Overview

overview

10

Static

static

021c586a2c...c0.exe

windows7-x64

10

021c586a2c...c0.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    157s
  • max time network
    118s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28/11/2022, 01:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    021c586a2cd7d499d6ad5cf59e8f0d5d2babea0a061bb05e3ba07acd24adf8c0.exe

  • Size

    68KB

  • MD5

    a104334f091fba128807dcf115819720

  • SHA1

    ab4dee275193e7a0f2a19f71cfc6d0f69692f424

  • SHA256

    021c586a2cd7d499d6ad5cf59e8f0d5d2babea0a061bb05e3ba07acd24adf8c0

  • SHA512

    bda7359cc600a26a40f252ff52f36a83605de71adef15c87c4a0fb4cfb5d2f2b1ae633b4549aceaedfa6a69101bdab32571bea2eb283f553a14ae2faf036e34e

  • SSDEEP

    768:rdsv/UDO00cfykvw8qqOve3ZVrt2F0mv9PIKr5LQ6hZDyVYUv5m/668OWQHYNnds:qeO00cdVrMFjdF5L7hov5Ex4Br+KkCKT

Score
10/10
persistence

Malware Config

Signatures

  • Modifies system executable filetype association 2 TTPs 1 IoCs
    persistence
  • Executes dropped EXE 3 IoCs
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops file in Windows directory 10 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 24 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\021c586a2cd7d499d6ad5cf59e8f0d5d2babea0a061bb05e3ba07acd24adf8c0.exe
    "C:\Users\Admin\AppData\Local\Temp\021c586a2cd7d499d6ad5cf59e8f0d5d2babea0a061bb05e3ba07acd24adf8c0.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Windows directory
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4748
    • C:\Windows\winlog.exe
      "C:\Windows\winlog.exe"
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2828
      • C:\Windows\SP00LSV.EXE
        "C:\Windows\SP00LSV.EXE"
        3⤵
        • Modifies system executable filetype association
        • Executes dropped EXE
        • Checks computer location settings
        • Drops file in Windows directory
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4836
        • C:\Windows\SVCH0ST.EXE
          "C:\Windows\SVCH0ST.EXE"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          PID:1860

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\SP00LSV.EXE
    Filesize

    19KB

    MD5

    836d2fa36f768019167b6ac48f58bdad

    SHA1

    9e5ed6d4c78c64a09c8c1804f0c68ae0b225ad1b

    SHA256

    9b387db163f089f6ed9700a96c49899edf59d20a2215d9e4970601eb905f2c72

    SHA512

    774563e0d923f2dffa82b7f14d07bf318b7845398aa384d8a278693a67cf548754c3288e92a4f5d339aecc90484e6a87b0eea7abf59a89918cc37148edb8a102

    Download Submit

  • C:\Windows\SP00LSV.EXE
    Filesize

    19KB

    MD5

    836d2fa36f768019167b6ac48f58bdad

    SHA1

    9e5ed6d4c78c64a09c8c1804f0c68ae0b225ad1b

    SHA256

    9b387db163f089f6ed9700a96c49899edf59d20a2215d9e4970601eb905f2c72

    SHA512

    774563e0d923f2dffa82b7f14d07bf318b7845398aa384d8a278693a67cf548754c3288e92a4f5d339aecc90484e6a87b0eea7abf59a89918cc37148edb8a102

    Download Submit

  • C:\Windows\SVCH0ST.EXE
    Filesize

    19KB

    MD5

    836d2fa36f768019167b6ac48f58bdad

    SHA1

    9e5ed6d4c78c64a09c8c1804f0c68ae0b225ad1b

    SHA256

    9b387db163f089f6ed9700a96c49899edf59d20a2215d9e4970601eb905f2c72

    SHA512

    774563e0d923f2dffa82b7f14d07bf318b7845398aa384d8a278693a67cf548754c3288e92a4f5d339aecc90484e6a87b0eea7abf59a89918cc37148edb8a102

    Download Submit

  • C:\Windows\SVCH0ST.EXE
    Filesize

    19KB

    MD5

    836d2fa36f768019167b6ac48f58bdad

    SHA1

    9e5ed6d4c78c64a09c8c1804f0c68ae0b225ad1b

    SHA256

    9b387db163f089f6ed9700a96c49899edf59d20a2215d9e4970601eb905f2c72

    SHA512

    774563e0d923f2dffa82b7f14d07bf318b7845398aa384d8a278693a67cf548754c3288e92a4f5d339aecc90484e6a87b0eea7abf59a89918cc37148edb8a102

    Download Submit

  • C:\Windows\winlog.EXE
    Filesize

    68KB

    MD5

    a104334f091fba128807dcf115819720

    SHA1

    ab4dee275193e7a0f2a19f71cfc6d0f69692f424

    SHA256

    021c586a2cd7d499d6ad5cf59e8f0d5d2babea0a061bb05e3ba07acd24adf8c0

    SHA512

    bda7359cc600a26a40f252ff52f36a83605de71adef15c87c4a0fb4cfb5d2f2b1ae633b4549aceaedfa6a69101bdab32571bea2eb283f553a14ae2faf036e34e

    Download Submit

  • C:\Windows\winlog.exe
    Filesize

    68KB

    MD5

    a104334f091fba128807dcf115819720

    SHA1

    ab4dee275193e7a0f2a19f71cfc6d0f69692f424

    SHA256

    021c586a2cd7d499d6ad5cf59e8f0d5d2babea0a061bb05e3ba07acd24adf8c0

    SHA512

    bda7359cc600a26a40f252ff52f36a83605de71adef15c87c4a0fb4cfb5d2f2b1ae633b4549aceaedfa6a69101bdab32571bea2eb283f553a14ae2faf036e34e

    Download Submit

  • memory/1860-152-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1860-154-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1860-155-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4836-142-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4836-145-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4836-153-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB

    Download