1276dea9bbfc6f5149fc9852dcd6b6de36e1c5d111115550be8b2cf8d670134b

Analysis

max time kernel
154s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 09:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1276dea9bbfc6f5149fc9852dcd6b6de36e1c5d111115550be8b2cf8d670134b.exe
Size

172KB
MD5

d8b3807c730d493ba974c13c83621dd8
SHA1

8f4f7519e1c86bd3b123130f60100d7da7a2e53d
SHA256

1276dea9bbfc6f5149fc9852dcd6b6de36e1c5d111115550be8b2cf8d670134b
SHA512

9814ab497620ab816f7766d428bf6671d20ef40d9f543933bc8ed0b545ce6cea3ce30d40e512853d3e7df62cc152bf30547d99f58f99f53823ff0af1c76f2f2e
SSDEEP

3072:mJ0A2KvUXh9O5P908zsStvqeSwCKx83lUICxsqcAeSa:O0A2auu10usSJbuKxAlicbS

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

svchost.exesvchost.exe

pid process

4956 svchost.exe
3192 svchost.exe

pid	process
4956	svchost.exe
3192	svchost.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

1276dea9bbfc6f5149fc9852dcd6b6de36e1c5d111115550be8b2cf8d670134b.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	1276dea9bbfc6f5149fc9852dcd6b6de36e1c5d111115550be8b2cf8d670134b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 2 IoCs

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Config	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Config\ = e6070b00030017000b00020005006700	svchost.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

svchost.exe

pid process

3192 svchost.exe
3192 svchost.exe
3192 svchost.exe
3192 svchost.exe
3192 svchost.exe
3192 svchost.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

svchost.exe

description pid process

Token: SeBackupPrivilege 3192 svchost.exe
Token: SeRestorePrivilege 3192 svchost.exe

pid	process
3192	svchost.exe
3192	svchost.exe
3192	svchost.exe
3192	svchost.exe
3192	svchost.exe
3192	svchost.exe

description	pid	process
Token: SeBackupPrivilege	3192	svchost.exe
Token: SeRestorePrivilege	3192	svchost.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

1276dea9bbfc6f5149fc9852dcd6b6de36e1c5d111115550be8b2cf8d670134b.exe

description	pid	process	target process
PID 3692 wrote to memory of 4956	3692	1276dea9bbfc6f5149fc9852dcd6b6de36e1c5d111115550be8b2cf8d670134b.exe	svchost.exe
PID 3692 wrote to memory of 4956	3692	1276dea9bbfc6f5149fc9852dcd6b6de36e1c5d111115550be8b2cf8d670134b.exe	svchost.exe
PID 3692 wrote to memory of 4956	3692	1276dea9bbfc6f5149fc9852dcd6b6de36e1c5d111115550be8b2cf8d670134b.exe	svchost.exe
PID 3692 wrote to memory of 1044	3692	1276dea9bbfc6f5149fc9852dcd6b6de36e1c5d111115550be8b2cf8d670134b.exe	cmd.exe
PID 3692 wrote to memory of 1044	3692	1276dea9bbfc6f5149fc9852dcd6b6de36e1c5d111115550be8b2cf8d670134b.exe	cmd.exe
PID 3692 wrote to memory of 1044	3692	1276dea9bbfc6f5149fc9852dcd6b6de36e1c5d111115550be8b2cf8d670134b.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\1276dea9bbfc6f5149fc9852dcd6b6de36e1c5d111115550be8b2cf8d670134b.exe
"C:\Users\Admin\AppData\Local\Temp\1276dea9bbfc6f5149fc9852dcd6b6de36e1c5d111115550be8b2cf8d670134b.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3692

C:\Windows\temp\svchost.exe
"C:\Windows\temp\svchost.exe" -install
2⤵
- Executes dropped EXE
PID:4956

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\~0.bat" "
2⤵
PID:1044

C:\Windows\temp\svchost.exe
C:\Windows\temp\svchost.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3192

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~0.bat
Filesize
258B

MD5
3ec406bfaf2fc1383813314972975c84

SHA1
eb38d2a107129c86a910492f5b66fb9002dd9576

SHA256
9fafc27e02c57454749b7a5ecfa45024c5813760b21ca571855f0ebb623e032d

SHA512
de3e524d92abc4354735f35c88c7f7c972dd4d85d9dab93df91dd6f1c56c0046f27956512a3f66a1b3b1ca82bd127ea7c0c596aec95b1bb3b81037728ac92173

Download Submit
C:\Windows\Temp\svchost.exe
Filesize
172KB

MD5
d8b3807c730d493ba974c13c83621dd8

SHA1
8f4f7519e1c86bd3b123130f60100d7da7a2e53d

SHA256
1276dea9bbfc6f5149fc9852dcd6b6de36e1c5d111115550be8b2cf8d670134b

SHA512
9814ab497620ab816f7766d428bf6671d20ef40d9f543933bc8ed0b545ce6cea3ce30d40e512853d3e7df62cc152bf30547d99f58f99f53823ff0af1c76f2f2e

Download Submit
C:\Windows\Temp\svchost.exe
Filesize
172KB

MD5
d8b3807c730d493ba974c13c83621dd8

SHA1
8f4f7519e1c86bd3b123130f60100d7da7a2e53d

SHA256
1276dea9bbfc6f5149fc9852dcd6b6de36e1c5d111115550be8b2cf8d670134b

SHA512
9814ab497620ab816f7766d428bf6671d20ef40d9f543933bc8ed0b545ce6cea3ce30d40e512853d3e7df62cc152bf30547d99f58f99f53823ff0af1c76f2f2e

Download Submit
C:\Windows\temp\svchost.exe
Filesize
172KB

MD5
d8b3807c730d493ba974c13c83621dd8

SHA1
8f4f7519e1c86bd3b123130f60100d7da7a2e53d

SHA256
1276dea9bbfc6f5149fc9852dcd6b6de36e1c5d111115550be8b2cf8d670134b

SHA512
9814ab497620ab816f7766d428bf6671d20ef40d9f543933bc8ed0b545ce6cea3ce30d40e512853d3e7df62cc152bf30547d99f58f99f53823ff0af1c76f2f2e

Download Submit
memory/1044-136-0x0000000000000000-mapping.dmp

Download
memory/4956-132-0x0000000000000000-mapping.dmp

Download