a35e2948aa479bcfe9352531e4f161728214ff231d4e93ddcdd4224beb2f02b5

General

Target

a35e2948aa479bcfe9352531e4f161728214ff231d4e93ddcdd4224beb2f02b5.exe
Size

183KB
MD5

23127700d29f175b1cfc95aee76744b7
SHA1

b7720f74b3e6c5e8de8104a10d84db7b27f395ef
SHA256

a35e2948aa479bcfe9352531e4f161728214ff231d4e93ddcdd4224beb2f02b5
SHA512

eb1e7b8ca724c4b7f72093a380086c880f159ca7047a179e20b3eb869cd6c126611c50616ea91830a30c2fba38abad51a21a4de1180bdc579830e5ea32bb2de6
SSDEEP

3072:BPprdo/5Plc91XQzaH6FZ2YRjKjujvTfvIax7qbbf4sznHL:ZAP+1AeQnRj6uHf2b8sz

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

svchost.exesvchost.exe

pid process

3936 svchost.exe
3316 svchost.exe

pid	process
3936	svchost.exe
3316	svchost.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

a35e2948aa479bcfe9352531e4f161728214ff231d4e93ddcdd4224beb2f02b5.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	a35e2948aa479bcfe9352531e4f161728214ff231d4e93ddcdd4224beb2f02b5.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

a35e2948aa479bcfe9352531e4f161728214ff231d4e93ddcdd4224beb2f02b5.exesvchost.exe

description	pid	process	target process
PID 4396 set thread context of 4168	4396	a35e2948aa479bcfe9352531e4f161728214ff231d4e93ddcdd4224beb2f02b5.exe	a35e2948aa479bcfe9352531e4f161728214ff231d4e93ddcdd4224beb2f02b5.exe
PID 3936 set thread context of 3316	3936	svchost.exe	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2036 3316 WerFault.exe svchost.exe

pid	pid_target	process	target process
2036	3316	WerFault.exe	svchost.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

a35e2948aa479bcfe9352531e4f161728214ff231d4e93ddcdd4224beb2f02b5.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	4396	a35e2948aa479bcfe9352531e4f161728214ff231d4e93ddcdd4224beb2f02b5.exe
Token: 33	4396	a35e2948aa479bcfe9352531e4f161728214ff231d4e93ddcdd4224beb2f02b5.exe
Token: SeIncBasePriorityPrivilege	4396	a35e2948aa479bcfe9352531e4f161728214ff231d4e93ddcdd4224beb2f02b5.exe
Token: SeDebugPrivilege	3936	svchost.exe
Token: 33	3936	svchost.exe
Token: SeIncBasePriorityPrivilege	3936	svchost.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

a35e2948aa479bcfe9352531e4f161728214ff231d4e93ddcdd4224beb2f02b5.exea35e2948aa479bcfe9352531e4f161728214ff231d4e93ddcdd4224beb2f02b5.exesvchost.exe

description	pid	process	target process
PID 4396 wrote to memory of 4168	4396	a35e2948aa479bcfe9352531e4f161728214ff231d4e93ddcdd4224beb2f02b5.exe	a35e2948aa479bcfe9352531e4f161728214ff231d4e93ddcdd4224beb2f02b5.exe
PID 4396 wrote to memory of 4168	4396	a35e2948aa479bcfe9352531e4f161728214ff231d4e93ddcdd4224beb2f02b5.exe	a35e2948aa479bcfe9352531e4f161728214ff231d4e93ddcdd4224beb2f02b5.exe
PID 4396 wrote to memory of 4168	4396	a35e2948aa479bcfe9352531e4f161728214ff231d4e93ddcdd4224beb2f02b5.exe	a35e2948aa479bcfe9352531e4f161728214ff231d4e93ddcdd4224beb2f02b5.exe
PID 4396 wrote to memory of 4168	4396	a35e2948aa479bcfe9352531e4f161728214ff231d4e93ddcdd4224beb2f02b5.exe	a35e2948aa479bcfe9352531e4f161728214ff231d4e93ddcdd4224beb2f02b5.exe
PID 4396 wrote to memory of 4168	4396	a35e2948aa479bcfe9352531e4f161728214ff231d4e93ddcdd4224beb2f02b5.exe	a35e2948aa479bcfe9352531e4f161728214ff231d4e93ddcdd4224beb2f02b5.exe
PID 4396 wrote to memory of 4168	4396	a35e2948aa479bcfe9352531e4f161728214ff231d4e93ddcdd4224beb2f02b5.exe	a35e2948aa479bcfe9352531e4f161728214ff231d4e93ddcdd4224beb2f02b5.exe
PID 4396 wrote to memory of 4168	4396	a35e2948aa479bcfe9352531e4f161728214ff231d4e93ddcdd4224beb2f02b5.exe	a35e2948aa479bcfe9352531e4f161728214ff231d4e93ddcdd4224beb2f02b5.exe
PID 4396 wrote to memory of 4168	4396	a35e2948aa479bcfe9352531e4f161728214ff231d4e93ddcdd4224beb2f02b5.exe	a35e2948aa479bcfe9352531e4f161728214ff231d4e93ddcdd4224beb2f02b5.exe
PID 4168 wrote to memory of 3936	4168	a35e2948aa479bcfe9352531e4f161728214ff231d4e93ddcdd4224beb2f02b5.exe	svchost.exe
PID 4168 wrote to memory of 3936	4168	a35e2948aa479bcfe9352531e4f161728214ff231d4e93ddcdd4224beb2f02b5.exe	svchost.exe
PID 4168 wrote to memory of 3936	4168	a35e2948aa479bcfe9352531e4f161728214ff231d4e93ddcdd4224beb2f02b5.exe	svchost.exe
PID 3936 wrote to memory of 3316	3936	svchost.exe	svchost.exe
PID 3936 wrote to memory of 3316	3936	svchost.exe	svchost.exe
PID 3936 wrote to memory of 3316	3936	svchost.exe	svchost.exe
PID 3936 wrote to memory of 3316	3936	svchost.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\a35e2948aa479bcfe9352531e4f161728214ff231d4e93ddcdd4224beb2f02b5.exe
"C:\Users\Admin\AppData\Local\Temp\a35e2948aa479bcfe9352531e4f161728214ff231d4e93ddcdd4224beb2f02b5.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4396

C:\Users\Admin\AppData\Local\Temp\a35e2948aa479bcfe9352531e4f161728214ff231d4e93ddcdd4224beb2f02b5.exe
C:\Users\Admin\AppData\Local\Temp\a35e2948aa479bcfe9352531e4f161728214ff231d4e93ddcdd4224beb2f02b5.exe
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4168

C:\ProgramData\svchost.exe
"C:\ProgramData\svchost.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3936

C:\ProgramData\svchost.exe
C:\ProgramData\svchost.exe
4⤵
- Executes dropped EXE
PID:3316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3316 -s 84
5⤵
- Program crash
PID:2036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3316 -ip 3316
1⤵
PID:4956

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\svchost.exe
Filesize
183KB

MD5
23127700d29f175b1cfc95aee76744b7

SHA1
b7720f74b3e6c5e8de8104a10d84db7b27f395ef

SHA256
a35e2948aa479bcfe9352531e4f161728214ff231d4e93ddcdd4224beb2f02b5

SHA512
eb1e7b8ca724c4b7f72093a380086c880f159ca7047a179e20b3eb869cd6c126611c50616ea91830a30c2fba38abad51a21a4de1180bdc579830e5ea32bb2de6

Download Submit
C:\ProgramData\svchost.exe
Filesize
183KB

MD5
23127700d29f175b1cfc95aee76744b7

SHA1
b7720f74b3e6c5e8de8104a10d84db7b27f395ef

SHA256
a35e2948aa479bcfe9352531e4f161728214ff231d4e93ddcdd4224beb2f02b5

SHA512
eb1e7b8ca724c4b7f72093a380086c880f159ca7047a179e20b3eb869cd6c126611c50616ea91830a30c2fba38abad51a21a4de1180bdc579830e5ea32bb2de6

Download Submit
C:\ProgramData\svchost.exe
Filesize
183KB

MD5
23127700d29f175b1cfc95aee76744b7

SHA1
b7720f74b3e6c5e8de8104a10d84db7b27f395ef

SHA256
a35e2948aa479bcfe9352531e4f161728214ff231d4e93ddcdd4224beb2f02b5

SHA512
eb1e7b8ca724c4b7f72093a380086c880f159ca7047a179e20b3eb869cd6c126611c50616ea91830a30c2fba38abad51a21a4de1180bdc579830e5ea32bb2de6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\a35e2948aa479bcfe9352531e4f161728214ff231d4e93ddcdd4224beb2f02b5.exe.log
Filesize
606B

MD5
c117ae747a8586fd810a5ce712005e11

SHA1
fcd4adab57ed7c5153430c4a9c617574e98ec8c1

SHA256
1435809f80ffb74717ba6eeb89156c38323c5423639756ce61e8f3e36001d966

SHA512
07111ebbaa5d9ceef502e39ba3732e1869467375cb66c9a9c9d7077ba8c5ee0d473c25b36769aa36d8d489c04d5f97eb666890a03bbda4c32098decd36347ece

Download Submit
memory/3316-142-0x0000000000000000-mapping.dmp

Download
memory/3936-139-0x0000000000000000-mapping.dmp

Download
memory/4168-135-0x0000000000000000-mapping.dmp

Download
memory/4168-136-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4168-138-0x0000000005730000-0x00000000057CC000-memory.dmp

Filesize
624KB

Download
memory/4396-132-0x0000000000380000-0x00000000003B4000-memory.dmp

Filesize
208KB

Download
memory/4396-133-0x0000000005430000-0x00000000059D4000-memory.dmp

Filesize
5.6MB

Download
memory/4396-134-0x0000000004D90000-0x0000000004E22000-memory.dmp

Filesize
584KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads