Analysis
  max time kernel: 149s
  max time network: 154s
  platform: windows10-2004_x64
  resource: win10v2004-20220901-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 07/12/2022, 03:19
Static task: static1
Behavioral task: behavioral1
  Sample: 9a8fbfd40ea19beeb378f1be238e3ce8dd5675d83deabc5c249886d38b420626.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: 9a8fbfd40ea19beeb378f1be238e3ce8dd5675d83deabc5c249886d38b420626.exe
  Resource: win10v2004-20220901-en
General
  Target: 9a8fbfd40ea19beeb378f1be238e3ce8dd5675d83deabc5c249886d38b420626.exe
  Size: 64KB
  MD5: 1a0e8763b624334a5288ea2f59996f6d
  SHA1: 1d5968388c4d6266301822f8a6152467f5149a54
  SHA256: 9a8fbfd40ea19beeb378f1be238e3ce8dd5675d83deabc5c249886d38b420626
  SHA512: a8ed4acecf0bf9f8b019bdc4223496e8f2a29d349b01f41975d184081f4e7c674a5c5093da8268db865cffa845c9627bf8c673e8ef2dfc32fdbdd05423945552
  SSDEEP: 1536:ubpM6l4seAkWP6f2xBQwaqLO+0ER1qf5f87e:taNe3QjQwaaO+f1A9s
Signatures

Modifies firewall policy service (2 TTPs, 2 IoCs)
  Set value (int)   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0"   9a8fbfd40ea19beeb378f1be238e3ce8dd5675d83deabc5c249886d38b420626.exe
  Set value (int)   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0"   essledv.exe

UAC bypass (2 IoCs; name as listed under the processes below)
  Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"   essledv.exe
  Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"   9a8fbfd40ea19beeb378f1be238e3ce8dd5675d83deabc5c249886d38b420626.exe

Executes dropped EXE (1 IoC)
  pid 3588   essledv.exe

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Key value queried   \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation   9a8fbfd40ea19beeb378f1be238e3ce8dd5675d83deabc5c249886d38b420626.exe

Adds Run key to start application (2 TTPs, 4 IoCs)
  Key created   \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run   essledv.exe
  Set value (str)   \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ttool = "C:\\Windows\\essledv.exe"   essledv.exe
  Key created   \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run   9a8fbfd40ea19beeb378f1be238e3ce8dd5675d83deabc5c249886d38b420626.exe
  Set value (str)   \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ttool = "C:\\Windows\\essledv.exe"   9a8fbfd40ea19beeb378f1be238e3ce8dd5675d83deabc5c249886d38b420626.exe

Checks whether UAC is enabled (4 IoCs; name as listed under the processes below)
  Key value queried   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   9a8fbfd40ea19beeb378f1be238e3ce8dd5675d83deabc5c249886d38b420626.exe
  Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"   9a8fbfd40ea19beeb378f1be238e3ce8dd5675d83deabc5c249886d38b420626.exe
  Key value queried   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   essledv.exe
  Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"   essledv.exe

Drops file in Windows directory (2 IoCs)
  File created   C:\Windows\essledv.exe   9a8fbfd40ea19beeb378f1be238e3ce8dd5675d83deabc5c249886d38b420626.exe
  File opened for modification   C:\Windows\essledv.exe   9a8fbfd40ea19beeb378f1be238e3ce8dd5675d83deabc5c249886d38b420626.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  Caveat: this is the sandbox's generic description for the signature. The report lists no IoCs under it and shows no file encryption or ransom note elsewhere, so the ransomware label is unconfirmed for this sample.

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid 3588   essledv.exe
  pid 3588   essledv.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege   pid 5060   9a8fbfd40ea19beeb378f1be238e3ce8dd5675d83deabc5c249886d38b420626.exe
  Token: SeDebugPrivilege   pid 3588   essledv.exe

Suspicious use of WriteProcessMemory (64 IoCs)
  5060 (9a8fbfd40ea19beeb378f1be238e3ce8dd5675d83deabc5c249886d38b420626.exe) wrote to memory of 3588 (essledv.exe): 3 entries, procid_target 81
  3588 (essledv.exe) wrote to memory of 61 other processes; target pid (procid_target), resolvable against the Processes section:
    604 (6), 660 (4), 764 (8), 768 (13), 780 (12), 880 (11), 940 (10), 1016 (9), 428 (14), 424 (16), 644 (15),
    1028 (20), 1036 (19), 1168 (18), 1204 (17), 1216 (21), 1244 (79), 1324 (78), 1416 (77), 1436 (76),
    1456 (75), 1464 (74), 1592 (73), 1624 (72), 1660 (71), 1692 (70), 1768 (69), 1828 (68), 1896 (67),
    1904 (66), 2012 (65), 2020 (64), 1816 (63), 2112 (62), 2200 (61), 2224 (60), 2400 (59), 2408 (58),
    2452 (57), 2516 (56), 2640 (55), 2656 (33), 2668 (32), 2676 (31), 2684 (30), 2692 (29), 2700 (28),
    3092 (26), 3212 (25), 3408 (24), 3504 (23), 3576 (22), 3660 (54), 3820 (53), 4420 (51), 4832 (50),
    4404 (49), 1176 (47), 2420 (45), 5112 (44), 3488 (43)

System policy modification (1 TTP, 2 IoCs)
  Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"   9a8fbfd40ea19beeb378f1be238e3ce8dd5675d83deabc5c249886d38b420626.exe
  Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"   essledv.exe
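The registry IoCs above are raw "Set value" / "Key value queried" rows; what matters for triage is which of them disable a defence (firewall, UAC), which persist (the Run key), and which fingerprint the host (Geo\Nation). The Python below is an added example and not part of the sandbox report: it parses rows in the report's layout and classifies them. The sample rows are transcribed from the Signatures section; the row regex and the ATT&CK technique IDs are the example's own assumptions (current sub-technique numbering, not the Enterprise v6 mapping the report page refers to).

```python
import re
from dataclasses import dataclass
from typing import Optional

SAMPLE = "9a8fbfd40ea19beeb378f1be238e3ce8dd5675d83deabc5c249886d38b420626.exe"

# Registry IoC rows transcribed from the Signatures section (sandbox wording kept;
# raw strings preserve the report's backslashes, including the doubled ones it
# prints inside quoted values).
REPORT_ROWS = [
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0" ' + SAMPLE,
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0" essledv.exe',
    r'Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ' + SAMPLE,
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ' + SAMPLE,
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" essledv.exe',
    r'Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation ' + SAMPLE,
    r'Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run essledv.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ttool = "C:\\Windows\\essledv.exe" essledv.exe',
]

# Row layout assumed from the report: <operation> <registry path>[ = "<value>"] <process>.
# The path is matched lazily so paths containing spaces ("Control Panel") still parse.
ROW_RE = re.compile(
    r'^(?P<op>Set value \((?:int|str)\)|Key value queried|Key created) '
    r'(?P<path>\\REGISTRY\\.+?)'
    r'(?: = "(?P<value>.*?)")?'
    r' (?P<proc>\S+)$'
)


@dataclass
class Finding:
    technique: str  # ATT&CK ID chosen by this example, not taken from the report
    summary: str
    process: str
    path: str
    value: Optional[str]


def parse_row(row):
    m = ROW_RE.match(row)
    if not m:
        raise ValueError(f"unrecognised IoC row: {row!r}")
    return m.groupdict()


def classify(ev):
    """Map one registry event to a Finding, or None when it is only informational."""
    op, path, value, proc = ev["op"], ev["path"], ev["value"], ev["proc"]
    low = path.lower()
    is_set = op.startswith("Set value")
    if is_set and value == "0" and low.endswith("\\enablefirewall") and "\\firewallpolicy\\" in low:
        profile = path.split("\\")[-2]  # e.g. PublicProfile
        return Finding("T1562.004", f"Windows Firewall disabled for {profile}", proc, path, value)
    if is_set and value == "0" and low.endswith("\\policies\\system\\enablelua"):
        return Finding("T1548.002", "UAC disabled (EnableLUA = 0)", proc, path, value)
    if is_set and "\\currentversion\\run\\" in low:
        name = path.rsplit("\\", 1)[-1]  # value name under Run, e.g. ttool
        return Finding("T1547.001", f"Run-key persistence {name} -> {value}", proc, path, value)
    if op == "Key value queried" and low.endswith("\\geo\\nation"):
        return Finding("T1614", "Configured country code read (possible geofence)", proc, path, value)
    return None  # e.g. reading EnableLUA, or creating the Run key without a value


def analyze(rows):
    return [f for f in (classify(parse_row(r)) for r in rows) if f is not None]


def processes_involved(findings):
    return sorted({f.process for f in findings})


if __name__ == "__main__":
    for f in analyze(REPORT_ROWS):
        print(f"{f.technique:10} {f.process:12.12} {f.summary}")
```

Both processes produce the same three defence-evasion and persistence findings, which is the point of the check: the dropped copy repeats every registry change the original made, so remediating only the file in %TEMP% leaves the Run key, the disabled firewall profile and EnableLUA=0 in place.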
Processes

[PID 660] C:\Windows\system32\lsass.exe
[PID 604] C:\Windows\system32\winlogon.exe   (cmd: winlogon.exe)
    [PID 764] C:\Windows\system32\fontdrvhost.exe   (cmd: "fontdrvhost.exe")
    [PID 1016] C:\Windows\system32\dwm.exe   (cmd: "dwm.exe")
[PID 940] C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
[PID 880] C:\Windows\system32\svchost.exe -k RPCSS -p
[PID 780] C:\Windows\system32\svchost.exe -k DcomLaunch -p
    [PID 3576] C:\Windows\System32\RuntimeBroker.exe -Embedding
    [PID 3504] "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    [PID 3408] C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
    [PID 3304] C:\Windows\system32\SppExtComObj.exe -Embedding
    [PID 3488] C:\Windows\system32\wbem\wmiprvse.exe
    [PID 4832] C:\Windows\System32\RuntimeBroker.exe -Embedding
    [PID 4420] C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
    [PID 3820] C:\Windows\System32\RuntimeBroker.exe -Embedding
    [PID 3660] "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
[PID 768] C:\Windows\system32\fontdrvhost.exe   (cmd: "fontdrvhost.exe")
[PID 428] C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
[PID 644] C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
[PID 424] C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
[PID 1204] C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
[PID 1168] C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
    [PID 2692] C:\Windows\system32\taskhostw.exe   (cmd: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E})
[PID 1036] C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
[PID 1028] C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
[PID 1216] C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
[PID 3212] C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
[PID 3092] C:\Windows\Explorer.EXE
    [PID 5060] "C:\Users\Admin\AppData\Local\Temp\9a8fbfd40ea19beeb378f1be238e3ce8dd5675d83deabc5c249886d38b420626.exe"
        - Modifies firewall policy service
        - UAC bypass
        - Checks computer location settings
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Drops file in Windows directory
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
        [PID 3588] "C:\Windows\essledv.exe"
            - Modifies firewall policy service
            - UAC bypass
            - Executes dropped EXE
            - Adds Run key to start application
            - Checks whether UAC is enabled
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            - System policy modification
        [PID 4936] C:\Windows\SysWOW64\cmd.exe   (cmd: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\abcdefg.bat" "C:\Users\Admin\AppData\Local\Temp\9a8fbfd40ea19beeb378f1be238e3ce8dd5675d83deabc5c249886d38b420626.exe"")
            The batch file is launched with the original sample path as its argument; its contents are not included in the report.
[PID 2700] "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
[PID 2684] C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
[PID 2676] C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
[PID 2668] C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
[PID 2656] C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
[PID 4676] C:\Windows\System32\svchost.exe -k WerSvcGroup
[PID 716] C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
[PID 4968] C:\Windows\System32\svchost.exe -k netsvcs -p
[PID 2184] C:\Windows\system32\svchost.exe -k LocalService -s W32Time
[PID 3628] C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
[PID 5112] C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
[PID 2420] C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
[PID 1176] C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
[PID 4404] C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
[PID 2640] C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
[PID 2516] C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
[PID 2452] C:\Windows\system32\sihost.exe   (cmd: sihost.exe)
[PID 2408] C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
[PID 2400] C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
[PID 2224] C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
[PID 2200] C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
[PID 2112] C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
[PID 1816] C:\Windows\System32\spoolsv.exe
[PID 2020] C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
[PID 2012] C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
[PID 1904] C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
[PID 1896] C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
[PID 1828] C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
[PID 1768] C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
[PID 1692] C:\Windows\system32\svchost.exe -k LocalService -p -s FontCache
[PID 1660] C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
[PID 1624] C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
[PID 1592] C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
[PID 1464] C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
[PID 1456] C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
[PID 1436] C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
[PID 1416] C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
[PID 1324] C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
[PID 1244] C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
[PID 4848] "C:\Windows\system32\WerFault.exe" -k -lc NDIS NDIS-20221211-2017.dmp
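The WriteProcessMemory signature only lists target PIDs, and the process tree only lists PIDs with command lines; joining the two is what tells a responder that essledv.exe wrote into lsass.exe, winlogon.exe, Explorer.EXE and 43 svchost instances, consistent with the EnumeratesProcesses signature on the same process. The Python below is an added example, not part of the report: both tables are transcribed from the page, and the grouping and naming logic is the example's own.

```python
from collections import defaultdict

SAMPLE = "9a8fbfd40ea19beeb378f1be238e3ce8dd5675d83deabc5c249886d38b420626.exe"

# Process tree transcribed from the report: pid -> (image, detail). For svchost the
# detail is the -s service, or the -k group when the command line has no -s.
PROCESS_TREE = {
    660: ("lsass.exe", ""), 604: ("winlogon.exe", ""), 764: ("fontdrvhost.exe", ""),
    1016: ("dwm.exe", ""), 940: ("svchost.exe", "LSM"), 880: ("svchost.exe", "RPCSS"),
    780: ("svchost.exe", "DcomLaunch"), 3576: ("RuntimeBroker.exe", ""),
    3504: ("StartMenuExperienceHost.exe", ""), 3408: ("DllHost.exe", ""),
    3304: ("SppExtComObj.exe", ""), 3488: ("wmiprvse.exe", ""), 4832: ("RuntimeBroker.exe", ""),
    4420: ("DllHost.exe", ""), 3820: ("RuntimeBroker.exe", ""), 3660: ("SearchApp.exe", ""),
    768: ("fontdrvhost.exe", ""), 428: ("svchost.exe", "gpsvc"),
    644: ("svchost.exe", "LocalServiceNoNetwork"), 424: ("svchost.exe", "lmhosts"),
    1204: ("svchost.exe", "EventLog"), 1168: ("svchost.exe", "Schedule"), 2692: ("taskhostw.exe", ""),
    1036: ("svchost.exe", "TimeBrokerSvc"), 1028: ("svchost.exe", "NcbService"),
    1216: ("svchost.exe", "DispBrokerDesktopSvc"), 3212: ("svchost.exe", "cbdhsvc"),
    3092: ("Explorer.EXE", ""), 5060: (SAMPLE, "submitted sample"), 3588: ("essledv.exe", "dropped copy"),
    4936: ("cmd.exe", "abcdefg.bat"), 2700: ("OfficeClickToRun.exe", ""),
    2684: ("svchost.exe", "LanmanServer"), 2676: ("svchost.exe", "Winmgmt"),
    2668: ("svchost.exe", "TrkWks"), 2656: ("svchost.exe", "CryptSvc"),
    4676: ("svchost.exe", "WerSvcGroup"), 716: ("svchost.exe", "wlidsvc"),
    4968: ("svchost.exe", "netsvcs"), 2184: ("svchost.exe", "W32Time"),
    3628: ("svchost.exe", "LicenseManager"), 5112: ("svchost.exe", "WinHttpAutoProxySvc"),
    2420: ("svchost.exe", "SSDPSRV"), 1176: ("svchost.exe", "StorSvc"),
    4404: ("svchost.exe", "CDPSvc"), 2640: ("svchost.exe", "WpnService"),
    2516: ("svchost.exe", "CDPUserSvc"), 2452: ("sihost.exe", ""),
    2408: ("svchost.exe", "IKEEXT"), 2400: ("svchost.exe", "PolicyAgent"),
    2224: ("svchost.exe", "LanmanWorkstation"), 2200: ("svchost.exe", "RmSvc"),
    2112: ("svchost.exe", "LocalServiceNoNetworkFirewall"), 1816: ("spoolsv.exe", ""),
    2020: ("svchost.exe", "StateRepository"), 2012: ("svchost.exe", "ShellHWDetection"),
    1904: ("svchost.exe", "LocalServiceNetworkRestricted"), 1896: ("svchost.exe", "Dnscache"),
    1828: ("svchost.exe", "LocalServiceNetworkRestricted"), 1768: ("svchost.exe", "netprofm"),
    1692: ("svchost.exe", "FontCache"), 1660: ("svchost.exe", "AudioEndpointBuilder"),
    1624: ("svchost.exe", "NlaSvc"), 1592: ("svchost.exe", "SENS"),
    1464: ("svchost.exe", "UserManager"), 1456: ("svchost.exe", "Themes"),
    1436: ("svchost.exe", "EventSystem"), 1416: ("svchost.exe", "Dhcp"),
    1324: ("svchost.exe", "nsi"), 1244: ("svchost.exe", "ProfSvc"), 4848: ("WerFault.exe", ""),
}

# WriteProcessMemory rows transcribed from the report as (source pid, target pid):
# the sample (5060) writes three times into its child essledv.exe (3588), and
# essledv.exe then writes once into each of 61 other processes in the tree.
WPM_EVENTS = [(5060, 3588)] * 3 + [(3588, t) for t in (
    604, 660, 764, 768, 780, 880, 940, 1016, 428, 424, 644, 1028, 1036, 1168, 1204,
    1216, 1244, 1324, 1416, 1436, 1456, 1464, 1592, 1624, 1660, 1692, 1768, 1828,
    1896, 1904, 2012, 2020, 1816, 2112, 2200, 2224, 2400, 2408, 2452, 2516, 2640,
    2656, 2668, 2676, 2684, 2692, 2700, 3092, 3212, 3408, 3504, 3576, 3660, 3820,
    4420, 4832, 4404, 1176, 2420, 5112, 3488)]

UNKNOWN = ("<not in process tree>", "")


def targets_by_source(events, tree=PROCESS_TREE):
    """Group rows by writing pid and resolve each target to (pid, image, detail)."""
    grouped = defaultdict(list)
    for src, dst in events:
        image, detail = tree.get(dst, UNKNOWN)
        grouped[src].append((dst, image, detail))
    return dict(grouped)


def image_histogram(events, src, tree=PROCESS_TREE):
    """Distinct targets of `src`, counted by image name."""
    counts = {}
    for dst in {d for s, d in events if s == src}:
        image = tree.get(dst, UNKNOWN)[0]
        counts[image] = counts.get(image, 0) + 1
    return counts


def untouched(events, tree=PROCESS_TREE):
    """Tree pids that were never a write target, excluding the writers themselves."""
    hit = {d for _, d in events}
    writers = {s for s, _ in events}
    return sorted(p for p in tree if p not in hit and p not in writers)


def priority_targets(events, src=3588, tree=PROCESS_TREE):
    """Targets to triage first: the credential store and the session/shell owners."""
    wanted = {"lsass.exe", "winlogon.exe", "Explorer.EXE"}
    hits = {d for s, d in events if s == src and tree.get(d, UNKNOWN)[0] in wanted}
    return sorted((d, tree[d][0]) for d in hits)


if __name__ == "__main__":
    grouped = targets_by_source(WPM_EVENTS)
    print(f"{len(WPM_EVENTS)} rows; 5060 -> 3588 x{len(grouped[5060])}, 3588 -> {len(grouped[3588])} targets")
    for image, n in sorted(image_histogram(WPM_EVENTS, 3588).items(), key=lambda kv: -kv[1]):
        print(f"  {n:3} x {image}")
    print("priority:", priority_targets(WPM_EVENTS))
    print("never targeted:", untouched(WPM_EVENTS))
```

Eight tree entries are never written to (SppExtComObj.exe, the cmd.exe child, WerFault.exe and five svchost instances); the report gives no timing, so the example only lists them rather than explaining why.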
MITRE ATT&CK Enterprise v6
Downloads

File 1
  Filesize: 80B
  MD5: 3c2c2719c39678a7ef5013eb16b6f6ef
  SHA1: 323dfea7b524e2781dc2a4584a72a22981eee9a0
  SHA256: 9356b2010f4fca9a15ea990821154c5b8a87ffe472741ad089d08c746df218d5
  SHA512: 47174f9a28ab1309b31c71b11742c0d055a3319e485a44d62452a58fc4af67740d8342552862977b51e79da562f90d92d1b9c9dbbb14e7f2369cbe67133ba71c

File 2 (hashes identical to the submitted sample, i.e. a byte-for-byte copy such as the one dropped to C:\Windows\essledv.exe)
  Filesize: 64KB
  MD5: 1a0e8763b624334a5288ea2f59996f6d
  SHA1: 1d5968388c4d6266301822f8a6152467f5149a54
  SHA256: 9a8fbfd40ea19beeb378f1be238e3ce8dd5675d83deabc5c249886d38b420626
  SHA512: a8ed4acecf0bf9f8b019bdc4223496e8f2a29d349b01f41975d184081f4e7c674a5c5093da8268db865cffa845c9627bf8c673e8ef2dfc32fdbdd05423945552

File 3
  Filesize: 64KB
  MD5: 1a0e8763b624334a5288ea2f59996f6d
  SHA1: 1d5968388c4d6266301822f8a6152467f5149a54
  SHA256: 9a8fbfd40ea19beeb378f1be238e3ce8dd5675d83deabc5c249886d38b420626
  SHA512: a8ed4acecf0bf9f8b019bdc4223496e8f2a29d349b01f41975d184081f4e7c674a5c5093da8268db865cffa845c9627bf8c673e8ef2dfc32fdbdd05423945552