fdb8cd16e70818dbd52ff6348f7a46e96e6e9965a429ba6c1b4ed936cebca698

Analysis

max time kernel
161s
max time network
177s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
04/12/2022, 10:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fdb8cd16e70818dbd52ff6348f7a46e96e6e9965a429ba6c1b4ed936cebca698.exe
Size

30KB
MD5

7b4713c04deef472a343d7509d9d93d7
SHA1

9a60b78a5586f832fb41340bd519f48be780b617
SHA256

fdb8cd16e70818dbd52ff6348f7a46e96e6e9965a429ba6c1b4ed936cebca698
SHA512

ba37a3f5c045c92a196b8099eb9b532c22435591887a2bb8f23c2817dbac551c6448607b02d251ab9d1ba82935e59e218dfe269b7c10ea4966131133790182d8
SSDEEP

768:DC0CbwY6CldQ6xMp19YeOKfdGDImYFp5vAiqL:/BCldQK6vAiqL

Score

8^/10

persistence

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\MgicRc.sys	svchost.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\FastUserSwitchingCompatibility\Parameters\ServiceDll = "C:\\Windows\\system32\\window.dll"	fdb8cd16e70818dbd52ff6348f7a46e96e6e9965a429ba6c1b4ed936cebca698.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	fdb8cd16e70818dbd52ff6348f7a46e96e6e9965a429ba6c1b4ed936cebca698.exe

Loads dropped DLL 2 IoCs

pid	Process
1748	fdb8cd16e70818dbd52ff6348f7a46e96e6e9965a429ba6c1b4ed936cebca698.exe
1840	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\window.dll	fdb8cd16e70818dbd52ff6348f7a46e96e6e9965a429ba6c1b4ed936cebca698.exe
File opened for modification	C:\Windows\SysWOW64\window.dll	fdb8cd16e70818dbd52ff6348f7a46e96e6e9965a429ba6c1b4ed936cebca698.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1840	svchost.exe
1840	svchost.exe
1840	svchost.exe
1840	svchost.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
652	Process not Found

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1748 wrote to memory of 3612	1748	fdb8cd16e70818dbd52ff6348f7a46e96e6e9965a429ba6c1b4ed936cebca698.exe	86
PID 1748 wrote to memory of 3612	1748	fdb8cd16e70818dbd52ff6348f7a46e96e6e9965a429ba6c1b4ed936cebca698.exe	86
PID 1748 wrote to memory of 3612	1748	fdb8cd16e70818dbd52ff6348f7a46e96e6e9965a429ba6c1b4ed936cebca698.exe	86

C:\Users\Admin\AppData\Local\Temp\fdb8cd16e70818dbd52ff6348f7a46e96e6e9965a429ba6c1b4ed936cebca698.exe
"C:\Users\Admin\AppData\Local\Temp\fdb8cd16e70818dbd52ff6348f7a46e96e6e9965a429ba6c1b4ed936cebca698.exe"
1⤵
- Sets DLL path for service in the registry
- Checks computer location settings
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1748
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240595093.bat" "
  2⤵
  PID:3612

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s FastUserSwitchingCompatibility
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1840

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\240595093.bat

Filesize
3B

MD5
9ee42691e5e393559e81db521fed24ae

SHA1
897bdb02363385951732beaa0e677879c6046d97

SHA256
2af63544fb2ddb15484cb5e0a6db8b1493142b99585a6bf01c2aa1252bd15795

SHA512
b530862399517f52b4da78b6e921405d07f87896497b2bcd18e69579305ffef06bbaad80ce3f4e5ca5be2a82ac7d4f8a1dbc493821e8fd164b3a10052f22f066

Download Submit
C:\Users\Admin\AppData\Local\Temp\dll312.dll

Filesize
26KB

MD5
e50f7fc17f5f6a650f7119c75192ad8e

SHA1
ae480a3e218155165a4e373296fbeeeae91c4916

SHA256
dde0625fa73c7cf2acead25334d2b2b34c2a9112f01fa236b32a22950c178f85

SHA512
a3b009a7eee2138440e264b393e15418b8f13fb0564886f417c590291d7908b0f85851e064f8136c2de88f87ab0fdfd13a3ed2ef783b54d928223c11caea6afc

Download Submit
C:\Windows\SysWOW64\window.dll

Filesize
26KB

MD5
e50f7fc17f5f6a650f7119c75192ad8e

SHA1
ae480a3e218155165a4e373296fbeeeae91c4916

SHA256
dde0625fa73c7cf2acead25334d2b2b34c2a9112f01fa236b32a22950c178f85

SHA512
a3b009a7eee2138440e264b393e15418b8f13fb0564886f417c590291d7908b0f85851e064f8136c2de88f87ab0fdfd13a3ed2ef783b54d928223c11caea6afc

Download Submit
\??\c:\windows\SysWOW64\window.dll

Filesize
26KB

MD5
e50f7fc17f5f6a650f7119c75192ad8e

SHA1
ae480a3e218155165a4e373296fbeeeae91c4916

SHA256
dde0625fa73c7cf2acead25334d2b2b34c2a9112f01fa236b32a22950c178f85

SHA512
a3b009a7eee2138440e264b393e15418b8f13fb0564886f417c590291d7908b0f85851e064f8136c2de88f87ab0fdfd13a3ed2ef783b54d928223c11caea6afc

Download Submit