dc83077c813aea1b1d85690f51e17c2b2d11aeeefd1052e3f197457ea989e493

Analysis

max time kernel
203s
max time network
210s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
06/12/2022, 14:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dc83077c813aea1b1d85690f51e17c2b2d11aeeefd1052e3f197457ea989e493.exe
Size

1.2MB
MD5

ff76eb332870fe8827436a30766c6721
SHA1

b14a4d3a84d5fbea0d8599ce50392c29d550cfab
SHA256

dc83077c813aea1b1d85690f51e17c2b2d11aeeefd1052e3f197457ea989e493
SHA512

85d5cecf31538527e4882277f5dc099524935462ae8fcbfdb6c2bb158646e6052eb253a5eb878f2cdf99c62f86773d9a568f9d8bf95dd3dcb33585851a267d16
SSDEEP

24576:i9B9dTBZA1m+c3CTquL4jhU3tc4ocpz1ih4PcsRzqKEMQY:Wv2quL4e3tQcpO4PUKEMQY

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1336	usnscv.exe
2180	Fosil Bot.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	dc83077c813aea1b1d85690f51e17c2b2d11aeeefd1052e3f197457ea989e493.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	usnscv.exe

Loads dropped DLL 4 IoCs

pid	Process
1336	usnscv.exe
1336	usnscv.exe
2180	Fosil Bot.exe
2180	Fosil Bot.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ctfmon = "\"C:\\Users\\Admin\\AppData\\Local\\usnscv.exe\""	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
852	1336	WerFault.exe	83
2892	1336	WerFault.exe	83

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
3888	reg.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1336	usnscv.exe
1336	usnscv.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
1336	usnscv.exe
2180	Fosil Bot.exe
2180	Fosil Bot.exe
2180	Fosil Bot.exe
2180	Fosil Bot.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4556 wrote to memory of 1336	4556	dc83077c813aea1b1d85690f51e17c2b2d11aeeefd1052e3f197457ea989e493.exe	83
PID 4556 wrote to memory of 1336	4556	dc83077c813aea1b1d85690f51e17c2b2d11aeeefd1052e3f197457ea989e493.exe	83
PID 4556 wrote to memory of 1336	4556	dc83077c813aea1b1d85690f51e17c2b2d11aeeefd1052e3f197457ea989e493.exe	83
PID 4556 wrote to memory of 2180	4556	dc83077c813aea1b1d85690f51e17c2b2d11aeeefd1052e3f197457ea989e493.exe	84
PID 4556 wrote to memory of 2180	4556	dc83077c813aea1b1d85690f51e17c2b2d11aeeefd1052e3f197457ea989e493.exe	84
PID 4556 wrote to memory of 2180	4556	dc83077c813aea1b1d85690f51e17c2b2d11aeeefd1052e3f197457ea989e493.exe	84
PID 1336 wrote to memory of 3108	1336	usnscv.exe	85
PID 1336 wrote to memory of 3108	1336	usnscv.exe	85
PID 1336 wrote to memory of 3108	1336	usnscv.exe	85
PID 3108 wrote to memory of 4232	3108	cmd.exe	87
PID 3108 wrote to memory of 4232	3108	cmd.exe	87
PID 3108 wrote to memory of 4232	3108	cmd.exe	87
PID 4232 wrote to memory of 3888	4232	cmd.exe	88
PID 4232 wrote to memory of 3888	4232	cmd.exe	88
PID 4232 wrote to memory of 3888	4232	cmd.exe	88
PID 1336 wrote to memory of 852	1336	usnscv.exe	91
PID 1336 wrote to memory of 852	1336	usnscv.exe	91
PID 1336 wrote to memory of 852	1336	usnscv.exe	91

C:\Users\Admin\AppData\Local\Temp\dc83077c813aea1b1d85690f51e17c2b2d11aeeefd1052e3f197457ea989e493.exe
"C:\Users\Admin\AppData\Local\Temp\dc83077c813aea1b1d85690f51e17c2b2d11aeeefd1052e3f197457ea989e493.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4556
- C:\Users\Admin\AppData\Local\usnscv.exe
  "C:\Users\Admin\AppData\Local\usnscv.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1336
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\winupdate.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3108
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V ctfmon /D "\"C:\Users\Admin\AppData\Local\usnscv.exe\"" /f
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4232
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V ctfmon /D "\"C:\Users\Admin\AppData\Local\usnscv.exe\"" /f
        5⤵
        Adds Run key to start application
        Modifies registry key
        
        PID:3888
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1336 -s 744
    3⤵
    - Program crash
    PID:852
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1336 -s 744
    3⤵
    - Program crash
    PID:2892
- C:\Users\Admin\AppData\Local\Fosil Bot.exe
  "C:\Users\Admin\AppData\Local\Fosil Bot.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:2180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1336 -ip 1336
1⤵
PID:3732

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Fosil Bot.exe

Filesize
372KB

MD5
54fa2157518fdf1669fb47119d4d6a4d

SHA1
4648ba95bf7daff7ed3dfe97ab00799ce28e1e71

SHA256
036b9a6e31387df518b296d3e3e1d4952fb7cdd8c3366a5a941d683aa1e47d34

SHA512
6a20875375837555cb26af1fac7c874c24bd281a933c70b021ef36e7da2907b3f8845e55c837d899e6297522fc05cfec9dc092a019c13e5e7ec92dbed52c4ec4

Download Submit
C:\Users\Admin\AppData\Local\Fosil Bot.exe

Filesize
372KB

MD5
54fa2157518fdf1669fb47119d4d6a4d

SHA1
4648ba95bf7daff7ed3dfe97ab00799ce28e1e71

SHA256
036b9a6e31387df518b296d3e3e1d4952fb7cdd8c3366a5a941d683aa1e47d34

SHA512
6a20875375837555cb26af1fac7c874c24bd281a933c70b021ef36e7da2907b3f8845e55c837d899e6297522fc05cfec9dc092a019c13e5e7ec92dbed52c4ec4

Download Submit
C:\Users\Admin\AppData\Local\Temp\winupdate.bat

Filesize
148B

MD5
6f893fa27049e87617787e4964ad5ecb

SHA1
2efa3418e797e4d5ced66044eff405cb2f93060c

SHA256
a9912cc06ab8465ecbf27c5b6887ba94421e213d1fff1467ee1d8f20a72f0b60

SHA512
08188fd11947612212701c3fffc253bb69530091115cf6c59650ed70851a8b56b5508cf458df9e742956144be1b3738560a33871a4be782798a63f04b7dae57f

Download Submit
C:\Users\Admin\AppData\Local\sysinf.dll

Filesize
71KB

MD5
c899a636dc5e5ae31bd933f4ebb1bd9d

SHA1
b485c9c9d5bcb60fea734c30877724d43ed44582

SHA256
ce1a775fe31d231a4fb8267de02ad3be4135706a20a5ae0979e7fede5e4e16c8

SHA512
4be4b0119599fda5a3cbc6b31b31f58914368ea2fb24406a49cac5ce7020343c01a230f5fc0c2bda9bc4d43a899488919fdf3b380ee58ff11237e1f7bd3ee4cc

Download Submit
C:\Users\Admin\AppData\Local\sysinf.dll

Filesize
71KB

MD5
c899a636dc5e5ae31bd933f4ebb1bd9d

SHA1
b485c9c9d5bcb60fea734c30877724d43ed44582

SHA256
ce1a775fe31d231a4fb8267de02ad3be4135706a20a5ae0979e7fede5e4e16c8

SHA512
4be4b0119599fda5a3cbc6b31b31f58914368ea2fb24406a49cac5ce7020343c01a230f5fc0c2bda9bc4d43a899488919fdf3b380ee58ff11237e1f7bd3ee4cc

Download Submit
C:\Users\Admin\AppData\Local\sysinf.dll

Filesize
71KB

MD5
c899a636dc5e5ae31bd933f4ebb1bd9d

SHA1
b485c9c9d5bcb60fea734c30877724d43ed44582

SHA256
ce1a775fe31d231a4fb8267de02ad3be4135706a20a5ae0979e7fede5e4e16c8

SHA512
4be4b0119599fda5a3cbc6b31b31f58914368ea2fb24406a49cac5ce7020343c01a230f5fc0c2bda9bc4d43a899488919fdf3b380ee58ff11237e1f7bd3ee4cc

Download Submit
C:\Users\Admin\AppData\Local\sysinf.dll

Filesize
71KB

MD5
c899a636dc5e5ae31bd933f4ebb1bd9d

SHA1
b485c9c9d5bcb60fea734c30877724d43ed44582

SHA256
ce1a775fe31d231a4fb8267de02ad3be4135706a20a5ae0979e7fede5e4e16c8

SHA512
4be4b0119599fda5a3cbc6b31b31f58914368ea2fb24406a49cac5ce7020343c01a230f5fc0c2bda9bc4d43a899488919fdf3b380ee58ff11237e1f7bd3ee4cc

Download Submit
C:\Users\Admin\AppData\Local\sysinf.dll

Filesize
71KB

MD5
c899a636dc5e5ae31bd933f4ebb1bd9d

SHA1
b485c9c9d5bcb60fea734c30877724d43ed44582

SHA256
ce1a775fe31d231a4fb8267de02ad3be4135706a20a5ae0979e7fede5e4e16c8

SHA512
4be4b0119599fda5a3cbc6b31b31f58914368ea2fb24406a49cac5ce7020343c01a230f5fc0c2bda9bc4d43a899488919fdf3b380ee58ff11237e1f7bd3ee4cc

Download Submit
C:\Users\Admin\AppData\Local\usnscv.exe

Filesize
556KB

MD5
ad58a31a5a33e94415d8954b0de9a45e

SHA1
9a53a10811eeba776475f247d5c9563f0804363d

SHA256
78c68ad71b609b6e915290461eb08fa999263d80f80d1da1a32004f8042b7742

SHA512
4f5ff5ac5859896bbca26400e26ab4bff5c7ef2d42f847aa12237348619d850fe9fda486e311ceab852399a1014e6e1eb9659de5d920d58fdeb7ec056aac4197

Download Submit
C:\Users\Admin\AppData\Local\usnscv.exe

Filesize
556KB

MD5
ad58a31a5a33e94415d8954b0de9a45e

SHA1
9a53a10811eeba776475f247d5c9563f0804363d

SHA256
78c68ad71b609b6e915290461eb08fa999263d80f80d1da1a32004f8042b7742

SHA512
4f5ff5ac5859896bbca26400e26ab4bff5c7ef2d42f847aa12237348619d850fe9fda486e311ceab852399a1014e6e1eb9659de5d920d58fdeb7ec056aac4197

Download Submit
memory/1336-138-0x0000000000500000-0x0000000000517000-memory.dmp

Filesize
92KB

Download
memory/2180-150-0x00000000033B0000-0x00000000033C7000-memory.dmp

Filesize
92KB

Download