Analysis
max time kernel: 181s
max time network: 201s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27-11-2022 12:32
Behavioral task: behavioral1
Sample: 5a3ffc6a89772bf529cd4dd8df0ac340db29974f000120ccfab2b2ae267abbb3.exe
Resource: win7-20220901-en
Behavioral task: behavioral2
Sample: 5a3ffc6a89772bf529cd4dd8df0ac340db29974f000120ccfab2b2ae267abbb3.exe
Resource: win10v2004-20220812-en
General
Target: 5a3ffc6a89772bf529cd4dd8df0ac340db29974f000120ccfab2b2ae267abbb3.exe
Size: 122KB
MD5: 9af7d469610185bfa0d6b4e420339f4e
SHA1: 1c51549da0de81a4bca01859323ce8c6d84d5c15
SHA256: 5a3ffc6a89772bf529cd4dd8df0ac340db29974f000120ccfab2b2ae267abbb3
SHA512: b499d355ccb783213936a62b19a060a28dc141ddd5b5c0875837b7d13551990fb3368204d518f25834f3305aac7f5673d9cee4bba760853298eb490b155fabaf
SSDEEP: 3072:bnDHH47khTSHz4dwqKdM6i4JGpZh37uLjudqz9d0kj:bDn440zt46i4EruLorkj
Malware Config
Signatures
Sets DLL path for service in the registry (2 TTPs, 1 IoCs)
Processes:
  process: 5a3ffc6a89772bf529cd4dd8df0ac340db29974f000120ccfab2b2ae267abbb3.exe
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\IPv6NetBrowsSvc\Parameters\ServiceDll = "C:\\Windows\\IPv6NetBrowsSvc.dll"

Processes (yara_rule matches):
  resource: behavioral2/memory/5024-134-0x0000000000590000-0x00000000005CE000-memory.dmp  yara_rule: vmprotect
  resource: \??\c:\windows\ipv6netbrowssvc.dll  yara_rule: vmprotect
  resource: C:\Windows\IPv6NetBrowsSvc.dll  yara_rule: vmprotect
  resource: behavioral2/memory/2012-137-0x0000000075330000-0x000000007536E000-memory.dmp  yara_rule: vmprotect
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
  process: 5a3ffc6a89772bf529cd4dd8df0ac340db29974f000120ccfab2b2ae267abbb3.exe
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation
Loads dropped DLL (1 IoCs)
Processes:
  process: svchost.exe  pid: 2012

Drops file in Windows directory (2 IoCs)
Processes:
  process: 5a3ffc6a89772bf529cd4dd8df0ac340db29974f000120ccfab2b2ae267abbb3.exe
  description: File created
  ioc: C:\Windows\IPv6NetBrowsSvc.dll
  process: 5a3ffc6a89772bf529cd4dd8df0ac340db29974f000120ccfab2b2ae267abbb3.exe
  description: File opened for modification
  ioc: C:\Windows\IPv6NetBrowsSvc.dll
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
  description: PID 5024 wrote to memory of 4764  pid: 5024  process: 5a3ffc6a89772bf529cd4dd8df0ac340db29974f000120ccfab2b2ae267abbb3.exe  target process: cmd.exe
  description: PID 5024 wrote to memory of 4764  pid: 5024  process: 5a3ffc6a89772bf529cd4dd8df0ac340db29974f000120ccfab2b2ae267abbb3.exe  target process: cmd.exe
  description: PID 5024 wrote to memory of 4764  pid: 5024  process: 5a3ffc6a89772bf529cd4dd8df0ac340db29974f000120ccfab2b2ae267abbb3.exe  target process: cmd.exe
Processes
C:\Users\Admin\AppData\Local\Temp\5a3ffc6a89772bf529cd4dd8df0ac340db29974f000120ccfab2b2ae267abbb3.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\5a3ffc6a89772bf529cd4dd8df0ac340db29974f000120ccfab2b2ae267abbb3.exe"
  - Sets DLL path for service in the registry
  - Checks computer location settings
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240596937.bat" "
C:\Windows\SysWOW64\svchost.exe
  command line: C:\Windows\SysWOW64\svchost.exe -k ipv6srvs -s IPv6NetBrowsSvc
  - Loads dropped DLL
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\240596937.bat
  Filesize: 239B
  MD5: e79295a8ba3543bf6d83f719f04cecf5
  SHA1: 6d8b90be415574cf4595c85b37f893a7f3db43e7
  SHA256: a607d3b4eba492ee3b5ffe3aac905cbd630d941c030fb708564e1785c6b245b3
  SHA512: 0031bd4e5f2406fbe4b40bfd1ed02f4dd6fe2e5399e518e522fc5e6259bd66103895cd85fac57c365aa78dde1b702f172f99d4e5494134c59193a821af0008a4
C:\Windows\IPv6NetBrowsSvc.dll
  Filesize: 122KB
  MD5: f5c0cd8596067d010931807fe58b12b2
  SHA1: 41b1683201e8d2b8d75f373f70dfbe8da9a23c5d
  SHA256: dad6637987c41070b47175704fc4994f25bae0d6e7614dbc032ffc08d2eb5725
  SHA512: d824978060bfdadd7feb95b81d033599efadd034283d5cb464afeb546292043323d003ef51ad50910444e80988e9911b3a2eb8dacb2e9b007a1555d5a7c688c4
\??\c:\windows\ipv6netbrowssvc.dll
  Filesize: 122KB
  MD5: f5c0cd8596067d010931807fe58b12b2
  SHA1: 41b1683201e8d2b8d75f373f70dfbe8da9a23c5d
  SHA256: dad6637987c41070b47175704fc4994f25bae0d6e7614dbc032ffc08d2eb5725
  SHA512: d824978060bfdadd7feb95b81d033599efadd034283d5cb464afeb546292043323d003ef51ad50910444e80988e9911b3a2eb8dacb2e9b007a1555d5a7c688c4
memory/2012-136-0x0000000075331000-0x0000000075334000-memory.dmp
  Filesize: 12KB
memory/2012-137-0x0000000075330000-0x000000007536E000-memory.dmp
  Filesize: 248KB
memory/4764-138-0x0000000000000000-mapping.dmp
memory/5024-132-0x0000000000591000-0x0000000000594000-memory.dmp
  Filesize: 12KB
memory/5024-134-0x0000000000590000-0x00000000005CE000-memory.dmp
  Filesize: 248KB