Analysis
max time kernel: 151s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23-11-2022 09:43
Static task: static1
Behavioral task: behavioral1
  Sample: ef734aafa5d4712a8eecdd7b63ba895fe6869c221acbd9038e65a472426d78d9.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: ef734aafa5d4712a8eecdd7b63ba895fe6869c221acbd9038e65a472426d78d9.exe
  Resource: win10v2004-20220812-en
General
Target: ef734aafa5d4712a8eecdd7b63ba895fe6869c221acbd9038e65a472426d78d9.exe
Size: 1.2MB
MD5: 38df01b430a44e714e2872cb069dbb9c
SHA1: 7593a65f30da17196b2c6abe94902271dbe78063
SHA256: ef734aafa5d4712a8eecdd7b63ba895fe6869c221acbd9038e65a472426d78d9
SHA512: 5cff7614117cc68bd77104a57723b85d3875d98708039149f57eef7392e88bd1c2881a4892510768c72d0ffcdab515b4db9dd553b5e59152ba783c9945a4828c
SSDEEP: 24576:Gt24QdLl+X+2FHARUBZQqE/aoepkbAy2945mynFz9VRQYQavcMj:M+g1TZQRanpry2jynFzPRQYQavco
Malware Config
Signatures
Executes dropped EXE (2 IoCs)
Processes:
  pid 2208  SHH.exe
  pid 4156  SHH.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
  Key value queried: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation
  by process: ef734aafa5d4712a8eecdd7b63ba895fe6869c221acbd9038e65a472426d78d9.exe
AutoIT Executable (3 IoCs)
AutoIT scripts compiled to PE executables.
Processes:
  resource C:\Users\Admin\AppData\Roaming\SHH\SHH.exe  yara_rule autoit_exe
  resource C:\Users\Admin\AppData\Roaming\SHH\SHH.exe  yara_rule autoit_exe
  resource C:\Users\Admin\AppData\Roaming\SHH\SHH.exe  yara_rule autoit_exe
Suspicious use of SetThreadContext (1 IoC)
Processes:
  PID 2208 (SHH.exe) set thread context of PID 4156 (SHH.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious use of FindShellTrayWindow (3 IoCs)
Processes:
  pid 2208  SHH.exe
  pid 2208  SHH.exe
  pid 2208  SHH.exe
Suspicious use of SendNotifyMessage (3 IoCs)
Processes:
  pid 2208  SHH.exe
  pid 2208  SHH.exe
  pid 2208  SHH.exe
Suspicious use of WriteProcessMemory (11 IoCs)
Processes:
  PID 4884 (ef734aafa5d4712a8eecdd7b63ba895fe6869c221acbd9038e65a472426d78d9.exe) wrote to memory of PID 2208 (SHH.exe)
  PID 4884 (ef734aafa5d4712a8eecdd7b63ba895fe6869c221acbd9038e65a472426d78d9.exe) wrote to memory of PID 2208 (SHH.exe)
  PID 4884 (ef734aafa5d4712a8eecdd7b63ba895fe6869c221acbd9038e65a472426d78d9.exe) wrote to memory of PID 2208 (SHH.exe)
  PID 2208 (SHH.exe) wrote to memory of PID 4156 (SHH.exe)
  PID 2208 (SHH.exe) wrote to memory of PID 4156 (SHH.exe)
  PID 2208 (SHH.exe) wrote to memory of PID 4156 (SHH.exe)
  PID 2208 (SHH.exe) wrote to memory of PID 4156 (SHH.exe)
  PID 2208 (SHH.exe) wrote to memory of PID 4156 (SHH.exe)
  PID 2208 (SHH.exe) wrote to memory of PID 4156 (SHH.exe)
  PID 2208 (SHH.exe) wrote to memory of PID 4156 (SHH.exe)
  PID 2208 (SHH.exe) wrote to memory of PID 4156 (SHH.exe)
Processes
C:\Users\Admin\AppData\Local\Temp\ef734aafa5d4712a8eecdd7b63ba895fe6869c221acbd9038e65a472426d78d9.exe (PID 4884)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ef734aafa5d4712a8eecdd7b63ba895fe6869c221acbd9038e65a472426d78d9.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Roaming\SHH\SHH.exe (PID 2208)
    Command line: "C:\Users\Admin\AppData\Roaming\SHH\SHH.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Roaming\SHH\SHH.exe (PID 4156)
      Command line: "C:\Users\Admin\AppData\Roaming\SHH\SHH.exe"
      - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 138KB
MD5: e3ca3a7fad60c185f16afc3f7b370e26
SHA1: 8ffb08ed5e9c8b55c578289129f96aafa2f6e9d6
SHA256: c8330918df1d31793e8d59869a775fd276602a2397717e958ce60b1ed538dfa3
SHA512: 5737a1c4dc86e55d70497849f679bea554e0b835076c625d98eae3151995e06a387c199233a21b80a049a0011f2a101d0e2c2f9b27ee6c44a7eb44aefce45a76

Filesize: 1.1MB
MD5: 82d3426d9da06a897ad3dae2893ee461
SHA1: 4e9f8084633463dd8e2dd33d499dda329f88225e
SHA256: a04a1d62bb232c5e2b79f94116000ca237f28457f413304a00ce47b851dc3bfd
SHA512: 32642a9dbc2eb63313204892812378ef17fb27e76347e0e06e1214ac136ca254db5ab1cb8aae377801aa645145ec86d9b8762350f87d3bca8c789f74cd8d3b04