c31a8d3b14394c36c39e4095d049a3404c835879559467d2a0c58b344104b4be

Analysis

max time kernel
152s
max time network
164s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
27-11-2022 08:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c31a8d3b14394c36c39e4095d049a3404c835879559467d2a0c58b344104b4be.exe
Size

122KB
MD5

a4cd16ba3f51b62eb9ae3ac906a0a217
SHA1

1472576b62096a1efe813d750d9a01b236744ccf
SHA256

c31a8d3b14394c36c39e4095d049a3404c835879559467d2a0c58b344104b4be
SHA512

7d507f4645b23c971ed2230149295852ad9657ac537895f558dfe364ca0304aad2e9bc16f59dfe023eafab802899dce14f493349f1d5cb9c8de0a4d8071bb8fc
SSDEEP

3072:TnDHH47khTSHz4dwqKdM6i4JGpZh37uLjudqz9d0kqC:TDn440zt46i4EruLorkr

Score

8^/10

persistence vmprotect

Malware Config

Signatures

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

c31a8d3b14394c36c39e4095d049a3404c835879559467d2a0c58b344104b4be.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\IPv6NetBrowsSvc\Parameters\ServiceDll = "C:\\Windows\\IPv6NetBrowsSvc.dll"	c31a8d3b14394c36c39e4095d049a3404c835879559467d2a0c58b344104b4be.exe

VMProtect packed file 4 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
\??\c:\windows\ipv6netbrowssvc.dll	vmprotect
C:\Windows\IPv6NetBrowsSvc.dll	vmprotect
behavioral2/memory/1340-136-0x0000000000B80000-0x0000000000BBE000-memory.dmp	vmprotect
behavioral2/memory/1432-137-0x0000000074D40000-0x0000000074D7E000-memory.dmp	vmprotect

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

c31a8d3b14394c36c39e4095d049a3404c835879559467d2a0c58b344104b4be.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	c31a8d3b14394c36c39e4095d049a3404c835879559467d2a0c58b344104b4be.exe

Loads dropped DLL 1 IoCs

Processes:

svchost.exe

pid process

1432 svchost.exe

pid	process
1432	svchost.exe

Drops file in Windows directory 2 IoCs

Processes:

c31a8d3b14394c36c39e4095d049a3404c835879559467d2a0c58b344104b4be.exe

description	ioc	process
File created	C:\Windows\IPv6NetBrowsSvc.dll	c31a8d3b14394c36c39e4095d049a3404c835879559467d2a0c58b344104b4be.exe
File opened for modification	C:\Windows\IPv6NetBrowsSvc.dll	c31a8d3b14394c36c39e4095d049a3404c835879559467d2a0c58b344104b4be.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

c31a8d3b14394c36c39e4095d049a3404c835879559467d2a0c58b344104b4be.exe

description	pid	process	target process
PID 1340 wrote to memory of 2628	1340	c31a8d3b14394c36c39e4095d049a3404c835879559467d2a0c58b344104b4be.exe	cmd.exe
PID 1340 wrote to memory of 2628	1340	c31a8d3b14394c36c39e4095d049a3404c835879559467d2a0c58b344104b4be.exe	cmd.exe
PID 1340 wrote to memory of 2628	1340	c31a8d3b14394c36c39e4095d049a3404c835879559467d2a0c58b344104b4be.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\c31a8d3b14394c36c39e4095d049a3404c835879559467d2a0c58b344104b4be.exe
"C:\Users\Admin\AppData\Local\Temp\c31a8d3b14394c36c39e4095d049a3404c835879559467d2a0c58b344104b4be.exe"
1⤵
- Sets DLL path for service in the registry
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1340

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240564171.bat" "
2⤵
PID:2628

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k ipv6srvs -s IPv6NetBrowsSvc
1⤵
- Loads dropped DLL
PID:1432

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\240564171.bat
Filesize
239B

MD5
a15d290b3309b3a213e7d8cedd69c80c

SHA1
425c7d8a947312e5a7c5488b3bc7164152c86302

SHA256
4e6945d142a9d540ab56bba8ad4ade40548419058ea99bb3f8a9ff2202463e1e

SHA512
fc2b24f7d6c2e29ba69f403bf29caffb727dcaee1634006f96d26da94738b28617bf4c992fb119145dae240bb9b3d3faac9a96fdf3ec012e4bcaa4882235ac6c

Download Submit
C:\Windows\IPv6NetBrowsSvc.dll
Filesize
122KB

MD5
ec3ff629cffae31a51151e269616766e

SHA1
b9349c95ac65ddc2bb853bc901a2843a0c6fa3a1

SHA256
0960d99080a5f6cdc78df9c0459972492d76fa556cba54834bda00ba6a755517

SHA512
44b40fee331db75c8ebe10062813ce5777b97fb94e8c0c4322ff9ca978ab2b065ad6e77971f1325f1821bd4afa69fc0cba917009a44838940e586847e7991418

Download Submit
\??\c:\windows\ipv6netbrowssvc.dll
Filesize
122KB

MD5
ec3ff629cffae31a51151e269616766e

SHA1
b9349c95ac65ddc2bb853bc901a2843a0c6fa3a1

SHA256
0960d99080a5f6cdc78df9c0459972492d76fa556cba54834bda00ba6a755517

SHA512
44b40fee331db75c8ebe10062813ce5777b97fb94e8c0c4322ff9ca978ab2b065ad6e77971f1325f1821bd4afa69fc0cba917009a44838940e586847e7991418

Download Submit
memory/1340-132-0x0000000000B81000-0x0000000000B84000-memory.dmp

Filesize
12KB

Download
memory/1340-136-0x0000000000B80000-0x0000000000BBE000-memory.dmp

Filesize
248KB

Download
memory/1432-135-0x0000000074D41000-0x0000000074D44000-memory.dmp

Filesize
12KB

Download
memory/1432-137-0x0000000074D40000-0x0000000074D7E000-memory.dmp

Filesize
248KB

Download
memory/2628-138-0x0000000000000000-mapping.dmp

Download