Analysis

  • max time kernel
    186s
  • max time network
    193s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    23-11-2022 09:46

General

  • Target

    07a7daa188009040241d8ffcc0e9f760c30dae7599fbe12e7df755623d7a74d6.exe

  • Size

    97KB

  • MD5

    e3224603fe2aaaec7a274c5d55252a04

  • SHA1

    8e815fc7e307485fa34e12f4f8e408bb10ea23dd

  • SHA256

    07a7daa188009040241d8ffcc0e9f760c30dae7599fbe12e7df755623d7a74d6

  • SHA512

    f01581ffebbde05c11de55d500b41c6129bbaa1134bbb22869ed160c9883cc40f2d9513b58e4fc5380ab05b73791477e9c496f499ca7b35ecbe928d7cda69fda

  • SSDEEP

    1536:Q2QVxKF03OXuK9s7/sEguuULsN3rhZurqODNrrQYey6iexQ1q2rTAmjq8cMGL:DYjyuKWgEgQIhCDnQY8nxQ1BrUSqVMM

Score
8/10

Malware Config

Signatures

  • Sets DLL path for service in the registry (2 TTPs, 1 IoC)
  • Sets service image path in registry (2 TTPs, 1 IoC)
  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up the country code configured in the registry, likely a geofence check.

  • Loads dropped DLL (1 IoC)
  • Drops file in System32 directory (5 IoCs)
  • Drops file in Windows directory (1 IoC)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious behavior: LoadsDriver (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • Suspicious use of WriteProcessMemory (3 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\07a7daa188009040241d8ffcc0e9f760c30dae7599fbe12e7df755623d7a74d6.exe
    "C:\Users\Admin\AppData\Local\Temp\07a7daa188009040241d8ffcc0e9f760c30dae7599fbe12e7df755623d7a74d6.exe"
    PID: 2096 (depth 1)
    • Sets DLL path for service in the registry
    • Sets service image path in registry
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5872779e.bat" "
      PID: 2288 (depth 2, child of 2096)
  • C:\Windows\SysWOW64\Svchost.exe
    C:\Windows\SysWOW64\Svchost.exe -k netsvcs -s FastUserSwitchingCompatibility
    PID: 4960 (depth 1; the report lists it at top level, not as a child of 2096)
    • Loads dropped DLL
    • Drops file in System32 directory
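    The chain visible above is a service-DLL persistence pattern: the sample writes FastUserSwitchingCompatibility.dll into SysWOW64, sets a service DLL path and image path in the registry, and a 32-bit svchost.exe then starts with `-k netsvcs -s FastUserSwitchingCompatibility` and loads the dropped DLL. The following is an added example and not part of the sandbox report: a small Python correlation routine run over constructed Sysmon-style events (file create, registry set, process create) that alerts when a process outside an allowlist drops a DLL into a system directory and a ServiceDll value is pointed at it, and again when svchost is asked to host that service. The event shape, the allowlist, and the exact registry values are assumptions; the paths, PIDs and service name copy the report.

```python
"""Correlate Sysmon-style events for a drop -> register -> svchost-hosted service-DLL chain.

Added example. SAMPLE_EVENTS are constructed to mirror the sandbox report; the
event layout is a simplified Sysmon shape (not a parser for real Sysmon XML) and
the registry values are assumed, since the report only says they were set.
"""
import re

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Illustrative allowlist of images expected to write into system directories (assumption).
TRUSTED_WRITERS = {
    "c:\\windows\\servicing\\trustedinstaller.exe",
    "c:\\windows\\system32\\poqexec.exe",
}
SERVICE_KEY_RE = re.compile(
    r"^hklm\\system\\(?:currentcontrolset|controlset\d+)\\services\\"
    r"([^\\]+)\\(parameters\\servicedll|imagepath)$"
)
SVCHOST_RE = re.compile(r"svchost\.exe\"?\s+-k\s+(\S+)\s+-s\s+(\S+)", re.I)


def norm_path(p: str) -> str:
    """Lower-case, strip quotes and the NT \\??\\ prefix, expand %SystemRoot%."""
    p = p.strip().strip('"')
    if p.startswith("\\??\\"):
        p = p[4:]
    p = re.sub(r"%systemroot%", lambda _m: "c:\\windows", p, flags=re.I)
    return p.lower()


def in_system_dir(path: str) -> bool:
    return any(path.startswith(d) for d in SYSTEM_DIRS)


def correlate(events):
    """Return alerts for the drop -> register -> svchost-host sequence.

    events: dicts in time order with keys type ('FileCreate' | 'RegistrySet' |
    'ProcessCreate'), image, pid, plus target (FileCreate), key/value
    (RegistrySet) or cmdline (ProcessCreate).
    """
    dropped = {}   # normalised dll path -> pid that wrote it into a system dir
    svc_dll = {}   # service name -> ServiceDll path set in the registry
    alerts = []
    for ev in events:
        image = norm_path(ev["image"])
        if ev["type"] == "FileCreate":
            target = norm_path(ev["target"])
            if in_system_dir(target) and target.endswith(".dll") and image not in TRUSTED_WRITERS:
                dropped[target] = ev["pid"]
        elif ev["type"] == "RegistrySet":
            m = SERVICE_KEY_RE.match(norm_path(ev["key"]))
            if not m:
                continue
            svc, value_name = m.group(1), m.group(2)
            value = norm_path(ev["value"])
            if value_name.endswith("servicedll"):
                svc_dll[svc] = value
            if value in dropped:  # a service now points at a DLL this session just dropped
                alerts.append({"rule": "service_points_at_dropped_dll", "service": svc,
                               "path": value, "writer_pid": dropped[value], "setter_pid": ev["pid"]})
        elif ev["type"] == "ProcessCreate":
            m = SVCHOST_RE.search(ev["cmdline"])
            if not m:
                continue
            group, svc = m.group(1), m.group(2).lower()
            dll = svc_dll.get(svc)
            if dll in dropped:  # svchost is about to load the freshly registered dropped DLL
                alerts.append({"rule": "svchost_hosts_dropped_dll", "service": svc,
                               "group": group, "path": dll, "svchost_pid": ev["pid"]})
    return alerts


SAMPLE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\07a7daa188009040241d8ffcc0e9f760c30dae7599fbe12e7df755623d7a74d6.exe"
DLL = "C:\\Windows\\SysWOW64\\FastUserSwitchingCompatibility.dll"
SVC_KEY = "HKLM\\System\\CurrentControlSet\\Services\\FastUserSwitchingCompatibility\\"

# Constructed events mirroring the report; registry values are assumed.
SAMPLE_EVENTS = [
    {"type": "ProcessCreate", "pid": 2096, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"type": "FileCreate", "pid": 2096, "image": SAMPLE, "target": DLL},
    {"type": "RegistrySet", "pid": 2096, "image": SAMPLE, "key": SVC_KEY + "ImagePath",
     "value": "%SystemRoot%\\SysWOW64\\svchost.exe -k netsvcs"},
    {"type": "RegistrySet", "pid": 2096, "image": SAMPLE, "key": SVC_KEY + "Parameters\\ServiceDll",
     "value": "%SystemRoot%\\SysWOW64\\FastUserSwitchingCompatibility.dll"},
    {"type": "ProcessCreate", "pid": 4960, "image": "C:\\Windows\\SysWOW64\\Svchost.exe",
     "cmdline": "C:\\Windows\\SysWOW64\\Svchost.exe -k netsvcs -s FastUserSwitchingCompatibility"},
    # Benign controls: a servicing write and an existing netsvcs service start produce no alert.
    {"type": "FileCreate", "pid": 880, "image": "C:\\Windows\\servicing\\TrustedInstaller.exe",
     "target": "C:\\Windows\\System32\\foo.dll"},
    {"type": "ProcessCreate", "pid": 1234, "image": "C:\\Windows\\System32\\svchost.exe",
     "cmdline": "C:\\Windows\\System32\\svchost.exe -k netsvcs -s Schedule"},
]

if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(a)
```

    Run against the constructed events the routine raises exactly two alerts, one when the ServiceDll value is set to the dropped DLL and one when svchost starts with `-s FastUserSwitchingCompatibility`; the TrustedInstaller write and the Schedule service start stay silent. In a real deployment the allowlist should be derived from signed-image telemetry rather than a fixed path list, and the `dropped` map should expire entries after a window so a DLL written days ago does not fire on every service start.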

    Network

    MITRE ATT&CK Enterprise v6

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\5872779e.bat

      Filesize

      303B

      MD5

      1e611855983f9b09c203c5c9c85df4a3

      SHA1

      470675aacf485efebbc05c8bd063fac87e524bbf

      SHA256

      30c7447ef5e5e2a003784bcf322cf94a3e63e7e4d861ae2594df8aa60778c2f2

      SHA512

      4ec262d3ddd3aaea29317b0ecbfa8ef52c4d640f8370a964edbd4e4bd59f0486228b485c7862ee0bdf4222411e7241bb785b93e6f84ef49dc3ef6a64058de4b0

    • C:\Windows\SysWOW64\FastUserSwitchingCompatibility.dll

      Filesize

      25KB

      MD5

      622c4fc2bc6cbd965329dd0e2b5b24db

      SHA1

      0610310c0cc7e4005fdcf7d69b9810700efd7e19

      SHA256

      11399043af5c2bd53b60e05c8e37fd3711d1086d5a0b658dd26ebd57498aacae

      SHA512

      b43c4f5a593ff9bd8d9490d2d23c8fb9f4c5117532ac73ee3335a6f3ab8b2ce3ceb843418a0b2e5e69c13a5bb2a575502ff2ba56a1f49baeeecddfb029c81cf5

    • \??\c:\windows\SysWOW64\fastuserswitchingcompatibility.dll

      Filesize

      25KB

      MD5

      622c4fc2bc6cbd965329dd0e2b5b24db

      SHA1

      0610310c0cc7e4005fdcf7d69b9810700efd7e19

      SHA256

      11399043af5c2bd53b60e05c8e37fd3711d1086d5a0b658dd26ebd57498aacae

      SHA512

      b43c4f5a593ff9bd8d9490d2d23c8fb9f4c5117532ac73ee3335a6f3ab8b2ce3ceb843418a0b2e5e69c13a5bb2a575502ff2ba56a1f49baeeecddfb029c81cf5

    • memory/2096-132-0x00000000031F0000-0x00000000071F0000-memory.dmp

      Filesize

      64.0MB

    • memory/2096-133-0x00000000031F0000-0x00000000071F0000-memory.dmp

      Filesize

      64.0MB

    • memory/2288-134-0x0000000000000000-mapping.dmp