Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-1703_x64 -
resource
win10-20230220-en -
resource tags
-
submitted
15-04-2023 16:17
General
-
Target
Setup for cm2demo_oWTv-t1.exe
-
Size
1.7MB
-
MD5
99a9fbd5fee72ce51585309390a46717
-
SHA1
ff39c56312090a909c2c0c82629c552a3b252a98
-
SHA256
833064195b0c96bce9a8c00dc95df6bd9fce1092c1260ba0e877810bfc44b0aa
-
SHA512
97f9a98fb48c8281818163d3dbe66fa246e1fe6a5a67f15175419992b0ca389cbe086e457177c21ce9c99ff05a1e0b508812cdf30220090a438dd8c94f73c6b7
-
SSDEEP
24576:R4nXubIQGyxbPV0db26Wmd0l4sv1Et9uGpckT52zedlq89Ws5uIzk5aM/phdO7:Rqe3f61mZSffPMWrQ0ZkA
Malware Config
Signatures
-
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 3 IoCs
-
Drops file in Windows directory 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies Internet Explorer settings 1 TTPs 3 IoCs
-
Modifies registry class 64 IoCs
-
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.
-
Suspicious behavior: MapViewOfSection 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 10 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SetWindowsHookEx 3 IoCs
-
Suspicious use of WriteProcessMemory 32 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Setup for cm2demo_oWTv-t1.exe"C:\Users\Admin\AppData\Local\Temp\Setup for cm2demo_oWTv-t1.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-FHMSI.tmp\Setup for cm2demo_oWTv-t1.tmp"C:\Users\Admin\AppData\Local\Temp\is-FHMSI.tmp\Setup for cm2demo_oWTv-t1.tmp" /SL5="$70078,831488,831488,C:\Users\Admin\AppData\Local\Temp\Setup for cm2demo_oWTv-t1.exe"2⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-U9VV5.tmp\file_oWTv-t1.exe"C:\Users\Admin\AppData\Local\Temp\is-U9VV5.tmp\file_oWTv-t1.exe" /LANG=en /NA=Rh85hR643⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-U1E1K.tmp\file_oWTv-t1.tmp"C:\Users\Admin\AppData\Local\Temp\is-U1E1K.tmp\file_oWTv-t1.tmp" /SL5="$20208,1559708,780800,C:\Users\Admin\AppData\Local\Temp\is-U9VV5.tmp\file_oWTv-t1.exe" /LANG=en /NA=Rh85hR644⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
- Modifies Internet Explorer settings
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\RIZDY293\edgecompatviewlist[1].xmlFilesize
74KB
MD5d4fc49dc14f63895d997fa4940f24378
SHA13efb1437a7c5e46034147cbbc8db017c69d02c31
SHA256853d2f4eb81c9fdcea2ee079f6faf98214b111b77cdf68709b38989d123890f1
SHA512cc60d79b4afe5007634ac21dc4bc92081880be4c0d798a1735b63b27e936c02f399964f744dc73711987f01e8a1064b02a4867dd6cac27538e5fbe275cc61e0a
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\XA1J85RH\suggestions[1].en-USFilesize
17KB
MD55a34cb996293fde2cb7a4ac89587393a
SHA13c96c993500690d1a77873cd62bc639b3a10653f
SHA256c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\Microsoft\Windows\3720402701\2219095117.priFilesize
207KB
MD5e2b88765ee31470114e866d939a8f2c6
SHA1e0a53b8511186ff308a0507b6304fb16cabd4e1f
SHA256523e419d2fa2e780239812d36caa37e92f8c3e6a5cd9f18f0d807c593effa45e
SHA512462e8e6b4e63fc6781b6a9935b332a1dc77bfb88e1de49134f86fd46bd1598d2e842902dd9415a328e325bd7cdee766bd9473f2695acdfa769ffe7ba9ae1953d
-
C:\Users\Admin\AppData\Local\Temp\is-FHMSI.tmp\Setup for cm2demo_oWTv-t1.tmpFilesize
3.0MB
MD50c229cd26910820581b5809c62fe5619
SHA128c0630385b21f29e3e2bcc34865e5d15726eaa0
SHA256abfa49a915d2e0a82561ca440365e6a2d59f228533b56a8f78addf000a1081b3
SHA512b8ff3dc65f7c0e03721572af738ec4886ba895dc70c1a41a3ce8c8abe0946d167cec71913017fd11d5892452db761ea88901a5a09a681ae779dd531edbb83a2a
-
C:\Users\Admin\AppData\Local\Temp\is-PVU9L.tmp\finish.pngFilesize
2KB
MD57afaf9e0e99fd80fa1023a77524f5587
SHA1e20c9c27691810b388c73d2ca3e67e109c2b69b6
SHA256760b70612bb9bd967c2d15a5133a50ccce8c0bd46a6464d76875298dcc45dea0
SHA512a090626e7b7f67fb5aa207aae0cf65c3a27e1b85e22c9728eee7475bd9bb7375ca93baaecc662473f9a427b4f505d55f2c61ba36bda460e4e6947fe22eedb044
-
C:\Users\Admin\AppData\Local\Temp\is-PVU9L.tmp\mainlogo.pngFilesize
7KB
MD5c552e74a342cb35fa8b45ed4190c1609
SHA11e914f5a79af3bc1dc990a9f2d1ebdb41edc82d5
SHA256d386a1220f26de84d3b9a220db6a058e94d82b2403c8f70103ee20fa5579407f
SHA51280837907c8febe9306b149114b637b491bedede7c49d426e6ce9c1b416014c4beb4de57da1bef39a3783a345971b92532ce374f9138255588ebae6d15232a081
-
C:\Users\Admin\AppData\Local\Temp\is-U1E1K.tmp\file_oWTv-t1.tmpFilesize
2.9MB
MD5623a3abd7b318e1f410b1e12a42c7b71
SHA188e34041850ec4019dae469adc608e867b936d21
SHA256fe1a4555d18617532248d2eaa8d3fcc2c74182f994a964a62cf418295e8554d3
SHA5129afea88e4617e0f11416c2a2c416a6aa2d5d1f702d98d2cc223b399736191a6d002d1b717020ca6aae09e835c6356b7ddafad71e101dacab15967d89a105e391
-
C:\Users\Admin\AppData\Local\Temp\is-U9VV5.tmp\file_oWTv-t1.exeFilesize
2.3MB
MD520e7817860584d82adfba3acaf368ed1
SHA13faecf1643bec7781feac4184c6eae606ecf2958
SHA25669bbd536793cf4d7e1deee84eb74ca9d19e8e4a6b15c22df4288a9c9dd15e9da
SHA512bd214e04aa79a99ca61158971559abd9a02d4137ac0e443f1eee685ec3743ce0522838ff286811d8d5defd974e7a037d9132a85bda4311e88eda2c0249dfaa9e
-
C:\Users\Admin\AppData\Local\Temp\is-U9VV5.tmp\file_oWTv-t1.exeFilesize
2.3MB
MD520e7817860584d82adfba3acaf368ed1
SHA13faecf1643bec7781feac4184c6eae606ecf2958
SHA25669bbd536793cf4d7e1deee84eb74ca9d19e8e4a6b15c22df4288a9c9dd15e9da
SHA512bd214e04aa79a99ca61158971559abd9a02d4137ac0e443f1eee685ec3743ce0522838ff286811d8d5defd974e7a037d9132a85bda4311e88eda2c0249dfaa9e
-
C:\Users\Admin\Downloads\cm2demo.zipFilesize
1.9MB
MD554803cf42ba84f17ad77eb066a1b51f5
SHA1130b1736fc5c5d32f17829b605209dbb7bf034a2
SHA256cdb7930dcb5e99eac92b8ddd8ab7f8301f07a68b3ea1ced8067141943fc2484e
SHA512d67b8b17fcf2794d3298ea5e3ba278333164caa39ccef55e284f27febdadf442ae52578f632b4c75f53c6e5efe7a4948036875fcdeac5aa83fea82720cd3ce20
-
\Users\Admin\AppData\Local\Temp\is-PVU9L.tmp\Helper.dllFilesize
2.0MB
MD54eb0347e66fa465f602e52c03e5c0b4b
SHA1fdfedb72614d10766565b7f12ab87f1fdca3ea81
SHA256c73e53cbb7b98feafe27cc7de8fdad51df438e2235e91891461c5123888f73cc
SHA5124c909a451059628119f92b2f0c8bcd67b31f63b57d5339b6ce8fd930be5c9baf261339fdd9da820321be497df8889ce7594b7bfaadbaa43c694156651bf6c1fd
-
\Users\Admin\AppData\Local\Temp\is-PVU9L.tmp\botva2.dllFilesize
37KB
MD567965a5957a61867d661f05ae1f4773e
SHA1f14c0a4f154dc685bb7c65b2d804a02a0fb2360d
SHA256450b9b0ba25bf068afbc2b23d252585a19e282939bf38326384ea9112dfd0105
SHA512c6942818b9026dc5db2d62999d32cf99fe7289f79a28b8345af17acf9d13b2229a5e917a48ff1f6d59715bdbcb00c1625e0302abcfe10ca7e0475762e0a3f41b
-
\Users\Admin\AppData\Local\Temp\is-PVU9L.tmp\botva2.dllFilesize
37KB
MD567965a5957a61867d661f05ae1f4773e
SHA1f14c0a4f154dc685bb7c65b2d804a02a0fb2360d
SHA256450b9b0ba25bf068afbc2b23d252585a19e282939bf38326384ea9112dfd0105
SHA512c6942818b9026dc5db2d62999d32cf99fe7289f79a28b8345af17acf9d13b2229a5e917a48ff1f6d59715bdbcb00c1625e0302abcfe10ca7e0475762e0a3f41b
-
memory/996-164-0x0000000000400000-0x00000000004D8000-memory.dmpFilesize
864KB
-
memory/996-159-0x0000000000400000-0x00000000004D8000-memory.dmpFilesize
864KB
-
memory/996-120-0x0000000000400000-0x00000000004D8000-memory.dmpFilesize
864KB
-
memory/3500-241-0x0000000000400000-0x00000000004CC000-memory.dmpFilesize
816KB
-
memory/3500-165-0x0000000000400000-0x00000000004CC000-memory.dmpFilesize
816KB
-
memory/3500-131-0x0000000000400000-0x00000000004CC000-memory.dmpFilesize
816KB
-
memory/3728-162-0x0000000000400000-0x000000000071A000-memory.dmpFilesize
3.1MB
-
memory/3728-161-0x00000000007C0000-0x00000000007C1000-memory.dmpFilesize
4KB
-
memory/3728-160-0x0000000000400000-0x000000000071A000-memory.dmpFilesize
3.1MB
-
memory/3728-125-0x00000000007C0000-0x00000000007C1000-memory.dmpFilesize
4KB
-
memory/3804-226-0x00000289EECB0000-0x00000289EECB2000-memory.dmpFilesize
8KB
-
memory/3804-229-0x00000289F31F0000-0x00000289F31F2000-memory.dmpFilesize
8KB
-
memory/3804-228-0x00000289F31C0000-0x00000289F31C2000-memory.dmpFilesize
8KB
-
memory/3804-187-0x00000289EE420000-0x00000289EE430000-memory.dmpFilesize
64KB
-
memory/3804-205-0x00000289EEA00000-0x00000289EEA10000-memory.dmpFilesize
64KB
-
memory/3804-224-0x00000289EEC30000-0x00000289EEC31000-memory.dmpFilesize
4KB
-
memory/3932-266-0x000001AD657E0000-0x000001AD657E2000-memory.dmpFilesize
8KB
-
memory/3932-297-0x000001AD670B0000-0x000001AD670B2000-memory.dmpFilesize
8KB
-
memory/3932-318-0x000001AD673F0000-0x000001AD673F2000-memory.dmpFilesize
8KB
-
memory/3932-307-0x000001AD673E0000-0x000001AD673E2000-memory.dmpFilesize
8KB
-
memory/3932-305-0x000001AD67130000-0x000001AD67132000-memory.dmpFilesize
8KB
-
memory/3932-254-0x000001AD55190000-0x000001AD55192000-memory.dmpFilesize
8KB
-
memory/3932-257-0x000001AD551C0000-0x000001AD551C2000-memory.dmpFilesize
8KB
-
memory/3932-303-0x000001AD67120000-0x000001AD67122000-memory.dmpFilesize
8KB
-
memory/3932-295-0x000001AD67440000-0x000001AD67442000-memory.dmpFilesize
8KB
-
memory/3932-301-0x000001AD670E0000-0x000001AD670E2000-memory.dmpFilesize
8KB
-
memory/3932-299-0x000001AD670D0000-0x000001AD670D2000-memory.dmpFilesize
8KB
-
memory/4920-183-0x0000000005470000-0x000000000547F000-memory.dmpFilesize
60KB
-
memory/4920-167-0x0000000005470000-0x000000000547F000-memory.dmpFilesize
60KB
-
memory/4920-168-0x0000000000880000-0x0000000000881000-memory.dmpFilesize
4KB
-
memory/4920-239-0x0000000000400000-0x00000000006EE000-memory.dmpFilesize
2.9MB
-
memory/4920-182-0x0000000000400000-0x00000000006EE000-memory.dmpFilesize
2.9MB
-
memory/4920-166-0x0000000000400000-0x00000000006EE000-memory.dmpFilesize
2.9MB
-
memory/4920-153-0x0000000005470000-0x000000000547F000-memory.dmpFilesize
60KB
-
memory/4920-145-0x0000000000880000-0x0000000000881000-memory.dmpFilesize
4KB
