Analysis

max time kernel: 156s
max time network: 174s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64 arch:x86 image:win10v2004-20221111-en locale:en-us os:windows10-2004-x64 system
submitted: 25-11-2022 03:26
Static task: static1

Behavioral task: behavioral1
  Sample: 036de6e9928865caeced1bae00bdb55d.exe
  Resource: win7-20221111-en

Behavioral task: behavioral2
  Sample: 036de6e9928865caeced1bae00bdb55d.exe
  Resource: win10v2004-20221111-en
General

Target: 036de6e9928865caeced1bae00bdb55d.exe
Size: 96KB
MD5: 036de6e9928865caeced1bae00bdb55d
SHA1: 27b92bbc3cb16d06e645438079f24787975d520f
SHA256: a894e6dfcccc7112d8cab766fe285f2e45bf5d38021413b0e4ca1e9eb5992c48
SHA512: 9bd1d4624d2fcda393c69b1e6dac21071ccdf3ea24c22e8b94a475a56131008f14acba099256fd59ceacd81e87c3d43d2e5f2d4966f7d9021b641b6c47af5adf
SSDEEP: 1536:xfw6ygq47NGW9CgD4Vw8w28Dxv5s3wOXGpx/9l/7RyVcTIuGeNjcfgfu6ls5hfLu:xfw6Pq47NGW9lD4Vw8w28Dxv5s1XM+cN
Malware Config

Signatures

Modifies visibility of file extensions in Explorer    2 TTPs    3 IoCs
  Processes: reg.exe, reg.exe, reg.exe
  description | ioc | process
  Set value (int) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | reg.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | reg.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | reg.exe
Executes dropped EXE    2 IoCs
  Processes: scvhost.exe, winmgmt.exe
  pid | process
  4140 | scvhost.exe
  3672 | winmgmt.exe
Checks computer location settings    2 TTPs    1 IoCs
  Looks up country code configured in the registry, likely geofence.
  Processes: 036de6e9928865caeced1bae00bdb55d.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation | 036de6e9928865caeced1bae00bdb55d.exe
Drops startup file    1 IoCs
  Processes: 036de6e9928865caeced1bae00bdb55d.exe
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scvhost.exe | 036de6e9928865caeced1bae00bdb55d.exe
Adds Run key to start application    2 TTPs    1 IoCs
  Processes: winmgmt.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Management = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\winmgmt.exe" | winmgmt.exe
Enumerates physical storage devices    1 TTPs
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses    64 IoCs
  Processes: 036de6e9928865caeced1bae00bdb55d.exe, winmgmt.exe
  pid | process
  212 | 036de6e9928865caeced1bae00bdb55d.exe    (8 identical entries)
  3672 | winmgmt.exe    (56 identical entries)
Suspicious use of AdjustPrivilegeToken    3 IoCs
  Processes: 036de6e9928865caeced1bae00bdb55d.exe, winmgmt.exe, scvhost.exe
  description | pid | process
  Token: SeDebugPrivilege | 212 | 036de6e9928865caeced1bae00bdb55d.exe
  Token: SeDebugPrivilege | 3672 | winmgmt.exe
  Token: SeDebugPrivilege | 4140 | scvhost.exe
Suspicious use of WriteProcessMemory    15 IoCs
  Processes: 036de6e9928865caeced1bae00bdb55d.exe, scvhost.exe, winmgmt.exe
  description | pid | process | target process
  PID 212 wrote to memory of 4568 | 212 | 036de6e9928865caeced1bae00bdb55d.exe | reg.exe    (3 identical entries)
  PID 212 wrote to memory of 4140 | 212 | 036de6e9928865caeced1bae00bdb55d.exe | scvhost.exe    (3 identical entries)
  PID 212 wrote to memory of 3672 | 212 | 036de6e9928865caeced1bae00bdb55d.exe | winmgmt.exe    (3 identical entries)
  PID 4140 wrote to memory of 3832 | 4140 | scvhost.exe | reg.exe    (3 identical entries)
  PID 3672 wrote to memory of 1948 | 3672 | winmgmt.exe | reg.exe    (3 identical entries)
Processes

C:\Users\Admin\AppData\Local\Temp\036de6e9928865caeced1bae00bdb55d.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\036de6e9928865caeced1bae00bdb55d.exe"
  - Checks computer location settings
  - Drops startup file
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 212

  C:\Windows\SysWOW64\reg.exe
    command line: reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v HideFileExt /t REG_DWORD /d 1 /f
    - Modifies visibility of file extensions in Explorer
    PID: 4568

  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scvhost.exe
    command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scvhost.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 4140

    C:\Windows\SysWOW64\reg.exe
      command line: reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v HideFileExt /t REG_DWORD /d 1 /f
      - Modifies visibility of file extensions in Explorer
      PID: 3832

  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\winmgmt.exe
    command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\winmgmt.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 3672

    C:\Windows\SysWOW64\reg.exe
      command line: reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v HideFileExt /t REG_DWORD /d 1 /f
      - Modifies visibility of file extensions in Explorer
      PID: 1948
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scvhost.exe
  Filesize: 96KB
  MD5: 036de6e9928865caeced1bae00bdb55d
  SHA1: 27b92bbc3cb16d06e645438079f24787975d520f
  SHA256: a894e6dfcccc7112d8cab766fe285f2e45bf5d38021413b0e4ca1e9eb5992c48
  SHA512: 9bd1d4624d2fcda393c69b1e6dac21071ccdf3ea24c22e8b94a475a56131008f14acba099256fd59ceacd81e87c3d43d2e5f2d4966f7d9021b641b6c47af5adf
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\winmgmt.exe
  Filesize: 96KB
  MD5: 036de6e9928865caeced1bae00bdb55d
  SHA1: 27b92bbc3cb16d06e645438079f24787975d520f
  SHA256: a894e6dfcccc7112d8cab766fe285f2e45bf5d38021413b0e4ca1e9eb5992c48
  SHA512: 9bd1d4624d2fcda393c69b1e6dac21071ccdf3ea24c22e8b94a475a56131008f14acba099256fd59ceacd81e87c3d43d2e5f2d4966f7d9021b641b6c47af5adf
memory/212-132-0x0000000074E50000-0x0000000075401000-memory.dmp    Filesize: 5.7MB
memory/212-133-0x0000000074E50000-0x0000000075401000-memory.dmp    Filesize: 5.7MB
memory/212-141-0x0000000074E50000-0x0000000075401000-memory.dmp    Filesize: 5.7MB
memory/1948-143-0x0000000000000000-mapping.dmp
memory/3672-138-0x0000000000000000-mapping.dmp
memory/3672-145-0x0000000074E50000-0x0000000075401000-memory.dmp    Filesize: 5.7MB
memory/3672-147-0x0000000074E50000-0x0000000075401000-memory.dmp    Filesize: 5.7MB
memory/3832-142-0x0000000000000000-mapping.dmp
memory/4140-135-0x0000000000000000-mapping.dmp
memory/4140-144-0x0000000074E50000-0x0000000075401000-memory.dmp    Filesize: 5.7MB
memory/4140-146-0x0000000074E50000-0x0000000075401000-memory.dmp    Filesize: 5.7MB
memory/4568-134-0x0000000000000000-mapping.dmp