Analysis

- max time kernel: 186s
- max time network: 193s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23-11-2022 09:46
Static task: static1

Behavioral task: behavioral1
- Sample: 07a7daa188009040241d8ffcc0e9f760c30dae7599fbe12e7df755623d7a74d6.exe
- Resource: win7-20220812-en

Behavioral task: behavioral2
- Sample: 07a7daa188009040241d8ffcc0e9f760c30dae7599fbe12e7df755623d7a74d6.exe
- Resource: win10v2004-20221111-en
General

- Target: 07a7daa188009040241d8ffcc0e9f760c30dae7599fbe12e7df755623d7a74d6.exe
- Size: 97KB
- MD5: e3224603fe2aaaec7a274c5d55252a04
- SHA1: 8e815fc7e307485fa34e12f4f8e408bb10ea23dd
- SHA256: 07a7daa188009040241d8ffcc0e9f760c30dae7599fbe12e7df755623d7a74d6
- SHA512: f01581ffebbde05c11de55d500b41c6129bbaa1134bbb22869ed160c9883cc40f2d9513b58e4fc5380ab05b73791477e9c496f499ca7b35ecbe928d7cda69fda
- SSDEEP: 1536:Q2QVxKF03OXuK9s7/sEguuULsN3rhZurqODNrrQYey6iexQ1q2rTAmjq8cMGL:DYjyuKWgEgQIhCDnQY8nxQ1BrUSqVMM
Malware Config
Signatures
-
Sets DLL path for service in the registry (2 TTPs, 1 IoC)
- Process: 07a7daa188009040241d8ffcc0e9f760c30dae7599fbe12e7df755623d7a74d6.exe
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\FastUserSwitchingCompatibility\Parameters\ServiceDll = "C:\\Windows\\system32\\FastUserSwitchingCompatibility.dll"
- Note: this is svchost-hosted service persistence. The DLL named here is one the sample itself dropped (see "Drops file in System32 directory"), and the Svchost.exe instance started with "-k netsvcs -s FastUserSwitchingCompatibility" in the process list is the host that loads it (see "Loads dropped DLL").
Sets service image path in registry (2 TTPs, 1 IoC)
- Process: 07a7daa188009040241d8ffcc0e9f760c30dae7599fbe12e7df755623d7a74d6.exe
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\22276934\ImagePath = "system32\\22276934.sys"
- Note: the ImagePath is a .sys file the sample also dropped, so this service is a kernel driver. The SeLoadDriverPrivilege use and the LoadsDriver event below are consistent with that driver being loaded during the run.
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
- Process: 07a7daa188009040241d8ffcc0e9f760c30dae7599fbe12e7df755623d7a74d6.exe
- Key value queried: \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation
Loads dropped DLL (1 IoC)
- Process: Svchost.exe (PID 4960)
Drops file in System32 directory (5 IoCs)
- File opened for modification: C:\Windows\SysWOW64\4D3C0184.tmp (07a7daa188009040241d8ffcc0e9f760c30dae7599fbe12e7df755623d7a74d6.exe)
- File opened for modification: C:\Windows\SysWOW64\22276934.sys (07a7daa188009040241d8ffcc0e9f760c30dae7599fbe12e7df755623d7a74d6.exe)
- File opened for modification: C:\Windows\SysWOW64\404C5E23.sys (07a7daa188009040241d8ffcc0e9f760c30dae7599fbe12e7df755623d7a74d6.exe)
- File opened for modification: C:\Windows\SysWOW64\FastUserSwitchingCompatibility.dll (07a7daa188009040241d8ffcc0e9f760c30dae7599fbe12e7df755623d7a74d6.exe)
- File opened for modification: C:\Windows\SysWOW64\12E64342.sys (Svchost.exe)
- Note: every path here is under SysWOW64, not System32, even though the registry values above name system32. The sample runs as a 32-bit process on this x64 image (its launch of C:\Windows\system32\cmd.exe actually executed C:\Windows\SysWOW64\cmd.exe), so WOW64 file-system redirection sends its system32 writes to SysWOW64. The Svchost.exe that loads the DLL also runs from SysWOW64 and resolves system32 to the same directory, so the dropped files are found where the registry points.
Drops file in Windows directory (1 IoC)
- File created: C:\WINDOWS\KB2536276666.log (07a7daa188009040241d8ffcc0e9f760c30dae7599fbe12e7df755623d7a74d6.exe)
- Note: the file name mimics a Windows hotfix (KBnnnnnn) log; it was created by the sample, not by Windows Update.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Caveat: this is a generic heuristic. Nothing else in this report supports ransomware (no bulk file modification, no ransom note, and the Network section records nothing); the remaining signatures describe service-DLL and kernel-driver installation.
Suspicious behavior: EnumeratesProcesses (2 IoCs)
- Process: 07a7daa188009040241d8ffcc0e9f760c30dae7599fbe12e7df755623d7a74d6.exe (PID 2096), 2 occurrences
Suspicious behavior: LoadsDriver (1 IoC)
- Process: PID 660 (image name not given in the report)
Suspicious use of AdjustPrivilegeToken (1 IoC)
- Process: 07a7daa188009040241d8ffcc0e9f760c30dae7599fbe12e7df755623d7a74d6.exe (PID 2096)
- Token: SeLoadDriverPrivilege (the privilege required to load a kernel driver such as the one registered under Services\22276934)
Suspicious use of WriteProcessMemory (3 IoCs)
- Process: 07a7daa188009040241d8ffcc0e9f760c30dae7599fbe12e7df755623d7a74d6.exe (PID 2096) wrote to the memory of cmd.exe (PID 2288), 3 times
Processes

- C:\Users\Admin\AppData\Local\Temp\07a7daa188009040241d8ffcc0e9f760c30dae7599fbe12e7df755623d7a74d6.exe (PID 2096, top level)
  Command line: "C:\Users\Admin\AppData\Local\Temp\07a7daa188009040241d8ffcc0e9f760c30dae7599fbe12e7df755623d7a74d6.exe"
  - Sets DLL path for service in the registry
  - Sets service image path in registry
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 2288, child of 2096)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5872779e.bat" "
- C:\Windows\SysWOW64\Svchost.exe (PID 4960, top level)
  Command line: C:\Windows\SysWOW64\Svchost.exe -k netsvcs -s FastUserSwitchingCompatibility
  - Loads dropped DLL
  - Drops file in System32 directory
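The two registry signatures and the Svchost.exe entry in the process list describe one technique: drop a file, point a service at it, and let the service host (svchost for a ServiceDll, the kernel for an ImagePath driver) load it. The Python below is an added example, not part of this report or of the sandbox's own detection logic. It correlates file writes with ServiceDll/ImagePath registry writes made by the same process, over a constructed event list modelled on the rows above (the msiexec.exe row is a hypothetical benign control that sets a ServiceDll without having written the file), and then checks an svchost command line against the result. The event tuple layout, the EVENTS list and the function names are assumptions made for this example.

```python
import re
from pathlib import PureWindowsPath

SAMPLE = "07a7daa188009040241d8ffcc0e9f760c30dae7599fbe12e7df755623d7a74d6.exe"

# Constructed events modelled on the signature rows in the report; not sandbox output.
# Tuple layout (an assumption for this example): (process, event kind, indicator).
# A reg_set indicator is "key=data".
EVENTS = [
    (SAMPLE, "file_write", r"C:\Windows\SysWOW64\4D3C0184.tmp"),
    (SAMPLE, "file_write", r"C:\Windows\SysWOW64\22276934.sys"),
    (SAMPLE, "file_write", r"C:\Windows\SysWOW64\FastUserSwitchingCompatibility.dll"),
    (SAMPLE, "reg_set",
     r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\FastUserSwitchingCompatibility"
     r"\Parameters\ServiceDll=C:\Windows\system32\FastUserSwitchingCompatibility.dll"),
    (SAMPLE, "reg_set",
     r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\22276934\ImagePath=system32\22276934.sys"),
    # Hypothetical benign installer: registers a ServiceDll but never wrote that file itself.
    ("msiexec.exe", "reg_set",
     r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Vendor\Parameters\ServiceDll"
     r"=C:\Windows\system32\vendor.dll"),
]

# Matches ...\Services\<name>\Parameters\ServiceDll and ...\Services\<name>\ImagePath.
SERVICE_VALUE_RE = re.compile(
    r"\\Services\\(?P<svc>[^\\]+)(?:\\Parameters)?\\(?P<value>ServiceDll|ImagePath)$",
    re.IGNORECASE,
)


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path, with surrounding quotes removed."""
    return PureWindowsPath(path.strip().strip('"')).name.lower()


def correlate_service_installs(events):
    """Return registry writes that point a service at a file the same process dropped.

    Only the file name is compared, not the directory: a 32-bit process writing to
    C:\\Windows\\system32 is redirected to SysWOW64 by WOW64, while the registry data
    still says system32, which is exactly what the report above shows.
    """
    dropped = {}  # (process, file name) -> full path written
    for proc, kind, ioc in events:
        if kind == "file_write":
            dropped[(proc, _basename(ioc))] = ioc

    findings = []
    for proc, kind, ioc in events:
        if kind != "reg_set":
            continue
        key, sep, data = ioc.partition("=")
        if not sep:
            continue
        m = SERVICE_VALUE_RE.search(key.strip())
        if not m:
            continue
        dropped_path = dropped.get((proc, _basename(data)))
        if dropped_path is None:
            continue  # service points at a file this process did not write: not our pattern
        value = m.group("value")
        findings.append({
            "process": proc,
            "service": m.group("svc"),
            "value": value,
            "registry_data": data.strip(),
            "dropped_file": dropped_path,
            "technique": ("svchost service DLL" if value.lower() == "servicedll"
                          else "kernel driver ImagePath"),
        })
    return findings


# svchost.exe -k <group> -s <service>: the "-s" argument names the hosted service.
SVCHOST_RE = re.compile(r"svchost\.exe.*?-s\s+(?P<svc>\S+)", re.IGNORECASE)


def svchost_hosting_hijacked_service(cmdline, findings):
    """Return the service name if this svchost command line hosts a service whose
    ServiceDll was pointed at a dropped file, else None."""
    m = SVCHOST_RE.search(cmdline)
    if not m:
        return None
    hijacked = {f["service"].lower() for f in findings if f["value"].lower() == "servicedll"}
    svc = m.group("svc")
    return svc if svc.lower() in hijacked else None


if __name__ == "__main__":
    found = correlate_service_installs(EVENTS)
    for f in found:
        print(f"{f['technique']}: service {f['service']} -> {f['dropped_file']} ({f['process']})")
    host = r"C:\Windows\SysWOW64\Svchost.exe -k netsvcs -s FastUserSwitchingCompatibility"
    print("svchost hosts hijacked service:", svchost_hosting_hijacked_service(host, found))
```

Run against the constructed events, the two sample rows are flagged (one service DLL, one driver) and the msiexec.exe row is not, because that process never wrote vendor.dll. The same correlation works on real Sysmon or EDR telemetry once the events are mapped onto the (process, kind, indicator) tuples.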
Network
MITRE ATT&CK Enterprise v6
Downloads

- Filesize: 303B
  MD5: 1e611855983f9b09c203c5c9c85df4a3
  SHA1: 470675aacf485efebbc05c8bd063fac87e524bbf
  SHA256: 30c7447ef5e5e2a003784bcf322cf94a3e63e7e4d861ae2594df8aa60778c2f2
  SHA512: 4ec262d3ddd3aaea29317b0ecbfa8ef52c4d640f8370a964edbd4e4bd59f0486228b485c7862ee0bdf4222411e7241bb785b93e6f84ef49dc3ef6a64058de4b0
- Filesize: 25KB
  MD5: 622c4fc2bc6cbd965329dd0e2b5b24db
  SHA1: 0610310c0cc7e4005fdcf7d69b9810700efd7e19
  SHA256: 11399043af5c2bd53b60e05c8e37fd3711d1086d5a0b658dd26ebd57498aacae
  SHA512: b43c4f5a593ff9bd8d9490d2d23c8fb9f4c5117532ac73ee3335a6f3ab8b2ce3ceb843418a0b2e5e69c13a5bb2a575502ff2ba56a1f49baeeecddfb029c81cf5
- Filesize: 25KB (same content as the previous entry)
  MD5: 622c4fc2bc6cbd965329dd0e2b5b24db
  SHA1: 0610310c0cc7e4005fdcf7d69b9810700efd7e19
  SHA256: 11399043af5c2bd53b60e05c8e37fd3711d1086d5a0b658dd26ebd57498aacae
  SHA512: b43c4f5a593ff9bd8d9490d2d23c8fb9f4c5117532ac73ee3335a6f3ab8b2ce3ceb843418a0b2e5e69c13a5bb2a575502ff2ba56a1f49baeeecddfb029c81cf5