Analysis
max time kernel: 151s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-11-2022 06:59
Behavioral tasks
behavioral1: sample d6292ffdb4fa80ec04e6ebd87f416da5521545fa200e7dfbcb636d8a323f9ed3.exe, resource win7-20221111-en
behavioral2: sample d6292ffdb4fa80ec04e6ebd87f416da5521545fa200e7dfbcb636d8a323f9ed3.exe, resource win10v2004-20220901-en
General
Target: d6292ffdb4fa80ec04e6ebd87f416da5521545fa200e7dfbcb636d8a323f9ed3.exe
Size: 30KB
MD5: 5fcdd3650009a565f795bc12d0adc5a8
SHA1: 66a5a4ee24e9eadfd02605b6a2e80b89027b4bdc
SHA256: d6292ffdb4fa80ec04e6ebd87f416da5521545fa200e7dfbcb636d8a323f9ed3
SHA512: 5395db318cc5f64b73b5bb37b041fa3a7e787cecabe1fd6f5b5712f0891ed404068ce40973f946ad50f5e6d8aa627373a28c2141b715cd19905e2c276a5aa4ad
SSDEEP: 384:xNG9iDrHrbJ6kA6g8tOpaz5pHEdKw/8aUZJfcKMr57WiEIxgE26PaMUbiQvIw7Do:PJA69J5JSn7gigKUbTD
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  Process: svhost.exe (PID 4800)
Modifies Windows Firewall (1 TTP, 1 IoC)
Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation, by d6292ffdb4fa80ec04e6ebd87f416da5521545fa200e7dfbcb636d8a323f9ed3.exe
Drops startup file (2 IoCs)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b5857819bb096c04134249d6f4e71934.exe, by svhost.exe
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b5857819bb096c04134249d6f4e71934.exe, by svhost.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\b5857819bb096c04134249d6f4e71934 = "\"C:\\Users\\Admin\\AppData\\Roaming\\svhost.exe\" ..", by svhost.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\b5857819bb096c04134249d6f4e71934 = "\"C:\\Users\\Admin\\AppData\\Roaming\\svhost.exe\" ..", by svhost.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (45 IoCs)
  Process: svhost.exe (PID 4800), 45 occurrences
Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, svhost.exe (PID 4800)
Suspicious use of WriteProcessMemory (6 IoCs)
  PID 4880 (d6292ffdb4fa80ec04e6ebd87f416da5521545fa200e7dfbcb636d8a323f9ed3.exe) wrote to memory of PID 4800 (svhost.exe), 3 times
  PID 4800 (svhost.exe) wrote to memory of PID 1476 (netsh.exe), 3 times
Processes
1. C:\Users\Admin\AppData\Local\Temp\d6292ffdb4fa80ec04e6ebd87f416da5521545fa200e7dfbcb636d8a323f9ed3.exe (PID 4880)
   Command line: "C:\Users\Admin\AppData\Local\Temp\d6292ffdb4fa80ec04e6ebd87f416da5521545fa200e7dfbcb636d8a323f9ed3.exe"
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\svhost.exe (PID 4800)
      Command line: "C:\Users\Admin\AppData\Roaming\svhost.exe"
      - Executes dropped EXE
      - Drops startup file
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\netsh.exe (PID 1476)
         Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\svhost.exe" "svhost.exe" ENABLE
         - Modifies Windows Firewall
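The chain above (self-copy into AppData\Roaming under a svchost.exe look-alike name, a Startup-folder drop, Run values in both HKCU and HKLM\WOW6432Node, and a netsh firewall exception for the copy) maps directly onto host-telemetry rules. The following Python is an added example written for this page, not code from the sandbox or from the sample: it evaluates four rules over constructed Sysmon-style events (EventID 1 process create, 11 file create, 13 registry value set) whose field names follow Sysmon's schema. The event records, the rule names and the list of protected system binary names are assumptions made for illustration. It goes beyond what the report shows in two places: it also matches RunOnce keys and the modern "netsh advfirewall firewall add rule ... action=allow" syntax. The Geo\Nation registry read is deliberately not covered, because Sysmon records registry value writes, key creates and renames but not reads.

```python
"""Detection rules for the persistence and firewall-tampering behaviour
shown in the report above, evaluated over constructed Sysmon-style events.

Added example; not part of the sandbox report and not the sample's code.
Event dicts use Sysmon field names (EventID, Image, CommandLine,
TargetObject, Details, TargetFilename); the events, rule names and the
list of system binaries are assumptions made for illustration.
"""
import ntpath
import re

# Autostart registry locations (Run and RunOnce, under any hive prefix).
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
# Directories a standard user can write to; a Run value pointing here is
# far more suspicious than one pointing into Program Files or System32.
USER_WRITABLE_RE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public)\\", re.IGNORECASE)
# Executable content written into a per-user or all-users Startup folder.
STARTUP_RE = re.compile(
    r"\\Start Menu\\Programs\\Startup\\[^\\]+\.(exe|dll|scr|bat|cmd|vbs|js|lnk)$", re.IGNORECASE)
# Legacy "netsh firewall" syntax used by the sample, plus the modern
# "netsh advfirewall" form (a generalisation beyond what the report shows).
NETSH_FW_RE = re.compile(
    r"\bfirewall\s+add\s+allowedprogram\b|\badvfirewall\s+firewall\s+add\s+rule\b.*\baction=allow\b",
    re.IGNORECASE)

# Names worth protecting against look-alikes (svhost.exe vs svchost.exe); assumed list.
SYSTEM_BINARIES = {"svchost.exe", "csrss.exe", "lsass.exe", "services.exe", "smss.exe",
                   "wininit.exe", "winlogon.exe", "explorer.exe", "dllhost.exe", "conhost.exe"}
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32", r"c:\windows\syswow64"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance; one insertion, deletion or substitution counts as 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def rule_run_key_user_writable(ev: dict) -> bool:
    """Sysmon 13: Run/RunOnce value whose target lives in a user-writable path."""
    return (ev["EventID"] == 13
            and RUN_KEY_RE.search(ev.get("TargetObject", "")) is not None
            and USER_WRITABLE_RE.search(ev.get("Details", "")) is not None)


def rule_startup_folder_drop(ev: dict) -> bool:
    """Sysmon 11: executable content created in a Startup folder."""
    return ev["EventID"] == 11 and STARTUP_RE.search(ev.get("TargetFilename", "")) is not None


def rule_netsh_firewall_exception(ev: dict) -> bool:
    """Sysmon 1: netsh.exe adding an allowed program or an allow rule."""
    return (ev["EventID"] == 1
            and ntpath.basename(ev.get("Image", "")).lower() == "netsh.exe"
            and NETSH_FW_RE.search(ev.get("CommandLine", "")) is not None)


def rule_system_binary_masquerade(ev: dict) -> bool:
    """Sysmon 1: a system binary name outside its directory, or a name one edit away from one."""
    if ev["EventID"] != 1:
        return False
    image = ev.get("Image", "")
    name = ntpath.basename(image).lower()
    if name in SYSTEM_BINARIES:
        return ntpath.dirname(image).lower() not in SYSTEM_DIRS
    return any(levenshtein(name, legit) == 1 for legit in SYSTEM_BINARIES)


RULES = [
    ("run_key_user_writable", rule_run_key_user_writable),
    ("startup_folder_drop", rule_startup_folder_drop),
    ("netsh_firewall_exception", rule_netsh_firewall_exception),
    ("system_binary_masquerade", rule_system_binary_masquerade),
]


def run_rules(events: list[dict]) -> list[tuple[str, int]]:
    """Return (rule_name, event_index) for every rule that fires on every event."""
    return [(name, idx) for idx, ev in enumerate(events) for name, rule in RULES if rule(ev)]


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\d6292ffdb4fa80ec04e6ebd87f416da5521545fa200e7dfbcb636d8a323f9ed3.exe"
DROPPED = r"C:\Users\Admin\AppData\Roaming\svhost.exe"
SID = "S-1-5-21-929662420-1054238289-2961194603-1000"

# Constructed events mirroring the IoCs in the report; the last two are benign controls.
EVENTS = [
    {"EventID": 1, "Image": DROPPED, "CommandLine": f'"{DROPPED}"', "ParentImage": SAMPLE},
    {"EventID": 11, "Image": DROPPED,
     "TargetFilename": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b5857819bb096c04134249d6f4e71934.exe"},
    {"EventID": 13, "Image": DROPPED,
     "TargetObject": "HKU\\" + SID + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\b5857819bb096c04134249d6f4e71934",
     "Details": f'"{DROPPED}" ..'},
    {"EventID": 13, "Image": DROPPED,
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\b5857819bb096c04134249d6f4e71934",
     "Details": f'"{DROPPED}" ..'},
    {"EventID": 1, "Image": r"C:\Windows\SysWOW64\netsh.exe", "ParentImage": DROPPED,
     "CommandLine": f'netsh firewall add allowedprogram "{DROPPED}" "svhost.exe" ENABLE'},
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
     "Details": r"%windir%\system32\SecurityHealthSystray.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs -p"},
]

if __name__ == "__main__":
    for name, idx in run_rules(EVENTS):
        print(f"{name:26} event#{idx} {ntpath.basename(EVENTS[idx]['Image'])}")
```

Run as a script it prints one hit per malicious event (five in total) and nothing for the two benign controls. The masquerade rule keys on edit distance to a short list of system binary names, so svhost.exe is caught without any prior knowledge of this sample's hash or path; a production version would widen both the name list and the set of user-writable paths, and would pair the Run-key rule with the process that wrote it (here a binary in AppData\Roaming writing its own path, which is a stronger signal than either fact alone).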
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Roaming\svhost.exe
  Filesize: 30KB
  MD5: 5fcdd3650009a565f795bc12d0adc5a8
  SHA1: 66a5a4ee24e9eadfd02605b6a2e80b89027b4bdc
  SHA256: d6292ffdb4fa80ec04e6ebd87f416da5521545fa200e7dfbcb636d8a323f9ed3
  SHA512: 5395db318cc5f64b73b5bb37b041fa3a7e787cecabe1fd6f5b5712f0891ed404068ce40973f946ad50f5e6d8aa627373a28c2141b715cd19905e2c276a5aa4ad
  (All hashes match the submitted sample: the dropped svhost.exe is a byte-for-byte copy of the sample itself.)
memory/1476-136-0x0000000000000000-mapping.dmp
memory/4800-133-0x0000000000000000-mapping.dmp
memory/4800-138-0x00000000747D0000-0x0000000074D81000-memory.dmp (5.7MB)
memory/4800-139-0x00000000747D0000-0x0000000074D81000-memory.dmp (5.7MB)
memory/4880-132-0x00000000747D0000-0x0000000074D81000-memory.dmp (5.7MB)
memory/4880-137-0x00000000747D0000-0x0000000074D81000-memory.dmp (5.7MB)