9147c71b14abf198e6cd6373052ff39c485807f4000a8bc6746e0c63edccb6c4

Analysis

max time kernel
148s
max time network
193s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
05-12-2022 12:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9147c71b14abf198e6cd6373052ff39c485807f4000a8bc6746e0c63edccb6c4.exe
Size

30KB
MD5

56ad97e72c919236bc0807c436ae2d03
SHA1

e2488602655ad6392bb05eb8f7230049b5cba228
SHA256

9147c71b14abf198e6cd6373052ff39c485807f4000a8bc6746e0c63edccb6c4
SHA512

e23974846de13bce408922142e8da6b0fc35dd9f6cade13e1b86747b72a10b2ba5db23a59c52af4219c6d14de3fae7f5223b2142733ab29609dfe840f8c2b3fe
SSDEEP

768:HC0CbwX6CldQ6xMp19YeOKfdGDImYFp5vQiF3L:rqCldQK6vQiF3L

Score

8^/10

persistence

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\MgicRc.sys	svchost.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\FastUserSwitchingCompatibility\Parameters\ServiceDll = "C:\\Windows\\system32\\window.dll"	9147c71b14abf198e6cd6373052ff39c485807f4000a8bc6746e0c63edccb6c4.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	9147c71b14abf198e6cd6373052ff39c485807f4000a8bc6746e0c63edccb6c4.exe

Loads dropped DLL 2 IoCs

pid	Process
964	9147c71b14abf198e6cd6373052ff39c485807f4000a8bc6746e0c63edccb6c4.exe
1896	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\window.dll	9147c71b14abf198e6cd6373052ff39c485807f4000a8bc6746e0c63edccb6c4.exe
File opened for modification	C:\Windows\SysWOW64\window.dll	9147c71b14abf198e6cd6373052ff39c485807f4000a8bc6746e0c63edccb6c4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1896	svchost.exe
1896	svchost.exe
1896	svchost.exe
1896	svchost.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
648	Process not Found

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 964 wrote to memory of 216	964	9147c71b14abf198e6cd6373052ff39c485807f4000a8bc6746e0c63edccb6c4.exe	85
PID 964 wrote to memory of 216	964	9147c71b14abf198e6cd6373052ff39c485807f4000a8bc6746e0c63edccb6c4.exe	85
PID 964 wrote to memory of 216	964	9147c71b14abf198e6cd6373052ff39c485807f4000a8bc6746e0c63edccb6c4.exe	85

C:\Users\Admin\AppData\Local\Temp\9147c71b14abf198e6cd6373052ff39c485807f4000a8bc6746e0c63edccb6c4.exe
"C:\Users\Admin\AppData\Local\Temp\9147c71b14abf198e6cd6373052ff39c485807f4000a8bc6746e0c63edccb6c4.exe"
1⤵
- Sets DLL path for service in the registry
- Checks computer location settings
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:964
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240627875.bat" "
  2⤵
  PID:216

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s FastUserSwitchingCompatibility
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1896

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\240627875.bat

Filesize
3B

MD5
9ee42691e5e393559e81db521fed24ae

SHA1
897bdb02363385951732beaa0e677879c6046d97

SHA256
2af63544fb2ddb15484cb5e0a6db8b1493142b99585a6bf01c2aa1252bd15795

SHA512
b530862399517f52b4da78b6e921405d07f87896497b2bcd18e69579305ffef06bbaad80ce3f4e5ca5be2a82ac7d4f8a1dbc493821e8fd164b3a10052f22f066

Download Submit
C:\Users\Admin\AppData\Local\Temp\dll453.dll

Filesize
26KB

MD5
569f7f64c2a62e6c092f9b00c215923f

SHA1
f3643b4d49c7992c2ae48621fc8f633768f7a550

SHA256
c2fd1d8efee4f3755aa3eeb517848ae05ca57417a11ce930f524b90239d348b0

SHA512
9e99bdba3fd1c47e449b0d1fb6c965ca0fef4803fc037e459e1643e563f8bafdefc6f3319c0648f239611e4b630a783c555929fb2f88dc77f8cb4f3747db2e64

Download Submit
C:\Windows\SysWOW64\window.dll

Filesize
26KB

MD5
569f7f64c2a62e6c092f9b00c215923f

SHA1
f3643b4d49c7992c2ae48621fc8f633768f7a550

SHA256
c2fd1d8efee4f3755aa3eeb517848ae05ca57417a11ce930f524b90239d348b0

SHA512
9e99bdba3fd1c47e449b0d1fb6c965ca0fef4803fc037e459e1643e563f8bafdefc6f3319c0648f239611e4b630a783c555929fb2f88dc77f8cb4f3747db2e64

Download Submit
\??\c:\windows\SysWOW64\window.dll

Filesize
26KB

MD5
569f7f64c2a62e6c092f9b00c215923f

SHA1
f3643b4d49c7992c2ae48621fc8f633768f7a550

SHA256
c2fd1d8efee4f3755aa3eeb517848ae05ca57417a11ce930f524b90239d348b0

SHA512
9e99bdba3fd1c47e449b0d1fb6c965ca0fef4803fc037e459e1643e563f8bafdefc6f3319c0648f239611e4b630a783c555929fb2f88dc77f8cb4f3747db2e64

Download Submit