Overview

overview

10

Static

static

91b6e416c4...c4.exe

windows7-x64

10

91b6e416c4...c4.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    184s
  • max time network
    229s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-12-2022 06:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    91b6e416c42ba1cddb2c40d0672f6a0c86abdbcd13decbe38458e70bdee326c4.exe

  • Size

    189KB

  • MD5

    712dda139c579465b25649e1f8e4f320

  • SHA1

    f29886d6c6923ee8d35c5b98befcb373e1904c08

  • SHA256

    91b6e416c42ba1cddb2c40d0672f6a0c86abdbcd13decbe38458e70bdee326c4

  • SHA512

    cc2c58cd18a574a2a73c08aeadf0d6517017ce5d33f812e3ef7394fd885ad8b5e1be8e80cf7c3063cf669f5400bf0bef69fd5e13d6327f1963bfbeb84272f67c

  • SSDEEP

    3072:JY9RxpZAD8xMLyen2RhuRtzd67Ur5XZFgrL1p2KXaCBuObo0z6hXu1EQE:ijpK8WLHnmunIIWL1Ee4OHdI

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies firewall policy service 2 TTPs 2 IoCs
    evasion
  • Creates new service(s) 1 TTPs
    persistence
  • Sets DLL path for service in the registry 2 TTPs 1 IoCs
    persistence
  • Sets service image path in registry 2 TTPs 1 IoCs
    persistence
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 3 IoCs
  • Launches sc.exe 2 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 9 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\91b6e416c42ba1cddb2c40d0672f6a0c86abdbcd13decbe38458e70bdee326c4.exe
    "C:\Users\Admin\AppData\Local\Temp\91b6e416c42ba1cddb2c40d0672f6a0c86abdbcd13decbe38458e70bdee326c4.exe"
    1⤵
    • Modifies firewall policy service
    • Sets DLL path for service in the registry
    • Sets service image path in registry
    • Checks computer location settings
    • Loads dropped DLL
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:5044
    • C:\Windows\SysWOW64\sc.exe
      "C:\Windows\System32\sc.exe" create SPService binPath= "C:\Windows\sysWOW64\svchost.exe"
      2⤵
      • Launches sc.exe
      PID:4768
    • C:\Windows\SysWOW64\sc.exe
      "C:\Windows\System32\sc.exe" start SPService
      2⤵
      • Launches sc.exe
      PID:2912
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\a.cmd" "
      2⤵
        PID:2636
    • C:\Windows\sysWOW64\svchost.exe
      C:\Windows\sysWOW64\svchost.exe -k netsvc
      1⤵
      • Loads dropped DLL
      PID:5088

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\a.cmd
      Filesize

      360B

      MD5

      692b6a12c38ea437f9b411d60118eb6a

      SHA1

      1ef7c006e5623fb64960ca07b4516169969fae41

      SHA256

      7b415d31effe25947a4d3c4a3dd7aeaefa7bf775856407e5dfdfdfc045a78f65

      SHA512

      521e2a2fc8cef318d4045359ba42063d7f12a31da9cd0bf07973346354216f61464e24210c6a542e340f3cbd29507cf7404bb2ca86f8ddb04977b6ae289aa877

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\a.dll
      Filesize

      146KB

      MD5

      73d9002e188f52de7c167c90f319f2ad

      SHA1

      2c7e9124d31d5ae95c9e1fb58952f9e1550c95f6

      SHA256

      2d590302b37330b2a6e6f7b9030f4d5ea29388dfe2ac95903ad6aa7bba8341c2

      SHA512

      61300758fd76b35b10b4739af02b7c65adb1080b9c3a40aaa929d4a84520881967f81d75650f1392d14e40ca28a63aec82e964174fdae2db3885ac4fa1a0a568

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\a.dll
      Filesize

      146KB

      MD5

      73d9002e188f52de7c167c90f319f2ad

      SHA1

      2c7e9124d31d5ae95c9e1fb58952f9e1550c95f6

      SHA256

      2d590302b37330b2a6e6f7b9030f4d5ea29388dfe2ac95903ad6aa7bba8341c2

      SHA512

      61300758fd76b35b10b4739af02b7c65adb1080b9c3a40aaa929d4a84520881967f81d75650f1392d14e40ca28a63aec82e964174fdae2db3885ac4fa1a0a568

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\a.dll
      Filesize

      146KB

      MD5

      73d9002e188f52de7c167c90f319f2ad

      SHA1

      2c7e9124d31d5ae95c9e1fb58952f9e1550c95f6

      SHA256

      2d590302b37330b2a6e6f7b9030f4d5ea29388dfe2ac95903ad6aa7bba8341c2

      SHA512

      61300758fd76b35b10b4739af02b7c65adb1080b9c3a40aaa929d4a84520881967f81d75650f1392d14e40ca28a63aec82e964174fdae2db3885ac4fa1a0a568

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Adobe\sp.DLL
      Filesize

      146KB

      MD5

      73d9002e188f52de7c167c90f319f2ad

      SHA1

      2c7e9124d31d5ae95c9e1fb58952f9e1550c95f6

      SHA256

      2d590302b37330b2a6e6f7b9030f4d5ea29388dfe2ac95903ad6aa7bba8341c2

      SHA512

      61300758fd76b35b10b4739af02b7c65adb1080b9c3a40aaa929d4a84520881967f81d75650f1392d14e40ca28a63aec82e964174fdae2db3885ac4fa1a0a568

      Download Submit

    • \??\c:\users\admin\appdata\roaming\adobe\sp.dll
      Filesize

      146KB

      MD5

      73d9002e188f52de7c167c90f319f2ad

      SHA1

      2c7e9124d31d5ae95c9e1fb58952f9e1550c95f6

      SHA256

      2d590302b37330b2a6e6f7b9030f4d5ea29388dfe2ac95903ad6aa7bba8341c2

      SHA512

      61300758fd76b35b10b4739af02b7c65adb1080b9c3a40aaa929d4a84520881967f81d75650f1392d14e40ca28a63aec82e964174fdae2db3885ac4fa1a0a568

      Download Submit

    • memory/2636-159-0x0000000000000000-mapping.dmp

      Download

    • memory/2912-156-0x0000000000000000-mapping.dmp

      Download

    • memory/4768-155-0x0000000000000000-mapping.dmp

      Download

    • memory/5044-148-0x0000000004EB0000-0x0000000004F09000-memory.dmp

      Filesize

      356KB

      Download

    • memory/5044-143-0x0000000004D50000-0x0000000004DA7000-memory.dmp

      Filesize

      348KB

      Download

    • memory/5044-133-0x0000000074710000-0x0000000074CC1000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/5044-145-0x0000000004E50000-0x0000000004EA9000-memory.dmp

      Filesize

      356KB

      Download

    • memory/5044-146-0x0000000004E50000-0x0000000004EA9000-memory.dmp

      Filesize

      356KB

      Download

    • memory/5044-147-0x0000000004EB0000-0x0000000004F09000-memory.dmp

      Filesize

      356KB

      Download

    • memory/5044-142-0x0000000004E50000-0x0000000004EA9000-memory.dmp

      Filesize

      356KB

      Download

    • memory/5044-149-0x0000000074710000-0x0000000074CC1000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/5044-150-0x0000000004D77000-0x0000000004D7E000-memory.dmp

      Filesize

      28KB

      Download

    • memory/5044-151-0x0000000004DB0000-0x0000000004E07000-memory.dmp

      Filesize

      348KB

      Download

    • memory/5044-152-0x0000000004E50000-0x0000000004EA9000-memory.dmp

      Filesize

      356KB

      Download

    • memory/5044-153-0x0000000004EB0000-0x0000000004F09000-memory.dmp

      Filesize

      356KB

      Download

    • memory/5044-154-0x0000000004E50000-0x0000000004EA9000-memory.dmp

      Filesize

      356KB

      Download

    • memory/5044-138-0x0000000004D50000-0x0000000004DA7000-memory.dmp

      Filesize

      348KB

      Download

    • memory/5044-139-0x0000000004D50000-0x0000000004DA7000-memory.dmp

      Filesize

      348KB

      Download

    • memory/5044-144-0x0000000004E50000-0x0000000004EA9000-memory.dmp

      Filesize

      356KB

      Download

    • memory/5044-136-0x0000000004DB0000-0x0000000004E07000-memory.dmp

      Filesize

      348KB

      Download

    • memory/5044-160-0x0000000004D50000-0x0000000004DA7000-memory.dmp

      Filesize

      348KB

      Download

    • memory/5044-132-0x0000000004D50000-0x0000000004DA7000-memory.dmp

      Filesize

      348KB

      Download

    • memory/5044-161-0x0000000074710000-0x0000000074CC1000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/5044-162-0x0000000004EB0000-0x0000000004F09000-memory.dmp

      Filesize

      356KB

      Download

    • memory/5044-135-0x0000000004D77000-0x0000000004D7E000-memory.dmp

      Filesize

      28KB

      Download

    • memory/5044-134-0x0000000004D50000-0x0000000004DA7000-memory.dmp

      Filesize

      348KB

      Download

    • memory/5088-165-0x0000000000400000-0x0000000000459000-memory.dmp

      Filesize

      356KB

      Download

    • memory/5088-166-0x0000000000400000-0x0000000000459000-memory.dmp

      Filesize

      356KB

      Download

    • memory/5088-167-0x0000000001B80000-0x0000000001BD9000-memory.dmp

      Filesize

      356KB

      Download

    • memory/5088-168-0x0000000001B80000-0x0000000001BD9000-memory.dmp

      Filesize

      356KB

      Download

    • memory/5088-169-0x0000000000400000-0x0000000000459000-memory.dmp

      Filesize

      356KB

      Download

    • memory/5088-170-0x0000000000400000-0x0000000000459000-memory.dmp

      Filesize

      356KB

      Download

    • memory/5088-171-0x0000000001B80000-0x0000000001BD9000-memory.dmp

      Filesize

      356KB

      Download