1138711bf5310003455f0d40bc44787c9bee97c8e9e83ae9fbd1af43c34744af

Analysis

max time kernel
154s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
25/11/2022, 20:01

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

1138711bf5310003455f0d40bc44787c9bee97c8e9e83ae9fbd1af43c34744af.exe
Size

122KB
MD5

72590c771d1842eb9fbaaaf2cfcce75d
SHA1

8fd3f4061d936a08ef352f643ad2bd990e39543c
SHA256

1138711bf5310003455f0d40bc44787c9bee97c8e9e83ae9fbd1af43c34744af
SHA512

6e32d87bc3bbe319f50121776f38e432ef9ce9612ad33f943f7802b414950bb7244dd4bba4de47479533e69cbb7741408b8e30d6e9e09db148c926d0260fa272
SSDEEP

3072:AnDHH47khTSHz4dwqKdM6i4JGpZh37uLjudqz9d0kL:ADn440zt46i4EruLorkL

Score

8^/10

persistence vmprotect

Malware Config

Signatures

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\IPv6NetBrowsSvc\Parameters\ServiceDll = "C:\\Windows\\IPv6NetBrowsSvc.dll"	1138711bf5310003455f0d40bc44787c9bee97c8e9e83ae9fbd1af43c34744af.exe

VMProtect packed file 4 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral2/files/0x0008000000022e06-133.dat	vmprotect
behavioral2/files/0x0008000000022e06-134.dat	vmprotect
behavioral2/memory/3696-136-0x00000000007B0000-0x00000000007EE000-memory.dmp	vmprotect
behavioral2/memory/4092-137-0x00000000759A0000-0x00000000759DE000-memory.dmp	vmprotect

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	1138711bf5310003455f0d40bc44787c9bee97c8e9e83ae9fbd1af43c34744af.exe

Loads dropped DLL 1 IoCs

pid	Process
4092	svchost.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\IPv6NetBrowsSvc.dll	1138711bf5310003455f0d40bc44787c9bee97c8e9e83ae9fbd1af43c34744af.exe
File opened for modification	C:\Windows\IPv6NetBrowsSvc.dll	1138711bf5310003455f0d40bc44787c9bee97c8e9e83ae9fbd1af43c34744af.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3696 wrote to memory of 1660	3696	1138711bf5310003455f0d40bc44787c9bee97c8e9e83ae9fbd1af43c34744af.exe	81
PID 3696 wrote to memory of 1660	3696	1138711bf5310003455f0d40bc44787c9bee97c8e9e83ae9fbd1af43c34744af.exe	81
PID 3696 wrote to memory of 1660	3696	1138711bf5310003455f0d40bc44787c9bee97c8e9e83ae9fbd1af43c34744af.exe	81

C:\Users\Admin\AppData\Local\Temp\1138711bf5310003455f0d40bc44787c9bee97c8e9e83ae9fbd1af43c34744af.exe
"C:\Users\Admin\AppData\Local\Temp\1138711bf5310003455f0d40bc44787c9bee97c8e9e83ae9fbd1af43c34744af.exe"
1⤵
- Sets DLL path for service in the registry
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3696
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240547859.bat" "
  2⤵
  PID:1660

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k ipv6srvs -s IPv6NetBrowsSvc
1⤵
- Loads dropped DLL
PID:4092

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\240547859.bat

Filesize
239B

MD5
c15df4249a066c018d089e7c922a3a1b

SHA1
38feffa58adfe4875ddfe413166ff93f6e8501a1

SHA256
7031a7b1bde966284476258da2cb8923e61238fdc9b05aa46ed4bdbe16b6f279

SHA512
107c2e1163b0cc9a3b160755128a71706da9c25878a75e3bd150d8d758448549bb1ffeffe0918ec67d9ab224b5adb304d6739376803c5ec354ead2746adc0b14

Download Submit
C:\Windows\IPv6NetBrowsSvc.dll

Filesize
122KB

MD5
d5b2a4b72b0a14da8fd71906c2e55e57

SHA1
54953ce2b33e22a63ca5b867d359fdab4e6c2e92

SHA256
5ccd025ff173bbd949287ef98b6ddb020ccdbac4e7706e8923b224d652c5d837

SHA512
2551c312d5c6a19844d538de007b0254d18c355fb99a5a64e21def9cad8b6847329da5c90b564f0fa92e101573ba602a406aab0d4e0fd158d528348bd69371c6

Download Submit
\??\c:\windows\ipv6netbrowssvc.dll

Filesize
122KB

MD5
d5b2a4b72b0a14da8fd71906c2e55e57

SHA1
54953ce2b33e22a63ca5b867d359fdab4e6c2e92

SHA256
5ccd025ff173bbd949287ef98b6ddb020ccdbac4e7706e8923b224d652c5d837

SHA512
2551c312d5c6a19844d538de007b0254d18c355fb99a5a64e21def9cad8b6847329da5c90b564f0fa92e101573ba602a406aab0d4e0fd158d528348bd69371c6

Download Submit
memory/3696-132-0x00000000007B1000-0x00000000007B4000-memory.dmp

Filesize
12KB

Download
memory/3696-136-0x00000000007B0000-0x00000000007EE000-memory.dmp

Filesize
248KB

Download
memory/4092-135-0x00000000759A1000-0x00000000759A4000-memory.dmp

Filesize
12KB

Download
memory/4092-137-0x00000000759A0000-0x00000000759DE000-memory.dmp

Filesize
248KB

Download