Overview

overview

10

Static

static

5a3f6cc043...bf.exe

windows7-x64

10

5a3f6cc043...bf.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    187s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-11-2022 18:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5a3f6cc04387e8a57f21287d26402315eba8e35e0a94c41c2846b38ce1da9ebf.exe

  • Size

    764KB

  • MD5

    42f70bedacf7d2612c6ef75de040729d

  • SHA1

    2b264c72a82754b3bd00f124e403156f3cb447f3

  • SHA256

    5a3f6cc04387e8a57f21287d26402315eba8e35e0a94c41c2846b38ce1da9ebf

  • SHA512

    e9b83bebb88fb7c8bb450cdd3143d335a4ec8c84231bff3c64b3ff99e1397c367a5ad5886afc1971865c5b13f166d0726e8e04da48b9f03e6dcb1ed535a58a5e

  • SSDEEP

    12288:d0cFUNlKi46Dk3tDJtoDW31puSyDTgqd7kmAN6omFMb3sGB6UduRfLas:i+Ua6Y3tDHom7KTfd7kBN6dMb3DY

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies firewall policy service 2 TTPs 10 IoCs
    evasion
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry key 1 TTPs 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 35 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5a3f6cc04387e8a57f21287d26402315eba8e35e0a94c41c2846b38ce1da9ebf.exe
    "C:\Users\Admin\AppData\Local\Temp\5a3f6cc04387e8a57f21287d26402315eba8e35e0a94c41c2846b38ce1da9ebf.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3304
    • C:\Users\Admin\AppData\Roaming\svchost.exe
      "C:\Users\Admin\AppData\Roaming\svchost.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1956
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1948
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          4⤵
          • Modifies firewall policy service
          • Modifies registry key
          PID:3920
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\svchost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\svchost.exe:*:Enabled:Windows Messanger" /f
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:756
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\svchost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\svchost.exe:*:Enabled:Windows Messanger" /f
          4⤵
          • Modifies firewall policy service
          • Modifies registry key
          PID:3480
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1364
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          4⤵
          • Modifies firewall policy service
          • Modifies registry key
          PID:4304
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\local.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\local.exe:*:Enabled:Windows Messanger" /f
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1620
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\local.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\local.exe:*:Enabled:Windows Messanger" /f
          4⤵
          • Modifies firewall policy service
          • Modifies registry key
          PID:3132

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1
T1031

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

3
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\svchost.exe
    Filesize

    336KB

    MD5

    7491f5d9adb60b1d54cc827d205b242b

    SHA1

    8e9906bcaa3ac2c8b70c25ad566caf191c6d88a6

    SHA256

    1c56ff9a986dccf1879dea578ef61f88e44ddae942103be2b243c7a9b3aeedf8

    SHA512

    5aa1c96a665887b7957cae5c2f009e2cb4e5f259c88c604eaca705a62276986528165dc758ebc3365dfc34dfa7d5a1dbf20712fe0f0930c7cfd8f2fdae2c7140

    Download Submit
  • C:\Users\Admin\AppData\Roaming\svchost.exe
    Filesize

    336KB

    MD5

    7491f5d9adb60b1d54cc827d205b242b

    SHA1

    8e9906bcaa3ac2c8b70c25ad566caf191c6d88a6

    SHA256

    1c56ff9a986dccf1879dea578ef61f88e44ddae942103be2b243c7a9b3aeedf8

    SHA512

    5aa1c96a665887b7957cae5c2f009e2cb4e5f259c88c604eaca705a62276986528165dc758ebc3365dfc34dfa7d5a1dbf20712fe0f0930c7cfd8f2fdae2c7140

    Download Submit
  • memory/756-139-0x0000000000000000-mapping.dmp
    Download
  • memory/1364-140-0x0000000000000000-mapping.dmp
    Download
  • memory/1620-141-0x0000000000000000-mapping.dmp
    Download
  • memory/1948-138-0x0000000000000000-mapping.dmp
    Download
  • memory/1956-132-0x0000000000000000-mapping.dmp
    Download
  • memory/3132-143-0x0000000000000000-mapping.dmp
    Download
  • memory/3480-144-0x0000000000000000-mapping.dmp
    Download
  • memory/3920-145-0x0000000000000000-mapping.dmp
    Download
  • memory/4304-142-0x0000000000000000-mapping.dmp
    Download