Analysis
- max time kernel: 150s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 27-11-2022 04:49
Behavioral task: behavioral1
- Sample: 0c863e9e65cd0519860d4f39c32c58737f3e336d055a29afff8c4e84631685e7.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: 0c863e9e65cd0519860d4f39c32c58737f3e336d055a29afff8c4e84631685e7.exe
- Resource: win10v2004-20221111-en
General
- Target: 0c863e9e65cd0519860d4f39c32c58737f3e336d055a29afff8c4e84631685e7.exe
- Size: 106KB
- MD5: 3c8a36e0343d6a2af86560cba90095ea
- SHA1: 71fabc895b6036b5b4b2813138615e45b8e39717
- SHA256: 0c863e9e65cd0519860d4f39c32c58737f3e336d055a29afff8c4e84631685e7
- SHA512: fa00ed8c141615e10bffa461be51479d0905f69fe084ea961f09824625729833ed1742eeb3215944ab57fdacf6bc3e4938868b4db9d53a97a7e7d331b273c7f7
- SSDEEP: 3072:7YBjzosGnQpOe237XE35XeE79enCiM5cEwDjAS+R:XsGQwb37XE3ZeykGnqES+R
Malware Config
Signatures
- Sets DLL path for service in the registry (2 TTPs, 1 IoCs)
  Processes:
    description: Set value (str)
    ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\IPv6NetBrowsSvc\Parameters\ServiceDll = "C:\\Windows\\IPv6NetBrowsSvc.dll"
    process: 0c863e9e65cd0519860d4f39c32c58737f3e336d055a29afff8c4e84631685e7.exe
- Processes (resource / yara_rule):
    behavioral2/memory/1124-132-0x0000000000120000-0x0000000000156000-memory.dmp / vmprotect
    \??\c:\windows\ipv6netbrowssvc.dll / vmprotect
    C:\Windows\IPv6NetBrowsSvc.dll / vmprotect
    behavioral2/memory/4992-137-0x0000000074D20000-0x0000000074D56000-memory.dmp / vmprotect
    behavioral2/memory/1124-139-0x0000000000120000-0x0000000000156000-memory.dmp / vmprotect
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up the country code configured in the registry, likely a geofence.
  Processes:
    description: Key value queried
    ioc: \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation
    process: 0c863e9e65cd0519860d4f39c32c58737f3e336d055a29afff8c4e84631685e7.exe
- Loads dropped DLL (1 IoCs)
  Processes:
    pid: 4992
    process: svchost.exe
- Drops file in Windows directory (2 IoCs)
  Processes:
    description: File created
    ioc: C:\Windows\IPv6NetBrowsSvc.dll
    process: 0c863e9e65cd0519860d4f39c32c58737f3e336d055a29afff8c4e84631685e7.exe
    description: File opened for modification
    ioc: C:\Windows\IPv6NetBrowsSvc.dll
    process: 0c863e9e65cd0519860d4f39c32c58737f3e336d055a29afff8c4e84631685e7.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
    description: PID 1124 wrote to memory of 4688
    pid / process: 1124 / 0c863e9e65cd0519860d4f39c32c58737f3e336d055a29afff8c4e84631685e7.exe
    target process: cmd.exe
    description: PID 1124 wrote to memory of 4688
    pid / process: 1124 / 0c863e9e65cd0519860d4f39c32c58737f3e336d055a29afff8c4e84631685e7.exe
    target process: cmd.exe
    description: PID 1124 wrote to memory of 4688
    pid / process: 1124 / 0c863e9e65cd0519860d4f39c32c58737f3e336d055a29afff8c4e84631685e7.exe
    target process: cmd.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\0c863e9e65cd0519860d4f39c32c58737f3e336d055a29afff8c4e84631685e7.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0c863e9e65cd0519860d4f39c32c58737f3e336d055a29afff8c4e84631685e7.exe"
  - Sets DLL path for service in the registry
  - Checks computer location settings
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID: 1124
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240550484.bat" "
    PID: 4688
- C:\Windows\SysWOW64\svchost.exe
  Command line: C:\Windows\SysWOW64\svchost.exe -k ipv6srvs -s IPv6NetBrowsSvc
  - Loads dropped DLL
  PID: 4992
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\240550484.bat
  Filesize: 239B
  MD5: 99944b3683f56bb32a7156247e15451c
  SHA1: 88c3ee8e0279510f90e159f31afe40eb672bdb97
  SHA256: d4b369565b363f9261510d11e1837f4ac741b231b1f5b1016401bc4a5cc993a8
  SHA512: e984e7e9b5a8c3f2b69238043f76e1ac221046b5ac89a759e2543b07d71cdd4ea97d3bddc9e81b6fb0764f6e521bbe138ae7aace1d3e92d090991c9f3f1b531a
- C:\Windows\IPv6NetBrowsSvc.dll
  Filesize: 106KB
  MD5: 111b9b44c7602f3c559d10bbcc6d988a
  SHA1: ca1fcf8475e37286ce06fd70c1c7296fa3543ab7
  SHA256: a5eaa380ab0c3706375d74a3cca49a0cedca5a5132ea829aacef8222c6c33ff2
  SHA512: 10d8f2adb1b409adf177237de2b4311636498b148d92709a90fe4a28fd34ecdb17869fe6a16967255fdb264e476ce45f8bfdc9d4327d91fee6f352f08949f050
- \??\c:\windows\ipv6netbrowssvc.dll
  Filesize: 106KB
  MD5: 111b9b44c7602f3c559d10bbcc6d988a
  SHA1: ca1fcf8475e37286ce06fd70c1c7296fa3543ab7
  SHA256: a5eaa380ab0c3706375d74a3cca49a0cedca5a5132ea829aacef8222c6c33ff2
  SHA512: 10d8f2adb1b409adf177237de2b4311636498b148d92709a90fe4a28fd34ecdb17869fe6a16967255fdb264e476ce45f8bfdc9d4327d91fee6f352f08949f050
- memory/1124-132-0x0000000000120000-0x0000000000156000-memory.dmp
  Filesize: 216KB
- memory/1124-133-0x0000000000121000-0x0000000000124000-memory.dmp
  Filesize: 12KB
- memory/1124-139-0x0000000000120000-0x0000000000156000-memory.dmp
  Filesize: 216KB
- memory/4688-138-0x0000000000000000-mapping.dmp
- memory/4992-136-0x0000000074D21000-0x0000000074D24000-memory.dmp
  Filesize: 12KB
- memory/4992-137-0x0000000074D20000-0x0000000074D56000-memory.dmp
  Filesize: 216KB