Analysis
- max time kernel: 178s
- max time network: 192s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23-11-2022 09:41
Static task
- static1
Behavioral task
- behavioral1
  Sample: a35e2948aa479bcfe9352531e4f161728214ff231d4e93ddcdd4224beb2f02b5.exe
  Resource: win7-20220901-en
Behavioral task
- behavioral2
  Sample: a35e2948aa479bcfe9352531e4f161728214ff231d4e93ddcdd4224beb2f02b5.exe
  Resource: win10v2004-20221111-en
General
- Target: a35e2948aa479bcfe9352531e4f161728214ff231d4e93ddcdd4224beb2f02b5.exe
- Size: 183KB
- MD5: 23127700d29f175b1cfc95aee76744b7
- SHA1: b7720f74b3e6c5e8de8104a10d84db7b27f395ef
- SHA256: a35e2948aa479bcfe9352531e4f161728214ff231d4e93ddcdd4224beb2f02b5
- SHA512: eb1e7b8ca724c4b7f72093a380086c880f159ca7047a179e20b3eb869cd6c126611c50616ea91830a30c2fba38abad51a21a4de1180bdc579830e5ea32bb2de6
- SSDEEP: 3072:BPprdo/5Plc91XQzaH6FZ2YRjKjujvTfvIax7qbbf4sznHL:ZAP+1AeQnRj6uHf2b8sz
Malware Config
Signatures
-
Executes dropped EXE (2 IoCs)
Processes:
- PID 3936  svchost.exe
- PID 3316  svchost.exe
-
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
- a35e2948aa479bcfe9352531e4f161728214ff231d4e93ddcdd4224beb2f02b5.exe: key value queried \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation
-
Suspicious use of SetThreadContext (2 IoCs)
Processes:
- PID 4396 a35e2948aa479bcfe9352531e4f161728214ff231d4e93ddcdd4224beb2f02b5.exe set thread context of PID 4168 a35e2948aa479bcfe9352531e4f161728214ff231d4e93ddcdd4224beb2f02b5.exe
- PID 3936 svchost.exe set thread context of PID 3316 svchost.exe
-
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash (1 IoCs)
Processes:
- PID 2036 WerFault.exe, target PID 3316 svchost.exe
-
Suspicious use of AdjustPrivilegeToken (6 IoCs)
Processes:
- PID 4396 a35e2948aa479bcfe9352531e4f161728214ff231d4e93ddcdd4224beb2f02b5.exe: Token SeDebugPrivilege
- PID 4396 a35e2948aa479bcfe9352531e4f161728214ff231d4e93ddcdd4224beb2f02b5.exe: Token 33
- PID 4396 a35e2948aa479bcfe9352531e4f161728214ff231d4e93ddcdd4224beb2f02b5.exe: Token SeIncBasePriorityPrivilege
- PID 3936 svchost.exe: Token SeDebugPrivilege
- PID 3936 svchost.exe: Token 33
- PID 3936 svchost.exe: Token SeIncBasePriorityPrivilege
-
Suspicious use of WriteProcessMemory (15 IoCs)
Processes:
- PID 4396 a35e2948aa479bcfe9352531e4f161728214ff231d4e93ddcdd4224beb2f02b5.exe wrote to memory of PID 4168 a35e2948aa479bcfe9352531e4f161728214ff231d4e93ddcdd4224beb2f02b5.exe (8 entries)
- PID 4168 a35e2948aa479bcfe9352531e4f161728214ff231d4e93ddcdd4224beb2f02b5.exe wrote to memory of PID 3936 svchost.exe (3 entries)
- PID 3936 svchost.exe wrote to memory of PID 3316 svchost.exe (4 entries)
Processes
- (depth 1) C:\Users\Admin\AppData\Local\Temp\a35e2948aa479bcfe9352531e4f161728214ff231d4e93ddcdd4224beb2f02b5.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a35e2948aa479bcfe9352531e4f161728214ff231d4e93ddcdd4224beb2f02b5.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - (depth 2) C:\Users\Admin\AppData\Local\Temp\a35e2948aa479bcfe9352531e4f161728214ff231d4e93ddcdd4224beb2f02b5.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\a35e2948aa479bcfe9352531e4f161728214ff231d4e93ddcdd4224beb2f02b5.exe
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    - (depth 3) C:\ProgramData\svchost.exe
      Command line: "C:\ProgramData\svchost.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - (depth 4) C:\ProgramData\svchost.exe
        Command line: C:\ProgramData\svchost.exe
        - Executes dropped EXE
        - (depth 5) C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3316 -s 84
          - Program crash
- (depth 1) C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3316 -ip 3316
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\ProgramData\svchost.exe
Filesize: 183KB
MD5: 23127700d29f175b1cfc95aee76744b7
SHA1: b7720f74b3e6c5e8de8104a10d84db7b27f395ef
SHA256: a35e2948aa479bcfe9352531e4f161728214ff231d4e93ddcdd4224beb2f02b5
SHA512: eb1e7b8ca724c4b7f72093a380086c880f159ca7047a179e20b3eb869cd6c126611c50616ea91830a30c2fba38abad51a21a4de1180bdc579830e5ea32bb2de6
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\a35e2948aa479bcfe9352531e4f161728214ff231d4e93ddcdd4224beb2f02b5.exe.log
Filesize: 606B
MD5: c117ae747a8586fd810a5ce712005e11
SHA1: fcd4adab57ed7c5153430c4a9c617574e98ec8c1
SHA256: 1435809f80ffb74717ba6eeb89156c38323c5423639756ce61e8f3e36001d966
SHA512: 07111ebbaa5d9ceef502e39ba3732e1869467375cb66c9a9c9d7077ba8c5ee0d473c25b36769aa36d8d489c04d5f97eb666890a03bbda4c32098decd36347ece
-
memory/3316-142-0x0000000000000000-mapping.dmp
-
memory/3936-139-0x0000000000000000-mapping.dmp
-
memory/4168-135-0x0000000000000000-mapping.dmp
-
memory/4168-136-0x0000000000400000-0x0000000000410000-memory.dmp
Filesize: 64KB
-
memory/4168-138-0x0000000005730000-0x00000000057CC000-memory.dmp
Filesize: 624KB
-
memory/4396-132-0x0000000000380000-0x00000000003B4000-memory.dmp
Filesize: 208KB
-
memory/4396-133-0x0000000005430000-0x00000000059D4000-memory.dmp
Filesize: 5.6MB
-
memory/4396-134-0x0000000004D90000-0x0000000004E22000-memory.dmp
Filesize: 584KB