2ad09b588aafcc6fe68557186238a4496d1ec57f35b693e6af724fad7d10b1fa

Analysis

max time kernel
139s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
20-05-2022 06:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2ad09b588aafcc6fe68557186238a4496d1ec57f35b693e6af724fad7d10b1fa.exe
Size

7.6MB
MD5

e5a1acb94579e71fe2d8f6270a9e74f9
SHA1

0b889c8b72d25fcb8f0b4720e794a5d0c7b972d3
SHA256

2ad09b588aafcc6fe68557186238a4496d1ec57f35b693e6af724fad7d10b1fa
SHA512

cc7886217bc4563f90aab497cc10dff73a02fc73c9870fdce2c428b64ccae3e7f5ef4bb9738f5be749db29e0529a8e233711fe0e978e2100af23a65d9b3582b8

Score

8^/10

persistence pyinstaller

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

back.exe

pid process

3612 back.exe

pid	process
3612	back.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2ad09b588aafcc6fe68557186238a4496d1ec57f35b693e6af724fad7d10b1fa.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	2ad09b588aafcc6fe68557186238a4496d1ec57f35b693e6af724fad7d10b1fa.exe

Loads dropped DLL 6 IoCs

Processes:

back.exe

pid process

3612 back.exe
3612 back.exe
3612 back.exe
3612 back.exe
3612 back.exe
3612 back.exe

pid	process
3612	back.exe
3612	back.exe
3612	back.exe
3612	back.exe
3612	back.exe
3612	back.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "C:\\1024\\back.exe"	reg.exe

Detects Pyinstaller 2 IoCs

pyinstaller

Processes:

resource	yara_rule
C:\1024\back.exe	pyinstaller
C:\1024\back.exe	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

4924 reg.exe

pid	process
4924	reg.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

2ad09b588aafcc6fe68557186238a4496d1ec57f35b693e6af724fad7d10b1fa.execmd.exe

description	pid	process	target process
PID 3076 wrote to memory of 5064	3076	2ad09b588aafcc6fe68557186238a4496d1ec57f35b693e6af724fad7d10b1fa.exe	cmd.exe
PID 3076 wrote to memory of 5064	3076	2ad09b588aafcc6fe68557186238a4496d1ec57f35b693e6af724fad7d10b1fa.exe	cmd.exe
PID 3076 wrote to memory of 5064	3076	2ad09b588aafcc6fe68557186238a4496d1ec57f35b693e6af724fad7d10b1fa.exe	cmd.exe
PID 5064 wrote to memory of 4924	5064	cmd.exe	reg.exe
PID 5064 wrote to memory of 4924	5064	cmd.exe	reg.exe
PID 5064 wrote to memory of 4924	5064	cmd.exe	reg.exe
PID 5064 wrote to memory of 3612	5064	cmd.exe	back.exe
PID 5064 wrote to memory of 3612	5064	cmd.exe	back.exe
PID 5064 wrote to memory of 3612	5064	cmd.exe	back.exe
PID 5064 wrote to memory of 3612	5064	cmd.exe	back.exe
PID 5064 wrote to memory of 3612	5064	cmd.exe	back.exe

C:\Users\Admin\AppData\Local\Temp\2ad09b588aafcc6fe68557186238a4496d1ec57f35b693e6af724fad7d10b1fa.exe
"C:\Users\Admin\AppData\Local\Temp\2ad09b588aafcc6fe68557186238a4496d1ec57f35b693e6af724fad7d10b1fa.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3076

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\1024\start.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:5064

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /d C:\1024\back.exe
3⤵
- Adds Run key to start application
- Modifies registry key
PID:4924

C:\1024\back.exe
C:\1024\back.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3612

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\1024\VCRUNTIME140.dll
Filesize
84KB

MD5
ae96651cfbd18991d186a029cbecb30c

SHA1
18df8af1022b5cb188e3ee98ac5b4da24ac9c526

SHA256
1b372f064eacb455a0351863706e6326ca31b08e779a70de5de986b5be8069a1

SHA512
42a58c17f63cf0d404896d3b4bb16b2c9270cc2192aa4c9be265ed3970dfc2a4115e1db08f35c39e403b4c918be4ed7d19d2e2e015cb06b33d26a6c6521556e7

Download Submit
C:\1024\VCRUNTIME140.dll
Filesize
84KB

MD5
ae96651cfbd18991d186a029cbecb30c

SHA1
18df8af1022b5cb188e3ee98ac5b4da24ac9c526

SHA256
1b372f064eacb455a0351863706e6326ca31b08e779a70de5de986b5be8069a1

SHA512
42a58c17f63cf0d404896d3b4bb16b2c9270cc2192aa4c9be265ed3970dfc2a4115e1db08f35c39e403b4c918be4ed7d19d2e2e015cb06b33d26a6c6521556e7

Download Submit
C:\1024\_ctypes.pyd
Filesize
109KB

MD5
adad459a275b619f700d52a0f9470131

SHA1
632ef3a58fdfe15856a7102b3c3cf96ad9b17334

SHA256
2695a7635fa2bebb6bd720146916f21676e846ea5f39288886bbb27ce2af92f4

SHA512
3f87d84adf3caaf37df30ec4acbaa0b15d9693fe445d31164c81e423ffec51a6263c7a5801e718168be928ab5b1ee689b4932a83c1876ecd97e7544d08c07fa8

Download Submit
C:\1024\_ctypes.pyd
Filesize
109KB

MD5
adad459a275b619f700d52a0f9470131

SHA1
632ef3a58fdfe15856a7102b3c3cf96ad9b17334

SHA256
2695a7635fa2bebb6bd720146916f21676e846ea5f39288886bbb27ce2af92f4

SHA512
3f87d84adf3caaf37df30ec4acbaa0b15d9693fe445d31164c81e423ffec51a6263c7a5801e718168be928ab5b1ee689b4932a83c1876ecd97e7544d08c07fa8

Download Submit
C:\1024\_socket.pyd
Filesize
67KB

MD5
e55a5618e14a01bac452b8399e281d0d

SHA1
feb071df789f02cdfc0059dfbea1e2394bfd08ef

SHA256
04e286e59facf3f1ddd54d92b45d7662044c0b17d370eb20eb9ca0c8c8e3cb9c

SHA512
1b2e57e681ea889aac680a9ae3b6c9f76ccf82cff3fc91f3c1b678851152282199172fd1900997163ae8db2a18ee385f1ecfe8230fcbc7bf1a3a896a869b2a9c

Download Submit
C:\1024\_socket.pyd
Filesize
67KB

MD5
e55a5618e14a01bac452b8399e281d0d

SHA1
feb071df789f02cdfc0059dfbea1e2394bfd08ef

SHA256
04e286e59facf3f1ddd54d92b45d7662044c0b17d370eb20eb9ca0c8c8e3cb9c

SHA512
1b2e57e681ea889aac680a9ae3b6c9f76ccf82cff3fc91f3c1b678851152282199172fd1900997163ae8db2a18ee385f1ecfe8230fcbc7bf1a3a896a869b2a9c

Download Submit
C:\1024\back.exe
Filesize
2.2MB

MD5
6c21b7699b2b0379a519da3552b46759

SHA1
5d61a6016853cf8c9cfa0061813d4181804cc0cb

SHA256
204a29c6c97b09b3cda93f09b94ef26f91099d7fd49a2961db7c0b45c9648e3a

SHA512
d539b1e96d901057434c7a6c32eff88453a076a5a1de3ba01412a1499e3ba1122a00f0db8a72b69e10c82c6c498dafa4dfcf556edcd4154d8c6f7015cfa6c600

Download Submit
C:\1024\back.exe
Filesize
2.2MB

MD5
6c21b7699b2b0379a519da3552b46759

SHA1
5d61a6016853cf8c9cfa0061813d4181804cc0cb

SHA256
204a29c6c97b09b3cda93f09b94ef26f91099d7fd49a2961db7c0b45c9648e3a

SHA512
d539b1e96d901057434c7a6c32eff88453a076a5a1de3ba01412a1499e3ba1122a00f0db8a72b69e10c82c6c498dafa4dfcf556edcd4154d8c6f7015cfa6c600

Download Submit
C:\1024\base_library.zip
Filesize
767KB

MD5
22ef796871267efafaf34ecce8cec66f

SHA1
31b0645c7dfdd4dac9fed0635f9cb7479c3bd998

SHA256
45077691190b8cff40237164b5307f0b52fc90d3dca12f419092ec8a951ce078

SHA512
10a842e6f3959eb1dd5275b8f7dfc4874815ab636482cd1e9850a8230e923a01a3071c5ab8b19f960ac42c1dd82ea835d44ed1b08532a83193a7bd64f0b5156a

Download Submit
C:\1024\libffi-7.dll
Filesize
28KB

MD5
bc20614744ebf4c2b8acd28d1fe54174

SHA1
665c0acc404e13a69800fae94efd69a41bdda901

SHA256
0c7ec6de19c246a23756b8550e6178ac2394b1093e96d0f43789124149486f57

SHA512
0c473e7070c72d85ae098d208b8d128b50574abebba874dda2a7408aea2aabc6c4b9018801416670af91548c471b7dd5a709a7b17e3358b053c37433665d3f6b

Download Submit
C:\1024\libffi-7.dll
Filesize
28KB

MD5
bc20614744ebf4c2b8acd28d1fe54174

SHA1
665c0acc404e13a69800fae94efd69a41bdda901

SHA256
0c7ec6de19c246a23756b8550e6178ac2394b1093e96d0f43789124149486f57

SHA512
0c473e7070c72d85ae098d208b8d128b50574abebba874dda2a7408aea2aabc6c4b9018801416670af91548c471b7dd5a709a7b17e3358b053c37433665d3f6b

Download Submit
C:\1024\python38.dll
Filesize
3.7MB

MD5
d375b654850fa100d4a8d98401c1407f

SHA1
ed10c825535e8605b67bacd48f3fcecf978a3fee

SHA256
527819a45446a7729e04a70aee587ec7e46d787c159d0f9d4e824e54c1653f4d

SHA512
fb3faadc801cbeb0697849cf539e471f7362212935607237b26293976aa65ec454ac601a013eec930a5910bafac8a3863e7d668fc7767dc53a98e84286f582b3

Download Submit
C:\1024\python38.dll
Filesize
3.7MB

MD5
d375b654850fa100d4a8d98401c1407f

SHA1
ed10c825535e8605b67bacd48f3fcecf978a3fee

SHA256
527819a45446a7729e04a70aee587ec7e46d787c159d0f9d4e824e54c1653f4d

SHA512
fb3faadc801cbeb0697849cf539e471f7362212935607237b26293976aa65ec454ac601a013eec930a5910bafac8a3863e7d668fc7767dc53a98e84286f582b3

Download Submit
C:\1024\select.pyd
Filesize
23KB

MD5
39f61824d4e3d4be2d938a827bae18eb

SHA1
b7614cfbcdbd55ef1e4e8266722088d51ae102b8

SHA256
c86c229e97b11cb74cc87bc595d4d936171c5d334e367f55b2ee3f9bcfbc6c92

SHA512
9a5926eafba32a2260521e3d11a4faf8701d3963454cfedf7046765ebbc62baf675944fe3fff3ecb70c80c47ffb1d2c9e2adcd385b8c291908ca3cb4d18a3caa

Download Submit
C:\1024\select.pyd
Filesize
23KB

MD5
39f61824d4e3d4be2d938a827bae18eb

SHA1
b7614cfbcdbd55ef1e4e8266722088d51ae102b8

SHA256
c86c229e97b11cb74cc87bc595d4d936171c5d334e367f55b2ee3f9bcfbc6c92

SHA512
9a5926eafba32a2260521e3d11a4faf8701d3963454cfedf7046765ebbc62baf675944fe3fff3ecb70c80c47ffb1d2c9e2adcd385b8c291908ca3cb4d18a3caa

Download Submit
C:\1024\start.bat
Filesize
114B

MD5
8908f0bb021b0bc18a8511fc44fd9234

SHA1
72c979b0ea7f4aa0e81206e517eb86b1ca21500a

SHA256
1429c4fc01519794fa091c10bb9d89c6f6133604b473e726eec6a403c5d757fd

SHA512
d44dff063f4c37961b978eb40ce689fb308ea6d6b50ecff2e2d5ea51012f8fe953faa96e87bbc706b5b2a5de78e2d7646ace7c5aa98fa7f10febd7af6c378b83

Download Submit
memory/3612-133-0x0000000000000000-mapping.dmp

Download
memory/4924-132-0x0000000000000000-mapping.dmp

Download
memory/5064-130-0x0000000000000000-mapping.dmp

Download