Analysis
-
max time kernel
151s -
max time network
180s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
-
submitted
23-11-2022 18:42
General
-
Target
5407dbb9181ebcadac5ee9c8221b74af0381d2913c997e654523971eaf8de376.exe
-
Size
45KB
-
MD5
45a70b0a189b7fd233ffcf8c6d660431
-
SHA1
e52089d3c4b945048faea1fe72a10cb06c3150df
-
SHA256
5407dbb9181ebcadac5ee9c8221b74af0381d2913c997e654523971eaf8de376
-
SHA512
337a37ab912bf1392ae12f4eb977355aed341448b9b7df36cd09e9555d084487c5d29b22ad1c993e386719d0f7b92effdb25aee5dc7270341df3ae9a279ae11f
-
SSDEEP
768:E1AuwHyeFo6NPIFAoslbf8eRYLGXdoIFbb5omuKWcbsvwnoT9D88888888888JXH:EOxyeFo6NPCAosxYyXdF5oy3VoKH
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 8 IoCs
-
Modifies visibility of file extensions in Explorer 2 TTPs 4 IoCs
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 4 IoCs
-
Executes dropped EXE 12 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops desktop.ini file(s) 1 IoCs
-
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Program Files directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 29 IoCs
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SetWindowsHookEx 22 IoCs
-
Suspicious use of WriteProcessMemory 44 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\5407dbb9181ebcadac5ee9c8221b74af0381d2913c997e654523971eaf8de376.exe"C:\Users\Admin\AppData\Local\Temp\5407dbb9181ebcadac5ee9c8221b74af0381d2913c997e654523971eaf8de376.exe"1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Checks computer location settings
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\recycled\SVCHOST.EXEC:\recycled\SVCHOST.EXE :agent2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\recycled\SVCHOST.EXEC:\recycled\SVCHOST.EXE :agent3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\recycled\SPOOLSV.EXEC:\recycled\SPOOLSV.EXE :agent3⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\recycled\SVCHOST.EXEC:\recycled\SVCHOST.EXE :agent4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\recycled\SPOOLSV.EXEC:\recycled\SPOOLSV.EXE :agent4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\recycled\CTFMON.EXEC:\recycled\CTFMON.EXE :agent4⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Enumerates connected drives
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\recycled\SVCHOST.EXEC:\recycled\SVCHOST.EXE :agent5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\recycled\SPOOLSV.EXEC:\recycled\SPOOLSV.EXE :agent5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\recycled\CTFMON.EXEC:\recycled\CTFMON.EXE :agent5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
-
-
C:\recycled\CTFMON.EXEC:\recycled\CTFMON.EXE :agent3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\userinit.exeC:\Windows\system32\userinit.exe3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Explorer.exeExplorer.exe "C:\recycled\SVCHOST.exe"4⤵
-
-
-
-
C:\recycled\SPOOLSV.EXEC:\recycled\SPOOLSV.EXE :agent2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\recycled\CTFMON.EXEC:\recycled\CTFMON.EXE :agent2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\5407dbb9181ebcadac5ee9c8221b74af0381d2913c997e654523971eaf8de376.doc" /o ""2⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding1⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
45KB
MD5ec50ac3228e078ad2bdfaf08fad058f6
SHA17a9035d7c774f78b6006dd17dbf8b0f8123769d9
SHA25660b4b0dea918e1b34fe85f28fb8aba042afd47a60735e8d3e41c8c30047e1003
SHA51238071127356f689e33b915234a335e51283f860a92a3c9109c6b73f1102f746c83ffa4f22b7938d816b9d9628f5ac3231d4e90a93f65e222f23f64d64e4004b5
-
Filesize
45KB
MD5ec50ac3228e078ad2bdfaf08fad058f6
SHA17a9035d7c774f78b6006dd17dbf8b0f8123769d9
SHA25660b4b0dea918e1b34fe85f28fb8aba042afd47a60735e8d3e41c8c30047e1003
SHA51238071127356f689e33b915234a335e51283f860a92a3c9109c6b73f1102f746c83ffa4f22b7938d816b9d9628f5ac3231d4e90a93f65e222f23f64d64e4004b5
-
Filesize
45KB
MD5ec50ac3228e078ad2bdfaf08fad058f6
SHA17a9035d7c774f78b6006dd17dbf8b0f8123769d9
SHA25660b4b0dea918e1b34fe85f28fb8aba042afd47a60735e8d3e41c8c30047e1003
SHA51238071127356f689e33b915234a335e51283f860a92a3c9109c6b73f1102f746c83ffa4f22b7938d816b9d9628f5ac3231d4e90a93f65e222f23f64d64e4004b5
-
Filesize
45KB
MD5ec50ac3228e078ad2bdfaf08fad058f6
SHA17a9035d7c774f78b6006dd17dbf8b0f8123769d9
SHA25660b4b0dea918e1b34fe85f28fb8aba042afd47a60735e8d3e41c8c30047e1003
SHA51238071127356f689e33b915234a335e51283f860a92a3c9109c6b73f1102f746c83ffa4f22b7938d816b9d9628f5ac3231d4e90a93f65e222f23f64d64e4004b5
-
Filesize
45KB
MD5deb6c5bbf55845566e3b66508dad7896
SHA199397f4f9a405e5aa62226a9b4cce9b80618bb3c
SHA2566dfb01c33ba553d791861cb23560c8723b1e30e0c9dba4ae979c45a9a29f6ee2
SHA512667efe4476eeece3ae2e8afb070908be27efb50ee3c546c54850558f0f0e04e97f47d8a0c30b956cf7ecbe684a57a76397fb68b11d8b62c563919181ff5be561
-
Filesize
45KB
MD5deb6c5bbf55845566e3b66508dad7896
SHA199397f4f9a405e5aa62226a9b4cce9b80618bb3c
SHA2566dfb01c33ba553d791861cb23560c8723b1e30e0c9dba4ae979c45a9a29f6ee2
SHA512667efe4476eeece3ae2e8afb070908be27efb50ee3c546c54850558f0f0e04e97f47d8a0c30b956cf7ecbe684a57a76397fb68b11d8b62c563919181ff5be561
-
Filesize
45KB
MD5deb6c5bbf55845566e3b66508dad7896
SHA199397f4f9a405e5aa62226a9b4cce9b80618bb3c
SHA2566dfb01c33ba553d791861cb23560c8723b1e30e0c9dba4ae979c45a9a29f6ee2
SHA512667efe4476eeece3ae2e8afb070908be27efb50ee3c546c54850558f0f0e04e97f47d8a0c30b956cf7ecbe684a57a76397fb68b11d8b62c563919181ff5be561
-
Filesize
45KB
MD5deb6c5bbf55845566e3b66508dad7896
SHA199397f4f9a405e5aa62226a9b4cce9b80618bb3c
SHA2566dfb01c33ba553d791861cb23560c8723b1e30e0c9dba4ae979c45a9a29f6ee2
SHA512667efe4476eeece3ae2e8afb070908be27efb50ee3c546c54850558f0f0e04e97f47d8a0c30b956cf7ecbe684a57a76397fb68b11d8b62c563919181ff5be561
-
Filesize
45KB
MD563ce81d618145528bf1072fbd6174b4a
SHA1fba47c1347c9b6c90bfb5701ddd9aca925aea865
SHA2564f7d791eb57c19a1f84a6cd103dd26ca61a3620d683a5e0137001b908c0602b0
SHA512e8a69b6badd12ed138e91ec373efd502c2c747a389c17dd7b809b2d0bb34c317562c322dedfadd76a987bfec3151cc97fabea288ecea26e0d2d3d4f31c04964f
-
Filesize
45KB
MD563ce81d618145528bf1072fbd6174b4a
SHA1fba47c1347c9b6c90bfb5701ddd9aca925aea865
SHA2564f7d791eb57c19a1f84a6cd103dd26ca61a3620d683a5e0137001b908c0602b0
SHA512e8a69b6badd12ed138e91ec373efd502c2c747a389c17dd7b809b2d0bb34c317562c322dedfadd76a987bfec3151cc97fabea288ecea26e0d2d3d4f31c04964f
-
Filesize
45KB
MD563ce81d618145528bf1072fbd6174b4a
SHA1fba47c1347c9b6c90bfb5701ddd9aca925aea865
SHA2564f7d791eb57c19a1f84a6cd103dd26ca61a3620d683a5e0137001b908c0602b0
SHA512e8a69b6badd12ed138e91ec373efd502c2c747a389c17dd7b809b2d0bb34c317562c322dedfadd76a987bfec3151cc97fabea288ecea26e0d2d3d4f31c04964f
-
Filesize
45KB
MD563ce81d618145528bf1072fbd6174b4a
SHA1fba47c1347c9b6c90bfb5701ddd9aca925aea865
SHA2564f7d791eb57c19a1f84a6cd103dd26ca61a3620d683a5e0137001b908c0602b0
SHA512e8a69b6badd12ed138e91ec373efd502c2c747a389c17dd7b809b2d0bb34c317562c322dedfadd76a987bfec3151cc97fabea288ecea26e0d2d3d4f31c04964f
-
Filesize
65B
MD5ad0b0b4416f06af436328a3c12dc491b
SHA1743c7ad130780de78ccbf75aa6f84298720ad3fa
SHA25623521de51ca1db2bc7b18e41de7693542235284667bf85f6c31902547a947416
SHA512884cd0cae3b31a594f387dae94fc1e0aacb4fd833f8a3368bdec7de0f9f3dc44337c7318895d9549aad579f95de71ff45e1618e75065a04c7894ad1d0d0eac56
-
Filesize
1KB
MD50269b6347e473980c5378044ac67aa1f
SHA1c3334de50e320ad8bce8398acff95c363d039245
SHA25668f5bd85c17975419bb4eacf615286d749bcb951e487813361837580b39ffee2
SHA512e5c525fe688ecd3926ae634a61dc48c4837d7e56aae00b22e4f7d824df804cb536f6df077d5f6c67f63f73832ba00249ed3a75ed40ec9db6e026041b28404d7b
-
Filesize
1KB
MD50269b6347e473980c5378044ac67aa1f
SHA1c3334de50e320ad8bce8398acff95c363d039245
SHA25668f5bd85c17975419bb4eacf615286d749bcb951e487813361837580b39ffee2
SHA512e5c525fe688ecd3926ae634a61dc48c4837d7e56aae00b22e4f7d824df804cb536f6df077d5f6c67f63f73832ba00249ed3a75ed40ec9db6e026041b28404d7b
-
Filesize
1KB
MD50269b6347e473980c5378044ac67aa1f
SHA1c3334de50e320ad8bce8398acff95c363d039245
SHA25668f5bd85c17975419bb4eacf615286d749bcb951e487813361837580b39ffee2
SHA512e5c525fe688ecd3926ae634a61dc48c4837d7e56aae00b22e4f7d824df804cb536f6df077d5f6c67f63f73832ba00249ed3a75ed40ec9db6e026041b28404d7b
-
Filesize
45KB
MD5ec50ac3228e078ad2bdfaf08fad058f6
SHA17a9035d7c774f78b6006dd17dbf8b0f8123769d9
SHA25660b4b0dea918e1b34fe85f28fb8aba042afd47a60735e8d3e41c8c30047e1003
SHA51238071127356f689e33b915234a335e51283f860a92a3c9109c6b73f1102f746c83ffa4f22b7938d816b9d9628f5ac3231d4e90a93f65e222f23f64d64e4004b5
-
Filesize
45KB
MD5deb6c5bbf55845566e3b66508dad7896
SHA199397f4f9a405e5aa62226a9b4cce9b80618bb3c
SHA2566dfb01c33ba553d791861cb23560c8723b1e30e0c9dba4ae979c45a9a29f6ee2
SHA512667efe4476eeece3ae2e8afb070908be27efb50ee3c546c54850558f0f0e04e97f47d8a0c30b956cf7ecbe684a57a76397fb68b11d8b62c563919181ff5be561
-
Filesize
45KB
MD563ce81d618145528bf1072fbd6174b4a
SHA1fba47c1347c9b6c90bfb5701ddd9aca925aea865
SHA2564f7d791eb57c19a1f84a6cd103dd26ca61a3620d683a5e0137001b908c0602b0
SHA512e8a69b6badd12ed138e91ec373efd502c2c747a389c17dd7b809b2d0bb34c317562c322dedfadd76a987bfec3151cc97fabea288ecea26e0d2d3d4f31c04964f
-
-
-
Filesize
104KB
-
-
Filesize
104KB
-
Filesize
104KB
-
-
-
Filesize
104KB
-
Filesize
104KB
-
-
Filesize
104KB
-
Filesize
104KB
-
-
-
Filesize
104KB
-
Filesize
104KB
-
-
Filesize
104KB
-
Filesize
104KB
-
-
Filesize
104KB
-
Filesize
104KB
-
-
Filesize
104KB
-
Filesize
104KB
-
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
104KB
-
Filesize
104KB
-
Filesize
104KB
-
-
Filesize
104KB
-
Filesize
104KB
-