Analysis
max time kernel: 127s
max time network: 126s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21-03-2023 14:38

Static task: static1

Behavioral task: behavioral1
  Sample: ece100b8240f7eb032cb319a019eba1552ac19f563a291cf8422b1090ccf9b76.exe
  Resource: win7-20230220-en

Behavioral task: behavioral2
  Sample: ece100b8240f7eb032cb319a019eba1552ac19f563a291cf8422b1090ccf9b76.exe
  Resource: win10v2004-20230220-en
General
Target: ece100b8240f7eb032cb319a019eba1552ac19f563a291cf8422b1090ccf9b76.exe
Size: 7.5MB
MD5: fb0deff37fe12bbc4f0c1fe21e2d15ef
SHA1: 180325b8b6e64638e167601c67cd9c53331ba9f6
SHA256: ece100b8240f7eb032cb319a019eba1552ac19f563a291cf8422b1090ccf9b76
SHA512: 9fc013111994e943fd800abeb543563713eebebcd940b28973809a40d85271f0ed781dd95ca508e55788de2e2a575b1cb8734636f15b51a9d68f773b2cb4e73d
SSDEEP: 196608:bdj1WcTeKCVpVAKegYv6Pvz7xCVfQeYDprOtpN6x1Cd:RReKaAlRgxMfvihOwxy
Malware Config
Extracted
laplas
http://185.174.137.94
api_key: b54641cc29f95948635d659de94166b4528e39706396a99bb9c54497b2ee3421
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation
  process: ece100b8240f7eb032cb319a019eba1552ac19f563a291cf8422b1090ccf9b76.exe

Executes dropped EXE (1 IoC)
Processes:
  pid 4780  svcservice.exe

Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\telemetry = "C:\\Users\\Admin\\AppData\\Roaming\\telemetry\\svcservice.exe"
  process: ece100b8240f7eb032cb319a019eba1552ac19f563a291cf8422b1090ccf9b76.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (4 IoCs)
Processes:
  pid 5112  ece100b8240f7eb032cb319a019eba1552ac19f563a291cf8422b1090ccf9b76.exe  (2 entries)
  pid 4780  svcservice.exe  (2 entries)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (8 IoCs)
Processes:
  pid 5112  ece100b8240f7eb032cb319a019eba1552ac19f563a291cf8422b1090ccf9b76.exe  (4 entries)
  pid 4780  svcservice.exe  (4 entries)

Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
  description: PID 5112 wrote to memory of 4780
  pid: 5112
  process: ece100b8240f7eb032cb319a019eba1552ac19f563a291cf8422b1090ccf9b76.exe
  target process: svcservice.exe
  (3 identical entries)
Processes

1. C:\Users\Admin\AppData\Local\Temp\ece100b8240f7eb032cb319a019eba1552ac19f563a291cf8422b1090ccf9b76.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\ece100b8240f7eb032cb319a019eba1552ac19f563a291cf8422b1090ccf9b76.exe"
   - Checks computer location settings
   - Adds Run key to start application
   - Suspicious use of NtSetInformationThreadHideFromDebugger
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
      Command line: "C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe"
      - Executes dropped EXE
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
  Filesize: 125.0MB
  MD5: 5d74ca051c93f896934431df1823e73a
  SHA1: 2ca937c09cb4a763f0a52a2e859e8fbd0970fc62
  SHA256: 6cf97969d52cb2ec8861e1a54c2f30c8b443e058af2056e907dffc90aa0ea574
  SHA512: a4d20306bfac2234e260bbceb8e4c3963dd72506c83e6a16fe5f61380d60fbd076881be704538faec3078af32e03de8b7e5bdfb38da3e50495094e7fb2faf5df

C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
  Filesize: 118.8MB
  MD5: 9b386ef7c6cd578a064f6ab4ea1d49ac
  SHA1: 225b591bd06d5f5d954524aae510da5b222f7448
  SHA256: fac1570d4b52dc6ec2eb3f9fa4db07e93d4f221857e809542a0dfccf9c84e8c7
  SHA512: be4619c6459741a257e9c326e95ef8df02e2a74ab254fe0b3a4aff3c8b64b2444b89ae9593f4bc3b3eedc23ac41bdcc0974e1f0a9260a48474a9f7ec46ff2fc4

C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
  Filesize: 119.4MB
  MD5: e3cc4a80050cb7afea8ef01f9c8bb852
  SHA1: d0aa159e66b7842f924255eb55cc7c33055bf866
  SHA256: 9f13ac295e9640e51a097690ec4dbdf1826636a83e1cf24d32c3a4dc769e4eae
  SHA512: 9578fc99d1d5a4a41e31724c62ca1fec151c0a67b52cfef9b7a988f16640092189b4efa27a3301c7ad9bcac08e48ce9ad716df14025e81ff601f8f48091c70a4