Analysis
- max time kernel: 68s
- max time network: 131s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 25-06-2022 04:50
Static task: static1
Behavioral task: behavioral1
Sample: 7f4312f898a352dd0e9c96b3f019807e2359d079b6c8cb0921e67709614bac7b.exe
Resource: win7-20220414-en
General
- Target: 7f4312f898a352dd0e9c96b3f019807e2359d079b6c8cb0921e67709614bac7b.exe
- Size: 1.9MB
- MD5: abf7e26171a76f84b7548c70e4211c7b
- SHA1: ffd622d897d936d5abf2bde3ad9ffad669987ceb
- SHA256: 7f4312f898a352dd0e9c96b3f019807e2359d079b6c8cb0921e67709614bac7b
- SHA512: 0667bf7a70c2094fd5cb376de9a17a5dd66cfce32084276ea10011d80260a73f2ccf0ad3c0f8e35754fed09d9d3aaddd053cebad1581ae77db8c35c1cc3887e1
Malware Config
Extracted: socelars
- http://www.createinfo.pw/
- http://www.allinfo.pw/
Signatures
-
Executes dropped EXE (2 IoCs)
Processes:
  pid  | process
  900  | 7f4312f898a352dd0e9c96b3f019807e2359d079b6c8cb0921e67709614bac7b.tmp
  4932 | DiskScan.exe
-
Processes:
  resource                                                                    | yara_rule
  C:\Users\Admin\AppData\Local\Temp\pdfreader2010\DiskScan.exe                | upx
  C:\Users\Admin\AppData\Local\Temp\pdfreader2010\DiskScan.exe                | upx
  behavioral2/memory/4932-139-0x0000000000400000-0x0000000000541000-memory.dmp | upx
  behavioral2/memory/4932-141-0x0000000000400000-0x0000000000541000-memory.dmp | upx
-
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
  description       | ioc                                                                                                    | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation | 7f4312f898a352dd0e9c96b3f019807e2359d079b6c8cb0921e67709614bac7b.tmp
-
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash (1 IoC)
Processes:
  pid  | pid_target | process      | target process
  4468 | 4932       | WerFault.exe | DiskScan.exe
-
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
  pid | process
  900 | 7f4312f898a352dd0e9c96b3f019807e2359d079b6c8cb0921e67709614bac7b.tmp
  900 | 7f4312f898a352dd0e9c96b3f019807e2359d079b6c8cb0921e67709614bac7b.tmp
-
Suspicious use of FindShellTrayWindow (1 IoC)
Processes:
  pid | process
  900 | 7f4312f898a352dd0e9c96b3f019807e2359d079b6c8cb0921e67709614bac7b.tmp
-
Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
  description                      | pid  | process                                                               | target process
  PID 4232 wrote to memory of 900  | 4232 | 7f4312f898a352dd0e9c96b3f019807e2359d079b6c8cb0921e67709614bac7b.exe | 7f4312f898a352dd0e9c96b3f019807e2359d079b6c8cb0921e67709614bac7b.tmp
  PID 4232 wrote to memory of 900  | 4232 | 7f4312f898a352dd0e9c96b3f019807e2359d079b6c8cb0921e67709614bac7b.exe | 7f4312f898a352dd0e9c96b3f019807e2359d079b6c8cb0921e67709614bac7b.tmp
  PID 4232 wrote to memory of 900  | 4232 | 7f4312f898a352dd0e9c96b3f019807e2359d079b6c8cb0921e67709614bac7b.exe | 7f4312f898a352dd0e9c96b3f019807e2359d079b6c8cb0921e67709614bac7b.tmp
  PID 900 wrote to memory of 4932  | 900  | 7f4312f898a352dd0e9c96b3f019807e2359d079b6c8cb0921e67709614bac7b.tmp | DiskScan.exe
  PID 900 wrote to memory of 4932  | 900  | 7f4312f898a352dd0e9c96b3f019807e2359d079b6c8cb0921e67709614bac7b.tmp | DiskScan.exe
  PID 900 wrote to memory of 4932  | 900  | 7f4312f898a352dd0e9c96b3f019807e2359d079b6c8cb0921e67709614bac7b.tmp | DiskScan.exe
Processes (indented by parent/child depth)
Process: C:\Users\Admin\AppData\Local\Temp\7f4312f898a352dd0e9c96b3f019807e2359d079b6c8cb0921e67709614bac7b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\7f4312f898a352dd0e9c96b3f019807e2359d079b6c8cb0921e67709614bac7b.exe"
  - Suspicious use of WriteProcessMemory
  Process: C:\Users\Admin\AppData\Local\Temp\is-3MVO5.tmp\7f4312f898a352dd0e9c96b3f019807e2359d079b6c8cb0921e67709614bac7b.tmp
    Command line: "C:\Users\Admin\AppData\Local\Temp\is-3MVO5.tmp\7f4312f898a352dd0e9c96b3f019807e2359d079b6c8cb0921e67709614bac7b.tmp" /SL5="$401CA,1302781,816640,C:\Users\Admin\AppData\Local\Temp\7f4312f898a352dd0e9c96b3f019807e2359d079b6c8cb0921e67709614bac7b.exe"
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    Process: C:\Users\Admin\AppData\Local\Temp\pdfreader2010\DiskScan.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\pdfreader2010\DiskScan.exe"
      - Executes dropped EXE
      Process: C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4932 -s 1192
        - Program crash
Process: C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4932 -ip 4932
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\is-3MVO5.tmp\7f4312f898a352dd0e9c96b3f019807e2359d079b6c8cb0921e67709614bac7b.tmp
  Filesize: 2.5MB
  MD5: 066108c4b0102357ebdaf3791ba38fe8
  SHA1: 59e9e8043232169c0554e350c233433b0bc4c83c
  SHA256: a720dd6efcd1910ea490c0095ff0efa36eb5228712e61294eeb4b3072715c035
  SHA512: a2bb074f042d7214536083dfe341da9dafe1d170cf52e9c0f4ff0041f959d4a28cc6be9cb0e5ec3adf63188d658332b7440d6b5ac8e02af2801e7f34a04acad2
- C:\Users\Admin\AppData\Local\Temp\pdfreader2010\DiskScan.exe
  Filesize: 569KB
  MD5: eab34089ba89eb30bab4d46d0d1d7c63
  SHA1: 676f13707c42ff4b0324ae9854096729f7541d0f
  SHA256: 13f90329010f340108f283ae7c832b5c51e32d4ddfd48657f8a9961b1b09ed78
  SHA512: c47ac4760e1950575d2f5012b2bfd029cbf1d670f9e075f2b2faa18a129785957342d3bef0f3120e37c4610a221f489aef705b8e647da0861d678278e77bff6e
- memory/900-133-0x0000000000000000-mapping.dmp
- memory/4232-130-0x0000000000400000-0x00000000004D5000-memory.dmp
  Filesize: 852KB
- memory/4232-132-0x0000000000400000-0x00000000004D5000-memory.dmp
  Filesize: 852KB
- memory/4232-140-0x0000000000400000-0x00000000004D5000-memory.dmp
  Filesize: 852KB
- memory/4932-136-0x0000000000000000-mapping.dmp
- memory/4932-139-0x0000000000400000-0x0000000000541000-memory.dmp
  Filesize: 1.3MB
- memory/4932-141-0x0000000000400000-0x0000000000541000-memory.dmp
  Filesize: 1.3MB