Analysis
- max time kernel: 136s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 27-11-2022 08:44
Behavioral task: behavioral1
- Sample: c31a8d3b14394c36c39e4095d049a3404c835879559467d2a0c58b344104b4be.exe
- Resource: win7-20220812-en

Behavioral task: behavioral2
- Sample: c31a8d3b14394c36c39e4095d049a3404c835879559467d2a0c58b344104b4be.exe
- Resource: win10v2004-20221111-en
General
- Target: c31a8d3b14394c36c39e4095d049a3404c835879559467d2a0c58b344104b4be.exe
- Size: 122KB
- MD5: a4cd16ba3f51b62eb9ae3ac906a0a217
- SHA1: 1472576b62096a1efe813d750d9a01b236744ccf
- SHA256: c31a8d3b14394c36c39e4095d049a3404c835879559467d2a0c58b344104b4be
- SHA512: 7d507f4645b23c971ed2230149295852ad9657ac537895f558dfe364ca0304aad2e9bc16f59dfe023eafab802899dce14f493349f1d5cb9c8de0a4d8071bb8fc
- SSDEEP: 3072:TnDHH47khTSHz4dwqKdM6i4JGpZh37uLjudqz9d0kqC:TDn440zt46i4EruLorkr
Malware Config
Signatures
- Sets DLL path for service in the registry (2 TTPs, 1 IoCs)
  Processes:
    description: Set value (str)
    ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\IPv6NetBrowsSvc\Parameters\ServiceDll = "C:\\Windows\\IPv6NetBrowsSvc.dll"
    process: c31a8d3b14394c36c39e4095d049a3404c835879559467d2a0c58b344104b4be.exe
- Processes (resource | yara_rule):
    \??\c:\windows\ipv6netbrowssvc.dll | vmprotect
    behavioral1/memory/288-59-0x0000000000210000-0x000000000024E000-memory.dmp | vmprotect
    behavioral1/memory/876-61-0x0000000074DD0000-0x0000000074E0E000-memory.dmp | vmprotect
    behavioral1/memory/876-62-0x0000000074DD0000-0x0000000074E0E000-memory.dmp | vmprotect
- Deletes itself (1 IoCs)
  Processes:
    pid: 1952
    process: cmd.exe
- Drops file in Windows directory (2 IoCs)
  Processes (description | ioc | process):
    File created | C:\Windows\IPv6NetBrowsSvc.dll | c31a8d3b14394c36c39e4095d049a3404c835879559467d2a0c58b344104b4be.exe
    File opened for modification | C:\Windows\IPv6NetBrowsSvc.dll | c31a8d3b14394c36c39e4095d049a3404c835879559467d2a0c58b344104b4be.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes (description | pid | process | target process):
    PID 288 wrote to memory of 1952 | 288 | c31a8d3b14394c36c39e4095d049a3404c835879559467d2a0c58b344104b4be.exe | cmd.exe
    PID 288 wrote to memory of 1952 | 288 | c31a8d3b14394c36c39e4095d049a3404c835879559467d2a0c58b344104b4be.exe | cmd.exe
    PID 288 wrote to memory of 1952 | 288 | c31a8d3b14394c36c39e4095d049a3404c835879559467d2a0c58b344104b4be.exe | cmd.exe
    PID 288 wrote to memory of 1952 | 288 | c31a8d3b14394c36c39e4095d049a3404c835879559467d2a0c58b344104b4be.exe | cmd.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\c31a8d3b14394c36c39e4095d049a3404c835879559467d2a0c58b344104b4be.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\c31a8d3b14394c36c39e4095d049a3404c835879559467d2a0c58b344104b4be.exe"
  - Sets DLL path for service in the registry
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\7069528.bat" "
    - Deletes itself
- C:\Windows\SysWOW64\svchost.exe
  command line: C:\Windows\SysWOW64\svchost.exe -k ipv6srvs
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\7069528.bat
  Filesize: 239B
  MD5: a15d290b3309b3a213e7d8cedd69c80c
  SHA1: 425c7d8a947312e5a7c5488b3bc7164152c86302
  SHA256: 4e6945d142a9d540ab56bba8ad4ade40548419058ea99bb3f8a9ff2202463e1e
  SHA512: fc2b24f7d6c2e29ba69f403bf29caffb727dcaee1634006f96d26da94738b28617bf4c992fb119145dae240bb9b3d3faac9a96fdf3ec012e4bcaa4882235ac6c
- \??\c:\windows\ipv6netbrowssvc.dll
  Filesize: 122KB
  MD5: ec3ff629cffae31a51151e269616766e
  SHA1: b9349c95ac65ddc2bb853bc901a2843a0c6fa3a1
  SHA256: 0960d99080a5f6cdc78df9c0459972492d76fa556cba54834bda00ba6a755517
  SHA512: 44b40fee331db75c8ebe10062813ce5777b97fb94e8c0c4322ff9ca978ab2b065ad6e77971f1325f1821bd4afa69fc0cba917009a44838940e586847e7991418
- memory/288-54-0x0000000000211000-0x0000000000214000-memory.dmp
  Filesize: 12KB
- memory/288-56-0x0000000075B11000-0x0000000075B13000-memory.dmp
  Filesize: 8KB
- memory/288-59-0x0000000000210000-0x000000000024E000-memory.dmp
  Filesize: 248KB
- memory/876-57-0x0000000074DD1000-0x0000000074DD4000-memory.dmp
  Filesize: 12KB
- memory/876-61-0x0000000074DD0000-0x0000000074E0E000-memory.dmp
  Filesize: 248KB
- memory/876-62-0x0000000074DD0000-0x0000000074E0E000-memory.dmp
  Filesize: 248KB
- memory/1952-58-0x0000000000000000-mapping.dmp