Analysis
max time kernel: 154s
max time network: 159s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-11-2022 10:38
Static task: static1
Behavioral task: behavioral1
  Sample: b0a487a0685a354c50ed08a7a243c8b55fb7822017884d05ff4237f5ef1dd51d.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: b0a487a0685a354c50ed08a7a243c8b55fb7822017884d05ff4237f5ef1dd51d.exe
  Resource: win10v2004-20220812-en
General
Target: b0a487a0685a354c50ed08a7a243c8b55fb7822017884d05ff4237f5ef1dd51d.exe
Size: 1.5MB
MD5: d672a417c1bb5b2255674f43d53509b1
SHA1: 53d4553dc3ca8f1cb8bdbd039c7fa7a9567add97
SHA256: b0a487a0685a354c50ed08a7a243c8b55fb7822017884d05ff4237f5ef1dd51d
SHA512: 150bbf0ac6029f9a208912a4b74cead7b57ae6c0a234d487ef969e831b401f84e24a1046bbc982ae93d6a98d90905e8d2596862152ff9b745213e09520fd5ba1
SSDEEP: 24576:Hpa/O74CNt3r2J2FC3eUldZUJ3OlKU4UDcc6Cy+9eG:wcZC35VcOcmDcc6Cd
Malware Config
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | b0a487a0685a354c50ed08a7a243c8b55fb7822017884d05ff4237f5ef1dd51d.exe

Drops file in System32 directory (2 IoCs)
description | ioc | Process
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{760145EF-8F05-46A0-BFE7-61A4BD11A4F2}.catalogItem | svchost.exe
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{9C50BED4-4053-4693-A89B-980CB40086C8}.catalogItem | svchost.exe

Suspicious use of SetThreadContext (1 IoC)
description | pid | Process | procid_target
PID 1544 set thread context of 1824 | 1544 | b0a487a0685a354c50ed08a7a243c8b55fb7822017884d05ff4237f5ef1dd51d.exe | 76

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | svchost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | svchost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | svchost.exe

Enumerates system info in registry (2 TTPs, 2 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | svchost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | svchost.exe

Runs ping.exe (1 TTP, 1 IoC)
pid | Process
3204 | PING.EXE

Suspicious use of SetWindowsHookEx (5 IoCs)
pid | Process
1824 | b0a487a0685a354c50ed08a7a243c8b55fb7822017884d05ff4237f5ef1dd51d.exe
1824 | b0a487a0685a354c50ed08a7a243c8b55fb7822017884d05ff4237f5ef1dd51d.exe
1824 | b0a487a0685a354c50ed08a7a243c8b55fb7822017884d05ff4237f5ef1dd51d.exe
1824 | b0a487a0685a354c50ed08a7a243c8b55fb7822017884d05ff4237f5ef1dd51d.exe
1824 | b0a487a0685a354c50ed08a7a243c8b55fb7822017884d05ff4237f5ef1dd51d.exe

Suspicious use of WriteProcessMemory (16 IoCs)
description | pid | Process | procid_target
PID 1544 wrote to memory of 3928 | 1544 | b0a487a0685a354c50ed08a7a243c8b55fb7822017884d05ff4237f5ef1dd51d.exe | 75
PID 1544 wrote to memory of 3928 | 1544 | b0a487a0685a354c50ed08a7a243c8b55fb7822017884d05ff4237f5ef1dd51d.exe | 75
PID 1544 wrote to memory of 3928 | 1544 | b0a487a0685a354c50ed08a7a243c8b55fb7822017884d05ff4237f5ef1dd51d.exe | 75
PID 1544 wrote to memory of 1824 | 1544 | b0a487a0685a354c50ed08a7a243c8b55fb7822017884d05ff4237f5ef1dd51d.exe | 76
PID 1544 wrote to memory of 1824 | 1544 | b0a487a0685a354c50ed08a7a243c8b55fb7822017884d05ff4237f5ef1dd51d.exe | 76
PID 1544 wrote to memory of 1824 | 1544 | b0a487a0685a354c50ed08a7a243c8b55fb7822017884d05ff4237f5ef1dd51d.exe | 76
PID 1544 wrote to memory of 1824 | 1544 | b0a487a0685a354c50ed08a7a243c8b55fb7822017884d05ff4237f5ef1dd51d.exe | 76
PID 1544 wrote to memory of 1824 | 1544 | b0a487a0685a354c50ed08a7a243c8b55fb7822017884d05ff4237f5ef1dd51d.exe | 76
PID 1544 wrote to memory of 1824 | 1544 | b0a487a0685a354c50ed08a7a243c8b55fb7822017884d05ff4237f5ef1dd51d.exe | 76
PID 1544 wrote to memory of 1824 | 1544 | b0a487a0685a354c50ed08a7a243c8b55fb7822017884d05ff4237f5ef1dd51d.exe | 76
PID 1544 wrote to memory of 1824 | 1544 | b0a487a0685a354c50ed08a7a243c8b55fb7822017884d05ff4237f5ef1dd51d.exe | 76
PID 1544 wrote to memory of 1824 | 1544 | b0a487a0685a354c50ed08a7a243c8b55fb7822017884d05ff4237f5ef1dd51d.exe | 76
PID 1544 wrote to memory of 1824 | 1544 | b0a487a0685a354c50ed08a7a243c8b55fb7822017884d05ff4237f5ef1dd51d.exe | 76
PID 3928 wrote to memory of 3204 | 3928 | cmd.exe | 78
PID 3928 wrote to memory of 3204 | 3928 | cmd.exe | 78
PID 3928 wrote to memory of 3204 | 3928 | cmd.exe | 78
Processes

C:\Users\Admin\AppData\Local\Temp\b0a487a0685a354c50ed08a7a243c8b55fb7822017884d05ff4237f5ef1dd51d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b0a487a0685a354c50ed08a7a243c8b55fb7822017884d05ff4237f5ef1dd51d.exe"
  PID: 1544
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping -c 5 8.8.8.8
    PID: 3928
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\PING.EXE
      Command line: ping -c 5 8.8.8.8
      PID: 3204
      - Runs ping.exe

  C:\Users\Admin\AppData\Local\Temp\b0a487a0685a354c50ed08a7a243c8b55fb7822017884d05ff4237f5ef1dd51d.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\b0a487a0685a354c50ed08a7a243c8b55fb7822017884d05ff4237f5ef1dd51d.exe"
    PID: 1824
    - Suspicious use of SetWindowsHookEx

C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k netsvcs -p
  PID: 256
  - Drops file in System32 directory
  - Checks processor information in registry
  - Enumerates system info in registry