9b075182d6fa81ba33d7cbf277e47a2e56b5a7320c8c58b4b27a1b9caaddc2f0

Analysis

max time kernel
145s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
08/03/2023, 10:36

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

996b9e029e0d93efa265c69b2cf1cfac64b3b848ae936b2c43f2decdd591757e.exe
Size

232KB
MD5

db86be5c9d964461352838299b3f9ded
SHA1

a73c35fa1b378170ac7d7f2caccf083728564bc4
SHA256

996b9e029e0d93efa265c69b2cf1cfac64b3b848ae936b2c43f2decdd591757e
SHA512

42dde7869b9c0d38b5aad0dbf84099366f89a4c07a9118d3690ee16ae86649c79ea53c79088ea1ce1a7b22e86dfe41bc15e7eb5355c1cfd6b11d9c0a52d83c69
SSDEEP

6144:/EpkFdqGIh+djouPq+koJMuF+QaG9WefAtSfGwvFNGQAb:/EGdBIh+djousTG7/QQGeFHAb

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	996b9e029e0d93efa265c69b2cf1cfac64b3b848ae936b2c43f2decdd591757e.exe

Executes dropped EXE 2 IoCs

pid	Process
524	MsMpEng.exe
2628	MsMpEng.exe

Loads dropped DLL 2 IoCs

pid	Process
524	MsMpEng.exe
2628	MsMpEng.exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache	svchost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData	svchost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_E503B048B745DFA14B81FCFC68D6DECE	svchost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content	svchost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_E503B048B745DFA14B81FCFC68D6DECE	svchost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	svchost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	svchost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft	svchost.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2628 set thread context of 4724	2628	MsMpEng.exe	86
PID 4724 set thread context of 2496	4724	svchost.exe	87

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	svchost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4724	svchost.exe
Token: SeDebugPrivilege	2496	dllhost.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2132 wrote to memory of 524	2132	996b9e029e0d93efa265c69b2cf1cfac64b3b848ae936b2c43f2decdd591757e.exe	84
PID 2132 wrote to memory of 524	2132	996b9e029e0d93efa265c69b2cf1cfac64b3b848ae936b2c43f2decdd591757e.exe	84
PID 2132 wrote to memory of 524	2132	996b9e029e0d93efa265c69b2cf1cfac64b3b848ae936b2c43f2decdd591757e.exe	84
PID 2628 wrote to memory of 4724	2628	MsMpEng.exe	86
PID 2628 wrote to memory of 4724	2628	MsMpEng.exe	86
PID 2628 wrote to memory of 4724	2628	MsMpEng.exe	86
PID 2628 wrote to memory of 4724	2628	MsMpEng.exe	86
PID 4724 wrote to memory of 2496	4724	svchost.exe	87
PID 4724 wrote to memory of 2496	4724	svchost.exe	87
PID 4724 wrote to memory of 2496	4724	svchost.exe	87
PID 4724 wrote to memory of 2496	4724	svchost.exe	87

C:\Users\Admin\AppData\Local\Temp\996b9e029e0d93efa265c69b2cf1cfac64b3b848ae936b2c43f2decdd591757e.exe
"C:\Users\Admin\AppData\Local\Temp\996b9e029e0d93efa265c69b2cf1cfac64b3b848ae936b2c43f2decdd591757e.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2132
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\MsMpEng.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\MsMpEng.exe" "C:\Users\Admin\AppData\Local\Temp\996b9e029e0d93efa265c69b2cf1cfac64b3b848ae936b2c43f2decdd591757e.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:524

C:\ProgramData\Microsoft\DeviceSync\MsMpEng.exe
C:\ProgramData\Microsoft\DeviceSync\MsMpEng.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2628
- C:\Windows\SysWOW64\svchost.exe
  -main
  2⤵
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4724
- - C:\Windows\SysWOW64\dllhost.exe
    C:\Windows\SysWOW64\dllhost.exe -user
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2496

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\DeviceSync\MpSvc.dll

Filesize
4KB

MD5
15f196ba1b40eb82b4d29f9ffb8cc0a2

SHA1
0ffcbab106f5bf6aae41c64fab0d176da1319509

SHA256
826e28746b8ee820811d7e78871b9e1fe2b2c8e7324b3b526338ed14898ee4c8

SHA512
cc9c5ec580a6852c5a2e9c826c9a5d41a789b1dcb61c67c8d8fe3810289e75abb50b97680eefb4eb1c911da840f53afa65e6bc1edfb332d7f77c66cf81a049e0

Download Submit
C:\ProgramData\Microsoft\DeviceSync\MsMpEng.exe

Filesize
21KB

MD5
cc09bb7fdefc5763ccb3cf7dae2d76cf

SHA1
8610d07f27a961066134d728c82eb8e5f22e7e8f

SHA256
f8f00900edba2f64bf136dd0b6c83caf07c72f24f3d49c78b7ea24757fdbc6d0

SHA512
0c518487aa5bad357bd19ad09c6cfe0b8bb522d74a916d36cf01f1bd194b59cd8457784b199dc953570ad7ef8ce67464d066bda51e31b055c9d4d5ca060d45c5

Download Submit
C:\ProgramData\Microsoft\DeviceSync\MsMpEng.exe

Filesize
21KB

MD5
cc09bb7fdefc5763ccb3cf7dae2d76cf

SHA1
8610d07f27a961066134d728c82eb8e5f22e7e8f

SHA256
f8f00900edba2f64bf136dd0b6c83caf07c72f24f3d49c78b7ea24757fdbc6d0

SHA512
0c518487aa5bad357bd19ad09c6cfe0b8bb522d74a916d36cf01f1bd194b59cd8457784b199dc953570ad7ef8ce67464d066bda51e31b055c9d4d5ca060d45c5

Download Submit
C:\ProgramData\Microsoft\DeviceSync\delete.txt

Filesize
206B

MD5
5cca6e66743e2feaa96625981aef787a

SHA1
3843db53ca2dd592a60404ba12dbb70f399b3853

SHA256
2ab8608ca48c3bfcba7986cf8b26f537448c0772c569f23e2843b0782550319e

SHA512
8cdd7c672d96fa7c9e96d5a1280cbe6d8f7d9f0f515e908ee3b1d3e3f32af1f5caef30e8be20b39f7ce9e66ce0891e031f6372e6a6594a4619348cc088a069ee

Download Submit
C:\ProgramData\Microsoft\DeviceSync\mpsvc

Filesize
68B

MD5
2e2b49769f5e230bd7d62f7a3387d888

SHA1
d6ecc5485f19b99f6ce8c908d80cf3f4a54b8039

SHA256
97076d5241f732059f08fabaa4a66fdcbf62ae4287480a3b29865f13b0c53923

SHA512
7da2385e06e0401b6f59c91e6ba5acd5385353c9934144cfb41d50c6ef72b031e77d3f64572048a6c2e0afaee2d4e9c2659742b46b68be1fe853a79a3ee71732

Download Submit
C:\ProgramData\Microsoft\DeviceSync\mpsvc.dll

Filesize
4KB

MD5
15f196ba1b40eb82b4d29f9ffb8cc0a2

SHA1
0ffcbab106f5bf6aae41c64fab0d176da1319509

SHA256
826e28746b8ee820811d7e78871b9e1fe2b2c8e7324b3b526338ed14898ee4c8

SHA512
cc9c5ec580a6852c5a2e9c826c9a5d41a789b1dcb61c67c8d8fe3810289e75abb50b97680eefb4eb1c911da840f53afa65e6bc1edfb332d7f77c66cf81a049e0

Download Submit
C:\ProgramData\Mozilla\6061D7F2

Filesize
8B

MD5
59184da577ec0ca4dcb4bba16ff10e83

SHA1
a64575caccfce2363480a54d6c7f03c8d847ee43

SHA256
874197c205410abfea1172987bbb57543df611890a357353db5863876437cc11

SHA512
d192a68d6af70c402c078a3aa1c871f9a1cf65deb0423a8a1cec79b940dbbda06add519d28794eb3ffac4593425b504ca61a10084c86fc1f4eddd03f07274c38

Download Submit
C:\ProgramData\Mozilla\sgkey.data

Filesize
91KB

MD5
88389e4cdcaf0e903b70691394d57c19

SHA1
b502efe1090764ae042524d72b04001c270301ce

SHA256
2ee577b861d565c051ce38e2f05bd8167dc6cbae31e8f828080ecae58c9cc449

SHA512
54a8867b490692cd09e0ed246c92ad0ba1a62f1ac8bea6270aecdbefa2b016892a83d35028660d3ef6d31f559a53c5c91dc3fd24def09de4f11c0a8c925f5e1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\MpSvc.dll

Filesize
4KB

MD5
15f196ba1b40eb82b4d29f9ffb8cc0a2

SHA1
0ffcbab106f5bf6aae41c64fab0d176da1319509

SHA256
826e28746b8ee820811d7e78871b9e1fe2b2c8e7324b3b526338ed14898ee4c8

SHA512
cc9c5ec580a6852c5a2e9c826c9a5d41a789b1dcb61c67c8d8fe3810289e75abb50b97680eefb4eb1c911da840f53afa65e6bc1edfb332d7f77c66cf81a049e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\MsMpEng.exe

Filesize
21KB

MD5
cc09bb7fdefc5763ccb3cf7dae2d76cf

SHA1
8610d07f27a961066134d728c82eb8e5f22e7e8f

SHA256
f8f00900edba2f64bf136dd0b6c83caf07c72f24f3d49c78b7ea24757fdbc6d0

SHA512
0c518487aa5bad357bd19ad09c6cfe0b8bb522d74a916d36cf01f1bd194b59cd8457784b199dc953570ad7ef8ce67464d066bda51e31b055c9d4d5ca060d45c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\MsMpEng.exe

Filesize
21KB

MD5
cc09bb7fdefc5763ccb3cf7dae2d76cf

SHA1
8610d07f27a961066134d728c82eb8e5f22e7e8f

SHA256
f8f00900edba2f64bf136dd0b6c83caf07c72f24f3d49c78b7ea24757fdbc6d0

SHA512
0c518487aa5bad357bd19ad09c6cfe0b8bb522d74a916d36cf01f1bd194b59cd8457784b199dc953570ad7ef8ce67464d066bda51e31b055c9d4d5ca060d45c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\MsMpEng.exe

Filesize
21KB

MD5
cc09bb7fdefc5763ccb3cf7dae2d76cf

SHA1
8610d07f27a961066134d728c82eb8e5f22e7e8f

SHA256
f8f00900edba2f64bf136dd0b6c83caf07c72f24f3d49c78b7ea24757fdbc6d0

SHA512
0c518487aa5bad357bd19ad09c6cfe0b8bb522d74a916d36cf01f1bd194b59cd8457784b199dc953570ad7ef8ce67464d066bda51e31b055c9d4d5ca060d45c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\mpsvc.dll

Filesize
4KB

MD5
15f196ba1b40eb82b4d29f9ffb8cc0a2

SHA1
0ffcbab106f5bf6aae41c64fab0d176da1319509

SHA256
826e28746b8ee820811d7e78871b9e1fe2b2c8e7324b3b526338ed14898ee4c8

SHA512
cc9c5ec580a6852c5a2e9c826c9a5d41a789b1dcb61c67c8d8fe3810289e75abb50b97680eefb4eb1c911da840f53afa65e6bc1edfb332d7f77c66cf81a049e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\readme.txt

Filesize
122KB

MD5
b4ce963a21dbf4a27b4c22e3ea3ece10

SHA1
618c763d4f69386ec4e37f0bf3e3e358679a5c76

SHA256
d0788ff548437724f633af5deb1148c99778b171834831d565a1871b24bf954c

SHA512
0ef4848577b9e9448e3a265e9e0b5304e955f69ab8acbc8ddc49b8e3cbe9f25407df354c271360f8bf0031b8e422f270bc542daa0fab4e76f33cb0d38a56f996

Download Submit
memory/524-170-0x0000000002710000-0x000000000272F000-memory.dmp

Filesize
124KB

Download
memory/524-171-0x0000000002770000-0x0000000002785000-memory.dmp

Filesize
84KB

Download
memory/2496-187-0x0000000002760000-0x000000000276A000-memory.dmp

Filesize
40KB

Download
memory/2496-188-0x0000000000F60000-0x0000000000F75000-memory.dmp

Filesize
84KB

Download
memory/2496-200-0x00000000027C0000-0x00000000027C8000-memory.dmp

Filesize
32KB

Download
memory/2496-199-0x00000000027B0000-0x00000000027BB000-memory.dmp

Filesize
44KB

Download
memory/2496-198-0x00000000027A0000-0x00000000027A7000-memory.dmp

Filesize
28KB

Download
memory/2496-197-0x0000000002770000-0x0000000002774000-memory.dmp

Filesize
16KB

Download
memory/2496-196-0x0000000002760000-0x000000000276A000-memory.dmp

Filesize
40KB

Download
memory/2496-195-0x0000000002750000-0x0000000002758000-memory.dmp

Filesize
32KB

Download
memory/2496-194-0x0000000002740000-0x0000000002747000-memory.dmp

Filesize
28KB

Download
memory/2496-193-0x0000000002730000-0x0000000002737000-memory.dmp

Filesize
28KB

Download
memory/2496-186-0x0000000000C10000-0x0000000000C27000-memory.dmp

Filesize
92KB

Download
memory/2628-167-0x00000000010C0000-0x00000000010D5000-memory.dmp

Filesize
84KB

Download
memory/4724-172-0x0000000000530000-0x0000000000545000-memory.dmp

Filesize
84KB

Download
memory/4724-180-0x0000000001080000-0x0000000001088000-memory.dmp

Filesize
32KB

Download
memory/4724-179-0x0000000001070000-0x000000000107B000-memory.dmp

Filesize
44KB

Download
memory/4724-178-0x0000000001060000-0x0000000001067000-memory.dmp

Filesize
28KB

Download
memory/4724-177-0x00000000005F0000-0x00000000005F4000-memory.dmp

Filesize
16KB

Download
memory/4724-176-0x00000000005E0000-0x00000000005EA000-memory.dmp

Filesize
40KB

Download
memory/4724-175-0x00000000005D0000-0x00000000005D8000-memory.dmp

Filesize
32KB

Download
memory/4724-174-0x00000000005C0000-0x00000000005C7000-memory.dmp

Filesize
28KB

Download
memory/4724-173-0x00000000005B0000-0x00000000005B7000-memory.dmp

Filesize
28KB

Download
memory/4724-166-0x0000000000380000-0x0000000000397000-memory.dmp

Filesize
92KB

Download