Analysis
- max time kernel: 205s
- max time network: 207s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26-11-2022 14:20

Static task: static1

Behavioral task: behavioral1
- Sample: 89e8dbf09685f9de65e186fd7487374b7f081dbbbca86360a9047fb334235c33.exe
- Resource: win7-20221111-en

Behavioral task: behavioral2
- Sample: 89e8dbf09685f9de65e186fd7487374b7f081dbbbca86360a9047fb334235c33.exe
- Resource: win10v2004-20221111-en
General
- Target: 89e8dbf09685f9de65e186fd7487374b7f081dbbbca86360a9047fb334235c33.exe
- Size: 636KB
- MD5: c9ffc3cf9644b18d3b9177f3538d5777
- SHA1: 4b07b514e46bdc9d1b7a4d141972390db368b5f0
- SHA256: 89e8dbf09685f9de65e186fd7487374b7f081dbbbca86360a9047fb334235c33
- SHA512: 8c79fe2a251d2baa6b2d7eb8bbc99ea8112e44e4cabf8083cb3a762b03cc75c635927f2652ea48aaa2f2d57d1b472a612157c897c660f5e5efa6991396031109
- SSDEEP: 12288:P3N7+8qyRWMzSfXPzwDevratVILPqbP/E:PkRp4Snz7atVpP
Malware Config
(none extracted)

Signatures

- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,\"C:\\Windows\\system32\\clientsvr.exe\"" | 89e8dbf09685f9de65e186fd7487374b7f081dbbbca86360a9047fb334235c33.exe

- Drops file in Drivers directory (2 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\system32\drivers\etc\hosts | system.exe
  File opened for modification | C:\Windows\system32\drivers\etc\hosts | 89e8dbf09685f9de65e186fd7487374b7f081dbbbca86360a9047fb334235c33.exe

- Executes dropped EXE (3 IoCs)
  pid | Process
  3992 | system.exe
  5096 | system.exe
  456 | system.exe

- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation | 89e8dbf09685f9de65e186fd7487374b7f081dbbbca86360a9047fb334235c33.exe

- Drops file in System32 directory (1 IoC)
  description | ioc | Process
  File created | C:\Windows\SysWOW64\clientsvr.exe | 89e8dbf09685f9de65e186fd7487374b7f081dbbbca86360a9047fb334235c33.exe

- Suspicious use of SetThreadContext (2 IoCs)
  description | pid | Process | procid_target
  PID 420 set thread context of 3484 | 420 | 89e8dbf09685f9de65e186fd7487374b7f081dbbbca86360a9047fb334235c33.exe | 89
  PID 3992 set thread context of 456 | 3992 | system.exe | 98

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Suspicious behavior: EnumeratesProcesses (12 IoCs)
  pid | Process
  420 | 89e8dbf09685f9de65e186fd7487374b7f081dbbbca86360a9047fb334235c33.exe (6 identical entries)
  3992 | system.exe (6 identical entries)

- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 420 | 89e8dbf09685f9de65e186fd7487374b7f081dbbbca86360a9047fb334235c33.exe
  Token: SeDebugPrivilege | 3992 | system.exe

- Suspicious use of SetWindowsHookEx (1 IoC)
  pid | Process
  3484 | 89e8dbf09685f9de65e186fd7487374b7f081dbbbca86360a9047fb334235c33.exe

- Suspicious use of WriteProcessMemory (25 IoCs)
  description | pid | Process | procid_target
  PID 420 wrote to memory of 2940 | 420 | 89e8dbf09685f9de65e186fd7487374b7f081dbbbca86360a9047fb334235c33.exe | 88 (3 identical entries)
  PID 420 wrote to memory of 3484 | 420 | 89e8dbf09685f9de65e186fd7487374b7f081dbbbca86360a9047fb334235c33.exe | 89 (8 identical entries)
  PID 3484 wrote to memory of 3992 | 3484 | 89e8dbf09685f9de65e186fd7487374b7f081dbbbca86360a9047fb334235c33.exe | 95 (3 identical entries)
  PID 3992 wrote to memory of 5096 | 3992 | system.exe | 97 (3 identical entries)
  PID 3992 wrote to memory of 456 | 3992 | system.exe | 98 (8 identical entries)
Processes (indentation shows parent/child nesting)

C:\Users\Admin\AppData\Local\Temp\89e8dbf09685f9de65e186fd7487374b7f081dbbbca86360a9047fb334235c33.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\89e8dbf09685f9de65e186fd7487374b7f081dbbbca86360a9047fb334235c33.exe"
  PID: 420
  Signatures:
  - Drops file in Drivers directory
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\89e8dbf09685f9de65e186fd7487374b7f081dbbbca86360a9047fb334235c33.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\89e8dbf09685f9de65e186fd7487374b7f081dbbbca86360a9047fb334235c33.exe"
      PID: 2940

    C:\Users\Admin\AppData\Local\Temp\89e8dbf09685f9de65e186fd7487374b7f081dbbbca86360a9047fb334235c33.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\89e8dbf09685f9de65e186fd7487374b7f081dbbbca86360a9047fb334235c33.exe"
      PID: 3484
      Signatures:
      - Modifies WinLogon for persistence
      - Checks computer location settings
      - Drops file in System32 directory
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

        C:\ProgramData\502970\system.exe
          Command line: "C:\ProgramData\502970\system.exe"
          PID: 3992
          Signatures:
          - Drops file in Drivers directory
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory

            C:\ProgramData\502970\system.exe
              Command line: "C:\ProgramData\502970\system.exe"
              PID: 5096
              Signatures:
              - Executes dropped EXE

            C:\ProgramData\502970\system.exe
              Command line: "C:\ProgramData\502970\system.exe"
              PID: 456
              Signatures:
              - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads

- Filesize: 636KB
  MD5: c9ffc3cf9644b18d3b9177f3538d5777
  SHA1: 4b07b514e46bdc9d1b7a4d141972390db368b5f0
  SHA256: 89e8dbf09685f9de65e186fd7487374b7f081dbbbca86360a9047fb334235c33
  SHA512: 8c79fe2a251d2baa6b2d7eb8bbc99ea8112e44e4cabf8083cb3a762b03cc75c635927f2652ea48aaa2f2d57d1b472a612157c897c660f5e5efa6991396031109
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\89e8dbf09685f9de65e186fd7487374b7f081dbbbca86360a9047fb334235c33.exe.log
  Filesize: 400B
  MD5: 0a9b4592cd49c3c21f6767c2dabda92f
  SHA1: f534297527ae5ccc0ecb2221ddeb8e58daeb8b74
  SHA256: c7effe9cb81a70d738dee863991afefab040290d4c4b78b4202383bcb9f88fcd
  SHA512: 6b878df474e5bbfb8e9e265f15a76560c2ef151dcebc6388c82d7f6f86ffaf83f5ade5a09f1842e493cb6c8fd63b0b88d088c728fd725f7139f965a5ee332307

- Filesize: 2KB
  MD5: 1cca24ab81c8b433dbf256fb95564a26
  SHA1: 565b8147705862cb0fff85591a48a9fa6859dc31
  SHA256: ca9af0bb473d3b51f7b47ddbd7ee75e8e88342ba35e169f3cd1666bf9176215a
  SHA512: 3bc3179fcc8e74da763a42401fa8e99d33a1181fda8f8695c4394a2bcc54690dd85b9d4b9ea59bfc7ddfbd6f1f055179bf79a93919d1e384e16f28029ea3e839