Analysis
- max time kernel: 150s
- max time network: 156s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06-12-2022 07:19
Behavioral task: behavioral1
- Sample: ef2c5839ce475f1761e5a8a0113cd5c1c6a91b27b3176bcefeaacb086cda4a70.exe
- Resource: win7-20220901-en
Behavioral task: behavioral2
- Sample: ef2c5839ce475f1761e5a8a0113cd5c1c6a91b27b3176bcefeaacb086cda4a70.exe
- Resource: win10v2004-20220901-en
General
- Target: ef2c5839ce475f1761e5a8a0113cd5c1c6a91b27b3176bcefeaacb086cda4a70.exe
- Size: 33KB
- MD5: 5bd3e31b75686582925a42028a137ac9
- SHA1: 8d5b54634296341e3be68c6b241456e1e2a1c6cf
- SHA256: ef2c5839ce475f1761e5a8a0113cd5c1c6a91b27b3176bcefeaacb086cda4a70
- SHA512: 201f4394f1131baa4cca6826e4df15b18a620ea6839f822ce838f90fd5745b0ecc53b59759c5e94bac9ba8f833ed8188039cddbdfe1ba0d6909954d5698c27a3
- SSDEEP: 768:70ei+ZzUvUtyaKBe49GY3fUn7/yyt78gV+huAQoEz6Uozh:4eRUvU8aK79GyfW8gpz6Uk
Malware Config
Signatures
- Sets DLL path for service in the registry (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\64to32\Parameters\ServiceDll = "C:\\Windows\\system32\\64to32.dll" | ef2c5839ce475f1761e5a8a0113cd5c1c6a91b27b3176bcefeaacb086cda4a70.exe
- YARA rule matches
  resource | yara_rule
  behavioral2/memory/4844-132-0x0000000000400000-0x0000000000421000-memory.dmp | upx
  behavioral2/memory/4844-136-0x0000000000400000-0x0000000000421000-memory.dmp | upx
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | ef2c5839ce475f1761e5a8a0113cd5c1c6a91b27b3176bcefeaacb086cda4a70.exe
- Loads dropped DLL (1 IoC)
  pid | Process
  4828 | svchost.exe
- Unexpected DNS network traffic destination (2 IoCs)
  Network traffic on the DNS port to servers other than the configured DNS servers was detected.
  description | ioc
  Destination IP | 208.67.220.220
  Destination IP | 208.67.220.220
- Drops file in System32 directory (7 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\SysWOW64\Windowsxp.ini | svchost.exe
  File created | C:\Windows\SysWOW64\64to32.dll | ef2c5839ce475f1761e5a8a0113cd5c1c6a91b27b3176bcefeaacb086cda4a70.exe
  File opened for modification | C:\Windows\SysWOW64\Windowsxp32.ini | svchost.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | svchost.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | svchost.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | svchost.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | svchost.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies data under HKEY_USERS (8 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | svchost.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | svchost.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | svchost.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | svchost.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | svchost.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | svchost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | svchost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | svchost.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs; identical entries collapsed, with the number of occurrences in the report)
  pid | Process | occurrences
  4844 | ef2c5839ce475f1761e5a8a0113cd5c1c6a91b27b3176bcefeaacb086cda4a70.exe | 8
  4828 | svchost.exe | 56
- Suspicious use of WriteProcessMemory (3 IoCs)
  description | pid | Process | procid_target
  PID 4844 wrote to memory of 3656 | 4844 | ef2c5839ce475f1761e5a8a0113cd5c1c6a91b27b3176bcefeaacb086cda4a70.exe | 82
  PID 4844 wrote to memory of 3656 | 4844 | ef2c5839ce475f1761e5a8a0113cd5c1c6a91b27b3176bcefeaacb086cda4a70.exe | 82
  PID 4844 wrote to memory of 3656 | 4844 | ef2c5839ce475f1761e5a8a0113cd5c1c6a91b27b3176bcefeaacb086cda4a70.exe | 82
Processes
- C:\Users\Admin\AppData\Local\Temp\ef2c5839ce475f1761e5a8a0113cd5c1c6a91b27b3176bcefeaacb086cda4a70.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ef2c5839ce475f1761e5a8a0113cd5c1c6a91b27b3176bcefeaacb086cda4a70.exe"
  PID: 4844
  - Sets DLL path for service in the registry
  - Checks computer location settings
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  Child process:
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\EF2C58~1.EXE >> NUL
    PID: 3656
- C:\Windows\SysWOW64\svchost.exe
  Command line: C:\Windows\SysWOW64\svchost.exe -k netsvcs
  PID: 4828
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 68KB
  MD5: 95132e78819ca2b72dc0033c55df15a9
  SHA1: c4baf68a9078386fccd0d70b44bf483b6c5ac517
  SHA256: 99391f7ae0a3841cb93ba5042b4370315c3351b524a05828c9e10d6908e96247
  SHA512: 9531e2e42b0ca8931420530a1c784d564c9aa10aa36cd8cdc2911b7610ad83afdb02556bf45fcd4a0abd8cc0d21ebfa6850c2cd4c3e40946333a9244f46ae291