Analysis
- max time kernel: 7s
- max time network: 33s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06-01-2023 14:02
Static task: static1
Behavioral task: behavioral1
- Sample: msedge.exe
- Resource: win7-20221111-en
Behavioral task: behavioral2
- Sample: msedge.exe
- Resource: win10v2004-20220901-en
General
- Target: msedge.exe
- Size: 413KB
- MD5: cee276c40f8aa85fe77c1e43cb87cb9b
- SHA1: f57853fb3bb038887c0773a100cec95837bc2039
- SHA256: 3a70394c394cb59907b5798a96a582f37ce62885fadd73267df25ad680141289
- SHA512: 7db64681c0d854d1e3beed72ee4cabbd7c71a9eae84c41a9cd03da6e9494986943975596a4a3ba8ac9d164dd27cb4437d16a2b7150f9a78445d06699abe3ca2b
- SSDEEP: 6144:95yaXtrA/WSo1rl3ALrlHQpn0BwK3SBDmhYfFQCU:9TX6WSofcZ+KCIGDU
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  pid  | Process
  2960 | fmSTr.exe
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description       | ioc                                                                                                 | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | msedge.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | fmSTr.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description     | ioc                                                                                                                                              | Process
  Key created     | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run                                        | reg.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\users\\Public\\fmSTr.exe" | reg.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid  | Process
  2960 | fmSTr.exe
  2960 | fmSTr.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description             | pid  | Process
  Token: SeDebugPrivilege | 2960 | fmSTr.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  description                      | pid  | Process    | procid_target
  PID 3856 wrote to memory of 2960 | 3856 | msedge.exe | 81
  PID 3856 wrote to memory of 2960 | 3856 | msedge.exe | 81
  PID 2960 wrote to memory of 2376 | 2960 | fmSTr.exe  | 82
  PID 2960 wrote to memory of 2376 | 2960 | fmSTr.exe  | 82
  PID 2960 wrote to memory of 2304 | 2960 | fmSTr.exe  | 50
  PID 2376 wrote to memory of 4832 | 2376 | cmd.exe    | 84
  PID 2376 wrote to memory of 4832 | 2376 | cmd.exe    | 84
  PID 2960 wrote to memory of 2328 | 2960 | fmSTr.exe  | 49
  PID 2960 wrote to memory of 2432 | 2960 | fmSTr.exe  | 48
  PID 2960 wrote to memory of 2708 | 2960 | fmSTr.exe  | 37
  PID 2960 wrote to memory of 3228 | 2960 | fmSTr.exe  | 36
Processes
- C:\Windows\system32\DllHost.exe
  Command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  PID:3228
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
  PID:2708
- C:\Windows\system32\taskhostw.exe
  Command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  PID:2432
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
  PID:2328
- C:\Windows\system32\sihost.exe
  Command line: sihost.exe
  PID:2304
- C:\Users\Admin\AppData\Local\Temp\msedge.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
  PID:3856
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\users\Public\fmSTr.exe (child of PID 3856)
    Command line: "C:\users\Public\fmSTr.exe" C:\Users\Admin\AppData\Local\Temp\msedge.exe
    PID:2960
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\cmd.exe (child of PID 2960)
      Command line: "C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\users\Public\fmSTr.exe" /f
      PID:2376
      - Suspicious use of WriteProcessMemory
      - C:\Windows\system32\reg.exe (child of PID 2376)
        Command line: REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\users\Public\fmSTr.exe" /f
        PID:4832
        - Adds Run key to start application
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 170KB
  MD5: 31bd0f224e7e74eee2847f43aae23974
  SHA1: 92e331e1e8ad30538f38dd7ba31386afafa14a58
  SHA256: 8b0a5fb13309623c3518473551cb1f55d38d8450129d4a3c16b476f7b2867d7d
  SHA512: a13f05a12b084ef425f542ff4be824bbccb5dbdfe085af8b7e19d81a6bcba4b8c1debcc38f6b57bc9265a4db21eed70852ece8cc62b3ef14c47fca3035a55249
- Filesize: 170KB
  MD5: 31bd0f224e7e74eee2847f43aae23974
  SHA1: 92e331e1e8ad30538f38dd7ba31386afafa14a58
  SHA256: 8b0a5fb13309623c3518473551cb1f55d38d8450129d4a3c16b476f7b2867d7d
  SHA512: a13f05a12b084ef425f542ff4be824bbccb5dbdfe085af8b7e19d81a6bcba4b8c1debcc38f6b57bc9265a4db21eed70852ece8cc62b3ef14c47fca3035a55249