Analysis
  max time kernel: 145s
  max time network: 153s
  platform: windows10-2004_x64
  resource: win10v2004-20230220-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 19-03-2023 03:02
Static task: static1
Behavioral task: behavioral1
  Sample: 806c6f10cf3ff2ddcfb8a3c9bb9f418c30b63b6eff5a62e94548d5156694b599.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: 806c6f10cf3ff2ddcfb8a3c9bb9f418c30b63b6eff5a62e94548d5156694b599.exe
  Resource: win10v2004-20230220-en
General
  Target: 806c6f10cf3ff2ddcfb8a3c9bb9f418c30b63b6eff5a62e94548d5156694b599.exe
  Size: 5.8MB
  MD5: d8cc96a6cfa21dc89f5f1c252d0120f4
  SHA1: 06a654dbbd0525a03b78a177b7ec3ece1cf5f233
  SHA256: 806c6f10cf3ff2ddcfb8a3c9bb9f418c30b63b6eff5a62e94548d5156694b599
  SHA512: f4131996d6a3df9617a6734ff8a31ad3ec47ab85f991c99ab57be05ccbd475d34f371fba7669d9c869118ef9619549ca14b70438e629b4d250f06f4087a2d80d
  SSDEEP: 98304:SuaSBtYKUEkxXk+b7FCOT7cZpyas3pY0Mv/QsiCZs4IiU1pANyNxd:feEky+T7kWYT/QF7pANyN
Malware Config
Signatures
Blocklisted process makes network request (2 IoCs)
Processes:
  flow 26  pid 3572  msiexec.exe
  flow 27  pid 3572  msiexec.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
  Key value queried: \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation  (806c6f10cf3ff2ddcfb8a3c9bb9f418c30b63b6eff5a62e94548d5156694b599.exe)
Executes dropped EXE (1 IoC)
Processes:
  pid 3844  CShell.exe
Enumerates connected drives (3 TTPs, 24 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
  File opened (read-only) by msiexec.exe, in the order observed:
  \??\O:  \??\Q:  \??\U:  \??\A:  \??\E:  \??\L:  \??\T:  \??\V:
  \??\W:  \??\Z:  \??\H:  \??\K:  \??\P:  \??\S:  \??\F:  \??\I:
  \??\N:  \??\M:  \??\R:  \??\X:  \??\Y:  \??\B:  \??\G:  \??\J:
Drops file in Windows directory (3 IoCs)
Processes:
  File created: C:\Windows\Installer\e5673cd.msi  (msiexec.exe)
  File opened for modification: C:\Windows\Installer\e5673cd.msi  (msiexec.exe)
  File opened for modification: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log  (msiexec.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
  pid 3572  msiexec.exe
  pid 3572  msiexec.exe
Suspicious use of AdjustPrivilegeToken (34 IoCs)
Processes:
  Token: SeShutdownPrivilege             pid 4104  msiexec.exe
  Token: SeIncreaseQuotaPrivilege        pid 4104  msiexec.exe
  Token: SeSecurityPrivilege             pid 3572  msiexec.exe
  Token: SeCreateTokenPrivilege          pid 4104  msiexec.exe
  Token: SeAssignPrimaryTokenPrivilege   pid 4104  msiexec.exe
  Token: SeLockMemoryPrivilege           pid 4104  msiexec.exe
  Token: SeIncreaseQuotaPrivilege        pid 4104  msiexec.exe
  Token: SeMachineAccountPrivilege       pid 4104  msiexec.exe
  Token: SeTcbPrivilege                  pid 4104  msiexec.exe
  Token: SeSecurityPrivilege             pid 4104  msiexec.exe
  Token: SeTakeOwnershipPrivilege        pid 4104  msiexec.exe
  Token: SeLoadDriverPrivilege           pid 4104  msiexec.exe
  Token: SeSystemProfilePrivilege        pid 4104  msiexec.exe
  Token: SeSystemtimePrivilege           pid 4104  msiexec.exe
  Token: SeProfSingleProcessPrivilege    pid 4104  msiexec.exe
  Token: SeIncBasePriorityPrivilege      pid 4104  msiexec.exe
  Token: SeCreatePagefilePrivilege       pid 4104  msiexec.exe
  Token: SeCreatePermanentPrivilege      pid 4104  msiexec.exe
  Token: SeBackupPrivilege               pid 4104  msiexec.exe
  Token: SeRestorePrivilege              pid 4104  msiexec.exe
  Token: SeShutdownPrivilege             pid 4104  msiexec.exe
  Token: SeDebugPrivilege                pid 4104  msiexec.exe
  Token: SeAuditPrivilege                pid 4104  msiexec.exe
  Token: SeSystemEnvironmentPrivilege    pid 4104  msiexec.exe
  Token: SeChangeNotifyPrivilege         pid 4104  msiexec.exe
  Token: SeRemoteShutdownPrivilege       pid 4104  msiexec.exe
  Token: SeUndockPrivilege               pid 4104  msiexec.exe
  Token: SeSyncAgentPrivilege            pid 4104  msiexec.exe
  Token: SeEnableDelegationPrivilege     pid 4104  msiexec.exe
  Token: SeManageVolumePrivilege         pid 4104  msiexec.exe
  Token: SeImpersonatePrivilege          pid 4104  msiexec.exe
  Token: SeCreateGlobalPrivilege         pid 4104  msiexec.exe
  Token: SeRestorePrivilege              pid 3572  msiexec.exe
  Token: SeTakeOwnershipPrivilege        pid 3572  msiexec.exe
Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
  PID 2020 wrote to memory of 3844  806c6f10cf3ff2ddcfb8a3c9bb9f418c30b63b6eff5a62e94548d5156694b599.exe -> CShell.exe
  PID 2020 wrote to memory of 3844  806c6f10cf3ff2ddcfb8a3c9bb9f418c30b63b6eff5a62e94548d5156694b599.exe -> CShell.exe
  PID 2020 wrote to memory of 3844  806c6f10cf3ff2ddcfb8a3c9bb9f418c30b63b6eff5a62e94548d5156694b599.exe -> CShell.exe
  PID 3844 wrote to memory of 4104  CShell.exe -> msiexec.exe
  PID 3844 wrote to memory of 4104  CShell.exe -> msiexec.exe
  PID 3844 wrote to memory of 4104  CShell.exe -> msiexec.exe
Processes
  C:\Users\Admin\AppData\Local\Temp\806c6f10cf3ff2ddcfb8a3c9bb9f418c30b63b6eff5a62e94548d5156694b599.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\806c6f10cf3ff2ddcfb8a3c9bb9f418c30b63b6eff5a62e94548d5156694b599.exe"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\RarSFX0\CShell.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\CShell.exe" APPLICATIONFOLDER="D:\Apps\CShell" /qn
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\msiexec.exe
        Command line: msiexec.exe /i "C:\ProgramData\ClassicShellSetup64_4_3_1.msi" APPLICATIONFOLDER="D:\Apps\CShell" /qn
        - Suspicious use of AdjustPrivilegeToken
  C:\Windows\system32\msiexec.exe
    Command line: C:\Windows\system32\msiexec.exe /V
    - Blocklisted process makes network request
    - Enumerates connected drives
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Downloads
  C:\ProgramData\ClassicShellSetup64_4_3_1.msi
    Filesize: 4.9MB
    MD5: 3a9ced12ba930d535142b39784ea08d6
    SHA1: f2f9292bbe66ad212d86a3fbb86c48096dbdc319
    SHA256: a23720f2f68e0100794db619339df333a2e889a21d198337012cbd4f1d6861e3
    SHA512: 4c9ee8c1afb24bfc38af92e3b40675b968574662622059187ff64192af29aebd1ff798b8e974393e80506ee1117216a0a1f20d7c13602919e6ffa121602df1d3
  C:\Users\Admin\AppData\Local\Temp\RarSFX0\CShell.exe
    Filesize: 7.0MB
    MD5: da9085c5a9749d328b5ab13e69153deb
    SHA1: cae9bc13eb12cac63a3cca40a0678c3ed83e50ec
    SHA256: 9c880e40fd90beaf67ba7f7293c37b5dd37816d20ea6317797b01448b58a4d58
    SHA512: c0ba3dc821c483a2b07600892e61103124362c0af20256464e718090140ddee2153152f8fd667eb7bcc8bef429ccbd5234b87b640b032120546087aa9f88984d