Analysis
- max time kernel: 90s
- max time network: 156s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 27-11-2022 08:59
Static task: static1

Behavioral task: behavioral1
- Sample: 96e66719028bcc98ba86fef16ce7acd4a056c5143af9748a02a268380aedb29b.exe
- Resource: win7-20221111-en

Behavioral task: behavioral2
- Sample: 96e66719028bcc98ba86fef16ce7acd4a056c5143af9748a02a268380aedb29b.exe
- Resource: win10v2004-20220901-en
General
- Target: 96e66719028bcc98ba86fef16ce7acd4a056c5143af9748a02a268380aedb29b.exe
- Size: 2.1MB
- MD5: 459c65a890bd3c0f52be76b859ede9b9
- SHA1: b451cd2a3f1dfcc6cf54cb7d70d77026a7e657cc
- SHA256: 96e66719028bcc98ba86fef16ce7acd4a056c5143af9748a02a268380aedb29b
- SHA512: 6e02c8950c464df02b180206def791e4a95a1029a355125fdde0dbde6345efad8ef6ae03a24a5fd93a465c538f3d4d49df09599d91ee299f4caebaf0d891e151
- SSDEEP: 49152:xnI+3haRPkfiaYeSqVKGPzReJ6xXxaEcT9Y:p3haRU7VL9eUkv
Malware Config
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Processes: reg.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Roaming\\FolderName\\file.exe" | reg.exe

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: wscript.exe, 96e66719028bcc98ba86fef16ce7acd4a056c5143af9748a02a268380aedb29b.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | wscript.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | 96e66719028bcc98ba86fef16ce7acd4a056c5143af9748a02a268380aedb29b.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Delays execution with timeout.exe (1 IoC)
Processes: timeout.exe
  pid | process
  308 | timeout.exe

Suspicious behavior: EnumeratesProcesses (6 IoCs)
Processes: 96e66719028bcc98ba86fef16ce7acd4a056c5143af9748a02a268380aedb29b.exe
  pid | process
  5016 | 96e66719028bcc98ba86fef16ce7acd4a056c5143af9748a02a268380aedb29b.exe (this row is listed six times in the report)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes: 96e66719028bcc98ba86fef16ce7acd4a056c5143af9748a02a268380aedb29b.exe
  description | pid | process
  Token: SeDebugPrivilege | 5016 | 96e66719028bcc98ba86fef16ce7acd4a056c5143af9748a02a268380aedb29b.exe
  Token: 33 | 5016 | 96e66719028bcc98ba86fef16ce7acd4a056c5143af9748a02a268380aedb29b.exe
  Token: SeIncBasePriorityPrivilege | 5016 | 96e66719028bcc98ba86fef16ce7acd4a056c5143af9748a02a268380aedb29b.exe

Suspicious use of WriteProcessMemory (24 IoCs)
Processes: 96e66719028bcc98ba86fef16ce7acd4a056c5143af9748a02a268380aedb29b.exe, cmd.exe, wscript.exe, cmd.exe, cmd.exe
  description | pid | process | target process (each row is listed three times in the report)
  PID 5016 wrote to memory of 1804 | 5016 | 96e66719028bcc98ba86fef16ce7acd4a056c5143af9748a02a268380aedb29b.exe | cmd.exe
  PID 1804 wrote to memory of 528 | 1804 | cmd.exe | wscript.exe
  PID 5016 wrote to memory of 4300 | 5016 | 96e66719028bcc98ba86fef16ce7acd4a056c5143af9748a02a268380aedb29b.exe | svhost.exe
  PID 528 wrote to memory of 1688 | 528 | wscript.exe | cmd.exe
  PID 1688 wrote to memory of 2548 | 1688 | cmd.exe | reg.exe
  PID 5016 wrote to memory of 3584 | 5016 | 96e66719028bcc98ba86fef16ce7acd4a056c5143af9748a02a268380aedb29b.exe | cmd.exe
  PID 5016 wrote to memory of 2012 | 5016 | 96e66719028bcc98ba86fef16ce7acd4a056c5143af9748a02a268380aedb29b.exe | cmd.exe
  PID 3584 wrote to memory of 308 | 3584 | cmd.exe | timeout.exe
Processes

[depth 1] C:\Users\Admin\AppData\Local\Temp\96e66719028bcc98ba86fef16ce7acd4a056c5143af9748a02a268380aedb29b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\96e66719028bcc98ba86fef16ce7acd4a056c5143af9748a02a268380aedb29b.exe"
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  [depth 2] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\svhostf\svhost1.bat
    - Suspicious use of WriteProcessMemory

    [depth 3] C:\Windows\SysWOW64\wscript.exe
      Command line: wscript.exe "C:\Users\Admin\AppData\Roaming\svhostf\svhostvbs.vbs" "C:\Users\Admin\AppData\Roaming\svhostf\svhost2.bat"
      - Checks computer location settings
      - Suspicious use of WriteProcessMemory

      [depth 4] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\svhostf\svhost2.bat" "
        - Suspicious use of WriteProcessMemory

        [depth 5] C:\Windows\SysWOW64\reg.exe
          Command line: reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\FolderName\file.exe" /f
          - Modifies WinLogon for persistence

  [depth 2] C:\Users\Admin\AppData\Roaming\svhost.exe
    Command line: C:\Users\Admin\AppData\Roaming\svhost.exe

  [depth 2] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\FolderName\svhost.bat" "
    - Suspicious use of WriteProcessMemory

    [depth 3] C:\Windows\SysWOW64\timeout.exe
      Command line: timeout /t 300
      - Delays execution with timeout.exe

  [depth 2] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\FolderName\melt.bat
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
C:\Users\Admin\AppData\Roaming\FolderName\melt.bat
  Filesize: 120B
  MD5: 12d1029da36b488314dc35656866fca1
  SHA1: 377a3158efed61429e5a134004fe0162490af548
  SHA256: c44934690180852dd7b6a3230eedb38624d2344b5a58be79b1d2884ade85abf7
  SHA512: 47e6cddc99d615051c1a7b13c59bc595f2dce6441cc0d12dd47310e8ddc4a14a6f0e4f411fab25868588265b252e4f25e0f0cb4c990526e5bd644c15611b6f52

C:\Users\Admin\AppData\Roaming\FolderName\svhost.bat
  Filesize: 196B
  MD5: 181947f11b6ff0823cb276d1be9c20d4
  SHA1: 9c9abb2c164f7fb86b1bc1baa56930033e24756f
  SHA256: 664de7dcd9d4d660a229221649c99e9b0c2e475496cea7bc4aed0e51a97ccc1e
  SHA512: f043150d12dc52c7889ef6ee0ec8d1b111a4f54e62801c5804f42c645af57b0fbd757062a236c0da7402ee9ec7b83b9aeb4d49fe314b2fc03a1e3f5f689dbbbb

C:\Users\Admin\AppData\Roaming\svhostf\svhost1.bat
  Filesize: 77B
  MD5: 4d8611db3ae453d5d525a3fddb374566
  SHA1: 4ee9358a4fb6efd22c12d57c7c4ac1a9dcd5a138
  SHA256: 812220adf3859abc78b9139496a6a303c43d73a14edc6936c555b98dfd199c88
  SHA512: ef7a3d54734f37ab23bfc04bfd79b2ee1325e1c6f4885f57163e7df235974d5c4a5ca91cdb01dedea65167a5e996bf53aaebc1d17ec559fb8b9587a42456bb28

C:\Users\Admin\AppData\Roaming\svhostf\svhost2.bat
  Filesize: 270B
  MD5: 8d6cc7f171b92e2d9fab4e6a6d176fbd
  SHA1: 19352999592f94e1e6afdbe6af198447481fc4fa
  SHA256: 49812b971c53685525df0b4c072cbdbc816aeddb47a09e244a3417cbf903fb34
  SHA512: 11933ecd91aaac2f87f824e00efeb217171fe94eceb3a3a560ab5e405c635a9660b00293711a38c5993233cca0cfa6c36fd72ea2beeca633c84502c0a97cefb3

C:\Users\Admin\AppData\Roaming\svhostf\svhostvbs.vbs
  Filesize: 78B
  MD5: c578d9653b22800c3eb6b6a51219bbb8
  SHA1: a97aa251901bbe179a48dbc7a0c1872e163b1f2d
  SHA256: 20a98a7e6e137bb1b9bd5ef6911a479cb8eac925b80d6db4e70b19f62a40cce2
  SHA512: 3ae6dc8f02d1a78e1235a0782b632972da5a74ab32287cc41aa672d4fa4a9d34bb5fc50eba07b6915f2e61c402927cd5f6feeb7f7602afa2f64e91efb3b7fc4d
Memory dumps
- memory/308-146-0x0000000000000000-mapping.dmp
- memory/528-135-0x0000000000000000-mapping.dmp
- memory/1688-139-0x0000000000000000-mapping.dmp
- memory/1804-133-0x0000000000000000-mapping.dmp
- memory/2012-143-0x0000000000000000-mapping.dmp
- memory/2548-140-0x0000000000000000-mapping.dmp
- memory/3584-142-0x0000000000000000-mapping.dmp
- memory/4300-136-0x0000000000000000-mapping.dmp
- memory/5016-144-0x0000000074F90000-0x0000000075541000-memory.dmp (Filesize: 5.7MB)
- memory/5016-141-0x0000000074F90000-0x0000000075541000-memory.dmp (Filesize: 5.7MB)
- memory/5016-132-0x0000000074F90000-0x0000000075541000-memory.dmp (Filesize: 5.7MB)