Analysis

  • max time kernel
    362s
  • max time network
    407s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28/11/2022, 04:44

General

  • Target

    02640f2a7121d7bf1ac55ddb5fa44bbaaadb76cc00925555a506a52639fcaf8e.exe

  • Size

    690KB

  • MD5

    adcaa924811a0fe41126f8c12349c7cc

  • SHA1

    f6591b78a64f5815ddca7f58868fdd253ae1b964

  • SHA256

    02640f2a7121d7bf1ac55ddb5fa44bbaaadb76cc00925555a506a52639fcaf8e

  • SHA512

    d4d49e51aa59693d65697bc91c2c8cee0f5aecc65cd5419552bb27d1798aab6ba2cacc086a8ec3fa865115d090d4d6bda889a45df8e840513a2d7db6ef3065ad

  • SSDEEP

    12288:xC/6UNEwQIJnv+PfT5YYdMqpqhZVt75eMUKYX3SjVUujECfhpmDff9w3d7S:xSNN5bI3tuVtNhYX3qzQzadS

Malware Config

Signatures

  • Disables RegEdit via registry modification 1 IoCs
  • Disables Task Manager via registry modification
  • Executes dropped EXE 2 IoCs
  • Modifies Installed Components in the registry 2 TTPs 2 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 14 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 12 IoCs
  • Modifies registry key 1 TTPs 10 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\02640f2a7121d7bf1ac55ddb5fa44bbaaadb76cc00925555a506a52639fcaf8e.exe
    "C:\Users\Admin\AppData\Local\Temp\02640f2a7121d7bf1ac55ddb5fa44bbaaadb76cc00925555a506a52639fcaf8e.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4772
    • C:\Users\Admin\AppData\Local\Temp\svcr.exe
      "C:\Users\Admin\AppData\Local\Temp\svcr.exe"
      2⤵
      • Executes dropped EXE
      • Checks BIOS information in registry
      • Checks computer location settings
      • Adds Run key to start application
      • Drops file in Windows directory
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1780
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"
        3⤵
          PID:2308
          • C:\Program Files\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
            4⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:1028
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1028 CREDAT:17410 /prefetch:2
              5⤵
                PID:3988
          • C:\Windows\svcr.exe
            "C:\Windows\svcr.exe" "C:\Users\Admin\AppData\Local\Temp\svcr.exe"
            3⤵
            • Executes dropped EXE
            • Modifies Installed Components in the registry
            • Checks BIOS information in registry
            • Checks processor information in registry
            • Enumerates system info in registry
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:548
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"
              4⤵
                PID:3436
                • C:\Program Files\Internet Explorer\IEXPLORE.EXE
                  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
                  5⤵
                  • Modifies Internet Explorer settings
                  PID:3628
          • C:\Windows\SysWOW64\cmd.exe
            cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:2228
            • C:\Windows\SysWOW64\reg.exe
              reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
              3⤵
              • Modifies registry key
              PID:5060
          • C:\Windows\SysWOW64\cmd.exe
            cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:3784
            • C:\Windows\SysWOW64\reg.exe
              reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
              3⤵
              • Modifies registry key
              PID:1008
          • C:\Windows\SysWOW64\cmd.exe
            cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore /v DisableRegistryTools /t REG_DWORD /d 1
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:3372
            • C:\Windows\SysWOW64\reg.exe
              reg add HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore /v DisableRegistryTools /t REG_DWORD /d 1
              3⤵
              • Modifies registry key
              PID:2036
          • C:\Windows\SysWOW64\cmd.exe
            cmd.exe /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:736
            • C:\Windows\SysWOW64\reg.exe
              reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
              3⤵
              • Modifies registry key
              PID:3084
          • C:\Windows\SysWOW64\cmd.exe
            cmd.exe /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:3532
            • C:\Windows\SysWOW64\reg.exe
              reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
              3⤵
              • Modifies registry key
              PID:3476
          • C:\Windows\SysWOW64\cmd.exe
            cmd.exe /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:5012
            • C:\Windows\SysWOW64\reg.exe
              reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
              3⤵
              • Modifies registry key
              PID:2548
          • C:\Windows\SysWOW64\cmd.exe
            cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:4344
            • C:\Windows\SysWOW64\reg.exe
              reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
              3⤵
              • Modifies registry key
              PID:4668
          • C:\Windows\SysWOW64\cmd.exe
            cmd.exe /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:3260
            • C:\Windows\SysWOW64\reg.exe
              reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
              3⤵
              • Disables RegEdit via registry modification
              • Modifies registry key
              PID:4532
          • C:\Windows\SysWOW64\cmd.exe
            cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:4920
            • C:\Windows\SysWOW64\reg.exe
              reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
              3⤵
              • Modifies registry key
              PID:4896
          • C:\Windows\SysWOW64\cmd.exe
            cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore /v DisableRegistryTools /t REG_DWORD /d 1
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:3204
            • C:\Windows\SysWOW64\reg.exe
              reg add HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore /v DisableRegistryTools /t REG_DWORD /d 1
              3⤵
              • Modifies registry key
              PID:2076

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\svcr.exe

          Filesize

          600KB

          MD5

          8a2d783c9c968768694f76d5420d05e6

          SHA1

          b42094c631e5f49e9eaefe69d10c53e42860901a

          SHA256

          2c5504326ad54843d193eec238a949832bce8be35891fc2376e355795ac5ee6c

          SHA512

          2380b91ff9bde0af3d056f31b8f69c9dd1eb4e7e989224ae97fd9ac878bf7155a0c94c72a64e26a3021c65e3c0d83c711dfffe4b212350fb50169b17fd594c0b

        • C:\Users\Admin\AppData\Local\Temp\svcr.exe

          Filesize

          600KB

          MD5

          8a2d783c9c968768694f76d5420d05e6

          SHA1

          b42094c631e5f49e9eaefe69d10c53e42860901a

          SHA256

          2c5504326ad54843d193eec238a949832bce8be35891fc2376e355795ac5ee6c

          SHA512

          2380b91ff9bde0af3d056f31b8f69c9dd1eb4e7e989224ae97fd9ac878bf7155a0c94c72a64e26a3021c65e3c0d83c711dfffe4b212350fb50169b17fd594c0b

        • C:\Windows\svcr.exe

          Filesize

          600KB

          MD5

          8a2d783c9c968768694f76d5420d05e6

          SHA1

          b42094c631e5f49e9eaefe69d10c53e42860901a

          SHA256

          2c5504326ad54843d193eec238a949832bce8be35891fc2376e355795ac5ee6c

          SHA512

          2380b91ff9bde0af3d056f31b8f69c9dd1eb4e7e989224ae97fd9ac878bf7155a0c94c72a64e26a3021c65e3c0d83c711dfffe4b212350fb50169b17fd594c0b

        • C:\Windows\svcr.exe

          Filesize

          600KB

          MD5

          8a2d783c9c968768694f76d5420d05e6

          SHA1

          b42094c631e5f49e9eaefe69d10c53e42860901a

          SHA256

          2c5504326ad54843d193eec238a949832bce8be35891fc2376e355795ac5ee6c

          SHA512

          2380b91ff9bde0af3d056f31b8f69c9dd1eb4e7e989224ae97fd9ac878bf7155a0c94c72a64e26a3021c65e3c0d83c711dfffe4b212350fb50169b17fd594c0b

        • memory/548-167-0x0000000000400000-0x00000000004BE000-memory.dmp

          Filesize

          760KB

        • memory/548-166-0x0000000000700000-0x0000000000738000-memory.dmp

          Filesize

          224KB

        • memory/548-164-0x0000000000700000-0x0000000000738000-memory.dmp

          Filesize

          224KB

        • memory/1780-142-0x0000000000630000-0x0000000000668000-memory.dmp

          Filesize

          224KB

        • memory/1780-163-0x0000000000400000-0x00000000004BE000-memory.dmp

          Filesize

          760KB

        • memory/1780-143-0x0000000000400000-0x00000000004BE000-memory.dmp

          Filesize

          760KB

        • memory/1780-144-0x0000000000630000-0x0000000000668000-memory.dmp

          Filesize

          224KB