6bde7cc72b32fe3c972eb50a8b3dfb372b54d04dd42cd8115ee7eb678d91d330

Analysis

max time kernel
179s
max time network
190s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
05/12/2022, 21:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6bde7cc72b32fe3c972eb50a8b3dfb372b54d04dd42cd8115ee7eb678d91d330.exe
Size

114KB
MD5

09945d835a49e69aa6b0c12913f0176e
SHA1

df15b07e32658a9b54f6644cae201618e36e3fe0
SHA256

6bde7cc72b32fe3c972eb50a8b3dfb372b54d04dd42cd8115ee7eb678d91d330
SHA512

2b512d540beddc9385e383e04f442b78f50d769003a9c744c1feafc9443b5c8b2a44636a2c974fb16184cc51f0788134b0ebbfb6fca159ff3ace5935c95e9b8b
SSDEEP

1536:Cr7QvQt3WpOck/R3Xz0z2arhTRifCFTuARVpgM+Wf3VkPVfT48Jnit4dXJlVit5y:Cz+92mhTMMJ/cPiq5bViX5kYi2YSc

Score

8^/10

Malware Config

Signatures

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	uspsblwbioboxpml.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	cmd.exe
File created	C:\Windows\system32\drivers\etc\hоsts	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
5112	uspsblwbioboxpml.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	6bde7cc72b32fe3c972eb50a8b3dfb372b54d04dd42cd8115ee7eb678d91d330.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 1 IoCs

evasion

pid	Process
4704	taskkill.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4704	taskkill.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
5112	uspsblwbioboxpml.exe
5112	uspsblwbioboxpml.exe
936	cmd.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4940 wrote to memory of 5112	4940	6bde7cc72b32fe3c972eb50a8b3dfb372b54d04dd42cd8115ee7eb678d91d330.exe	82
PID 4940 wrote to memory of 5112	4940	6bde7cc72b32fe3c972eb50a8b3dfb372b54d04dd42cd8115ee7eb678d91d330.exe	82
PID 4940 wrote to memory of 5112	4940	6bde7cc72b32fe3c972eb50a8b3dfb372b54d04dd42cd8115ee7eb678d91d330.exe	82
PID 5112 wrote to memory of 936	5112	uspsblwbioboxpml.exe	84
PID 5112 wrote to memory of 936	5112	uspsblwbioboxpml.exe	84
PID 5112 wrote to memory of 936	5112	uspsblwbioboxpml.exe	84
PID 936 wrote to memory of 2736	936	cmd.exe	86
PID 936 wrote to memory of 2736	936	cmd.exe	86
PID 936 wrote to memory of 2736	936	cmd.exe	86
PID 936 wrote to memory of 4704	936	cmd.exe	87
PID 936 wrote to memory of 4704	936	cmd.exe	87
PID 936 wrote to memory of 4704	936	cmd.exe	87

C:\Users\Admin\AppData\Local\Temp\6bde7cc72b32fe3c972eb50a8b3dfb372b54d04dd42cd8115ee7eb678d91d330.exe
"C:\Users\Admin\AppData\Local\Temp\6bde7cc72b32fe3c972eb50a8b3dfb372b54d04dd42cd8115ee7eb678d91d330.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4940
- C:\Users\Admin\AppData\Local\Temp\uspsblwbioboxpml.exe
  "C:\Users\Admin\AppData\Local\Temp\uspsblwbioboxpml.exe" htxkwau.bat+
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:5112
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c htxkwau.bat
    3⤵
    - Drops file in Drivers directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:936
  - - C:\Windows\SysWOW64\chcp.com
      chcp 866
      4⤵
      PID:2736
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im "praetorian.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4704

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\htxkwau.bat

Filesize
11KB

MD5
f0e2887a64780579b26218394735ade9

SHA1
eef146067883cdeace57a98d7675c5e1e5335297

SHA256
c7df727c52d9390e4ae0f60d71803a21f2170127664828d1a074c72d81002af2

SHA512
115be0ac5a10a9116583a74c0cd430361de3c15e0302e0a5579958a57756e50c1ef99f8728b9d10900dcd83849c9dc742537ad19aeaa68649f131fce9d442e38

Download Submit
C:\Users\Admin\AppData\Local\Temp\uspsblwbioboxpml.exe

Filesize
20KB

MD5
e2b051be5b31684e39c4f62948f92588

SHA1
23cb2f7549775bed432dd5320ce27957846a2ec9

SHA256
900296d4126449331857e8754bad845ee29d12ecf628c2929d9c2922bba0b0d5

SHA512
f310b07673676ee2d9feb58bb09450e228dd06a89d35ce23072d332ba55dfa61cd24492494f604d0af822a83bf82847a0465f56974614a1b6115821bebf29710

Download Submit
C:\Users\Admin\AppData\Local\Temp\uspsblwbioboxpml.exe

Filesize
20KB

MD5
e2b051be5b31684e39c4f62948f92588

SHA1
23cb2f7549775bed432dd5320ce27957846a2ec9

SHA256
900296d4126449331857e8754bad845ee29d12ecf628c2929d9c2922bba0b0d5

SHA512
f310b07673676ee2d9feb58bb09450e228dd06a89d35ce23072d332ba55dfa61cd24492494f604d0af822a83bf82847a0465f56974614a1b6115821bebf29710

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
969B

MD5
88e836e667a4b903cd0b579c4b7d0dc3

SHA1
d32f0fcbdd7ce97569b396f27e3a4120a44b0c65

SHA256
845dba03ad05979240875c69d01554d91cadb74fe1d97d30949e4f15f7022900

SHA512
ecf3851789a66a81994112ac97e48836bb3e3dc5b4d7121020d53df13fa7341b6fb2fae7ee7b82e82976afb91dbeff2996471ac5816e33d2d8954d52cf2c66da

Download Submit