Analysis

  • max time kernel
    147s
  • max time network
    128s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-12-2022 18:32

General

  • Target

    be205835208cc31957b8fe226f7bef7a9852d680512bac25538ea15769541f3f.exe

  • Size

    102KB

  • MD5

    b9c7ff14fb297f70fbda656a683b5dff

  • SHA1

    27704707d62f0a724172af81b62a6f86e100864e

  • SHA256

    be205835208cc31957b8fe226f7bef7a9852d680512bac25538ea15769541f3f

  • SHA512

    33c81959b0c128c6752008dd6dcf4b519bbd5ec2a95ab4dd9c74c563d49019106af23159d9f4779eae58c37fc868419e093fa28d22ec76c774fb9bc555adc4cb

  • SSDEEP

    1536:9y/OQ+2BHdzvGlQ1n2GR7klU9ByNLOP2HmZXwVl0wHCJK9f:9qH+2LDzn2S7kIByNiYmZXwBiu

Score
8/10

Malware Config

Signatures

  • Possible privilege escalation attempt 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 1 IoCs
  • Modifies file permissions 1 TTPs 2 IoCs
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 18 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks SCSI registry key(s) 3 TTPs 6 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 6 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of UnmapMainImage 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch -p
    1⤵
      PID:764
      • C:\Windows\System32\mousocoreworker.exe
        C:\Windows\System32\mousocoreworker.exe -Embedding
        2⤵
          PID:4892
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
        1⤵
          PID:936
        • C:\Windows\system32\svchost.exe
          C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
          1⤵
            PID:428
          • C:\Windows\system32\svchost.exe
            C:\Windows\system32\svchost.exe -k RPCSS -p
            1⤵
              PID:888
            • C:\Windows\System32\svchost.exe
              C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
              1⤵
                PID:424
              • C:\Windows\system32\svchost.exe
                C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
                1⤵
                  PID:688
                • C:\Windows\System32\svchost.exe
                  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
                  1⤵
                    PID:1028
                  • C:\Windows\system32\svchost.exe
                    C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
                    1⤵
                    • Drops file in System32 directory
                    PID:1120
                  • C:\Windows\system32\svchost.exe
                    C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
                    1⤵
                      PID:1048
                    • C:\Windows\system32\svchost.exe
                      C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
                      1⤵
                        PID:1196
                      • C:\Windows\system32\svchost.exe
                        C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
                        1⤵
                          PID:1216
                        • C:\Windows\System32\svchost.exe
                          C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
                          1⤵
                          • Drops file in System32 directory
                          PID:1264
                        • C:\Windows\system32\svchost.exe
                          C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
                          1⤵
                            PID:1352
                          • C:\Windows\system32\svchost.exe
                            C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
                            1⤵
                              PID:1400
                            • C:\Windows\system32\svchost.exe
                              C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
                              1⤵
                                PID:1428
                              • C:\Windows\System32\svchost.exe
                                C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
                                1⤵
                                  PID:1448
                                • C:\Windows\system32\svchost.exe
                                  C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
                                  1⤵
                                    PID:1504
                                  • C:\Windows\system32\svchost.exe
                                    C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
                                    1⤵
                                      PID:1592
                                    • C:\Windows\System32\svchost.exe
                                      C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
                                      1⤵
                                        PID:1632
                                      • C:\Windows\system32\svchost.exe
                                        C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
                                        1⤵
                                          PID:1900
                                        • C:\Windows\system32\svchost.exe
                                          C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
                                          1⤵
                                            PID:2344
                                          • C:\Windows\System32\svchost.exe
                                            C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
                                            1⤵
                                              PID:2784
                                            • C:\Windows\system32\svchost.exe
                                              C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
                                              1⤵
                                              • Modifies data under HKEY_USERS
                                              PID:4516
                                            • C:\Windows\System32\svchost.exe
                                              C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
                                              1⤵
                                                PID:4016
                                              • C:\Windows\System32\svchost.exe
                                                C:\Windows\System32\svchost.exe -k WerSvcGroup
                                                1⤵
                                                  PID:3288
                                                • C:\Windows\system32\svchost.exe
                                                  C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
                                                  1⤵
                                                  • Drops file in System32 directory
                                                  • Checks SCSI registry key(s)
                                                  • Modifies data under HKEY_USERS
                                                  PID:1756
                                                • C:\Windows\System32\svchost.exe
                                                  C:\Windows\System32\svchost.exe -k netsvcs -p
                                                  1⤵
                                                    PID:4628
                                                  • C:\Windows\system32\svchost.exe
                                                    C:\Windows\system32\svchost.exe -k LocalService -s W32Time
                                                    1⤵
                                                      PID:4184
                                                    • C:\Windows\system32\svchost.exe
                                                      C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
                                                      1⤵
                                                        PID:3436
                                                      • C:\Windows\System32\svchost.exe
                                                        C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
                                                        1⤵
                                                          PID:1940
                                                        • C:\Windows\system32\svchost.exe
                                                          C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
                                                          1⤵
                                                            PID:60
                                                          • C:\Windows\system32\svchost.exe
                                                            C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
                                                            1⤵
                                                              PID:2872
                                                            • C:\Windows\system32\svchost.exe
                                                              C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
                                                              1⤵
                                                                PID:2800
                                                              • C:\Windows\system32\svchost.exe
                                                                C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
                                                                1⤵
                                                                • Suspicious use of AdjustPrivilegeToken
                                                                PID:2792
                                                              • C:\Windows\system32\svchost.exe
                                                                C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
                                                                1⤵
                                                                • Enumerates connected drives
                                                                PID:2764
                                                              • C:\Windows\system32\svchost.exe
                                                                C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
                                                                1⤵
                                                                • Drops file in System32 directory
                                                                • Suspicious use of UnmapMainImage
                                                                PID:2704
                                                              • C:\Windows\system32\svchost.exe
                                                                C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
                                                                1⤵
                                                                  PID:2564
                                                                • C:\Windows\system32\svchost.exe
                                                                  C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
                                                                  1⤵
                                                                    PID:2552
                                                                  • C:\Windows\System32\svchost.exe
                                                                    C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
                                                                    1⤵
                                                                      PID:2168
                                                                    • C:\Windows\system32\svchost.exe
                                                                      C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
                                                                      1⤵
                                                                        PID:2108
                                                                      • C:\Windows\system32\svchost.exe
                                                                        C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
                                                                        1⤵
                                                                          PID:1316
                                                                        • C:\Windows\System32\svchost.exe
                                                                          C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
                                                                          1⤵
                                                                            PID:2040
                                                                          • C:\Windows\System32\svchost.exe
                                                                            C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
                                                                            1⤵
                                                                              PID:2016
                                                                            • C:\Windows\System32\svchost.exe
                                                                              C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
                                                                              1⤵
                                                                                PID:1908
                                                                              • C:\Windows\System32\svchost.exe
                                                                                C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
                                                                                1⤵
                                                                                  PID:1816
                                                                                • C:\Windows\System32\svchost.exe
                                                                                  C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
                                                                                  1⤵
                                                                                    PID:1808
                                                                                  • C:\Windows\system32\svchost.exe
                                                                                    C:\Windows\system32\svchost.exe -k LocalService -p -s FontCache
                                                                                    1⤵
                                                                                      PID:1660
                                                                                    • C:\Windows\System32\svchost.exe
                                                                                      C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
                                                                                      1⤵
                                                                                        PID:1640
                                                                                      • C:\Users\Admin\AppData\Local\Temp\be205835208cc31957b8fe226f7bef7a9852d680512bac25538ea15769541f3f.exe
                                                                                        "C:\Users\Admin\AppData\Local\Temp\be205835208cc31957b8fe226f7bef7a9852d680512bac25538ea15769541f3f.exe"
                                                                                        1⤵
                                                                                        • Checks computer location settings
                                                                                        • Suspicious use of WriteProcessMemory
                                                                                        PID:4904
                                                                                        • C:\Windows\SysWOW64\regsvr32.exe
                                                                                          "C:\Windows\system32\regsvr32.exe" /s C:\Users\Admin\AppData\Local\Temp\e56bb94~.tmp ,C:\Users\Admin\AppData\Local\Temp\be205835208cc31957b8fe226f7bef7a9852d680512bac25538ea15769541f3f.exe
                                                                                          2⤵
                                                                                          • Loads dropped DLL
                                                                                          • Drops file in System32 directory
                                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                          • Suspicious use of WriteProcessMemory
                                                                                          PID:1008
                                                                                          • C:\Windows\SysWOW64\takeown.exe
                                                                                            takeown /f "C:\Windows\system32\rpcss.dll"
                                                                                            3⤵
                                                                                            • Possible privilege escalation attempt
                                                                                            • Modifies file permissions
                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                            PID:1520
                                                                                          • C:\Windows\SysWOW64\icacls.exe
                                                                                            icacls "C:\Windows\system32\rpcss.dll" /grant administrators:F
                                                                                            3⤵
                                                                                            • Possible privilege escalation attempt
                                                                                            • Modifies file permissions
                                                                                            PID:1684
                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                            cmd /c del %%SystemRoot%%\system32\rpcss.dll~*
                                                                                            3⤵
                                                                                              PID:1804

                                                                                        Network

                                                                                        MITRE ATT&CK Enterprise v6

                                                                                        Replay Monitor

                                                                                        Loading Replay Monitor...

                                                                                        Downloads

                                                                                        • C:\Users\Admin\AppData\Local\Temp\e56bb94~.tmp

                                                                                          Filesize

                                                                                          960KB

                                                                                          MD5

                                                                                          848b19a65ebd0063ac098e7bb37c0641

                                                                                          SHA1

                                                                                          e45f52e30f87d1506a6ea6b611ae244d0326686f

                                                                                          SHA256

                                                                                          4419f8ef04e03fdf7c5f7c11b37435dced39f403a2d609c9b039091ddecce058

                                                                                          SHA512

                                                                                          88671786bb3519ee4f338c48d6fde6394109dc1c074f123e4e1eaca60c7ed2564d098115ba5e58f5903c8504b0642555afeb305c46e72b0c5fffcfee9f73587f

                                                                                        • C:\Users\Admin\AppData\Local\Temp\e56bb94~.tmp

                                                                                          Filesize

                                                                                          960KB

                                                                                          MD5

                                                                                          848b19a65ebd0063ac098e7bb37c0641

                                                                                          SHA1

                                                                                          e45f52e30f87d1506a6ea6b611ae244d0326686f

                                                                                          SHA256

                                                                                          4419f8ef04e03fdf7c5f7c11b37435dced39f403a2d609c9b039091ddecce058

                                                                                          SHA512

                                                                                          88671786bb3519ee4f338c48d6fde6394109dc1c074f123e4e1eaca60c7ed2564d098115ba5e58f5903c8504b0642555afeb305c46e72b0c5fffcfee9f73587f

                                                                                        • C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

                                                                                          Filesize

                                                                                          434B

                                                                                          MD5

                                                                                          6cb6f408a64107b900c3f4c0033dfe43

                                                                                          SHA1

                                                                                          3dd2778c9a17b45b1f95d070faa5e263be52f251

                                                                                          SHA256

                                                                                          bc8d570c036717b95163006a45fa2854044541fd0daeda675dc0a8372e920e65

                                                                                          SHA512

                                                                                          07c5a9ec4aef450d4ebdd52f0a013506080feaea0ab979d074ea74abc57fc9dc79703038a65236accae72f1381e91183dfec3e4af0d5448e76f385c1b94377d8