Analysis
-
max time kernel
188s -
max time network
201s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
-
submitted
23-11-2022 15:59
General
-
Target
99f23c3c2d12d62d0e7e5c964dfb5324aaa5e7ec644c3f0114ff52907a6a5101.exe
-
Size
45KB
-
MD5
2ef681a786b69beb672d79c789e3f15d
-
SHA1
b1181ba425a28b04f81d9ec319eed202695b3237
-
SHA256
99f23c3c2d12d62d0e7e5c964dfb5324aaa5e7ec644c3f0114ff52907a6a5101
-
SHA512
4b3948d86b7ed52c8ab1061b054f2df19a4620c8896161b394a952b1b13f7ce7490148776a71f53b30495d8b0067a7e592406ed916802b74d7ed60268f318ed6
-
SSDEEP
768:E1AuwHyeFo6NPIFAoslbf8eRYLGXdoIFbb5omuKWcbsvwnoT9D88888888888JXz:EOxyeFo6NPCAosxYyXdF5oy3VoKz
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 8 IoCs
-
Modifies visibility of file extensions in Explorer 2 TTPs 4 IoCs
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 4 IoCs
-
Executes dropped EXE 12 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops desktop.ini file(s) 1 IoCs
-
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Program Files directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 29 IoCs
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SetWindowsHookEx 22 IoCs
-
Suspicious use of WriteProcessMemory 44 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\99f23c3c2d12d62d0e7e5c964dfb5324aaa5e7ec644c3f0114ff52907a6a5101.exe"C:\Users\Admin\AppData\Local\Temp\99f23c3c2d12d62d0e7e5c964dfb5324aaa5e7ec644c3f0114ff52907a6a5101.exe"1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Checks computer location settings
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\recycled\SVCHOST.EXEC:\recycled\SVCHOST.EXE :agent2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\recycled\SVCHOST.EXEC:\recycled\SVCHOST.EXE :agent3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\recycled\SPOOLSV.EXEC:\recycled\SPOOLSV.EXE :agent3⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\recycled\SVCHOST.EXEC:\recycled\SVCHOST.EXE :agent4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\recycled\SPOOLSV.EXEC:\recycled\SPOOLSV.EXE :agent4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\recycled\CTFMON.EXEC:\recycled\CTFMON.EXE :agent4⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\recycled\SVCHOST.EXEC:\recycled\SVCHOST.EXE :agent5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\recycled\SPOOLSV.EXEC:\recycled\SPOOLSV.EXE :agent5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\recycled\CTFMON.EXEC:\recycled\CTFMON.EXE :agent5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\recycled\CTFMON.EXEC:\recycled\CTFMON.EXE :agent3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\userinit.exeC:\Windows\system32\userinit.exe3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Explorer.exeExplorer.exe "C:\recycled\SVCHOST.exe"4⤵
-
C:\recycled\SPOOLSV.EXEC:\recycled\SPOOLSV.EXE :agent2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\recycled\CTFMON.EXEC:\recycled\CTFMON.EXE :agent2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\99f23c3c2d12d62d0e7e5c964dfb5324aaa5e7ec644c3f0114ff52907a6a5101.doc" /o ""2⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding1⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
45KB
MD59315473e37ca66146252d2a1e9d79c60
SHA1e2309a53deac6aa0e89cc8ca48d4c241360158d5
SHA2568130396cf95b15218d0fc4362a4e062fa5e8d51125841be1668d79a192815d95
SHA512d1ec01f6cd6638517e8f1c2ad64b40ad972d82e67f9a87e3b3ec0319813371c4dbb8fd047f1fde211ad5215a0173de7f3b62631e7e3b2cf19dea4bf4121ba504
-
Filesize
45KB
MD59315473e37ca66146252d2a1e9d79c60
SHA1e2309a53deac6aa0e89cc8ca48d4c241360158d5
SHA2568130396cf95b15218d0fc4362a4e062fa5e8d51125841be1668d79a192815d95
SHA512d1ec01f6cd6638517e8f1c2ad64b40ad972d82e67f9a87e3b3ec0319813371c4dbb8fd047f1fde211ad5215a0173de7f3b62631e7e3b2cf19dea4bf4121ba504
-
Filesize
45KB
MD59315473e37ca66146252d2a1e9d79c60
SHA1e2309a53deac6aa0e89cc8ca48d4c241360158d5
SHA2568130396cf95b15218d0fc4362a4e062fa5e8d51125841be1668d79a192815d95
SHA512d1ec01f6cd6638517e8f1c2ad64b40ad972d82e67f9a87e3b3ec0319813371c4dbb8fd047f1fde211ad5215a0173de7f3b62631e7e3b2cf19dea4bf4121ba504
-
Filesize
45KB
MD59315473e37ca66146252d2a1e9d79c60
SHA1e2309a53deac6aa0e89cc8ca48d4c241360158d5
SHA2568130396cf95b15218d0fc4362a4e062fa5e8d51125841be1668d79a192815d95
SHA512d1ec01f6cd6638517e8f1c2ad64b40ad972d82e67f9a87e3b3ec0319813371c4dbb8fd047f1fde211ad5215a0173de7f3b62631e7e3b2cf19dea4bf4121ba504
-
Filesize
45KB
MD5c3603cf0d46567863326ca9c272a12c6
SHA13224eefb24307de22cffc421f300f9b8fafa5e3c
SHA256effad64c04fe3148bb4207d29e9cff9771d9897e1c38ff891d2bbb8a435888ff
SHA512616a22f2653fa62f7ed7d6ac769dc4e777ea1a20a780b19bfc49115fbf703efeea24f4221e2fedb664add01da1164420f5698e625d78199dac2f428ac21b3019
-
Filesize
45KB
MD5c3603cf0d46567863326ca9c272a12c6
SHA13224eefb24307de22cffc421f300f9b8fafa5e3c
SHA256effad64c04fe3148bb4207d29e9cff9771d9897e1c38ff891d2bbb8a435888ff
SHA512616a22f2653fa62f7ed7d6ac769dc4e777ea1a20a780b19bfc49115fbf703efeea24f4221e2fedb664add01da1164420f5698e625d78199dac2f428ac21b3019
-
Filesize
45KB
MD5c3603cf0d46567863326ca9c272a12c6
SHA13224eefb24307de22cffc421f300f9b8fafa5e3c
SHA256effad64c04fe3148bb4207d29e9cff9771d9897e1c38ff891d2bbb8a435888ff
SHA512616a22f2653fa62f7ed7d6ac769dc4e777ea1a20a780b19bfc49115fbf703efeea24f4221e2fedb664add01da1164420f5698e625d78199dac2f428ac21b3019
-
Filesize
45KB
MD5c3603cf0d46567863326ca9c272a12c6
SHA13224eefb24307de22cffc421f300f9b8fafa5e3c
SHA256effad64c04fe3148bb4207d29e9cff9771d9897e1c38ff891d2bbb8a435888ff
SHA512616a22f2653fa62f7ed7d6ac769dc4e777ea1a20a780b19bfc49115fbf703efeea24f4221e2fedb664add01da1164420f5698e625d78199dac2f428ac21b3019
-
Filesize
45KB
MD5c14602994f65b9a9b6705bde7057c2d0
SHA1d504ff5a8c0a68e1b5ae172922999b0b64c30407
SHA256a4ceddbff4bd53863f2c4fde3e55bba040125370b95e13d7c5e9168976b4efc0
SHA51243c9037448109f83740265a0d9026831468df400e83d4f6a80c7bca1999fa3e2f15393bfe0c129a2f79b6bac49711845db6835af5aa3d035897908958c39ee1c
-
Filesize
45KB
MD5c14602994f65b9a9b6705bde7057c2d0
SHA1d504ff5a8c0a68e1b5ae172922999b0b64c30407
SHA256a4ceddbff4bd53863f2c4fde3e55bba040125370b95e13d7c5e9168976b4efc0
SHA51243c9037448109f83740265a0d9026831468df400e83d4f6a80c7bca1999fa3e2f15393bfe0c129a2f79b6bac49711845db6835af5aa3d035897908958c39ee1c
-
Filesize
45KB
MD5c14602994f65b9a9b6705bde7057c2d0
SHA1d504ff5a8c0a68e1b5ae172922999b0b64c30407
SHA256a4ceddbff4bd53863f2c4fde3e55bba040125370b95e13d7c5e9168976b4efc0
SHA51243c9037448109f83740265a0d9026831468df400e83d4f6a80c7bca1999fa3e2f15393bfe0c129a2f79b6bac49711845db6835af5aa3d035897908958c39ee1c
-
Filesize
45KB
MD5c14602994f65b9a9b6705bde7057c2d0
SHA1d504ff5a8c0a68e1b5ae172922999b0b64c30407
SHA256a4ceddbff4bd53863f2c4fde3e55bba040125370b95e13d7c5e9168976b4efc0
SHA51243c9037448109f83740265a0d9026831468df400e83d4f6a80c7bca1999fa3e2f15393bfe0c129a2f79b6bac49711845db6835af5aa3d035897908958c39ee1c
-
Filesize
65B
MD5ad0b0b4416f06af436328a3c12dc491b
SHA1743c7ad130780de78ccbf75aa6f84298720ad3fa
SHA25623521de51ca1db2bc7b18e41de7693542235284667bf85f6c31902547a947416
SHA512884cd0cae3b31a594f387dae94fc1e0aacb4fd833f8a3368bdec7de0f9f3dc44337c7318895d9549aad579f95de71ff45e1618e75065a04c7894ad1d0d0eac56
-
Filesize
1KB
MD50269b6347e473980c5378044ac67aa1f
SHA1c3334de50e320ad8bce8398acff95c363d039245
SHA25668f5bd85c17975419bb4eacf615286d749bcb951e487813361837580b39ffee2
SHA512e5c525fe688ecd3926ae634a61dc48c4837d7e56aae00b22e4f7d824df804cb536f6df077d5f6c67f63f73832ba00249ed3a75ed40ec9db6e026041b28404d7b
-
Filesize
1KB
MD50269b6347e473980c5378044ac67aa1f
SHA1c3334de50e320ad8bce8398acff95c363d039245
SHA25668f5bd85c17975419bb4eacf615286d749bcb951e487813361837580b39ffee2
SHA512e5c525fe688ecd3926ae634a61dc48c4837d7e56aae00b22e4f7d824df804cb536f6df077d5f6c67f63f73832ba00249ed3a75ed40ec9db6e026041b28404d7b
-
Filesize
1KB
MD50269b6347e473980c5378044ac67aa1f
SHA1c3334de50e320ad8bce8398acff95c363d039245
SHA25668f5bd85c17975419bb4eacf615286d749bcb951e487813361837580b39ffee2
SHA512e5c525fe688ecd3926ae634a61dc48c4837d7e56aae00b22e4f7d824df804cb536f6df077d5f6c67f63f73832ba00249ed3a75ed40ec9db6e026041b28404d7b
-
Filesize
45KB
MD59315473e37ca66146252d2a1e9d79c60
SHA1e2309a53deac6aa0e89cc8ca48d4c241360158d5
SHA2568130396cf95b15218d0fc4362a4e062fa5e8d51125841be1668d79a192815d95
SHA512d1ec01f6cd6638517e8f1c2ad64b40ad972d82e67f9a87e3b3ec0319813371c4dbb8fd047f1fde211ad5215a0173de7f3b62631e7e3b2cf19dea4bf4121ba504
-
Filesize
45KB
MD5c3603cf0d46567863326ca9c272a12c6
SHA13224eefb24307de22cffc421f300f9b8fafa5e3c
SHA256effad64c04fe3148bb4207d29e9cff9771d9897e1c38ff891d2bbb8a435888ff
SHA512616a22f2653fa62f7ed7d6ac769dc4e777ea1a20a780b19bfc49115fbf703efeea24f4221e2fedb664add01da1164420f5698e625d78199dac2f428ac21b3019
-
Filesize
45KB
MD5c14602994f65b9a9b6705bde7057c2d0
SHA1d504ff5a8c0a68e1b5ae172922999b0b64c30407
SHA256a4ceddbff4bd53863f2c4fde3e55bba040125370b95e13d7c5e9168976b4efc0
SHA51243c9037448109f83740265a0d9026831468df400e83d4f6a80c7bca1999fa3e2f15393bfe0c129a2f79b6bac49711845db6835af5aa3d035897908958c39ee1c
-
-
Filesize
104KB
-
-
-
Filesize
104KB
-
Filesize
104KB
-
Filesize
104KB
-
-
-
Filesize
104KB
-
Filesize
104KB
-
-
Filesize
104KB
-
-
Filesize
104KB
-
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
-
Filesize
104KB
-
-
Filesize
104KB
-
-
Filesize
104KB
-
-
Filesize
104KB
-
Filesize
104KB
-
Filesize
104KB
-
-
Filesize
104KB
-
-
Filesize
104KB
-
-
Filesize
104KB
-
Filesize
104KB