568e86eb94f1ae3c77ae0a3a8e6476bce96febe23e19c76bc2b1b5e8d060997e

Analysis

max time kernel
153s
max time network
169s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
05/12/2022, 14:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

568e86eb94f1ae3c77ae0a3a8e6476bce96febe23e19c76bc2b1b5e8d060997e.exe
Size

33KB
MD5

137222ad0cac03e196e617b8268933da
SHA1

e3a5ec85613407aff6ba96e8d0dac28e7b4bd59c
SHA256

568e86eb94f1ae3c77ae0a3a8e6476bce96febe23e19c76bc2b1b5e8d060997e
SHA512

c1825ddc55717694b7db91911a4e9ec043b4b8a1b0987b1436dd20aa0da33b7e706e4a09f8ece12113ad6cc6ad818b5ccfaa3bbdf3019bbb803c614280306575
SSDEEP

768:nMhCSl27zFig6MDJug56YvNv6bvkQITR/rpm:MhCSl27BigdPOTZ

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3656	svchost.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	568e86eb94f1ae3c77ae0a3a8e6476bce96febe23e19c76bc2b1b5e8d060997e.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\azoz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\568e86eb94f1ae3c77ae0a3a8e6476bce96febe23e19c76bc2b1b5e8d060997e.exe"	568e86eb94f1ae3c77ae0a3a8e6476bce96febe23e19c76bc2b1b5e8d060997e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\azoz = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\svchost.exe"	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4060 wrote to memory of 3656	4060	568e86eb94f1ae3c77ae0a3a8e6476bce96febe23e19c76bc2b1b5e8d060997e.exe	85
PID 4060 wrote to memory of 3656	4060	568e86eb94f1ae3c77ae0a3a8e6476bce96febe23e19c76bc2b1b5e8d060997e.exe	85
PID 4060 wrote to memory of 3656	4060	568e86eb94f1ae3c77ae0a3a8e6476bce96febe23e19c76bc2b1b5e8d060997e.exe	85

C:\Users\Admin\AppData\Local\Temp\568e86eb94f1ae3c77ae0a3a8e6476bce96febe23e19c76bc2b1b5e8d060997e.exe
"C:\Users\Admin\AppData\Local\Temp\568e86eb94f1ae3c77ae0a3a8e6476bce96febe23e19c76bc2b1b5e8d060997e.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4060
- C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:3656

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\melt.txt

Filesize
102B

MD5
ae9fb366b1a09cd20010b1d89d7cbcd3

SHA1
5a570b3e5bd16cb33006ec1343006dbeb63846ea

SHA256
bef8d24e42d3816e8e60b184a3cc54e6d5fa422e9e4aaecf1e59344961e03a98

SHA512
c7e14ce56f5845e6bd24f5da59d00bc53d394ec76d9f072d528ff2ea85bb604cb8fd6c6d0e8f3bd829792914049ccd4a9c95634fd468bf7bd459836dfa7c7c52

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe

Filesize
33KB

MD5
137222ad0cac03e196e617b8268933da

SHA1
e3a5ec85613407aff6ba96e8d0dac28e7b4bd59c

SHA256
568e86eb94f1ae3c77ae0a3a8e6476bce96febe23e19c76bc2b1b5e8d060997e

SHA512
c1825ddc55717694b7db91911a4e9ec043b4b8a1b0987b1436dd20aa0da33b7e706e4a09f8ece12113ad6cc6ad818b5ccfaa3bbdf3019bbb803c614280306575

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe

Filesize
33KB

MD5
137222ad0cac03e196e617b8268933da

SHA1
e3a5ec85613407aff6ba96e8d0dac28e7b4bd59c

SHA256
568e86eb94f1ae3c77ae0a3a8e6476bce96febe23e19c76bc2b1b5e8d060997e

SHA512
c1825ddc55717694b7db91911a4e9ec043b4b8a1b0987b1436dd20aa0da33b7e706e4a09f8ece12113ad6cc6ad818b5ccfaa3bbdf3019bbb803c614280306575

Download Submit
memory/3656-139-0x00000000752B0000-0x0000000075861000-memory.dmp

Filesize
5.7MB

Download
memory/3656-140-0x00000000752B0000-0x0000000075861000-memory.dmp

Filesize
5.7MB

Download
memory/4060-132-0x00000000752B0000-0x0000000075861000-memory.dmp

Filesize
5.7MB

Download
memory/4060-133-0x00000000752B0000-0x0000000075861000-memory.dmp

Filesize
5.7MB

Download
memory/4060-137-0x00000000752B0000-0x0000000075861000-memory.dmp

Filesize
5.7MB

Download