62239de63addc1dbbd4ebfb44432386fe84e81070d4dd838ef9325a1a8ae7f6d

Analysis

max time kernel
192s
max time network
200s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
25/11/2022, 20:51

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

62239de63addc1dbbd4ebfb44432386fe84e81070d4dd838ef9325a1a8ae7f6d.exe
Size

1.9MB
MD5

656ff6100f5064162e58d39e586449ec
SHA1

cdbc840ec9b424a4e5bdcab6ea38c561ac970aff
SHA256

62239de63addc1dbbd4ebfb44432386fe84e81070d4dd838ef9325a1a8ae7f6d
SHA512

7702f6b7ec6883afe02b69f8a3445521b8065afe43ac2e7d3674f2446b13c1167c98bae16e4c24816d8f8d09b36dac7c01d98e717e48096ba0402b194a27ccc7
SSDEEP

49152:yB5CvLdIotFENfIrox2aktyTvrdWTnzsFkkJEtP:yB5uIozoxxkaR8tk4

Score

8^/10

evasion persistence

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
20	4980	WScript.exe

Executes dropped EXE 3 IoCs

pid	Process
3836	System_32.exe
1908	System_32.exe
3680	System_32.exe

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Modify Existing Service

T1031

pid	Process
1096	netsh.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	62239de63addc1dbbd4ebfb44432386fe84e81070d4dd838ef9325a1a8ae7f6d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	cmd.exe

Loads dropped DLL 3 IoCs

pid	Process
3836	System_32.exe
1908	System_32.exe
3680	System_32.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sys = "C:\\Users\\Admin\\AppData\\Roaming\\Windows32\\System_32.exe"	reg.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Config.xml	System_32.exe
File created	C:\Windows\SysWOW64\Config.xml	System_32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
1832	timeout.exe
4436	timeout.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	62239de63addc1dbbd4ebfb44432386fe84e81070d4dd838ef9325a1a8ae7f6d.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	cmd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3836	System_32.exe
3836	System_32.exe
3836	System_32.exe
3836	System_32.exe
3836	System_32.exe
3836	System_32.exe
3836	System_32.exe
3836	System_32.exe
3836	System_32.exe
3836	System_32.exe
3836	System_32.exe
3836	System_32.exe
3836	System_32.exe
3836	System_32.exe
3836	System_32.exe
3836	System_32.exe
3836	System_32.exe
3836	System_32.exe
3836	System_32.exe
3836	System_32.exe
3836	System_32.exe
3836	System_32.exe
3836	System_32.exe
3836	System_32.exe
3836	System_32.exe
3836	System_32.exe
3836	System_32.exe
3836	System_32.exe
3836	System_32.exe
3836	System_32.exe
3836	System_32.exe
3836	System_32.exe
3836	System_32.exe
3836	System_32.exe
3836	System_32.exe
3836	System_32.exe
3836	System_32.exe
3836	System_32.exe
3836	System_32.exe
3836	System_32.exe
3836	System_32.exe
3836	System_32.exe
3836	System_32.exe
3836	System_32.exe
3836	System_32.exe
3836	System_32.exe
3836	System_32.exe
3836	System_32.exe
3836	System_32.exe
3836	System_32.exe
3836	System_32.exe
3836	System_32.exe
3836	System_32.exe
3836	System_32.exe
3836	System_32.exe
3836	System_32.exe
3836	System_32.exe
3836	System_32.exe
3836	System_32.exe
3836	System_32.exe
3836	System_32.exe
3836	System_32.exe
3836	System_32.exe
3836	System_32.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3836	System_32.exe
Token: SeTcbPrivilege	1908	System_32.exe
Token: SeTcbPrivilege	3836	System_32.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 4932 wrote to memory of 1056	4932	62239de63addc1dbbd4ebfb44432386fe84e81070d4dd838ef9325a1a8ae7f6d.exe	78
PID 4932 wrote to memory of 1056	4932	62239de63addc1dbbd4ebfb44432386fe84e81070d4dd838ef9325a1a8ae7f6d.exe	78
PID 4932 wrote to memory of 1056	4932	62239de63addc1dbbd4ebfb44432386fe84e81070d4dd838ef9325a1a8ae7f6d.exe	78
PID 1056 wrote to memory of 5108	1056	WScript.exe	79
PID 1056 wrote to memory of 5108	1056	WScript.exe	79
PID 1056 wrote to memory of 5108	1056	WScript.exe	79
PID 5108 wrote to memory of 1096	5108	cmd.exe	81
PID 5108 wrote to memory of 1096	5108	cmd.exe	81
PID 5108 wrote to memory of 1096	5108	cmd.exe	81
PID 5108 wrote to memory of 1344	5108	cmd.exe	82
PID 5108 wrote to memory of 1344	5108	cmd.exe	82
PID 5108 wrote to memory of 1344	5108	cmd.exe	82
PID 5108 wrote to memory of 3836	5108	cmd.exe	83
PID 5108 wrote to memory of 3836	5108	cmd.exe	83
PID 5108 wrote to memory of 3836	5108	cmd.exe	83
PID 5108 wrote to memory of 4436	5108	cmd.exe	84
PID 5108 wrote to memory of 4436	5108	cmd.exe	84
PID 5108 wrote to memory of 4436	5108	cmd.exe	84
PID 5108 wrote to memory of 228	5108	cmd.exe	85
PID 5108 wrote to memory of 228	5108	cmd.exe	85
PID 5108 wrote to memory of 228	5108	cmd.exe	85
PID 5108 wrote to memory of 4980	5108	cmd.exe	86
PID 5108 wrote to memory of 4980	5108	cmd.exe	86
PID 5108 wrote to memory of 4980	5108	cmd.exe	86
PID 1908 wrote to memory of 3680	1908	System_32.exe	88
PID 1908 wrote to memory of 3680	1908	System_32.exe	88
PID 1908 wrote to memory of 3680	1908	System_32.exe	88
PID 5108 wrote to memory of 1832	5108	cmd.exe	89
PID 5108 wrote to memory of 1832	5108	cmd.exe	89
PID 5108 wrote to memory of 1832	5108	cmd.exe	89

C:\Users\Admin\AppData\Local\Temp\62239de63addc1dbbd4ebfb44432386fe84e81070d4dd838ef9325a1a8ae7f6d.exe
"C:\Users\Admin\AppData\Local\Temp\62239de63addc1dbbd4ebfb44432386fe84e81070d4dd838ef9325a1a8ae7f6d.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4932
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\321\i.vbs"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:1056
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\321\test.bat" "
    3⤵
    - Checks computer location settings
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:5108
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="Allow Example" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\Windows32\System_32.exe"
      4⤵
      Modifies Windows Firewall
      PID:1096
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "sys" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Windows32\System_32.exe" /f
      4⤵
      Adds Run key to start application
      PID:1344
  - - C:\Users\Admin\AppData\Roaming\Windows32\System_32.exe
      System_32.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3836
  - - C:\Windows\SysWOW64\timeout.exe
      TIMEOUT /T 9 /NOBREAK
      4⤵
      Delays execution with timeout.exe
      PID:4436
  - - C:\Windows\SysWOW64\mode.com
      mode con codepage select=1251
      4⤵
      PID:228
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\.vbs"
      4⤵
      Blocklisted process makes network request
      PID:4980
  - - C:\Windows\SysWOW64\timeout.exe
      TIMEOUT /T 6 /NOBREAK
      4⤵
      Delays execution with timeout.exe
      PID:1832

C:\Users\Admin\AppData\Roaming\Windows32\System_32.exe
C:\Users\Admin\AppData\Roaming\Windows32\System_32.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1908
- C:\Users\Admin\AppData\Roaming\Windows32\System_32.exe
  "C:\Users\Admin\AppData\Roaming\Windows32\System_32.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  PID:3680

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\.vbs

Filesize
1KB

MD5
3fa58e2a1ac79c82bd987aedf5ca2f5e

SHA1
783ac677d6e1939a16cc0e6eab6450fc54e37ddc

SHA256
112dec62b0c5b6bd0dd750f141cde53a7d197af19a9deeb8aeda5a12e875ad0c

SHA512
22c81f5cd23223cf7f55dab2e7459414c2a374b1032e411d9fb7fc94e3a2c9c8fa41b63a1e411b473fdb5a496f29385f1f3d4e1bc823f9370e84f656fb8ecdce

Download Submit
C:\Users\Admin\AppData\Local\Temp\321\Config.xml

Filesize
15KB

MD5
e5474d39c71380cf2aeb374d5a96dab8

SHA1
5dfcd4d96c01b8663d52cebe8049b5abb98b04a7

SHA256
cbecb82d2ea8bf5da6aa65a961d46d69a4db1682bd00f98a48ff4932e7d8f474

SHA512
a72431c4de09e1363928ade9b90fccff8258dcdee770f2055c2ec9a77e5bfc1c8bd9585f992c78399a08bd84ca033d9fa34d48262ae4a62691f41b185709cfed

Download Submit
C:\Users\Admin\AppData\Local\Temp\321\System_32.exe

Filesize
4.1MB

MD5
d51cd9fa9fee08619a52a68035fbf350

SHA1
e7638a8d2eed191999b0d75ef9cf96d30d46b058

SHA256
48acb3b54965b1e2dfa3083403ae90b38041e5cce41096feedb4d711bba6999c

SHA512
788862671daf177828f6cf4db27b50f5f1320b950c740157c752246746a9adacee1d008a399c40fa92f95f6a430303da875f8582664bb747dcec12c4df79b614

Download Submit
C:\Users\Admin\AppData\Local\Temp\321\i.vbs

Filesize
195B

MD5
976480249873c2b32890d9fdc92376e2

SHA1
253027b2c27f74484809f16366ce919ecfd7b3e1

SHA256
1e26676b73888f75ba9572adba409153b3aa88a7921eb46cd625b1371e8fd8c2

SHA512
b8d77811777f0894f7dafa5917c5d4e8758b4475d9072795e4922e2681e440258049e93cdc8ddd7be641704808f54e65d019a93da968f3af3dbb2727c20fa4f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\321\msimg32.dll

Filesize
81KB

MD5
8e48c5ebfb772533cac6b3c38da1eab6

SHA1
d78fbeb809c4873bde609b5f84b526039151d109

SHA256
24d0701735b96395ad156805e85f59e0bc4db71f0402491dcba1babf20f95613

SHA512
04a837fd0353bf90292acf9734c0fc860839af289f279706f1c3b8f0e7a77c8a15b02bd169d828c056be152f9fd84fb287fb34e90309b086dcbfab848dd63fc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\321\test.bat

Filesize
39KB

MD5
7060a7d71e00ef187b478ef1c159eaf3

SHA1
9dfe3e5e70f69438c15bbcd32b9813ba27b93876

SHA256
5ce9d520c777f69978fd7bdd49b800f60e1fe2ef3ab1214c82b71567fe0537b8

SHA512
a5a567e1391ecc04f389c9a4f5f45c1122b77d0a0fcaa1c7dba5699e8f94e041fb7d42c7753b416603d01336eee0b80360f5eda2caf2da324d4ba72ed4d6efaa

Download Submit
C:\Users\Admin\AppData\Roaming\Windows32\ROMServerLite123.txt

Filesize
5B

MD5
584da0a485f209242059e6de66aac904

SHA1
0250a7b095bc6a969adbe25de14d23c4224d37c3

SHA256
01f9bf4bb49ac52d7d7a7d61f79e51c2cba94c5f75e034143ea614f0d87b929c

SHA512
c44088e8f19a177b9f47f0c8f0e1c86083a0b9dbc61f4fb4faa104be1b978ac75d037e6aa0cb4de577cea01b118f3d202659b8501948d7a539f2e13d6d0fe4f4

Download Submit
C:\Users\Admin\AppData\Roaming\Windows32\System_32.exe

Filesize
4.1MB

MD5
d51cd9fa9fee08619a52a68035fbf350

SHA1
e7638a8d2eed191999b0d75ef9cf96d30d46b058

SHA256
48acb3b54965b1e2dfa3083403ae90b38041e5cce41096feedb4d711bba6999c

SHA512
788862671daf177828f6cf4db27b50f5f1320b950c740157c752246746a9adacee1d008a399c40fa92f95f6a430303da875f8582664bb747dcec12c4df79b614

Download Submit
C:\Users\Admin\AppData\Roaming\Windows32\System_32.exe

Filesize
4.1MB

MD5
d51cd9fa9fee08619a52a68035fbf350

SHA1
e7638a8d2eed191999b0d75ef9cf96d30d46b058

SHA256
48acb3b54965b1e2dfa3083403ae90b38041e5cce41096feedb4d711bba6999c

SHA512
788862671daf177828f6cf4db27b50f5f1320b950c740157c752246746a9adacee1d008a399c40fa92f95f6a430303da875f8582664bb747dcec12c4df79b614

Download Submit
C:\Users\Admin\AppData\Roaming\Windows32\System_32.exe

Filesize
4.1MB

MD5
d51cd9fa9fee08619a52a68035fbf350

SHA1
e7638a8d2eed191999b0d75ef9cf96d30d46b058

SHA256
48acb3b54965b1e2dfa3083403ae90b38041e5cce41096feedb4d711bba6999c

SHA512
788862671daf177828f6cf4db27b50f5f1320b950c740157c752246746a9adacee1d008a399c40fa92f95f6a430303da875f8582664bb747dcec12c4df79b614

Download Submit
C:\Users\Admin\AppData\Roaming\Windows32\msimg32.dll

Filesize
81KB

MD5
8e48c5ebfb772533cac6b3c38da1eab6

SHA1
d78fbeb809c4873bde609b5f84b526039151d109

SHA256
24d0701735b96395ad156805e85f59e0bc4db71f0402491dcba1babf20f95613

SHA512
04a837fd0353bf90292acf9734c0fc860839af289f279706f1c3b8f0e7a77c8a15b02bd169d828c056be152f9fd84fb287fb34e90309b086dcbfab848dd63fc6

Download Submit
C:\Users\Admin\AppData\Roaming\Windows32\msimg32.dll

Filesize
81KB

MD5
8e48c5ebfb772533cac6b3c38da1eab6

SHA1
d78fbeb809c4873bde609b5f84b526039151d109

SHA256
24d0701735b96395ad156805e85f59e0bc4db71f0402491dcba1babf20f95613

SHA512
04a837fd0353bf90292acf9734c0fc860839af289f279706f1c3b8f0e7a77c8a15b02bd169d828c056be152f9fd84fb287fb34e90309b086dcbfab848dd63fc6

Download Submit
C:\Users\Admin\AppData\Roaming\Windows32\msimg32.dll

Filesize
81KB

MD5
8e48c5ebfb772533cac6b3c38da1eab6

SHA1
d78fbeb809c4873bde609b5f84b526039151d109

SHA256
24d0701735b96395ad156805e85f59e0bc4db71f0402491dcba1babf20f95613

SHA512
04a837fd0353bf90292acf9734c0fc860839af289f279706f1c3b8f0e7a77c8a15b02bd169d828c056be152f9fd84fb287fb34e90309b086dcbfab848dd63fc6

Download Submit