Analysis

max time kernel: 34s
max time network: 38s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30/05/2024, 23:56
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://disk.yandex.ru/d/7gd7nkrbQw6sQQ
Resource: win10v2004-20240508-en
General

Target: https://disk.yandex.ru/d/7gd7nkrbQw6sQQ

Malware Config

Signatures
Checks computer location settings (2 TTPs, 3 IoCs)
Looks up country code configured in the registry, likely geofence.
- Key value queried  \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation  (WScript.exe)
- Key value queried  \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation  (Blockcontainerproviderdhcp.exe)
- Key value queried  \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation  (WScript.exe)
Executes dropped EXE (3 IoCs)
- pid 5360  Blockcontainerproviderdhcp.exe
- pid 5720  Blockcontainerproviderdhcp.exe
- pid 5800  conhost.exe
Drops file in Program Files directory (2 IoCs)
- File created  C:\Program Files (x86)\Windows NT\TableTextService\en-US\SppExtComObj.exe  (Blockcontainerproviderdhcp.exe)
- File created  C:\Program Files (x86)\Windows NT\TableTextService\en-US\e1ef82546f0b02  (Blockcontainerproviderdhcp.exe)
Drops file in Windows directory (7 IoCs)
- File created                C:\Windows\L2Schemas\Idle.exe            (Blockcontainerproviderdhcp.exe)
- File opened for modification  C:\Windows\L2Schemas\Idle.exe          (Blockcontainerproviderdhcp.exe)
- File created                C:\Windows\L2Schemas\6ccacd8608530f      (Blockcontainerproviderdhcp.exe)
- File created                C:\Windows\Cursors\RuntimeBroker.exe     (Blockcontainerproviderdhcp.exe)
- File created                C:\Windows\Cursors\9e8d7a4ca61bd9        (Blockcontainerproviderdhcp.exe)
- File created                C:\Windows\ja-JP\RuntimeBroker.exe       (Blockcontainerproviderdhcp.exe)
- File created                C:\Windows\ja-JP\9e8d7a4ca61bd9          (Blockcontainerproviderdhcp.exe)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Modifies registry class (3 IoCs)
- Key created  \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings  (NEVERLOSE.exe)
- Key created  \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings  (NEVERLOSE.exe)
- Key created  \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings  (Blockcontainerproviderdhcp.exe)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
- pid 5360  Blockcontainerproviderdhcp.exe  (all 64 entries are this same process)
Suspicious use of AdjustPrivilegeToken (8 IoCs)
- Token: SeDebugPrivilege         pid 5360  Blockcontainerproviderdhcp.exe
- Token: SeDebugPrivilege         pid 5720  Blockcontainerproviderdhcp.exe
- Token: SeDebugPrivilege         pid 5800  conhost.exe
- Token: SeBackupPrivilege        pid 6012  svchost.exe
- Token: SeRestorePrivilege       pid 6012  svchost.exe
- Token: SeSecurityPrivilege      pid 6012  svchost.exe
- Token: SeTakeOwnershipPrivilege pid 6012  svchost.exe
- Token: 35                       pid 6012  svchost.exe
Suspicious use of WriteProcessMemory (24 IoCs; identical rows collapsed, count in last column)
  pid   Process                         wrote to memory of  procid_target  entries
  560   NEVERLOSE.exe                   4040                117            3
  5216  NEVERLOSE.exe                   5256                122            3
  4040  WScript.exe                     5308                123            3
  5308  cmd.exe                         5360                125            2
  5360  Blockcontainerproviderdhcp.exe  5548                126            2
  5548  cmd.exe                         5604                128            2
  5548  cmd.exe                         5620                129            2
  5256  WScript.exe                     5668                130            3
  5668  cmd.exe                         5720                132            2
  5548  cmd.exe                         5800                133            2
Processes

(Each entry: image path, then the command line, then triggered signatures and PID; indentation shows the parent/child relationship.)

- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://disk.yandex.ru/d/7gd7nkrbQw6sQQ
  PID:464

- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --field-trial-handle=3776,i,1809100026287847100,9768898026582633513,262144 --variations-seed-version --mojo-platform-channel-handle=3960 /prefetch:1
  PID:3284

- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --field-trial-handle=4880,i,1809100026287847100,9768898026582633513,262144 --variations-seed-version --mojo-platform-channel-handle=5072 /prefetch:1
  PID:2236

- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=5256,i,1809100026287847100,9768898026582633513,262144 --variations-seed-version --mojo-platform-channel-handle=5264 /prefetch:8
  PID:1152

- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --no-appcompat-clear --field-trial-handle=5248,i,1809100026287847100,9768898026582633513,262144 --variations-seed-version --mojo-platform-channel-handle=5332 /prefetch:8
  PID:2580

- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5772,i,1809100026287847100,9768898026582633513,262144 --variations-seed-version --mojo-platform-channel-handle=5776 /prefetch:8
  PID:1960

- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --field-trial-handle=5692,i,1809100026287847100,9768898026582633513,262144 --variations-seed-version --mojo-platform-channel-handle=5784 /prefetch:1
  PID:4316

- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --no-appcompat-clear --field-trial-handle=6132,i,1809100026287847100,9768898026582633513,262144 --variations-seed-version --mojo-platform-channel-handle=6164 /prefetch:8
  PID:2520

- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --field-trial-handle=5704,i,1809100026287847100,9768898026582633513,262144 --variations-seed-version --mojo-platform-channel-handle=6196 /prefetch:1
  PID:4992

- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=6616,i,1809100026287847100,9768898026582633513,262144 --variations-seed-version --mojo-platform-channel-handle=6612 /prefetch:8
  PID:1500

- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=6924,i,1809100026287847100,9768898026582633513,262144 --variations-seed-version --mojo-platform-channel-handle=6972 /prefetch:8
  PID:3176

- C:\Users\Admin\Downloads\NEVERLOSE.exe
  "C:\Users\Admin\Downloads\NEVERLOSE.exe"
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:560

  - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\SavesMonitor\RmK92.vbe"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:4040

    - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\SavesMonitor\CXb1cErhNTIpSAGADF.bat" "
      - Suspicious use of WriteProcessMemory
      PID:5308

      - C:\SavesMonitor\Blockcontainerproviderdhcp.exe
        "C:\SavesMonitor/Blockcontainerproviderdhcp.exe"
        - Checks computer location settings
        - Executes dropped EXE
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        PID:5360

        - C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Bza2MO65mN.bat"
          - Suspicious use of WriteProcessMemory
          PID:5548

          - C:\Windows\system32\chcp.com
            chcp 65001
            PID:5604

          - C:\Windows\system32\w32tm.exe
            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
            PID:5620

          - C:\Recovery\WindowsRE\conhost.exe
            "C:\Recovery\WindowsRE\conhost.exe"
            - Executes dropped EXE
            - Suspicious use of AdjustPrivilegeToken
            PID:5800

- C:\Windows\System32\rundll32.exe
  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID:3176

- C:\Users\Admin\Downloads\NEVERLOSE.exe
  "C:\Users\Admin\Downloads\NEVERLOSE.exe"
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:5216

  - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\SavesMonitor\RmK92.vbe"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:5256

    - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\SavesMonitor\CXb1cErhNTIpSAGADF.bat" "
      - Suspicious use of WriteProcessMemory
      PID:5668

      - C:\SavesMonitor\Blockcontainerproviderdhcp.exe
        "C:\SavesMonitor/Blockcontainerproviderdhcp.exe"
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
        PID:5720

- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k SDRSVC
  - Suspicious use of AdjustPrivilegeToken
  PID:6012
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 1.8MB
  MD5:    6c43270f19233761545141a2175d00bc
  SHA1:   2af739400dd238badc0b7e9ce3d45e1eb0023e48
  SHA256: 27b5ff20a635463564a1b19868af62916c29453654d703aee7482b391b554de4
  SHA512: b43a8964c58fb933a80bcdd8b688d8ffda33a832e831ae8c2b54323908c5fe7c87953f24836ee987802d9429f1cd313947d3df988a90817f651edcf89c6586d6

- Filesize: 92B
  MD5:    a65e78a870380ac9c4ba083569959d4a
  SHA1:   8d6c9d55106b4ac275b873db16c069a27b79609f
  SHA256: d82e913f336059d8b7e9adf0832357d82b746230c75a997613b00714e86ddf30
  SHA512: 9021e5dc54bff72ccb2b62d6c13f44dbb90c04f4b88513bbee04b559290bf93f149cdfb574cc8ce6d645237e9f7effb0b5e267d33db1d0ecafe2da7a159e2b44

- Filesize: 208B
  MD5:    252c8a936c61108036239630f110d0b9
  SHA1:   765fa5076b12b640ab968cc5279b540e9f161341
  SHA256: d16aa2383787258cc998e0f6a1d48f62ceb3c11068355c2eed26cdd74dc97b34
  SHA512: d333fa3186c904c52b5685bb3e9197f25a0a4980955d973e1e99a84433821ebf5dcdb1faad21e5554eea940bd219fb92cf92e77e6be72d187692ae22e3856de5

- Filesize: 1KB
  MD5:    1eff74e45bb1f7104e691358cb209546
  SHA1:   253b13ffad516cc34704f5b882c6fa36953a953f
  SHA256: 7ad96be486e6058b19446b95bb734acdaf4addc557b2d059a66ee1acfe19b3fc
  SHA512: 44163ed001baf697ce66d3b386e13bf5cb94bc24ce6b1ae98665d766d5fcdf0ca28b41ecc26c5f11bbea117ac17099e87f204f9d5469bb102a769548edeead7e

- Filesize: 209B
  MD5:    572e5b8ad26a8182890e47673d0b5654
  SHA1:   61165e46d11316ac42010ca9fe9a6fa782872f32
  SHA256: 3dc183225d21b68ead3d658bb1d2f20920ff32ef25d70e1463de199691a9f793
  SHA512: a872d2731acb541877ef1ecb1f9ea62ecb71b22647fdd4a3b4aff40e348a25ff02d3311c8e59d3e615931393519724d7baa956951e353cb512f8f1515312fd53