Analysis
- Max time kernel: 143s
- Max time network: 148s
- Platform: windows10-2004_x64
- Resource: win10v2004-20220901-en
- Resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- Submitted: 24-11-2022 10:01
- Static task: static1
- Behavioral task: behavioral1
  - Sample: a503681d40c61ed77e36a2cc6dfa713744754a46907f6be4072e55f06cd4446e.exe
  - Resource: win7-20221111-en
- Behavioral task: behavioral2
  - Sample: a503681d40c61ed77e36a2cc6dfa713744754a46907f6be4072e55f06cd4446e.exe
  - Resource: win10v2004-20220901-en
General
- Target: a503681d40c61ed77e36a2cc6dfa713744754a46907f6be4072e55f06cd4446e.exe
- Size: 5.8MB
- MD5: 9e28a598e94be94921938cb38162b5f5
- SHA1: d5255f860653112c66d6158a4cee6de51fd3cd0f
- SHA256: a503681d40c61ed77e36a2cc6dfa713744754a46907f6be4072e55f06cd4446e
- SHA512: 0cd61bcc67371965708e924190271a2ca3da7838248aa38d8730c031c3e24ff2963063d9b25fd06f5ed702867ca7e834806ed723eee0aa41db3670d228325430
- SSDEEP: 98304:Og2iA8+gmkdHaGVG8U0L23Scg0kNZVf2wDCTVcYQC/8V/ncQ1nO6UAahTuvgfC:5vmkdHaSG8Ahg0eZVfFeTVju/ncQdAAG
Signatures

Executes dropped EXE (2 IoCs)
Processes:
- PID 3864: ntsmss.exe
- PID 2744: svchost.exe
Resources matching YARA rule vmprotect:
- behavioral2/memory/2744-160-0x0000000180000000-0x00000001800C2000-memory.dmp
- behavioral2/memory/2744-162-0x0000000180000000-0x00000001800C2000-memory.dmp
- behavioral2/memory/2744-164-0x0000000180000000-0x00000001800C2000-memory.dmp
- C:\Users\Admin\AppData\Local\Temp\libcurl.dll (two dropped copies)
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
- Key value queried: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation (by a503681d40c61ed77e36a2cc6dfa713744754a46907f6be4072e55f06cd4446e.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation (by ntsmss.exe)
Loads dropped DLL (4 IoCs)
Processes:
- PID 2744: svchost.exe (4 DLL load events)
Adds Run key to start application (2 TTPs, 6 IoCs)
Processes:
- Key created: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce (by a503681d40c61ed77e36a2cc6dfa713744754a46907f6be4072e55f06cd4446e.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Windows Redis Service = "C:\\Users\\Admin\\AppData\\Roaming\\Redis\\ntsmss.exe" (by a503681d40c61ed77e36a2cc6dfa713744754a46907f6be4072e55f06cd4446e.exe)
- Key created: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce (by ntsmss.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Windows Redis Service = "C:\\Users\\Admin\\AppData\\Roaming\\Redis\\ntsmss.exe" (by ntsmss.exe)
- Key created: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run (by a503681d40c61ed77e36a2cc6dfa713744754a46907f6be4072e55f06cd4446e.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Redis Service = "C:\\Users\\Admin\\AppData\\Roaming\\Redis\\ntsmss.exe" (by a503681d40c61ed77e36a2cc6dfa713744754a46907f6be4072e55f06cd4446e.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Kills process with taskkill (8 IoCs)
Processes:
- taskkill.exe, PIDs 4116, 4184, 4036, 2656, 3152, 3800, 4704, 552
Modifies registry class (2 IoCs)
Processes:
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ (by a503681d40c61ed77e36a2cc6dfa713744754a46907f6be4072e55f06cd4446e.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ (by ntsmss.exe)
Suspicious behavior: EnumeratesProcesses (6 IoCs)
Processes:
- PID 1592: a503681d40c61ed77e36a2cc6dfa713744754a46907f6be4072e55f06cd4446e.exe (4 events)
- PID 3864: ntsmss.exe (2 events)
Suspicious use of AdjustPrivilegeToken (9 IoCs)
Processes:
- Token: SeDebugPrivilege, taskkill.exe PIDs 2656, 3800, 3152, 4704, 552, 4184, 4116, 4036
- Token: SeLockMemoryPrivilege, PID 2744 svchost.exe
Suspicious use of WriteProcessMemory (29 IoCs)
Processes:
- PID 1592 (a503681d40c61ed77e36a2cc6dfa713744754a46907f6be4072e55f06cd4446e.exe) wrote to memory of:
  - PID 2656 taskkill.exe (3 events)
  - PID 3800 taskkill.exe (3 events)
  - PID 3152 taskkill.exe (3 events)
  - PID 4704 taskkill.exe (3 events)
  - PID 3864 ntsmss.exe (3 events)
- PID 3864 (ntsmss.exe) wrote to memory of:
  - PID 552 taskkill.exe (3 events)
  - PID 4116 taskkill.exe (3 events)
  - PID 4184 taskkill.exe (3 events)
  - PID 4036 taskkill.exe (3 events)
  - PID 2744 svchost.exe (2 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\a503681d40c61ed77e36a2cc6dfa713744754a46907f6be4072e55f06cd4446e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a503681d40c61ed77e36a2cc6dfa713744754a46907f6be4072e55f06cd4446e.exe"
  Signatures: Checks computer location settings; Adds Run key to start application; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\taskkill.exe
    Command line: "C:\Windows\System32\taskkill.exe" /f /im CheckServer.exe
    Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\taskkill.exe
    Command line: "C:\Windows\System32\taskkill.exe" /f /im WerFault.exe
    Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\taskkill.exe
    Command line: "C:\Windows\System32\taskkill.exe" /f /im cmd.exe
    Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\taskkill.exe
    Command line: "C:\Windows\System32\taskkill.exe" /f /im exceptionfilter.exe
    Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Roaming\Redis\ntsmss.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Redis\ntsmss.exe" C:\Users\Admin\AppData\Local\Temp\a503681d40c61ed77e36a2cc6dfa713744754a46907f6be4072e55f06cd4446e.exe
    Signatures: Executes dropped EXE; Checks computer location settings; Adds Run key to start application; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\taskkill.exe
      Command line: "C:\Windows\System32\taskkill.exe" /f /im CheckServer.exe
      Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\taskkill.exe
      Command line: "C:\Windows\System32\taskkill.exe" /f /im cmd.exe
      Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\taskkill.exe
      Command line: "C:\Windows\System32\taskkill.exe" /f /im WerFault.exe
      Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\taskkill.exe
      Command line: "C:\Windows\System32\taskkill.exe" /f /im exceptionfilter.exe
      Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    - C:\Users\Admin\AppData\Local\Temp\svchost.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\svchost.exe" -a cryptonight -o stratum+tcp://pool.cryptoescrow.eu:3333 -u 46sSETXrZGT8bupxdc2MAbLe3PMV9nJTRTE5uaFErXFz6ymyzVdH86KDb9TNoG4ny5QLELfopynWeBSMoT1M2Ga8RBkDqTH -p x -t 2
      Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of AdjustPrivilegeToken
Downloads (dropped files)
- C:\Users\Admin\AppData\Local\Temp\MSVCR100.dll (also dropped as msvcr100.dll), 809KB
  - MD5: 366fd6f3a451351b5df2d7c4ecf4c73a
  - SHA1: 50db750522b9630757f91b53df377fd4ed4e2d66
  - SHA256: ae3cb6c6afba9a4aa5c85f66023c35338ca579b30326dd02918f9d55259503d5
  - SHA512: 2de764772b68a85204b7435c87e9409d753c2196cf5b2f46e7796c99a33943e167f62a92e8753eaa184cd81fb14361e83228eb1b474e0c3349ed387ec93e6130
- C:\Users\Admin\AppData\Local\Temp\libcurl.dll, 341KB
  - MD5: d1c5379a98047acadaf97b35dcb239e3
  - SHA1: 9b60fcab990cbbb237b15e6a52e29ffabca13760
  - SHA256: 90100f13e683e8ea8196a938a9f1aad8888211a395afaba6bb55359767e00f26
  - SHA512: acd489256514510ff23500d9340533d4dac3e362d8f38ebf9e46fffb051b75bfd844e325ffd39b980114f718e09b3cdf01716600e14d9263ad139e0119bec841
- C:\Users\Admin\AppData\Local\Temp\pthreadVC2.dll, 81KB
  - MD5: 4a502706d149c2f5854131a7758a90e2
  - SHA1: 845842f909769a673138553748ad09e609ec3e17
  - SHA256: 0e6af724609ef6846982ef717013426c359c455fff324e906d8d55c8bb88d16e
  - SHA512: 1cdc7d92dfee299850fe8703509e3cf33470470d239b27ca9d5760d3fd01775c3512b80e4b9bdca9f782c2193be0c0a554c1bb37c1a99e435e96e14902386161
- C:\Users\Admin\AppData\Local\Temp\svchost.exe, 210KB
  - MD5: f269f2f43288c764d42ad78a6f2b09cb
  - SHA1: aefafdcb035f361e8786ce4e10e122684c674cbe
  - SHA256: 3017c9c2d33d932e7180103cf86996d0df6de73c86eebd3f6425be188d8bcb93
  - SHA512: 278f11d99ef8f393155151031273550de66526220f790646c343a7ce0114f37a4758d575e17ffeab74a5ccb77a8f139577ee0513478704f6422a0543b73a4b5d
- C:\Users\Admin\AppData\Roaming\Redis\ntsmss.exe, 5.8MB (identical to the submitted sample)
  - MD5: 9e28a598e94be94921938cb38162b5f5
  - SHA1: d5255f860653112c66d6158a4cee6de51fd3cd0f
  - SHA256: a503681d40c61ed77e36a2cc6dfa713744754a46907f6be4072e55f06cd4446e
  - SHA512: 0cd61bcc67371965708e924190271a2ca3da7838248aa38d8730c031c3e24ff2963063d9b25fd06f5ed702867ca7e834806ed723eee0aa41db3670d228325430