Analysis

  • max time kernel
    7s
  • max time network
    33s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-01-2023 14:02

General

  • Target

    msedge.exe

  • Size

    413KB

  • MD5

    cee276c40f8aa85fe77c1e43cb87cb9b

  • SHA1

    f57853fb3bb038887c0773a100cec95837bc2039

  • SHA256

    3a70394c394cb59907b5798a96a582f37ce62885fadd73267df25ad680141289

  • SHA512

    7db64681c0d854d1e3beed72ee4cabbd7c71a9eae84c41a9cd03da6e9494986943975596a4a3ba8ac9d164dd27cb4437d16a2b7150f9a78445d06699abe3ca2b

  • SSDEEP

    6144:95yaXtrA/WSo1rl3ALrlHQpn0BwK3SBDmhYfFQCU:9TX6WSofcZ+KCIGDU

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
    1⤵
      PID:3228
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
      1⤵
        PID:2708
      • C:\Windows\system32\taskhostw.exe
        taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
        1⤵
          PID:2432
        • C:\Windows\system32\svchost.exe
          C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
          1⤵
            PID:2328
          • C:\Windows\system32\sihost.exe
            sihost.exe
            1⤵
              PID:2304
            • C:\Users\Admin\AppData\Local\Temp\msedge.exe
              "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
              1⤵
              • Checks computer location settings
              • Suspicious use of WriteProcessMemory
              PID:3856
              • C:\users\Public\fmSTr.exe
                "C:\users\Public\fmSTr.exe" C:\Users\Admin\AppData\Local\Temp\msedge.exe
                2⤵
                • Executes dropped EXE
                • Checks computer location settings
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2960
                • C:\Windows\System32\cmd.exe
                  "C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\users\Public\fmSTr.exe" /f
                  3⤵
                  • Suspicious use of WriteProcessMemory
                  PID:2376
                  • C:\Windows\system32\reg.exe
                    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\users\Public\fmSTr.exe" /f
                    4⤵
                    • Adds Run key to start application
                    PID:4832

            Network

            MITRE ATT&CK Enterprise v6

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Public\fmSTr.exe

              Filesize

              170KB

              MD5

              31bd0f224e7e74eee2847f43aae23974

              SHA1

              92e331e1e8ad30538f38dd7ba31386afafa14a58

              SHA256

              8b0a5fb13309623c3518473551cb1f55d38d8450129d4a3c16b476f7b2867d7d

              SHA512

              a13f05a12b084ef425f542ff4be824bbccb5dbdfe085af8b7e19d81a6bcba4b8c1debcc38f6b57bc9265a4db21eed70852ece8cc62b3ef14c47fca3035a55249

            • C:\users\Public\fmSTr.exe

              Filesize

              170KB

              MD5

              31bd0f224e7e74eee2847f43aae23974

              SHA1

              92e331e1e8ad30538f38dd7ba31386afafa14a58

              SHA256

              8b0a5fb13309623c3518473551cb1f55d38d8450129d4a3c16b476f7b2867d7d

              SHA512

              a13f05a12b084ef425f542ff4be824bbccb5dbdfe085af8b7e19d81a6bcba4b8c1debcc38f6b57bc9265a4db21eed70852ece8cc62b3ef14c47fca3035a55249

            • memory/2304-137-0x00007FF7F8D10000-0x00007FF7F909E000-memory.dmp

              Filesize

              3.6MB