Analysis
- max time kernel: 189s
- max time network: 189s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 03-12-2022 01:54
Behavioral task: behavioral1
- Sample: 6cde6ee1b9c49e50d2730dc72111f4ed07e6cecca1ea447085a4707509c427b3.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: 6cde6ee1b9c49e50d2730dc72111f4ed07e6cecca1ea447085a4707509c427b3.exe
- Resource: win10v2004-20221111-en
General
- Target: 6cde6ee1b9c49e50d2730dc72111f4ed07e6cecca1ea447085a4707509c427b3.exe
- Size: 900KB
- MD5: 353363e2a1f090ed0936349a8b64abb0
- SHA1: c6d1690789e404a9b4d096c5746e0891697d3ce4
- SHA256: 6cde6ee1b9c49e50d2730dc72111f4ed07e6cecca1ea447085a4707509c427b3
- SHA512: 4578ab61e7c7d55aec016287951319a1e364983ce1a8f740ebf100c9462652885d0eab866d379d62a0b409eb2bb3f790d8c8bcaa6028c44553c6eb4c82db9f65
- SSDEEP: 24576:jDKIe5GiyseoVIAmBpVKHu0Mu9Xo20VGLVP5:jyGkrVIAmKZV
Malware Config
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoCs)
  Processes: SO2NNNU.EXE
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\MSDSVC\\MSDSVC3.exe" | SO2NNNU.EXE
- Executes dropped EXE (2 IoCs)
  Processes: SO2NNNU.EXE, MSDSVC3.exe
  pid | process
  4968 | SO2NNNU.EXE
  32 | MSDSVC3.exe
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: 6cde6ee1b9c49e50d2730dc72111f4ed07e6cecca1ea447085a4707509c427b3.exe, SO2NNNU.EXE
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation | 6cde6ee1b9c49e50d2730dc72111f4ed07e6cecca1ea447085a4707509c427b3.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation | SO2NNNU.EXE
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes: SO2NNNU.EXE
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Service = "C:\\Users\\Admin\\AppData\\Roaming\\MSDSVC\\MSDSVC3.exe" | SO2NNNU.EXE
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (48 IoCs)
  Processes: SO2NNNU.EXE, MSDSVC3.exe
  Each of SO2NNNU.EXE (pid 4968) and MSDSVC3.exe (pid 32) adjusted the same 24 tokens, in this order:
  SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes: 6cde6ee1b9c49e50d2730dc72111f4ed07e6cecca1ea447085a4707509c427b3.exe, SO2NNNU.EXE, cmd.exe
  description | pid | process | target process
  PID 2244 wrote to memory of 4968 (3 entries) | 2244 | 6cde6ee1b9c49e50d2730dc72111f4ed07e6cecca1ea447085a4707509c427b3.exe | SO2NNNU.EXE
  PID 4968 wrote to memory of 32 (3 entries) | 4968 | SO2NNNU.EXE | MSDSVC3.exe
  PID 4968 wrote to memory of 3508 (3 entries) | 4968 | SO2NNNU.EXE | cmd.exe
  PID 3508 wrote to memory of 4612 (3 entries) | 3508 | cmd.exe | PING.EXE
Processes
- [depth 1] C:\Users\Admin\AppData\Local\Temp\6cde6ee1b9c49e50d2730dc72111f4ed07e6cecca1ea447085a4707509c427b3.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\6cde6ee1b9c49e50d2730dc72111f4ed07e6cecca1ea447085a4707509c427b3.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - [depth 2] C:\Users\Admin\AppData\Local\Temp\SO2NNNU.EXE
    command line: "C:\Users\Admin\AppData\Local\Temp\SO2NNNU.EXE"
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Checks computer location settings
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - [depth 3] C:\Users\Admin\AppData\Roaming\MSDSVC\MSDSVC3.exe
      command line: "C:\Users\Admin\AppData\Roaming\MSDSVC\MSDSVC3.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
    - [depth 3] C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5 > NUL&del "C:\Users\Admin\AppData\Local\Temp\SO2NNNU.EXE"
      - Suspicious use of WriteProcessMemory
      - [depth 4] C:\Windows\SysWOW64\PING.EXE
        command line: ping 127.0.0.1 -n 5
        - Runs ping.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\SO2NNNU.EXE
  Filesize: 648KB
  MD5: f3c4f63451faf149e750adc29612bd12
  SHA1: 472040a80c2deb5d47e1a9b338074feefb6513fe
  SHA256: 8baffedce5b458ac33e5084dd8262a8a74e8c02963458748ebd0aac40a533a44
  SHA512: 46f2f61d268b84bac9d81efabd45003fbe16173c4ce0440b505ff62c97866e69dcb8ca643257b8db3fac83232a4939736677ababbcbeb0c5ca529974fdb0c308
- C:\Users\Admin\AppData\Roaming\MSDSVC\MSDSVC3.exe
  Filesize: 648KB
  MD5: f3c4f63451faf149e750adc29612bd12
  SHA1: 472040a80c2deb5d47e1a9b338074feefb6513fe
  SHA256: 8baffedce5b458ac33e5084dd8262a8a74e8c02963458748ebd0aac40a533a44
  SHA512: 46f2f61d268b84bac9d81efabd45003fbe16173c4ce0440b505ff62c97866e69dcb8ca643257b8db3fac83232a4939736677ababbcbeb0c5ca529974fdb0c308
- memory/32-135-0x0000000000000000-mapping.dmp
- memory/3508-138-0x0000000000000000-mapping.dmp
- memory/4612-139-0x0000000000000000-mapping.dmp
- memory/4968-132-0x0000000000000000-mapping.dmp