798dbf16c60e2e96121753c6e399345f10d1f96cc60c19a13b572c317ec6106b

Analysis

max time kernel
152s
max time network
179s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
06/12/2022, 14:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

798dbf16c60e2e96121753c6e399345f10d1f96cc60c19a13b572c317ec6106b.exe
Size

56KB
MD5

05c4389c881e46717dca51c4068379e0
SHA1

eea556f014b2eb41be1514e1d3a25765fef96999
SHA256

798dbf16c60e2e96121753c6e399345f10d1f96cc60c19a13b572c317ec6106b
SHA512

d35d84903b43da396dab9872d62471bca1d9cad4920980c712639b1ed02c2078e608acb7374fbe45141a987699876bc3d8a197c6038e82960b829261e2fd7dd5
SSDEEP

1536:9OhCVsQ3KMfwM2aU8F78Pw4ASDVIIpyaxfC:9zVsQtEyo49UUaRC

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4936	XXX.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	XXX.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program files\MSDN\LHL13.sys	XXX.exe
File created	C:\Program files\MSDN\000000001	XXX.exe
File opened for modification	C:\Program files\MSDN\000000001	XXX.exe
File created	C:\Program files\MSDN\hehex.sys	XXX.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4936	XXX.exe
4936	XXX.exe
4936	XXX.exe
4936	XXX.exe
4936	XXX.exe
4936	XXX.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
4844	798dbf16c60e2e96121753c6e399345f10d1f96cc60c19a13b572c317ec6106b.exe
668	Process not Found

Suspicious use of AdjustPrivilegeToken 26 IoCs

description	pid	Process
Token: SeAssignPrimaryTokenPrivilege	4844	798dbf16c60e2e96121753c6e399345f10d1f96cc60c19a13b572c317ec6106b.exe
Token: SeAuditPrivilege	4844	798dbf16c60e2e96121753c6e399345f10d1f96cc60c19a13b572c317ec6106b.exe
Token: SeBackupPrivilege	4844	798dbf16c60e2e96121753c6e399345f10d1f96cc60c19a13b572c317ec6106b.exe
Token: SeChangeNotifyPrivilege	4844	798dbf16c60e2e96121753c6e399345f10d1f96cc60c19a13b572c317ec6106b.exe
Token: SeCreatePagefilePrivilege	4844	798dbf16c60e2e96121753c6e399345f10d1f96cc60c19a13b572c317ec6106b.exe
Token: SeCreatePermanentPrivilege	4844	798dbf16c60e2e96121753c6e399345f10d1f96cc60c19a13b572c317ec6106b.exe
Token: SeCreateTokenPrivilege	4844	798dbf16c60e2e96121753c6e399345f10d1f96cc60c19a13b572c317ec6106b.exe
Token: SeDebugPrivilege	4844	798dbf16c60e2e96121753c6e399345f10d1f96cc60c19a13b572c317ec6106b.exe
Token: SeIncBasePriorityPrivilege	4844	798dbf16c60e2e96121753c6e399345f10d1f96cc60c19a13b572c317ec6106b.exe
Token: SeIncreaseQuotaPrivilege	4844	798dbf16c60e2e96121753c6e399345f10d1f96cc60c19a13b572c317ec6106b.exe
Token: SeLoadDriverPrivilege	4844	798dbf16c60e2e96121753c6e399345f10d1f96cc60c19a13b572c317ec6106b.exe
Token: SeLockMemoryPrivilege	4844	798dbf16c60e2e96121753c6e399345f10d1f96cc60c19a13b572c317ec6106b.exe
Token: SeProfSingleProcessPrivilege	4844	798dbf16c60e2e96121753c6e399345f10d1f96cc60c19a13b572c317ec6106b.exe
Token: SeRemoteShutdownPrivilege	4844	798dbf16c60e2e96121753c6e399345f10d1f96cc60c19a13b572c317ec6106b.exe
Token: SeRestorePrivilege	4844	798dbf16c60e2e96121753c6e399345f10d1f96cc60c19a13b572c317ec6106b.exe
Token: SeSecurityPrivilege	4844	798dbf16c60e2e96121753c6e399345f10d1f96cc60c19a13b572c317ec6106b.exe
Token: SeShutdownPrivilege	4844	798dbf16c60e2e96121753c6e399345f10d1f96cc60c19a13b572c317ec6106b.exe
Token: SeSystemEnvironmentPrivilege	4844	798dbf16c60e2e96121753c6e399345f10d1f96cc60c19a13b572c317ec6106b.exe
Token: SeSystemProfilePrivilege	4844	798dbf16c60e2e96121753c6e399345f10d1f96cc60c19a13b572c317ec6106b.exe
Token: SeSystemtimePrivilege	4844	798dbf16c60e2e96121753c6e399345f10d1f96cc60c19a13b572c317ec6106b.exe
Token: SeTakeOwnershipPrivilege	4844	798dbf16c60e2e96121753c6e399345f10d1f96cc60c19a13b572c317ec6106b.exe
Token: SeTcbPrivilege	4844	798dbf16c60e2e96121753c6e399345f10d1f96cc60c19a13b572c317ec6106b.exe
Token: SeMachineAccountPrivilege	4844	798dbf16c60e2e96121753c6e399345f10d1f96cc60c19a13b572c317ec6106b.exe
Token: SeDebugPrivilege	4936	XXX.exe
Token: SeDebugPrivilege	4936	XXX.exe
Token: SeDebugPrivilege	4936	XXX.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4844 wrote to memory of 4936	4844	798dbf16c60e2e96121753c6e399345f10d1f96cc60c19a13b572c317ec6106b.exe	81
PID 4844 wrote to memory of 4936	4844	798dbf16c60e2e96121753c6e399345f10d1f96cc60c19a13b572c317ec6106b.exe	81
PID 4844 wrote to memory of 4936	4844	798dbf16c60e2e96121753c6e399345f10d1f96cc60c19a13b572c317ec6106b.exe	81
PID 4936 wrote to memory of 4308	4936	XXX.exe	82
PID 4936 wrote to memory of 4308	4936	XXX.exe	82
PID 4936 wrote to memory of 4308	4936	XXX.exe	82
PID 4936 wrote to memory of 2348	4936	XXX.exe	37
PID 4936 wrote to memory of 2348	4936	XXX.exe	37
PID 4936 wrote to memory of 2348	4936	XXX.exe	37
PID 4936 wrote to memory of 2348	4936	XXX.exe	37
PID 4936 wrote to memory of 2348	4936	XXX.exe	37
PID 4936 wrote to memory of 2348	4936	XXX.exe	37
PID 4936 wrote to memory of 2348	4936	XXX.exe	37
PID 4936 wrote to memory of 2348	4936	XXX.exe	37
PID 4936 wrote to memory of 2348	4936	XXX.exe	37
PID 4936 wrote to memory of 2348	4936	XXX.exe	37
PID 4936 wrote to memory of 2348	4936	XXX.exe	37
PID 4936 wrote to memory of 2348	4936	XXX.exe	37
PID 4936 wrote to memory of 2348	4936	XXX.exe	37
PID 4936 wrote to memory of 2348	4936	XXX.exe	37
PID 4936 wrote to memory of 2348	4936	XXX.exe	37
PID 4936 wrote to memory of 2348	4936	XXX.exe	37
PID 4936 wrote to memory of 2348	4936	XXX.exe	37
PID 4936 wrote to memory of 2348	4936	XXX.exe	37
PID 4936 wrote to memory of 2348	4936	XXX.exe	37
PID 4936 wrote to memory of 2348	4936	XXX.exe	37
PID 4936 wrote to memory of 2348	4936	XXX.exe	37
PID 4936 wrote to memory of 2348	4936	XXX.exe	37
PID 4936 wrote to memory of 2348	4936	XXX.exe	37
PID 4936 wrote to memory of 2348	4936	XXX.exe	37
PID 4936 wrote to memory of 2348	4936	XXX.exe	37
PID 4936 wrote to memory of 2348	4936	XXX.exe	37
PID 4936 wrote to memory of 2348	4936	XXX.exe	37
PID 4936 wrote to memory of 2348	4936	XXX.exe	37
PID 4936 wrote to memory of 2348	4936	XXX.exe	37
PID 4936 wrote to memory of 2348	4936	XXX.exe	37
PID 4936 wrote to memory of 2348	4936	XXX.exe	37
PID 4936 wrote to memory of 2348	4936	XXX.exe	37
PID 4936 wrote to memory of 2348	4936	XXX.exe	37
PID 4936 wrote to memory of 2348	4936	XXX.exe	37
PID 4936 wrote to memory of 2348	4936	XXX.exe	37
PID 4936 wrote to memory of 2348	4936	XXX.exe	37
PID 4936 wrote to memory of 2348	4936	XXX.exe	37
PID 4936 wrote to memory of 2348	4936	XXX.exe	37
PID 4936 wrote to memory of 2348	4936	XXX.exe	37
PID 4936 wrote to memory of 2348	4936	XXX.exe	37
PID 4936 wrote to memory of 2348	4936	XXX.exe	37
PID 4936 wrote to memory of 2348	4936	XXX.exe	37
PID 4936 wrote to memory of 2348	4936	XXX.exe	37
PID 4936 wrote to memory of 2348	4936	XXX.exe	37
PID 4936 wrote to memory of 2348	4936	XXX.exe	37
PID 4936 wrote to memory of 2348	4936	XXX.exe	37
PID 4936 wrote to memory of 2348	4936	XXX.exe	37
PID 4936 wrote to memory of 2348	4936	XXX.exe	37
PID 4936 wrote to memory of 2348	4936	XXX.exe	37
PID 4936 wrote to memory of 2348	4936	XXX.exe	37
PID 4936 wrote to memory of 2348	4936	XXX.exe	37
PID 4936 wrote to memory of 2348	4936	XXX.exe	37
PID 4936 wrote to memory of 2348	4936	XXX.exe	37
PID 4936 wrote to memory of 2348	4936	XXX.exe	37
PID 4936 wrote to memory of 2348	4936	XXX.exe	37
PID 4936 wrote to memory of 2348	4936	XXX.exe	37
PID 4936 wrote to memory of 2348	4936	XXX.exe	37
PID 4936 wrote to memory of 2348	4936	XXX.exe	37

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2348
- C:\Users\Admin\AppData\Local\Temp\798dbf16c60e2e96121753c6e399345f10d1f96cc60c19a13b572c317ec6106b.exe
  "C:\Users\Admin\AppData\Local\Temp\798dbf16c60e2e96121753c6e399345f10d1f96cc60c19a13b572c317ec6106b.exe"
  2⤵
  - Suspicious behavior: LoadsDriver
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4844
- - C:\Users\Admin\AppData\Local\Temp\XXX.exe
    C:\Users\Admin\AppData\Local\Temp\\XXX.exe
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4936
  - - C:\windows\SysWOW64\cmd.exe
      C:\windows\system32\cmd.exe /c time 04:18:00
      4⤵
      PID:4308
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\t.bat" "
      4⤵
      PID:3452

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XXX.exe

Filesize
35KB

MD5
d2779044769d61434d960358dadb8058

SHA1
14554925cb01d0eabf390a611946e4dbd618d584

SHA256
c34db1617b52ded90409c3e08bafa0c70d20a450b20aba5da41e609c2f4cdf3e

SHA512
6460360d20d217c6f33b332029761663218984a957ef228894026da1d82e2d49b6f1dfef75c498188516770d68fbc2c4790e3bbf08d50b0f6eaeedb5807b9c36

Download Submit
C:\Users\Admin\AppData\Local\Temp\XXX.exe

Filesize
35KB

MD5
d2779044769d61434d960358dadb8058

SHA1
14554925cb01d0eabf390a611946e4dbd618d584

SHA256
c34db1617b52ded90409c3e08bafa0c70d20a450b20aba5da41e609c2f4cdf3e

SHA512
6460360d20d217c6f33b332029761663218984a957ef228894026da1d82e2d49b6f1dfef75c498188516770d68fbc2c4790e3bbf08d50b0f6eaeedb5807b9c36

Download Submit
C:\Users\Admin\AppData\Local\Temp\t.bat

Filesize
130B

MD5
76fdf98d3292f1c7e18a0fe0a9e969e0

SHA1
e15b44f089e04657fc3267b62fb6570d926339dc

SHA256
438f9468c12c57235ed31422efb2b1d4bd55de5172b4b9893b0c8df334079cec

SHA512
c17bec0c6b044e2aa392d445a6417446e3b63a4503455198522bbae1c438ea19775c1ba9fc75cd62b123b2234231c17021ef3ba894659fdffb905054251dbeb5

Download Submit
memory/4936-135-0x0000000000720000-0x0000000000725000-memory.dmp

Filesize
20KB

Download