Overview

overview

10

Static

static

b4698b0c8b...b7.exe

windows7-x64

10

b4698b0c8b...b7.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    186s
  • max time network
    190s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01/12/2022, 06:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b4698b0c8b29d3eb5682f4f7611afb35dc7e8bdf971357c72e86901db82238b7.exe

  • Size

    882KB

  • MD5

    1038bb73ee81a9dd5301d55a33b9aa6a

  • SHA1

    47d517cd733b5e6e7b29db7b76fee91e57c9380b

  • SHA256

    b4698b0c8b29d3eb5682f4f7611afb35dc7e8bdf971357c72e86901db82238b7

  • SHA512

    6480f55df05b07ddb18648bd21f58f03a34014370f691192c8332da2e25f7651f4e04daa500dc87f9c31a3662e231b306347396c3ad92c740672901a9594dc1f

  • SSDEEP

    768:bZ4dLYeMpy7VUbOJIl1YxoUbfZCCCBeKimNsDVF2ta9jS:bKYByprJ2tuxLBKiBVF2tak

Score
10/10
evasionpersistencetrojan

Malware Config

Signatures

  • UAC bypass 3 TTPs 2 IoCs
    evasiontrojan
  • Adds policy Run key to start application 2 TTPs 3 IoCs
    persistence
  • Executes dropped EXE 4 IoCs
  • Modifies Installed Components in the registry 2 TTPs 5 IoCs
    persistence
  • Modifies Windows Firewall 1 TTPs 1 IoCs
    evasion
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs
  • System policy modification 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\b4698b0c8b29d3eb5682f4f7611afb35dc7e8bdf971357c72e86901db82238b7.exe
    "C:\Users\Admin\AppData\Local\Temp\b4698b0c8b29d3eb5682f4f7611afb35dc7e8bdf971357c72e86901db82238b7.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2160
    • C:\Users\Admin\AppData\Local\Temp\b4698b0c8b29d3eb5682f4f7611afb35dc7e8bdf971357c72e86901db82238b7.exe
      C:\Users\Admin\AppData\Local\Temp\b4698b0c8b29d3eb5682f4f7611afb35dc7e8bdf971357c72e86901db82238b7.exe
      2⤵
      • UAC bypass
      • Adds policy Run key to start application
      • Modifies Installed Components in the registry
      • Checks computer location settings
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops file in Program Files directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:1088
      • C:\ProgramData\wscntfy.exe
        "C:\ProgramData\wscntfy.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3140
        • C:\ProgramData\wscntfy.exe
          C:\ProgramData\wscntfy.exe
          4⤵
          • UAC bypass
          • Adds policy Run key to start application
          • Executes dropped EXE
          • Modifies Installed Components in the registry
          • Adds Run key to start application
          • Checks whether UAC is enabled
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:804
          • C:\Windows\SysWOW64\netsh.exe
            "netsh.exe" firewall add allowedprogram program="C:\ProgramData\wscntfy.exe" name="Windows-Audio Driver" mode=ENABLE scope=ALL profile=ALL
            5⤵
            • Modifies Windows Firewall
            PID:1928
      • C:\Program Files (x86)\Common Files\lsmass.exe
        "C:\Program Files (x86)\Common Files\lsmass.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4884
        • C:\Program Files (x86)\Common Files\lsmass.exe
          "C:\Program Files (x86)\Common Files\lsmass.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:2152

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\Common Files\lsmass.exe
    Filesize

    882KB

    MD5

    1038bb73ee81a9dd5301d55a33b9aa6a

    SHA1

    47d517cd733b5e6e7b29db7b76fee91e57c9380b

    SHA256

    b4698b0c8b29d3eb5682f4f7611afb35dc7e8bdf971357c72e86901db82238b7

    SHA512

    6480f55df05b07ddb18648bd21f58f03a34014370f691192c8332da2e25f7651f4e04daa500dc87f9c31a3662e231b306347396c3ad92c740672901a9594dc1f

    Download Submit

  • C:\Program Files (x86)\Common Files\lsmass.exe
    Filesize

    882KB

    MD5

    1038bb73ee81a9dd5301d55a33b9aa6a

    SHA1

    47d517cd733b5e6e7b29db7b76fee91e57c9380b

    SHA256

    b4698b0c8b29d3eb5682f4f7611afb35dc7e8bdf971357c72e86901db82238b7

    SHA512

    6480f55df05b07ddb18648bd21f58f03a34014370f691192c8332da2e25f7651f4e04daa500dc87f9c31a3662e231b306347396c3ad92c740672901a9594dc1f

    Download Submit

  • C:\Program Files (x86)\Common Files\lsmass.exe
    Filesize

    882KB

    MD5

    1038bb73ee81a9dd5301d55a33b9aa6a

    SHA1

    47d517cd733b5e6e7b29db7b76fee91e57c9380b

    SHA256

    b4698b0c8b29d3eb5682f4f7611afb35dc7e8bdf971357c72e86901db82238b7

    SHA512

    6480f55df05b07ddb18648bd21f58f03a34014370f691192c8332da2e25f7651f4e04daa500dc87f9c31a3662e231b306347396c3ad92c740672901a9594dc1f

    Download Submit

  • C:\ProgramData\wscntfy.exe
    Filesize

    882KB

    MD5

    1038bb73ee81a9dd5301d55a33b9aa6a

    SHA1

    47d517cd733b5e6e7b29db7b76fee91e57c9380b

    SHA256

    b4698b0c8b29d3eb5682f4f7611afb35dc7e8bdf971357c72e86901db82238b7

    SHA512

    6480f55df05b07ddb18648bd21f58f03a34014370f691192c8332da2e25f7651f4e04daa500dc87f9c31a3662e231b306347396c3ad92c740672901a9594dc1f

    Download Submit

  • C:\ProgramData\wscntfy.exe
    Filesize

    882KB

    MD5

    1038bb73ee81a9dd5301d55a33b9aa6a

    SHA1

    47d517cd733b5e6e7b29db7b76fee91e57c9380b

    SHA256

    b4698b0c8b29d3eb5682f4f7611afb35dc7e8bdf971357c72e86901db82238b7

    SHA512

    6480f55df05b07ddb18648bd21f58f03a34014370f691192c8332da2e25f7651f4e04daa500dc87f9c31a3662e231b306347396c3ad92c740672901a9594dc1f

    Download Submit

  • C:\ProgramData\wscntfy.exe
    Filesize

    882KB

    MD5

    1038bb73ee81a9dd5301d55a33b9aa6a

    SHA1

    47d517cd733b5e6e7b29db7b76fee91e57c9380b

    SHA256

    b4698b0c8b29d3eb5682f4f7611afb35dc7e8bdf971357c72e86901db82238b7

    SHA512

    6480f55df05b07ddb18648bd21f58f03a34014370f691192c8332da2e25f7651f4e04daa500dc87f9c31a3662e231b306347396c3ad92c740672901a9594dc1f

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\b4698b0c8b29d3eb5682f4f7611afb35dc7e8bdf971357c72e86901db82238b7.exe.log
    Filesize

    128B

    MD5

    a5dcc7c9c08af7dddd82be5b036a4416

    SHA1

    4f998ca1526d199e355ffb435bae111a2779b994

    SHA256

    e24033ceec97fd03402b03acaaabd1d1e378e83bb1683afbccac760e00f8ead5

    SHA512

    56035de734836c0c39f0b48641c51c26adb6e79c6c65e23ca96603f71c95b8673e2ef853146e87efc899dd1878d0bbc2c82d91fbf0fce81c552048e986f9bb5a

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\lsmass.exe.log
    Filesize

    128B

    MD5

    a5dcc7c9c08af7dddd82be5b036a4416

    SHA1

    4f998ca1526d199e355ffb435bae111a2779b994

    SHA256

    e24033ceec97fd03402b03acaaabd1d1e378e83bb1683afbccac760e00f8ead5

    SHA512

    56035de734836c0c39f0b48641c51c26adb6e79c6c65e23ca96603f71c95b8673e2ef853146e87efc899dd1878d0bbc2c82d91fbf0fce81c552048e986f9bb5a

    Download Submit

  • memory/804-149-0x0000000074EC0000-0x0000000075471000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/804-159-0x0000000074EC0000-0x0000000075471000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1088-134-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/1088-136-0x0000000074EC0000-0x0000000075471000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1088-147-0x0000000074EC0000-0x0000000075471000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2152-156-0x0000000074EC0000-0x0000000075471000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2152-158-0x0000000074EC0000-0x0000000075471000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2160-132-0x0000000074EC0000-0x0000000075471000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2160-135-0x0000000074EC0000-0x0000000075471000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/3140-148-0x0000000074EC0000-0x0000000075471000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4884-150-0x0000000074EC0000-0x0000000075471000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4884-155-0x0000000074EC0000-0x0000000075471000-memory.dmp

    Filesize

    5.7MB

    Download