Analysis
max time kernel: 152s
max time network: 164s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27-11-2022 08:44
Behavioral task: behavioral1
Sample: c31a8d3b14394c36c39e4095d049a3404c835879559467d2a0c58b344104b4be.exe
Resource: win7-20220812-en
Behavioral task: behavioral2
Sample: c31a8d3b14394c36c39e4095d049a3404c835879559467d2a0c58b344104b4be.exe
Resource: win10v2004-20221111-en
General
Target: c31a8d3b14394c36c39e4095d049a3404c835879559467d2a0c58b344104b4be.exe
Size: 122KB
MD5: a4cd16ba3f51b62eb9ae3ac906a0a217
SHA1: 1472576b62096a1efe813d750d9a01b236744ccf
SHA256: c31a8d3b14394c36c39e4095d049a3404c835879559467d2a0c58b344104b4be
SHA512: 7d507f4645b23c971ed2230149295852ad9657ac537895f558dfe364ca0304aad2e9bc16f59dfe023eafab802899dce14f493349f1d5cb9c8de0a4d8071bb8fc
SSDEEP: 3072:TnDHH47khTSHz4dwqKdM6i4JGpZh37uLjudqz9d0kqC:TDn440zt46i4EruLorkr
Malware Config
Signatures
Sets DLL path for service in the registry (2 TTPs, 1 IoC)
Processes:
process: c31a8d3b14394c36c39e4095d049a3404c835879559467d2a0c58b344104b4be.exe
description: Set value (str)
ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\IPv6NetBrowsSvc\Parameters\ServiceDll = "C:\\Windows\\IPv6NetBrowsSvc.dll"
Processes:
resource: \??\c:\windows\ipv6netbrowssvc.dll, yara_rule: vmprotect
resource: C:\Windows\IPv6NetBrowsSvc.dll, yara_rule: vmprotect
resource: behavioral2/memory/1340-136-0x0000000000B80000-0x0000000000BBE000-memory.dmp, yara_rule: vmprotect
resource: behavioral2/memory/1432-137-0x0000000074D40000-0x0000000074D7E000-memory.dmp, yara_rule: vmprotect
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
process: c31a8d3b14394c36c39e4095d049a3404c835879559467d2a0c58b344104b4be.exe
description: Key value queried
ioc: \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation
Loads dropped DLL (1 IoC)
Processes:
pid: 1432, process: svchost.exe
Drops file in Windows directory (2 IoCs)
Processes:
process: c31a8d3b14394c36c39e4095d049a3404c835879559467d2a0c58b344104b4be.exe
description: File created
ioc: C:\Windows\IPv6NetBrowsSvc.dll
description: File opened for modification
ioc: C:\Windows\IPv6NetBrowsSvc.dll
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
description: PID 1340 wrote to memory of 2628, pid: 1340, process: c31a8d3b14394c36c39e4095d049a3404c835879559467d2a0c58b344104b4be.exe, target process: cmd.exe
description: PID 1340 wrote to memory of 2628, pid: 1340, process: c31a8d3b14394c36c39e4095d049a3404c835879559467d2a0c58b344104b4be.exe, target process: cmd.exe
description: PID 1340 wrote to memory of 2628, pid: 1340, process: c31a8d3b14394c36c39e4095d049a3404c835879559467d2a0c58b344104b4be.exe, target process: cmd.exe
Processes
C:\Users\Admin\AppData\Local\Temp\c31a8d3b14394c36c39e4095d049a3404c835879559467d2a0c58b344104b4be.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\c31a8d3b14394c36c39e4095d049a3404c835879559467d2a0c58b344104b4be.exe"
  - Sets DLL path for service in the registry
  - Checks computer location settings
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240564171.bat" "
C:\Windows\SysWOW64\svchost.exe
  command line: C:\Windows\SysWOW64\svchost.exe -k ipv6srvs -s IPv6NetBrowsSvc
  - Loads dropped DLL
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\240564171.bat
Filesize: 239B
MD5: a15d290b3309b3a213e7d8cedd69c80c
SHA1: 425c7d8a947312e5a7c5488b3bc7164152c86302
SHA256: 4e6945d142a9d540ab56bba8ad4ade40548419058ea99bb3f8a9ff2202463e1e
SHA512: fc2b24f7d6c2e29ba69f403bf29caffb727dcaee1634006f96d26da94738b28617bf4c992fb119145dae240bb9b3d3faac9a96fdf3ec012e4bcaa4882235ac6c

C:\Windows\IPv6NetBrowsSvc.dll
Filesize: 122KB
MD5: ec3ff629cffae31a51151e269616766e
SHA1: b9349c95ac65ddc2bb853bc901a2843a0c6fa3a1
SHA256: 0960d99080a5f6cdc78df9c0459972492d76fa556cba54834bda00ba6a755517
SHA512: 44b40fee331db75c8ebe10062813ce5777b97fb94e8c0c4322ff9ca978ab2b065ad6e77971f1325f1821bd4afa69fc0cba917009a44838940e586847e7991418

\??\c:\windows\ipv6netbrowssvc.dll
Filesize: 122KB
MD5: ec3ff629cffae31a51151e269616766e
SHA1: b9349c95ac65ddc2bb853bc901a2843a0c6fa3a1
SHA256: 0960d99080a5f6cdc78df9c0459972492d76fa556cba54834bda00ba6a755517
SHA512: 44b40fee331db75c8ebe10062813ce5777b97fb94e8c0c4322ff9ca978ab2b065ad6e77971f1325f1821bd4afa69fc0cba917009a44838940e586847e7991418

memory/1340-132-0x0000000000B81000-0x0000000000B84000-memory.dmp
Filesize: 12KB

memory/1340-136-0x0000000000B80000-0x0000000000BBE000-memory.dmp
Filesize: 248KB

memory/1432-135-0x0000000074D41000-0x0000000074D44000-memory.dmp
Filesize: 12KB

memory/1432-137-0x0000000074D40000-0x0000000074D7E000-memory.dmp
Filesize: 248KB

memory/2628-138-0x0000000000000000-mapping.dmp