Analysis
max time kernel: 124s
max time network: 140s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06-01-2023 00:31

Static task: static1
Behavioral task: behavioral1
  Sample: SOA.exe
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: SOA.exe
  Resource: win10v2004-20221111-en
General
Target: SOA.exe
Size: 1.1MB
MD5: f890903c9b2fa054a4b22b4240870db2
SHA1: 06ed4e7131287fcf01e49834180567daf9a13240
SHA256: a0c77b9f372d94ae8cbc32b27d319491cb65001b12963bc68b96b8caaf10dfa0
SHA512: b230749492b8d3ceb0824badc423c163c706df0c464849950523f2bedefa2ed7f50de83ee403611f1c5559f154f0fed7335310d23233701625de65bc09b9e883
SSDEEP: 12288:xJEPCBEYJmzdicP0bYzJfKMVvS1yIuDBXolPu3fgzHIGEoTCqEUbeSh39W+ll8nO:rCJRVXbe8REgRJrn85cMNd
Malware Config
Signatures
UAC bypass (signature name as listed in the process tree below)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | SOA.exe

Windows security bypass (signature name as listed in the process tree below)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | SOA.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\SOA.exe = "0" | SOA.exe
Sets service image path in registry 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TaskKill\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\Иисус.sys" | SOA.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation | SOA.exe
Windows security modification (signature name as listed in the process tree below)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | SOA.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions | SOA.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\SOA.exe = "0" | SOA.exe
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | jsc.exe
Key opened | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | jsc.exe
Key opened | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | jsc.exe
Checks whether UAC is enabled (signature name as listed in the process tree below)
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | SOA.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | SOA.exe
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
9 | api.ipify.org
10 | api.ipify.org

Suspicious use of SetThreadContext 1 IoCs
description | pid | Process | procid_target
PID 3632 set thread context of 5060 | 3632 | SOA.exe | 87

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | taskmgr.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | taskmgr.exe

Modifies registry class 1 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings | taskmgr.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process (repeated identical rows collapsed)
3632 | SOA.exe
3840 | powershell.exe
5060 | jsc.exe
688 | taskmgr.exe

Suspicious behavior: LoadsDriver 1 IoCs
pid | Process
3632 | SOA.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs
description | pid | Process
Token: SeDebugPrivilege | 3632 | SOA.exe
Token: SeLoadDriverPrivilege | 3632 | SOA.exe
Token: SeDebugPrivilege | 3632 | SOA.exe
Token: SeDebugPrivilege | 3840 | powershell.exe
Token: SeDebugPrivilege | 5060 | jsc.exe
Token: SeDebugPrivilege | 688 | taskmgr.exe
Token: SeSystemProfilePrivilege | 688 | taskmgr.exe
Token: SeCreateGlobalPrivilege | 688 | taskmgr.exe
Token: 33 | 688 | taskmgr.exe
Token: SeIncBasePriorityPrivilege | 688 | taskmgr.exe

Suspicious use of FindShellTrayWindow 55 IoCs
pid | Process (repeated identical rows collapsed)
688 | taskmgr.exe

Suspicious use of SendNotifyMessage 55 IoCs
pid | Process (repeated identical rows collapsed)
688 | taskmgr.exe

Suspicious use of SetWindowsHookEx 1 IoCs
pid | Process
5060 | jsc.exe

Suspicious use of WriteProcessMemory 16 IoCs
description | pid | Process | procid_target (repeated identical rows collapsed)
PID 3632 wrote to memory of 3840 | 3632 | SOA.exe | 83
PID 3632 wrote to memory of 1336 | 3632 | SOA.exe | 85
PID 3632 wrote to memory of 5056 | 3632 | SOA.exe | 86
PID 3632 wrote to memory of 988 | 3632 | SOA.exe | 88
PID 3632 wrote to memory of 5060 | 3632 | SOA.exe | 87
System policy modification 1 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | SOA.exe

outlook_office_path 1 IoCs
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | jsc.exe

outlook_win_path 1 IoCs
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | jsc.exe
Processes
(child processes are indented under their parent)

C:\Users\Admin\AppData\Local\Temp\SOA.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\SOA.exe"
  PID: 3632
  - UAC bypass
  - Windows security bypass
  - Sets service image path in registry
  - Checks computer location settings
  - Windows security modification
  - Checks whether UAC is enabled
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: LoadsDriver
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\SOA.exe" -Force
    PID: 3840
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe
    Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe"
    PID: 1336

  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
    Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe"
    PID: 5056

  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe"
    PID: 5060
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - outlook_office_path
    - outlook_win_path

  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe
    Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe"
    PID: 988

C:\Windows\system32\taskmgr.exe
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  PID: 688
  - Checks SCSI registry key(s)
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 984