822

SHA512
d8c3f120df697fcac34a36a578cdc330461e5029e0fccf15e816a79997f23a9029880e8096623b87e6e0623f9a48c495b96aab45c313e3c8c91816d0a0791664

Download Submit
memory/2200-132-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2200-137-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/3540-139-0x0000000000000000-mapping.dmp

Download
memory/3880-136-0x0000000000000000-mapping.dmp

Download
memory/4636-133-0x0000000000000000-mapping.dmp

Download
memory/4636-138-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4636-140-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download