f6ffc6bab94c5e56362a73de90d95010f0f6aea60f7b7189b4b2c9a51d300783

Analysis

max time kernel
149s
max time network
178s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
01/12/2022, 16:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f6ffc6bab94c5e56362a73de90d95010f0f6aea60f7b7189b4b2c9a51d300783.exe
Size

39KB
MD5

41e1a208f2075914bf4408dcbd005819
SHA1

91b1475f5f86ba545b36bc965759f862292a5103
SHA256

f6ffc6bab94c5e56362a73de90d95010f0f6aea60f7b7189b4b2c9a51d300783
SHA512

fff6d0c37c93e3f8ea63745829bcf9f7ec1165a5235a6f8c2e6a2cffee9348edcb4d04bdb9736927abb0bf0d13273853c9f98685cddbb6569a0eb5d9aa32ddaf
SSDEEP

768:iO68KIhbRXhwdfIW/StEpbadZKxZSLBgHsBNyGx/Kd/oWBoMXXVcKEL:dUebRX87Ao20cKEL

Score

8^/10

evasion

Malware Config

Signatures

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	f6ffc6bab94c5e56362a73de90d95010f0f6aea60f7b7189b4b2c9a51d300783.exe

Loads dropped DLL 1 IoCs

pid	Process
1360	f6ffc6bab94c5e56362a73de90d95010f0f6aea60f7b7189b4b2c9a51d300783.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\SHsngF.log	f6ffc6bab94c5e56362a73de90d95010f0f6aea60f7b7189b4b2c9a51d300783.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4060	sc.exe
1440	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 4 IoCs

evasion

pid	Process
3900	taskkill.exe
756	taskkill.exe
2680	taskkill.exe
1584	taskkill.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1360	f6ffc6bab94c5e56362a73de90d95010f0f6aea60f7b7189b4b2c9a51d300783.exe
1360	f6ffc6bab94c5e56362a73de90d95010f0f6aea60f7b7189b4b2c9a51d300783.exe
1360	f6ffc6bab94c5e56362a73de90d95010f0f6aea60f7b7189b4b2c9a51d300783.exe
1360	f6ffc6bab94c5e56362a73de90d95010f0f6aea60f7b7189b4b2c9a51d300783.exe
1360	f6ffc6bab94c5e56362a73de90d95010f0f6aea60f7b7189b4b2c9a51d300783.exe
1360	f6ffc6bab94c5e56362a73de90d95010f0f6aea60f7b7189b4b2c9a51d300783.exe
1360	f6ffc6bab94c5e56362a73de90d95010f0f6aea60f7b7189b4b2c9a51d300783.exe
1360	f6ffc6bab94c5e56362a73de90d95010f0f6aea60f7b7189b4b2c9a51d300783.exe
1360	f6ffc6bab94c5e56362a73de90d95010f0f6aea60f7b7189b4b2c9a51d300783.exe
1360	f6ffc6bab94c5e56362a73de90d95010f0f6aea60f7b7189b4b2c9a51d300783.exe
1360	f6ffc6bab94c5e56362a73de90d95010f0f6aea60f7b7189b4b2c9a51d300783.exe
1360	f6ffc6bab94c5e56362a73de90d95010f0f6aea60f7b7189b4b2c9a51d300783.exe
1360	f6ffc6bab94c5e56362a73de90d95010f0f6aea60f7b7189b4b2c9a51d300783.exe
1360	f6ffc6bab94c5e56362a73de90d95010f0f6aea60f7b7189b4b2c9a51d300783.exe
1360	f6ffc6bab94c5e56362a73de90d95010f0f6aea60f7b7189b4b2c9a51d300783.exe
1360	f6ffc6bab94c5e56362a73de90d95010f0f6aea60f7b7189b4b2c9a51d300783.exe
1360	f6ffc6bab94c5e56362a73de90d95010f0f6aea60f7b7189b4b2c9a51d300783.exe
1360	f6ffc6bab94c5e56362a73de90d95010f0f6aea60f7b7189b4b2c9a51d300783.exe
1360	f6ffc6bab94c5e56362a73de90d95010f0f6aea60f7b7189b4b2c9a51d300783.exe
1360	f6ffc6bab94c5e56362a73de90d95010f0f6aea60f7b7189b4b2c9a51d300783.exe
1360	f6ffc6bab94c5e56362a73de90d95010f0f6aea60f7b7189b4b2c9a51d300783.exe
1360	f6ffc6bab94c5e56362a73de90d95010f0f6aea60f7b7189b4b2c9a51d300783.exe
1360	f6ffc6bab94c5e56362a73de90d95010f0f6aea60f7b7189b4b2c9a51d300783.exe
1360	f6ffc6bab94c5e56362a73de90d95010f0f6aea60f7b7189b4b2c9a51d300783.exe
1360	f6ffc6bab94c5e56362a73de90d95010f0f6aea60f7b7189b4b2c9a51d300783.exe
1360	f6ffc6bab94c5e56362a73de90d95010f0f6aea60f7b7189b4b2c9a51d300783.exe
1360	f6ffc6bab94c5e56362a73de90d95010f0f6aea60f7b7189b4b2c9a51d300783.exe
1360	f6ffc6bab94c5e56362a73de90d95010f0f6aea60f7b7189b4b2c9a51d300783.exe
1360	f6ffc6bab94c5e56362a73de90d95010f0f6aea60f7b7189b4b2c9a51d300783.exe
1360	f6ffc6bab94c5e56362a73de90d95010f0f6aea60f7b7189b4b2c9a51d300783.exe
1360	f6ffc6bab94c5e56362a73de90d95010f0f6aea60f7b7189b4b2c9a51d300783.exe
1360	f6ffc6bab94c5e56362a73de90d95010f0f6aea60f7b7189b4b2c9a51d300783.exe
1360	f6ffc6bab94c5e56362a73de90d95010f0f6aea60f7b7189b4b2c9a51d300783.exe
1360	f6ffc6bab94c5e56362a73de90d95010f0f6aea60f7b7189b4b2c9a51d300783.exe
1360	f6ffc6bab94c5e56362a73de90d95010f0f6aea60f7b7189b4b2c9a51d300783.exe
1360	f6ffc6bab94c5e56362a73de90d95010f0f6aea60f7b7189b4b2c9a51d300783.exe
1360	f6ffc6bab94c5e56362a73de90d95010f0f6aea60f7b7189b4b2c9a51d300783.exe
1360	f6ffc6bab94c5e56362a73de90d95010f0f6aea60f7b7189b4b2c9a51d300783.exe
1360	f6ffc6bab94c5e56362a73de90d95010f0f6aea60f7b7189b4b2c9a51d300783.exe
1360	f6ffc6bab94c5e56362a73de90d95010f0f6aea60f7b7189b4b2c9a51d300783.exe
1360	f6ffc6bab94c5e56362a73de90d95010f0f6aea60f7b7189b4b2c9a51d300783.exe
1360	f6ffc6bab94c5e56362a73de90d95010f0f6aea60f7b7189b4b2c9a51d300783.exe
1360	f6ffc6bab94c5e56362a73de90d95010f0f6aea60f7b7189b4b2c9a51d300783.exe
1360	f6ffc6bab94c5e56362a73de90d95010f0f6aea60f7b7189b4b2c9a51d300783.exe
1360	f6ffc6bab94c5e56362a73de90d95010f0f6aea60f7b7189b4b2c9a51d300783.exe
1360	f6ffc6bab94c5e56362a73de90d95010f0f6aea60f7b7189b4b2c9a51d300783.exe
1360	f6ffc6bab94c5e56362a73de90d95010f0f6aea60f7b7189b4b2c9a51d300783.exe
1360	f6ffc6bab94c5e56362a73de90d95010f0f6aea60f7b7189b4b2c9a51d300783.exe
1360	f6ffc6bab94c5e56362a73de90d95010f0f6aea60f7b7189b4b2c9a51d300783.exe
1360	f6ffc6bab94c5e56362a73de90d95010f0f6aea60f7b7189b4b2c9a51d300783.exe
1360	f6ffc6bab94c5e56362a73de90d95010f0f6aea60f7b7189b4b2c9a51d300783.exe
1360	f6ffc6bab94c5e56362a73de90d95010f0f6aea60f7b7189b4b2c9a51d300783.exe
1360	f6ffc6bab94c5e56362a73de90d95010f0f6aea60f7b7189b4b2c9a51d300783.exe
1360	f6ffc6bab94c5e56362a73de90d95010f0f6aea60f7b7189b4b2c9a51d300783.exe
1360	f6ffc6bab94c5e56362a73de90d95010f0f6aea60f7b7189b4b2c9a51d300783.exe
1360	f6ffc6bab94c5e56362a73de90d95010f0f6aea60f7b7189b4b2c9a51d300783.exe
1360	f6ffc6bab94c5e56362a73de90d95010f0f6aea60f7b7189b4b2c9a51d300783.exe
1360	f6ffc6bab94c5e56362a73de90d95010f0f6aea60f7b7189b4b2c9a51d300783.exe
1360	f6ffc6bab94c5e56362a73de90d95010f0f6aea60f7b7189b4b2c9a51d300783.exe
1360	f6ffc6bab94c5e56362a73de90d95010f0f6aea60f7b7189b4b2c9a51d300783.exe
1360	f6ffc6bab94c5e56362a73de90d95010f0f6aea60f7b7189b4b2c9a51d300783.exe
1360	f6ffc6bab94c5e56362a73de90d95010f0f6aea60f7b7189b4b2c9a51d300783.exe
1360	f6ffc6bab94c5e56362a73de90d95010f0f6aea60f7b7189b4b2c9a51d300783.exe
1360	f6ffc6bab94c5e56362a73de90d95010f0f6aea60f7b7189b4b2c9a51d300783.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2680	taskkill.exe
Token: SeDebugPrivilege	756	taskkill.exe
Token: SeDebugPrivilege	3900	taskkill.exe
Token: SeDebugPrivilege	1584	taskkill.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1360 wrote to memory of 4060	1360	f6ffc6bab94c5e56362a73de90d95010f0f6aea60f7b7189b4b2c9a51d300783.exe	85
PID 1360 wrote to memory of 4060	1360	f6ffc6bab94c5e56362a73de90d95010f0f6aea60f7b7189b4b2c9a51d300783.exe	85
PID 1360 wrote to memory of 4060	1360	f6ffc6bab94c5e56362a73de90d95010f0f6aea60f7b7189b4b2c9a51d300783.exe	85
PID 1360 wrote to memory of 3900	1360	f6ffc6bab94c5e56362a73de90d95010f0f6aea60f7b7189b4b2c9a51d300783.exe	87
PID 1360 wrote to memory of 3900	1360	f6ffc6bab94c5e56362a73de90d95010f0f6aea60f7b7189b4b2c9a51d300783.exe	87
PID 1360 wrote to memory of 3900	1360	f6ffc6bab94c5e56362a73de90d95010f0f6aea60f7b7189b4b2c9a51d300783.exe	87
PID 1360 wrote to memory of 756	1360	f6ffc6bab94c5e56362a73de90d95010f0f6aea60f7b7189b4b2c9a51d300783.exe	89
PID 1360 wrote to memory of 756	1360	f6ffc6bab94c5e56362a73de90d95010f0f6aea60f7b7189b4b2c9a51d300783.exe	89
PID 1360 wrote to memory of 756	1360	f6ffc6bab94c5e56362a73de90d95010f0f6aea60f7b7189b4b2c9a51d300783.exe	89
PID 1360 wrote to memory of 1440	1360	f6ffc6bab94c5e56362a73de90d95010f0f6aea60f7b7189b4b2c9a51d300783.exe	91
PID 1360 wrote to memory of 1440	1360	f6ffc6bab94c5e56362a73de90d95010f0f6aea60f7b7189b4b2c9a51d300783.exe	91
PID 1360 wrote to memory of 1440	1360	f6ffc6bab94c5e56362a73de90d95010f0f6aea60f7b7189b4b2c9a51d300783.exe	91
PID 1360 wrote to memory of 2680	1360	f6ffc6bab94c5e56362a73de90d95010f0f6aea60f7b7189b4b2c9a51d300783.exe	93
PID 1360 wrote to memory of 2680	1360	f6ffc6bab94c5e56362a73de90d95010f0f6aea60f7b7189b4b2c9a51d300783.exe	93
PID 1360 wrote to memory of 2680	1360	f6ffc6bab94c5e56362a73de90d95010f0f6aea60f7b7189b4b2c9a51d300783.exe	93
PID 1360 wrote to memory of 1584	1360	f6ffc6bab94c5e56362a73de90d95010f0f6aea60f7b7189b4b2c9a51d300783.exe	95
PID 1360 wrote to memory of 1584	1360	f6ffc6bab94c5e56362a73de90d95010f0f6aea60f7b7189b4b2c9a51d300783.exe	95
PID 1360 wrote to memory of 1584	1360	f6ffc6bab94c5e56362a73de90d95010f0f6aea60f7b7189b4b2c9a51d300783.exe	95
PID 1360 wrote to memory of 2264	1360	f6ffc6bab94c5e56362a73de90d95010f0f6aea60f7b7189b4b2c9a51d300783.exe	99
PID 1360 wrote to memory of 2264	1360	f6ffc6bab94c5e56362a73de90d95010f0f6aea60f7b7189b4b2c9a51d300783.exe	99
PID 1360 wrote to memory of 2264	1360	f6ffc6bab94c5e56362a73de90d95010f0f6aea60f7b7189b4b2c9a51d300783.exe	99

C:\Users\Admin\AppData\Local\Temp\f6ffc6bab94c5e56362a73de90d95010f0f6aea60f7b7189b4b2c9a51d300783.exe
"C:\Users\Admin\AppData\Local\Temp\f6ffc6bab94c5e56362a73de90d95010f0f6aea60f7b7189b4b2c9a51d300783.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1360
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" delete nod32krn
  2⤵
  - Launches sc.exe
  PID:4060
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /im nod32krn.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3900
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /im nod32kui.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:756
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" delete ekrn
  2⤵
  - Launches sc.exe
  PID:1440
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /im ekrn.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2680
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /im egui.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1584
- C:\Windows\SysWOW64\explorer.exe
  "C:\Windows\System32\explorer.exe"
  2⤵
  - Modifies registry class
  PID:2264

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\SHsngF.log

Filesize
9.0MB

MD5
21e3bf3d27c1a12b571b5b21b7482302

SHA1
d481ae80c9dd2300416ef07698a1aac3855fe941

SHA256
8ca3f636990f65660e55fcfa12b3e5c5cb3c229cefff8978261b5e22d2ee38e2

SHA512
562f5077aa09040385f215f0dd9ecb0182a809c2a16f1f2363ce738c6e8ee79f82a25f54e096c79287cf1cb03f4a2d3e429b38cb98177ad15f5f69eb0fad1968

Download Submit
memory/1360-132-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1360-139-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1360-141-0x0000000010000000-0x000000001000A000-memory.dmp

Filesize
40KB

Download