Analysis

max time kernel: 154s
max time network: 158s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27/11/2022, 04:56

Static task: static1

Behavioral task: behavioral1
  Sample: 4a3a4dcda0532f1521ae8ebe5efe7ae77c0e51b03c85e46edbc08c9e012ad879.exe
  Resource: win7-20221111-en

Behavioral task: behavioral2
  Sample: 4a3a4dcda0532f1521ae8ebe5efe7ae77c0e51b03c85e46edbc08c9e012ad879.exe
  Resource: win10v2004-20221111-en
General

Target: 4a3a4dcda0532f1521ae8ebe5efe7ae77c0e51b03c85e46edbc08c9e012ad879.exe
Size: 283KB
MD5: 2fd3124d005d926474b37989e761b5d7
SHA1: 7672db2950da80660eb40e5715c42b6a0d55cff8
SHA256: 4a3a4dcda0532f1521ae8ebe5efe7ae77c0e51b03c85e46edbc08c9e012ad879
SHA512: cf3cffe8dd67473c8cdf4b76cf4126623ed5b8a460f6c8236bde992c28a3a94e49464fb649cfdd36870b7878f160740f381a15ed4ed2c09cd976a3b833ab34ec
SSDEEP: 6144:Ty2np1+qX4GIELmfaPPeSm/FGPOG/bKux27:Ty2nP+qX43E6CPPeSmGpxc
Malware Config
Signatures

Executes dropped EXE (1 IoC)
  pid   Process
  2972  svhost.exe

Modifies Windows Firewall (1 TTP, 1 IoC)
  pid   Process
  1828  netsh.exe

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation
  Process: 4a3a4dcda0532f1521ae8ebe5efe7ae77c0e51b03c85e46edbc08c9e012ad879.exe

Drops startup file (2 IoCs)
  description: File created
  ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b5857819bb096c04134249d6f4e71934.exe
  Process: svhost.exe

  description: File opened for modification
  ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b5857819bb096c04134249d6f4e71934.exe
  Process: svhost.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\b5857819bb096c04134249d6f4e71934 = "\"C:\\Users\\Admin\\AppData\\Roaming\\svhost.exe\" .."
  Process: svhost.exe

  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\b5857819bb096c04134249d6f4e71934 = "\"C:\\Users\\Admin\\AppData\\Roaming\\svhost.exe\" .."
  Process: svhost.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (42 IoCs)
  pid   Process
  2972  svhost.exe  (42 identical entries)

Suspicious use of AdjustPrivilegeToken (10 IoCs)
  description                         pid   Process
  Token: SeDebugPrivilege             60    4a3a4dcda0532f1521ae8ebe5efe7ae77c0e51b03c85e46edbc08c9e012ad879.exe
  Token: 33                           60    4a3a4dcda0532f1521ae8ebe5efe7ae77c0e51b03c85e46edbc08c9e012ad879.exe
  Token: SeIncBasePriorityPrivilege   60    4a3a4dcda0532f1521ae8ebe5efe7ae77c0e51b03c85e46edbc08c9e012ad879.exe
  Token: 33                           60    4a3a4dcda0532f1521ae8ebe5efe7ae77c0e51b03c85e46edbc08c9e012ad879.exe
  Token: SeIncBasePriorityPrivilege   60    4a3a4dcda0532f1521ae8ebe5efe7ae77c0e51b03c85e46edbc08c9e012ad879.exe
  Token: SeDebugPrivilege             2972  svhost.exe
  Token: 33                           2972  svhost.exe
  Token: SeIncBasePriorityPrivilege   2972  svhost.exe
  Token: 33                           2972  svhost.exe
  Token: SeIncBasePriorityPrivilege   2972  svhost.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  description                       pid   Process                                                                 procid_target
  PID 60 wrote to memory of 2972    60    4a3a4dcda0532f1521ae8ebe5efe7ae77c0e51b03c85e46edbc08c9e012ad879.exe   84
  PID 60 wrote to memory of 2972    60    4a3a4dcda0532f1521ae8ebe5efe7ae77c0e51b03c85e46edbc08c9e012ad879.exe   84
  PID 60 wrote to memory of 2972    60    4a3a4dcda0532f1521ae8ebe5efe7ae77c0e51b03c85e46edbc08c9e012ad879.exe   84
  PID 2972 wrote to memory of 1828  2972  svhost.exe                                                              85
  PID 2972 wrote to memory of 1828  2972  svhost.exe                                                              85
  PID 2972 wrote to memory of 1828  2972  svhost.exe                                                              85
Processes

1. C:\Users\Admin\AppData\Local\Temp\4a3a4dcda0532f1521ae8ebe5efe7ae77c0e51b03c85e46edbc08c9e012ad879.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\4a3a4dcda0532f1521ae8ebe5efe7ae77c0e51b03c85e46edbc08c9e012ad879.exe"
   PID: 60
   - Checks computer location settings
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Roaming\svhost.exe
      Command line: "C:\Users\Admin\AppData\Roaming\svhost.exe"
      PID: 2972
      - Executes dropped EXE
      - Drops startup file
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\netsh.exe
         Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\svhost.exe" "svhost.exe" ENABLE
         PID: 1828
         - Modifies Windows Firewall
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 283KB
MD5: 2fd3124d005d926474b37989e761b5d7
SHA1: 7672db2950da80660eb40e5715c42b6a0d55cff8
SHA256: 4a3a4dcda0532f1521ae8ebe5efe7ae77c0e51b03c85e46edbc08c9e012ad879
SHA512: cf3cffe8dd67473c8cdf4b76cf4126623ed5b8a460f6c8236bde992c28a3a94e49464fb649cfdd36870b7878f160740f381a15ed4ed2c09cd976a3b833ab34ec