0c863e9e65cd0519860d4f39c32c58737f3e336d055a29afff8c4e84631685e7

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
27-11-2022 04:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0c863e9e65cd0519860d4f39c32c58737f3e336d055a29afff8c4e84631685e7.exe
Size

106KB
MD5

3c8a36e0343d6a2af86560cba90095ea
SHA1

71fabc895b6036b5b4b2813138615e45b8e39717
SHA256

0c863e9e65cd0519860d4f39c32c58737f3e336d055a29afff8c4e84631685e7
SHA512

fa00ed8c141615e10bffa461be51479d0905f69fe084ea961f09824625729833ed1742eeb3215944ab57fdacf6bc3e4938868b4db9d53a97a7e7d331b273c7f7
SSDEEP

3072:7YBjzosGnQpOe237XE35XeE79enCiM5cEwDjAS+R:XsGQwb37XE3ZeykGnqES+R

Score

8^/10

persistence vmprotect

Malware Config

Signatures

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

0c863e9e65cd0519860d4f39c32c58737f3e336d055a29afff8c4e84631685e7.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\IPv6NetBrowsSvc\Parameters\ServiceDll = "C:\\Windows\\IPv6NetBrowsSvc.dll"	0c863e9e65cd0519860d4f39c32c58737f3e336d055a29afff8c4e84631685e7.exe

VMProtect packed file 5 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral2/memory/1124-132-0x0000000000120000-0x0000000000156000-memory.dmp	vmprotect
\??\c:\windows\ipv6netbrowssvc.dll	vmprotect
C:\Windows\IPv6NetBrowsSvc.dll	vmprotect
behavioral2/memory/4992-137-0x0000000074D20000-0x0000000074D56000-memory.dmp	vmprotect
behavioral2/memory/1124-139-0x0000000000120000-0x0000000000156000-memory.dmp	vmprotect

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

0c863e9e65cd0519860d4f39c32c58737f3e336d055a29afff8c4e84631685e7.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	0c863e9e65cd0519860d4f39c32c58737f3e336d055a29afff8c4e84631685e7.exe

Loads dropped DLL 1 IoCs

Processes:

svchost.exe

pid process

4992 svchost.exe

pid	process
4992	svchost.exe

Drops file in Windows directory 2 IoCs

Processes:

0c863e9e65cd0519860d4f39c32c58737f3e336d055a29afff8c4e84631685e7.exe

description	ioc	process
File created	C:\Windows\IPv6NetBrowsSvc.dll	0c863e9e65cd0519860d4f39c32c58737f3e336d055a29afff8c4e84631685e7.exe
File opened for modification	C:\Windows\IPv6NetBrowsSvc.dll	0c863e9e65cd0519860d4f39c32c58737f3e336d055a29afff8c4e84631685e7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

0c863e9e65cd0519860d4f39c32c58737f3e336d055a29afff8c4e84631685e7.exe

description	pid	process	target process
PID 1124 wrote to memory of 4688	1124	0c863e9e65cd0519860d4f39c32c58737f3e336d055a29afff8c4e84631685e7.exe	cmd.exe
PID 1124 wrote to memory of 4688	1124	0c863e9e65cd0519860d4f39c32c58737f3e336d055a29afff8c4e84631685e7.exe	cmd.exe
PID 1124 wrote to memory of 4688	1124	0c863e9e65cd0519860d4f39c32c58737f3e336d055a29afff8c4e84631685e7.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\0c863e9e65cd0519860d4f39c32c58737f3e336d055a29afff8c4e84631685e7.exe
"C:\Users\Admin\AppData\Local\Temp\0c863e9e65cd0519860d4f39c32c58737f3e336d055a29afff8c4e84631685e7.exe"
1⤵
- Sets DLL path for service in the registry
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1124

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240550484.bat" "
2⤵
PID:4688

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k ipv6srvs -s IPv6NetBrowsSvc
1⤵
- Loads dropped DLL
PID:4992

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\240550484.bat
Filesize
239B

MD5
99944b3683f56bb32a7156247e15451c

SHA1
88c3ee8e0279510f90e159f31afe40eb672bdb97

SHA256
d4b369565b363f9261510d11e1837f4ac741b231b1f5b1016401bc4a5cc993a8

SHA512
e984e7e9b5a8c3f2b69238043f76e1ac221046b5ac89a759e2543b07d71cdd4ea97d3bddc9e81b6fb0764f6e521bbe138ae7aace1d3e92d090991c9f3f1b531a

Download Submit
C:\Windows\IPv6NetBrowsSvc.dll
Filesize
106KB

MD5
111b9b44c7602f3c559d10bbcc6d988a

SHA1
ca1fcf8475e37286ce06fd70c1c7296fa3543ab7

SHA256
a5eaa380ab0c3706375d74a3cca49a0cedca5a5132ea829aacef8222c6c33ff2

SHA512
10d8f2adb1b409adf177237de2b4311636498b148d92709a90fe4a28fd34ecdb17869fe6a16967255fdb264e476ce45f8bfdc9d4327d91fee6f352f08949f050

Download Submit
\??\c:\windows\ipv6netbrowssvc.dll
Filesize
106KB

MD5
111b9b44c7602f3c559d10bbcc6d988a

SHA1
ca1fcf8475e37286ce06fd70c1c7296fa3543ab7

SHA256
a5eaa380ab0c3706375d74a3cca49a0cedca5a5132ea829aacef8222c6c33ff2

SHA512
10d8f2adb1b409adf177237de2b4311636498b148d92709a90fe4a28fd34ecdb17869fe6a16967255fdb264e476ce45f8bfdc9d4327d91fee6f352f08949f050

Download Submit
memory/1124-132-0x0000000000120000-0x0000000000156000-memory.dmp

Filesize
216KB

Download
memory/1124-133-0x0000000000121000-0x0000000000124000-memory.dmp

Filesize
12KB

Download
memory/1124-139-0x0000000000120000-0x0000000000156000-memory.dmp

Filesize
216KB

Download
memory/4688-138-0x0000000000000000-mapping.dmp

Download
memory/4992-136-0x0000000074D21000-0x0000000074D24000-memory.dmp

Filesize
12KB

Download
memory/4992-137-0x0000000074D20000-0x0000000074D56000-memory.dmp

Filesize
216KB

Download