Analysis

max time kernel: 190s
max time network: 204s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06/12/2022, 18:21
Tasks

Static task: static1
Behavioral task: behavioral1
Sample: e4adb5aefd0587c877ce970609950566b0b47278fc7302a60bf0eeba50c23799.exe
Resource: win7-20220812-en
General

Target: e4adb5aefd0587c877ce970609950566b0b47278fc7302a60bf0eeba50c23799.exe
Size: 1.2MB
MD5: 8c50ed6f779f15cee678f46f767f00b7
SHA1: 61ff380eb2544eaea307df43f7f4cdc3fcb93a63
SHA256: e4adb5aefd0587c877ce970609950566b0b47278fc7302a60bf0eeba50c23799
SHA512: 16a0548092ebf96a29ca508ed037f32bfe7af0a23457607d5bf697d549d3f2203ab5890cd990ebb950d7b0bc254782665d8e5bb63bce0c7a5fca9fd774b00c7c
SSDEEP: 24576:V+lr0S6fNVMPMgvu17YcTHVMqFCoUGksCoUGk:QRqFCobbCob
Malware Config
Signatures
Executes dropped EXE (1 IoC)
- PID 3440, process svhostnr.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation, by e4adb5aefd0587c877ce970609950566b0b47278fc7302a60bf0eeba50c23799.exe

Drops startup file (1 IoC)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinUpdate.exe, by e4adb5aefd0587c877ce970609950566b0b47278fc7302a60bf0eeba50c23799.exe
Suspicious use of SetThreadContext (1 IoC)
- PID 3500 (e4adb5aefd0587c877ce970609950566b0b47278fc7302a60bf0eeba50c23799.exe) set the thread context of PID 3440 (procid_target 83)
The target is the dropped svhostnr.exe. Taken together with the fourteen WriteProcessMemory calls from 3500 into 3440 recorded below, this is the sequence (create child, write into it, redirect its thread) characteristic of process hollowing, so the code that runs under the svhostnr.exe name need not be the dropped file's own.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe (1 TTP, 1 IoC)
- PID 1640, process PING.EXE

Suspicious use of AdjustPrivilegeToken (24 IoCs)
All by PID 3440, svhostnr.exe. Privileges enabled:
- SeIncreaseQuotaPrivilege
- SeSecurityPrivilege
- SeTakeOwnershipPrivilege
- SeLoadDriverPrivilege
- SeSystemProfilePrivilege
- SeSystemtimePrivilege
- SeProfSingleProcessPrivilege
- SeIncBasePriorityPrivilege
- SeCreatePagefilePrivilege
- SeBackupPrivilege
- SeRestorePrivilege
- SeShutdownPrivilege
- SeDebugPrivilege
- SeSystemEnvironmentPrivilege
- SeChangeNotifyPrivilege
- SeRemoteShutdownPrivilege
- SeUndockPrivilege
- SeManageVolumePrivilege
- SeImpersonatePrivilege
- SeCreateGlobalPrivilege
- Privilege LUIDs 33, 34, 35, 36 (reported by number only)

Suspicious use of SetWindowsHookEx (1 IoC)
- PID 3440, process svhostnr.exe
Suspicious use of WriteProcessMemory (20 IoCs)
- PID 3500 (e4adb5aefd0587c877ce970609950566b0b47278fc7302a60bf0eeba50c23799.exe) wrote to memory of PID 3440 (procid_target 83): 14 times
- PID 3500 (e4adb5aefd0587c877ce970609950566b0b47278fc7302a60bf0eeba50c23799.exe) wrote to memory of PID 3388 (procid_target 85): 3 times
- PID 3388 (cmd.exe) wrote to memory of PID 1640 (procid_target 87): 3 times
Processes

1. C:\Users\Admin\AppData\Local\Temp\e4adb5aefd0587c877ce970609950566b0b47278fc7302a60bf0eeba50c23799.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\e4adb5aefd0587c877ce970609950566b0b47278fc7302a60bf0eeba50c23799.exe"
   PID: 3500
   - Checks computer location settings
   - Drops startup file
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\plugtemp\svhostnr.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\\plugtemp\svhostnr.exe
      PID: 3440
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\e4adb5aefd0587c877ce970609950566b0b47278fc7302a60bf0eeba50c23799.exe"
      PID: 3388
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\PING.EXE
         Command line: ping 1.1.1.1 -n 1 -w 3000
         PID: 1640
         - Runs ping.exe

Two points worth reading out of this tree. The cmd.exe child is a timed self-delete: a single ping with a 3000 ms timeout is used as a sleep so that the parent has exited by the time Del removes the original sample from %TEMP%; what remains on disk is svhostnr.exe under Temp\plugtemp and the WinUpdate.exe copy in the Startup folder, so the Startup copy, not the submitted file, is the artefact to look for on a live host. The command line names System32\cmd.exe but the image that ran is SysWOW64\cmd.exe: the sample is a 32-bit process (see the arch:x86 resource tag) and its children resolve through WOW64 file-system redirection, which is why ping.exe also comes from SysWOW64. The doubled backslash in the svhostnr.exe command line is as recorded.
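Detection logic for the behaviours this report records, written as an added example; it is not part of the sandbox report and not code from the sample. The event records are constructed here in a Sysmon-like shape to mirror the reported process tree, the Startup drop, the Geo\Nation query and the injection API calls; the Event class, its field names and the rule names are this example's own assumptions, not the sandbox's schema. The rules generalise beyond this sample: any ping-then-del self-delete, any executable dropped into the per-user Startup folder, any Geo\Nation lookup, and any process that both writes into another process and sets a thread context there.

```python
"""Detections for the behaviours recorded in the sandbox report above.

Added example, not part of the report or the sample. EVENTS below are
constructed to mirror the reported process tree and IoCs; they are not the
sandbox's raw logs, and the field names are this example's own assumptions.
"""
import re
from dataclasses import dataclass


@dataclass
class Event:
    kind: str                 # "process" | "file" | "registry" | "api"
    pid: int = 0
    image: str = ""
    cmdline: str = ""
    target: str = ""          # file path or registry key; "" for api events
    api: str = ""             # api events: WriteProcessMemory / SetThreadContext
    target_pid: int = 0       # api events: process being written to / redirected


# cmd.exe /C ping <host> -n <count> -w <ms> > Nul & Del "<path>"
# The ping is only a sleep; the Del target is the file being removed.
SELF_DELETE_RE = re.compile(
    r'\bping\b[^&]*&\s*del\b\s+"?(?P<path>[^"&]+?)"?\s*$', re.IGNORECASE)

# Any executable-ish file created under the per-user Startup folder.
STARTUP_DROP_RE = re.compile(
    r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\[^\\]+"
    r"\.(?:exe|dll|scr|bat|cmd|vbs|js|lnk)$", re.IGNORECASE)

# Country-code lookup commonly used as a geofence before detonation.
GEO_NATION_RE = re.compile(
    r"\\Control Panel\\International\\Geo\\Nation$", re.IGNORECASE)


def detect(events):
    """Return (rule, detail) tuples, in event order, for every matching event."""
    hits = []
    for e in events:
        if e.kind == "process" and e.image.lower().endswith("\\cmd.exe"):
            m = SELF_DELETE_RE.search(e.cmdline)
            if m:
                hits.append(("self_delete_via_ping", m.group("path").strip()))
        elif e.kind == "file" and STARTUP_DROP_RE.search(e.target):
            hits.append(("startup_folder_drop", e.target))
        elif e.kind == "registry" and GEO_NATION_RE.search(e.target):
            hits.append(("geo_nation_lookup", e.image))
    return hits


def hollowing_pairs(events):
    """(source_pid, target_pid) pairs where one process both wrote into another
    and set a thread context in it, the usual process-hollowing sequence.
    Writes alone (3500 -> 3388 here) are routine on process creation and are
    deliberately not enough to fire."""
    writes = {(e.pid, e.target_pid) for e in events
              if e.kind == "api" and e.api == "WriteProcessMemory"}
    ctx = {(e.pid, e.target_pid) for e in events
           if e.kind == "api" and e.api == "SetThreadContext"}
    return sorted(writes & ctx)


SAMPLE = "e4adb5aefd0587c877ce970609950566b0b47278fc7302a60bf0eeba50c23799.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE_PATH = TEMP + "\\" + SAMPLE
STARTUP_PATH = (r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows"
                r"\Start Menu\Programs\Startup\WinUpdate.exe")

# Constructed events mirroring the report's process tree and IoCs.
EVENTS = [
    Event("registry", 3500, SAMPLE_PATH,
          target=r"\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000"
                 r"\Control Panel\International\Geo\Nation"),
    Event("file", 3500, SAMPLE_PATH, target=STARTUP_PATH),
    Event("api", 3500, api="WriteProcessMemory", target_pid=3440),
    Event("api", 3500, api="SetThreadContext", target_pid=3440),
    Event("api", 3500, api="WriteProcessMemory", target_pid=3388),
    Event("process", 3440, TEMP + r"\plugtemp\svhostnr.exe",
          cmdline=TEMP + r"\\plugtemp\svhostnr.exe"),
    Event("process", 3388, r"C:\Windows\SysWOW64\cmd.exe",
          cmdline='"C:\\Windows\\System32\\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 '
                  '> Nul & Del "' + SAMPLE_PATH + '"'),
    Event("process", 1640, r"C:\Windows\SysWOW64\PING.EXE",
          cmdline="ping 1.1.1.1 -n 1 -w 3000"),
]

if __name__ == "__main__":
    for rule, detail in detect(EVENTS):
        print(f"{rule:24} {detail}")
    print("hollowing pairs:", hollowing_pairs(EVENTS))
```

Run against the constructed events, detect() fires three rules (the Geo\Nation lookup, the WinUpdate.exe Startup drop, and the self-delete naming the sample's own path) and hollowing_pairs() returns only (3500, 3440); the write into cmd.exe (3388) does not qualify because no SetThreadContext accompanies it. Matching on the command line rather than on the SysWOW64 image path keeps the self-delete rule independent of whether the parent is 32- or 64-bit.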
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 1.1MB
MD5: d881de17aa8f2e2c08cbb7b265f928f9
SHA1: 08936aebc87decf0af6e8eada191062b5e65ac2a
SHA256: b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0
SHA512: 5f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34