9729fc0fbd9f4d852a3b8ce4bdf4a597d975157c0e630f369ba59d1b54103d3e

Analysis

max time kernel
142s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
27/11/2022, 05:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9729fc0fbd9f4d852a3b8ce4bdf4a597d975157c0e630f369ba59d1b54103d3e.exe
Size

119KB
MD5

e1dee1860541daace30226cc7713af59
SHA1

11019d87f2ec831990ca224625ce0a73bb20971d
SHA256

9729fc0fbd9f4d852a3b8ce4bdf4a597d975157c0e630f369ba59d1b54103d3e
SHA512

cc6d258e56f0f58a0e55d367e79d51a36dd50b8c91fb71b1a83820900848cad74adbc516d4e31c5f850934a842da9790e439c64cdbf6f5daf98992f16c4152d8
SSDEEP

3072:WgXdZt9P6D3XJt45i/WMGBBwI2Tf6uvlMAqDXlB8tapZ:We343v3GBBwIpUeXctSZ

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3444	shut.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	9729fc0fbd9f4d852a3b8ce4bdf4a597d975157c0e630f369ba59d1b54103d3e.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\shut\English.ini	9729fc0fbd9f4d852a3b8ce4bdf4a597d975157c0e630f369ba59d1b54103d3e.exe
File created	C:\Program Files (x86)\shut\shut1.exe	9729fc0fbd9f4d852a3b8ce4bdf4a597d975157c0e630f369ba59d1b54103d3e.exe
File created	C:\Program Files (x86)\shut\shut.exe	9729fc0fbd9f4d852a3b8ce4bdf4a597d975157c0e630f369ba59d1b54103d3e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3444	shut.exe
3444	shut.exe
3444	shut.exe
3444	shut.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1832 wrote to memory of 3444	1832	9729fc0fbd9f4d852a3b8ce4bdf4a597d975157c0e630f369ba59d1b54103d3e.exe	83
PID 1832 wrote to memory of 3444	1832	9729fc0fbd9f4d852a3b8ce4bdf4a597d975157c0e630f369ba59d1b54103d3e.exe	83
PID 1832 wrote to memory of 3444	1832	9729fc0fbd9f4d852a3b8ce4bdf4a597d975157c0e630f369ba59d1b54103d3e.exe	83

C:\Users\Admin\AppData\Local\Temp\9729fc0fbd9f4d852a3b8ce4bdf4a597d975157c0e630f369ba59d1b54103d3e.exe
"C:\Users\Admin\AppData\Local\Temp\9729fc0fbd9f4d852a3b8ce4bdf4a597d975157c0e630f369ba59d1b54103d3e.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1832
- C:\Program Files (x86)\shut\shut.exe
  "C:\Program Files (x86)\shut\shut.exe" SW_HIDE
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3444

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\shut\shut.exe

Filesize
92KB

MD5
9d56a539ecb5589819130db0c2971d49

SHA1
7adb837181e4cf8716a1d58e16872c7d2e1bc60b

SHA256
17937d378e9cee5c9cd4412d812465c2fea3de172885b922e57207664b1e0078

SHA512
5024bee06fbb3d2b21ee9234b15c707d89b570416d3bfd07d9beb60046ba8dbcc3abcd5ef1318fc293565c1eb42c0da83255d7bad72085ada609d4147c8966ef

Download Submit
C:\Program Files (x86)\shut\shut.exe

Filesize
92KB

MD5
9d56a539ecb5589819130db0c2971d49

SHA1
7adb837181e4cf8716a1d58e16872c7d2e1bc60b

SHA256
17937d378e9cee5c9cd4412d812465c2fea3de172885b922e57207664b1e0078

SHA512
5024bee06fbb3d2b21ee9234b15c707d89b570416d3bfd07d9beb60046ba8dbcc3abcd5ef1318fc293565c1eb42c0da83255d7bad72085ada609d4147c8966ef

Download Submit