Analysis
max time kernel: 158s
max time network: 174s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29-11-2022 07:09
Behavioral task: behavioral1
Sample: 7f5ff5631d39ac56e58d81bf4add4db090824accfd843c617adfd9b11f628489.exe
Resource: win7-20221111-en

Behavioral task: behavioral2
Sample: 7f5ff5631d39ac56e58d81bf4add4db090824accfd843c617adfd9b11f628489.exe
Resource: win10v2004-20220812-en
General
Target: 7f5ff5631d39ac56e58d81bf4add4db090824accfd843c617adfd9b11f628489.exe
Size: 140KB
MD5: 2986b17992a2d9ffad87fd601c685977
SHA1: 01a5a995304b78a44516d608490ddbe95a497e26
SHA256: 7f5ff5631d39ac56e58d81bf4add4db090824accfd843c617adfd9b11f628489
SHA512: a3d27b739981a4c6981772b7cfbcefef738e6ad2975e826c00cc20e4e3c519ddf5696d945031fb0dcebef5bb54b11b1e7f39961dd292bd2312b5840fc96acff5
SSDEEP: 3072:Hb4s/l8iiDXiYukRy9Vd746gh4Z91gCBzTz4y3/UHj7Nzspl+fX/:HB/l0Xi3uyJ7Mhy9dx3s3fv
Malware Config
Signatures
Sets DLL path for service in the registry (2 TTPs, 1 IoCs)
Processes:
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ServTestDos\Parameters\ServiceDll = "C:\\Windows\\ServTestDos.dll"
  process: 7f5ff5631d39ac56e58d81bf4add4db090824accfd843c617adfd9b11f628489.exe
Processes:
  resource: behavioral2/memory/3376-132-0x00000000007A0000-0x00000000007E7000-memory.dmp  yara_rule: vmprotect
  resource: \??\c:\windows\servtestdos.dll  yara_rule: vmprotect
  resource: C:\Windows\ServTestDos.dll  yara_rule: vmprotect
  resource: behavioral2/memory/3376-135-0x00000000007A0000-0x00000000007E7000-memory.dmp  yara_rule: vmprotect
  resource: behavioral2/memory/1692-136-0x0000000075020000-0x0000000075067000-memory.dmp  yara_rule: vmprotect
  resource: behavioral2/memory/1692-137-0x0000000075020000-0x0000000075067000-memory.dmp  yara_rule: vmprotect
  resource: behavioral2/memory/1692-140-0x0000000075020000-0x0000000075067000-memory.dmp  yara_rule: vmprotect
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation
  process: 7f5ff5631d39ac56e58d81bf4add4db090824accfd843c617adfd9b11f628489.exe
Loads dropped DLL (1 IoCs)
Processes:
  pid: 1692  process: svchost.exe
Drops file in Windows directory (2 IoCs)
Processes:
  description: File opened for modification
  ioc: C:\Windows\ServTestDos.dll
  process: 7f5ff5631d39ac56e58d81bf4add4db090824accfd843c617adfd9b11f628489.exe
  description: File created
  ioc: C:\Windows\ServTestDos.dll
  process: 7f5ff5631d39ac56e58d81bf4add4db090824accfd843c617adfd9b11f628489.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
  description: Key value queried
  ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
  process: svchost.exe
  description: Key opened
  ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
  process: svchost.exe
Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
  description: PID 3376 wrote to memory of 4916  pid: 3376  process: 7f5ff5631d39ac56e58d81bf4add4db090824accfd843c617adfd9b11f628489.exe  target process: cmd.exe
  description: PID 3376 wrote to memory of 4916  pid: 3376  process: 7f5ff5631d39ac56e58d81bf4add4db090824accfd843c617adfd9b11f628489.exe  target process: cmd.exe
  description: PID 3376 wrote to memory of 4916  pid: 3376  process: 7f5ff5631d39ac56e58d81bf4add4db090824accfd843c617adfd9b11f628489.exe  target process: cmd.exe
Processes
C:\Users\Admin\AppData\Local\Temp\7f5ff5631d39ac56e58d81bf4add4db090824accfd843c617adfd9b11f628489.exe (level 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\7f5ff5631d39ac56e58d81bf4add4db090824accfd843c617adfd9b11f628489.exe"
  - Sets DLL path for service in the registry
  - Checks computer location settings
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe (level 2)
    command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240567875.bat" "
C:\Windows\SysWOW64\svchost.exe (level 1)
  command line: C:\Windows\SysWOW64\svchost.exe -k ServTestDos -s ServTestDos
  - Loads dropped DLL
  - Checks processor information in registry
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\240567875.bat
  Filesize: 239B
  MD5: 472aeb73e8a6ca5cb3886bd96e5505bb
  SHA1: e24df0dcf77369cf037036e9954405b275dea12f
  SHA256: 7d3c5a2ca963f64d9a98cb22990449b429aa10f2a8a6f511e00336e061eac4c9
  SHA512: 5c5437f3feba0e9742415866645429262826ec6c1bf33aae85f2c3f627f3b3c8b51162cf15f9cc4ef52aaf741885d349400c368381932e06982a2b26b595f499

C:\Windows\ServTestDos.dll
  Filesize: 140KB
  MD5: b9f33d2f141ca844a452298ffa705431
  SHA1: 863c9b23d580813467fe5adbfdabdda62fd10d6b
  SHA256: 810db9351dcd3e9b7958d558434fcebb03a1e53d4eed34f2ff495c875d475946
  SHA512: c8cc36465b9f323363304ba32bd33e319bdeb9258a40680c2158861ad7ad62c8145504b89cb3eba61f42fb11a95ad632c185a93c101e55a0487d1f8075866adc

\??\c:\windows\servtestdos.dll
  Filesize: 140KB
  MD5: b9f33d2f141ca844a452298ffa705431
  SHA1: 863c9b23d580813467fe5adbfdabdda62fd10d6b
  SHA256: 810db9351dcd3e9b7958d558434fcebb03a1e53d4eed34f2ff495c875d475946
  SHA512: c8cc36465b9f323363304ba32bd33e319bdeb9258a40680c2158861ad7ad62c8145504b89cb3eba61f42fb11a95ad632c185a93c101e55a0487d1f8075866adc

memory/1692-136-0x0000000075020000-0x0000000075067000-memory.dmp
  Filesize: 284KB

memory/1692-137-0x0000000075020000-0x0000000075067000-memory.dmp
  Filesize: 284KB

memory/1692-140-0x0000000075020000-0x0000000075067000-memory.dmp
  Filesize: 284KB

memory/3376-132-0x00000000007A0000-0x00000000007E7000-memory.dmp
  Filesize: 284KB

memory/3376-135-0x00000000007A0000-0x00000000007E7000-memory.dmp
  Filesize: 284KB

memory/4916-138-0x0000000000000000-mapping.dmp