Analysis
-
max time kernel
71s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
-
submitted
23-11-2022 09:42
General
-
Target
ccb6ffd78c778b272dd45387bad11dff4507b204c062fceef98d17601e396976.exe
-
Size
688KB
-
MD5
99f7aea316dece629041e7774d3728cc
-
SHA1
ed8ce50f94bf28e57c4ebb2fe28cb1c5d5fecc9e
-
SHA256
ccb6ffd78c778b272dd45387bad11dff4507b204c062fceef98d17601e396976
-
SHA512
ed5afa452b845029e723a863c59e34e789f364749fad1fc30733b1a4adf41f454d0a9fa6d42b9bf4b90834e86f140b1f61f03dfd8318f10d7c08cb9864ba81d9
-
SSDEEP
6144:GTHFHnDMIH9fJWPnSlRtz+RMpepNFMTHFHnDMIH9fJWPnSlRtz+RMpepNF:GRdBWPmSIeDFMRdBWPmSIeDF
Score
10/10
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Modifies Windows Firewall 1 TTPs 1 IoCs
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Adds Run key to start application 2 TTPs 36 IoCs
-
Drops desktop.ini file(s) 2 IoCs
-
Drops file in Windows directory 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\ccb6ffd78c778b272dd45387bad11dff4507b204c062fceef98d17601e396976.exe"C:\Users\Admin\AppData\Local\Temp\ccb6ffd78c778b272dd45387bad11dff4507b204c062fceef98d17601e396976.exe"1⤵
- Checks computer location settings
- Drops desktop.ini file(s)
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\mpack\PO_16652.exe"C:\Users\Admin\AppData\Roaming\mpack\PO_16652.exe"2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\mpack\PO_16652.exe" "PO_16652.exe" ENABLE3⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v shell /t REG_SZ /d explorer.exe,"C:\Users\Admin\AppData\Local\Temp\csrss.exe"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v shell /t REG_SZ /d explorer.exe,"C:\Users\Admin\AppData\Local\Temp\csrss.exe"4⤵
- Modifies WinLogon for persistence
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Microsoft Security Essentials" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\csrss.exe3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Microsoft Security Essentials" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\csrss.exe4⤵
- Adds Run key to start application
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Microsoft Security Essentials" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\csrss.exe3⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Microsoft Security Essentials" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\csrss.exe4⤵
- Adds Run key to start application
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Microsoft Security Essentials" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\csrss.exe3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Microsoft Security Essentials" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\csrss.exe4⤵
- Adds Run key to start application
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Microsoft Security Essentials" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\csrss.exe3⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Microsoft Security Essentials" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\csrss.exe4⤵
- Adds Run key to start application
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Microsoft Security Essentials" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\csrss.exe3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Microsoft Security Essentials" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\csrss.exe4⤵
- Adds Run key to start application
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Microsoft Security Essentials" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\csrss.exe3⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Microsoft Security Essentials" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\csrss.exe4⤵
- Adds Run key to start application
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Microsoft Security Essentials" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\csrss.exe3⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Microsoft Security Essentials" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\csrss.exe4⤵
- Adds Run key to start application
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Microsoft Security Essentials" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\csrss.exe3⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Microsoft Security Essentials" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\csrss.exe4⤵
- Adds Run key to start application
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Microsoft Security Essentials" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\csrss.exe3⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Microsoft Security Essentials" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\csrss.exe4⤵
- Adds Run key to start application
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Microsoft Security Essentials" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\csrss.exe3⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Microsoft Security Essentials" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\csrss.exe4⤵
- Adds Run key to start application
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Microsoft Security Essentials" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\csrss.exe3⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Microsoft Security Essentials" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\csrss.exe4⤵
- Adds Run key to start application
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Microsoft Security Essentials" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\csrss.exe3⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Microsoft Security Essentials" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\csrss.exe4⤵
- Adds Run key to start application
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Microsoft Security Essentials" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\csrss.exe3⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Microsoft Security Essentials" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\csrss.exe4⤵
- Adds Run key to start application
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Microsoft Security Essentials" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\csrss.exe3⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Microsoft Security Essentials" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\csrss.exe4⤵
- Adds Run key to start application
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Microsoft Security Essentials" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\csrss.exe3⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Microsoft Security Essentials" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\csrss.exe4⤵
- Adds Run key to start application
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Microsoft Security Essentials" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\csrss.exe3⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Microsoft Security Essentials" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\csrss.exe4⤵
- Adds Run key to start application
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Microsoft Security Essentials" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\csrss.exe3⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Microsoft Security Essentials" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\csrss.exe4⤵
- Adds Run key to start application
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Microsoft Security Essentials" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\csrss.exe3⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Microsoft Security Essentials" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\csrss.exe4⤵
- Adds Run key to start application
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
188KB
MD55bac79bd35b79431d6082cb5fda280ed
SHA111cf970b8b24aa08fe4e343a355691bbaf9294b7
SHA256e4195c1581d92a6fe8a0b7626c99387d274b028be563e3816b9544b3f73153f0
SHA512a525da368d7987a1fd50fe1c4d0f83ad4e12601cfaf4b697086c1ff624b8ef03588a3dcb1bdfb1b7f9f29cb10b521d258793f892b6cd3dccc70b79906f3a0593
-
Filesize
188KB
MD55bac79bd35b79431d6082cb5fda280ed
SHA111cf970b8b24aa08fe4e343a355691bbaf9294b7
SHA256e4195c1581d92a6fe8a0b7626c99387d274b028be563e3816b9544b3f73153f0
SHA512a525da368d7987a1fd50fe1c4d0f83ad4e12601cfaf4b697086c1ff624b8ef03588a3dcb1bdfb1b7f9f29cb10b521d258793f892b6cd3dccc70b79906f3a0593
-
-
-
-
Filesize
5.7MB
-
Filesize
5.7MB
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
Filesize
5.7MB
-
Filesize
5.7MB
-
-
-
-
-
-
-
-
-
-
-