Analysis
max time kernel: 168s
max time network: 195s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-11-2022 22:50
Static task: static1
Behavioral task: behavioral1
  Sample: de6c4e58cbab00c80e56b196a0e6197e5ba71bbd5c24e70cecc762ce2b84fbeb.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2 (this report)
  Sample: de6c4e58cbab00c80e56b196a0e6197e5ba71bbd5c24e70cecc762ce2b84fbeb.exe
  Resource: win10v2004-20220812-en
General
Target: de6c4e58cbab00c80e56b196a0e6197e5ba71bbd5c24e70cecc762ce2b84fbeb.exe
Size: 405KB
MD5: d8775c56e4abff4c1dca41368aa66ba0
SHA1: 477211afcb62dc2626046e49aed123d6a23021bb
SHA256: de6c4e58cbab00c80e56b196a0e6197e5ba71bbd5c24e70cecc762ce2b84fbeb
SHA512: 826057d35ed4979f7bfb607cb5da47e901c4da8162c28974fc09a9774918c68821a4f487d2869e280327c78f6584e3b121c1191dd0117d86249cd7af1e766fe0
SSDEEP: 6144:xuFQFkp4C0AYXXuyhC0DPMH951CpSoIIZHm8odsjpwlqS+QUqYA0lxoir:xuFB4z+yhCGyr1CpBIIZHscxo
Malware Config
Signatures

Executes dropped EXE (1 IoC)
  Process: svchost.exe (pid 876)
Modifies Windows Firewall (1 TTP, 1 IoC)
  Process: netsh.exe (pid 4764), spawned by the dropped svchost.exe (pid 876); the full command line is recorded under Processes below.
  The call uses the legacy "netsh firewall" context. Windows 10 still honours it (it prints a deprecation notice pointing at "netsh advfirewall firewall" and creates the rule anyway), so after this step an allowed-program exception for C:\Users\Admin\AppData\Local\Temp\svchost.exe exists in the host firewall.
Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Process: de6c4e58cbab00c80e56b196a0e6197e5ba71bbd5c24e70cecc762ce2b84fbeb.exe (pid 4900)
  Key value queried: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation
  The Nation value holds the user's GEOID as a decimal string (244 for the United States), set from the Region control panel. Samples that geofence typically compare it against an exclusion list and exit on a match. This run used an en-us image and execution continued; a detonation with a different region configured may take a different path.
Drops startup file (2 IoCs)
  Process: svchost.exe (pid 876)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ba4c12bee3027d94da5c81db2d196bfd.exe
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ba4c12bee3027d94da5c81db2d196bfd.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
  Process: svchost.exe (pid 876)
  Set value (str): \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ba4c12bee3027d94da5c81db2d196bfd = "C:\Users\Admin\AppData\Local\Temp\svchost.exe" ..
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ba4c12bee3027d94da5c81db2d196bfd = "C:\Users\Admin\AppData\Local\Temp\svchost.exe" ..
  The same value name is written under both the user hive and HKLM. The HKLM write needs administrative rights, which the sandbox's Admin account evidently had; on a standard-user host only the user-hive entry would land. Together with the Startup folder copy above, this gives three autostart entries that all point at a binary named svchost.exe in %TEMP%, a name that is legitimate only under System32 or SysWOW64.
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  (Generic signature description; nothing else in this run, such as mass file writes or a ransom note, supports a ransomware classification.)
Suspicious behavior: EnumeratesProcesses (28 IoCs)
  Process: svchost.exe (pid 876), 28 events
Suspicious use of AdjustPrivilegeToken (1 IoC)
  Process: svchost.exe (pid 876)
  Token: SeDebugPrivilege
Suspicious use of WriteProcessMemory (4 IoCs)
  PID 4900 (de6c4e58cbab00c80e56b196a0e6197e5ba71bbd5c24e70cecc762ce2b84fbeb.exe) wrote to memory of PID 876 (svchost.exe), 2 events
  PID 876 (svchost.exe) wrote to memory of PID 4764 (netsh.exe), 2 events
  Each pair is a parent writing into a child it has just created (see Processes below); no write into an unrelated process was recorded in this run.
Processes

1. C:\Users\Admin\AppData\Local\Temp\de6c4e58cbab00c80e56b196a0e6197e5ba71bbd5c24e70cecc762ce2b84fbeb.exe (pid 4900)
   Command line: "C:\Users\Admin\AppData\Local\Temp\de6c4e58cbab00c80e56b196a0e6197e5ba71bbd5c24e70cecc762ce2b84fbeb.exe"
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\svchost.exe (pid 876)
      Command line: "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
      - Executes dropped EXE
      - Drops startup file
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SYSTEM32\netsh.exe (pid 4764)
         Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\svchost.exe" "svchost.exe" ENABLE
         - Modifies Windows Firewall
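The chain above (a file named svchost.exe started from %TEMP%, Run values in two hives and a Startup folder copy pointing at it, and a netsh firewall exception for the same path) is easy to express as host-telemetry detection logic. The following is an added example, not part of the sandbox output: it runs a few rules over constructed Sysmon-style events whose pids, paths, SID and registry values are taken from this report, plus two benign controls (the real service host and a Defender Run entry). Field names (EventID, Image, CommandLine, ParentProcessId, TargetObject, Details, TargetFilename) follow Sysmon; the rule names and the "three distinct rules equals high" scoring are assumptions for the example.

```python
"""Detection logic for the behaviour chain in this report (svchost.exe masquerade
from %TEMP%, Run-key and Startup-folder persistence, netsh firewall exception),
run over constructed Sysmon-style events.  Added example, not sandbox output."""
import ntpath
import re
from collections import defaultdict

# Directories from which a binary named svchost.exe is legitimately started.
LEGIT_SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Path fragments marking user-writable locations; an autostart entry or a
# firewall exception that points here is worth a finding.
USER_WRITABLE_HINTS = (r"\appdata\local\temp", r"\appdata\roaming", r"\users\public", r"\programdata")

RUN_KEY_RE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run(?:once)?\\", re.I)
STARTUP_DIR_RE = re.compile(r"\\start menu\\programs\\startup\\", re.I)
NETSH_FW_RE = re.compile(
    r"\bnetsh(?:\.exe)?\s+(?:firewall\s+add\s+allowedprogram|advfirewall\s+firewall\s+add\s+rule)\b", re.I)
QUOTED_EXE_RE = re.compile(r'"([^"]+\.exe)"', re.I)


def in_user_writable(path: str) -> bool:
    return any(hint in path.lower() for hint in USER_WRITABLE_HINTS)


def exe_from_value(details: str) -> str:
    """Pull the executable out of a Run value such as '"C:\\...\\svchost.exe" ..'."""
    m = QUOTED_EXE_RE.search(details)
    return m.group(1) if m else details.split()[0]


def inspect(ev: dict):
    """Yield (rule, pid, detail) for one event.  Field names follow Sysmon."""
    eid, pid = ev["EventID"], ev["ProcessId"]
    if eid == 1:  # process creation
        image = ev["Image"]
        if (ntpath.basename(image).lower() == "svchost.exe"
                and ntpath.dirname(image).lower() not in LEGIT_SVCHOST_DIRS):
            yield ("svchost_outside_system32", pid, image)
        cmd = ev.get("CommandLine", "")
        if NETSH_FW_RE.search(cmd):
            m = QUOTED_EXE_RE.search(cmd)
            target = m.group(1) if m else cmd
            if in_user_writable(target):
                # Attribute the exception to the process that launched netsh.
                yield ("firewall_exception_user_writable", ev.get("ParentProcessId", pid), target)
    elif eid == 13:  # registry value set
        if RUN_KEY_RE.search(ev["TargetObject"]) and in_user_writable(exe_from_value(ev["Details"])):
            hive = ev["TargetObject"].split("\\", 1)[0]
            yield ("run_key_user_writable", pid, f"{hive}: {ev['Details']}")
    elif eid == 11:  # file create
        if STARTUP_DIR_RE.search(ev["TargetFilename"]):
            yield ("startup_folder_drop", pid, ev["TargetFilename"])


def triage(events):
    """Group findings by pid; a pid that trips three or more distinct rules is 'high'."""
    per_pid = defaultdict(list)
    for ev in events:
        for rule, pid, detail in inspect(ev):
            per_pid[pid].append((rule, detail))
    verdict = {pid: ("high" if len({r for r, _ in f}) >= 3 else "medium")
               for pid, f in per_pid.items()}
    return dict(per_pid), verdict


TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SID = "S-1-5-21-2629973501-4017243118-3254762364-1000"
RUN = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ba4c12bee3027d94da5c81db2d196bfd"
# Constructed events mirroring the report's pids, paths and values, plus two
# benign controls (the real service host and a Defender Run entry).
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 876, "ParentProcessId": 4900,
     "Image": TEMP + r"\svchost.exe", "CommandLine": f'"{TEMP}\\svchost.exe"'},
    {"EventID": 13, "ProcessId": 876, "TargetObject": f"HKU\\{SID}\\{RUN}",
     "Details": f'"{TEMP}\\svchost.exe" ..'},
    {"EventID": 13, "ProcessId": 876, "TargetObject": f"HKLM\\{RUN}",
     "Details": f'"{TEMP}\\svchost.exe" ..'},
    {"EventID": 11, "ProcessId": 876, "TargetFilename":
     r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ba4c12bee3027d94da5c81db2d196bfd.exe"},
    {"EventID": 1, "ProcessId": 4764, "ParentProcessId": 876, "Image": r"C:\Windows\System32\netsh.exe",
     "CommandLine": f'netsh firewall add allowedprogram "{TEMP}\\svchost.exe" "svchost.exe" ENABLE'},
    {"EventID": 1, "ProcessId": 1234, "ParentProcessId": 700, "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs -p"},
    {"EventID": 13, "ProcessId": 2222,
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
     "Details": r"%windir%\system32\SecurityHealthSystray.exe"},
]

if __name__ == "__main__":
    findings, verdict = triage(SAMPLE_EVENTS)
    for pid, items in findings.items():
        print(f"pid {pid}: {verdict[pid]}")
        for rule, detail in items:
            print(f"  {rule}: {detail}")
```

Run stand-alone it reports only pid 876, scored high on four distinct rules; the System32 svchost.exe and the SecurityHealth Run value produce nothing. The firewall finding is attributed to netsh's parent rather than to netsh.exe itself, because the parent is the process that wants the exception and is the one worth correlating with the persistence writes.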
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\svchost.exe
  Filesize: 405KB
  MD5: d8775c56e4abff4c1dca41368aa66ba0
  SHA1: 477211afcb62dc2626046e49aed123d6a23021bb
  SHA256: de6c4e58cbab00c80e56b196a0e6197e5ba71bbd5c24e70cecc762ce2b84fbeb
  SHA512: 826057d35ed4979f7bfb607cb5da47e901c4da8162c28974fc09a9774918c68821a4f487d2869e280327c78f6584e3b121c1191dd0117d86249cd7af1e766fe0
  All four hashes match the submitted sample: the "dropped" svchost.exe is a byte-for-byte copy of de6c4e58cbab00c80e56b196a0e6197e5ba71bbd5c24e70cecc762ce2b84fbeb.exe written to %TEMP%, not a second-stage payload, so one set of file IoCs covers both.

Memory dumps
memory/876-134-0x0000000000000000-mapping.dmp
memory/876-139-0x00007FFD0AAC0000-0x00007FFD0B581000-memory.dmp (10.8MB)
memory/876-140-0x00007FFD0AAC0000-0x00007FFD0B581000-memory.dmp (10.8MB)
memory/4764-138-0x0000000000000000-mapping.dmp
memory/4900-132-0x00000000001F0000-0x000000000025C000-memory.dmp (432KB)
memory/4900-133-0x00007FFD0AAC0000-0x00007FFD0B581000-memory.dmp (10.8MB)
memory/4900-137-0x00007FFD0AAC0000-0x00007FFD0B581000-memory.dmp (10.8MB)
The 432KB region at 0x1F0000 in pid 4900 is sized like the sample's own image (405KB on disk). The 10.8MB range at 0x7FFD0AAC0000 is dumped from both pid 4900 and pid 876 at identical addresses, which is what a shared module mapped at a common base across processes looks like, not a per-process injected region; the dumps of the parent's image are the ones to start with for unpacking.