a9027c6070365053c3cb91261991c71f1d3a63707df8467e413847f344b3af4d

Analysis

max time kernel
303s
max time network
339s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
18-09-2022 14:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TrashMalwares-main/NetPakoe3.0.exe
Size

188KB
MD5

912c74cb1e5e132515956f5c8470114a
SHA1

71556617096cdb4b70b220568f1d3697362c14a5
SHA256

6376111c1c39414187abeae4c6a75ae58351b2202802afc9bde2be5ceae0f400
SHA512

c4a0a299d085a33e567ebcc6586c911a130425c805d71175362c09c46eb0739a040c787fa1d3f9e9f06aad14bac686adc10d1bae75602e96f1c7238f3d4e73d6
SSDEEP

3072:YhM2idhON/D8259BH1DzJ5PzVNtGgc+F9TBfV0gwzH:Yh3idhONY259BH1DzJ5PzVNtGgc+F9TA

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

NetPakoe3.0.exewscript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	NetPakoe3.0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	wscript.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

wscript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Program = "C:\\TEMP\\NetPakoe3.0.exe /autorun"	wscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

AUDIODG.EXE

description pid process

Token: 33 4704 AUDIODG.EXE
Token: SeIncBasePriorityPrivilege 4704 AUDIODG.EXE

description	pid	process
Token: 33	4704	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4704	AUDIODG.EXE

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

NetPakoe3.0.exewscript.exe

description	pid	process	target process
PID 5004 wrote to memory of 2320	5004	NetPakoe3.0.exe	wscript.exe
PID 5004 wrote to memory of 2320	5004	NetPakoe3.0.exe	wscript.exe
PID 2320 wrote to memory of 4528	2320	wscript.exe	cmd.exe
PID 2320 wrote to memory of 4528	2320	wscript.exe	cmd.exe
PID 2320 wrote to memory of 3172	2320	wscript.exe	cmd.exe
PID 2320 wrote to memory of 3172	2320	wscript.exe	cmd.exe
PID 2320 wrote to memory of 3500	2320	wscript.exe	cmd.exe
PID 2320 wrote to memory of 3500	2320	wscript.exe	cmd.exe
PID 2320 wrote to memory of 3772	2320	wscript.exe	cmd.exe
PID 2320 wrote to memory of 3772	2320	wscript.exe	cmd.exe
PID 2320 wrote to memory of 3120	2320	wscript.exe	cmd.exe
PID 2320 wrote to memory of 3120	2320	wscript.exe	cmd.exe
PID 2320 wrote to memory of 4308	2320	wscript.exe	cmd.exe
PID 2320 wrote to memory of 4308	2320	wscript.exe	cmd.exe
PID 2320 wrote to memory of 2136	2320	wscript.exe	cmd.exe
PID 2320 wrote to memory of 2136	2320	wscript.exe	cmd.exe
PID 2320 wrote to memory of 3576	2320	wscript.exe	cmd.exe
PID 2320 wrote to memory of 3576	2320	wscript.exe	cmd.exe
PID 2320 wrote to memory of 4224	2320	wscript.exe	cmd.exe
PID 2320 wrote to memory of 4224	2320	wscript.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\NetPakoe3.0.exe
"C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\NetPakoe3.0.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5004

C:\Windows\system32\wscript.exe
"C:\Windows\system32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\A1ED.tmp\A1FE.tmp\A1FF.vbs //Nologo
2⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2320

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:4528

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:3172

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:3500

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:3772

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:3120

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:4308

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:2136

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:3576

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:4224

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:2192

C:\Windows\System32\notepad.exe
"C:\Windows\System32\notepad.exe"
3⤵
PID:2832

C:\Windows\System32\notepad.exe
"C:\Windows\System32\notepad.exe"
3⤵
PID:4620

C:\Windows\System32\notepad.exe
"C:\Windows\System32\notepad.exe"
3⤵
PID:392

C:\Windows\System32\notepad.exe
"C:\Windows\System32\notepad.exe"
3⤵
PID:2900

C:\Windows\System32\notepad.exe
"C:\Windows\System32\notepad.exe"
3⤵
PID:4496

C:\Windows\System32\calc.exe
"C:\Windows\System32\calc.exe"
3⤵
PID:316

C:\Windows\System32\calc.exe
"C:\Windows\System32\calc.exe"
3⤵
PID:1260

C:\Windows\System32\calc.exe
"C:\Windows\System32\calc.exe"
3⤵
PID:5084

C:\Windows\System32\calc.exe
"C:\Windows\System32\calc.exe"
3⤵
PID:3720

C:\Windows\System32\calc.exe
"C:\Windows\System32\calc.exe"
3⤵
PID:3580

C:\Windows\System32\calc.exe
"C:\Windows\System32\calc.exe"
3⤵
PID:3212

C:\Windows\System32\calc.exe
"C:\Windows\System32\calc.exe"
3⤵
PID:4788

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
3⤵
PID:3672

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:2532

C:\Windows\System32\calc.exe
"C:\Windows\System32\calc.exe"
3⤵
PID:1528

C:\Windows\System32\notepad.exe
"C:\Windows\System32\notepad.exe"
3⤵
PID:1708

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
3⤵
PID:4196

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:5028

C:\Windows\System32\calc.exe
"C:\Windows\System32\calc.exe"
3⤵
PID:4388

C:\Windows\System32\notepad.exe
"C:\Windows\System32\notepad.exe"
3⤵
PID:4752

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
3⤵
PID:3980

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:1408

C:\Windows\System32\calc.exe
"C:\Windows\System32\calc.exe"
3⤵
PID:3404

C:\Windows\System32\notepad.exe
"C:\Windows\System32\notepad.exe"
3⤵
PID:2788

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
3⤵
PID:4284

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:4588

C:\Windows\System32\calc.exe
"C:\Windows\System32\calc.exe"
3⤵
PID:2416

C:\Windows\System32\notepad.exe
"C:\Windows\System32\notepad.exe"
3⤵
PID:3552

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
3⤵
PID:2992

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:4360

C:\Windows\System32\calc.exe
"C:\Windows\System32\calc.exe"
3⤵
PID:4268

C:\Windows\System32\notepad.exe
"C:\Windows\System32\notepad.exe"
3⤵
PID:4676

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
3⤵
PID:1828

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:656

C:\Windows\System32\calc.exe
"C:\Windows\System32\calc.exe"
3⤵
PID:4412

C:\Windows\System32\notepad.exe
"C:\Windows\System32\notepad.exe"
3⤵
PID:4976

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
3⤵
PID:2264

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:3052

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x150 0x454
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4704

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:956

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:1536

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:4192

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:4396

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:2996

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:4260

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:840

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:4020

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:2280

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:1792

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:4900

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:4476

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:4228

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\A1ED.tmp\A1FE.tmp\A1FF.vbs
Filesize
11KB

MD5
36072dc09cf0a99e3936b50bacd9a3e5

SHA1
731ede51ad7869ae0b01248267b0354a5fe52cba

SHA256
a8dd0c012506f5ec41f90909e88de316ce3cbdb294db2b925c832af104e8b94f

SHA512
c4d9858e67295ef124218e2493e9990427df16bc722df621ffebbcc4229e270f42fbccd9a2376448c19319ab18c1982f6d9a7371a77c148d434a64b8fe0a874d

Download Submit
memory/316-149-0x0000000000000000-mapping.dmp

Download
memory/392-146-0x0000000000000000-mapping.dmp

Download
memory/656-177-0x0000000000000000-mapping.dmp

Download
memory/1260-150-0x0000000000000000-mapping.dmp

Download
memory/1408-165-0x0000000000000000-mapping.dmp

Download
memory/1528-158-0x0000000000000000-mapping.dmp

Download
memory/1708-159-0x0000000000000000-mapping.dmp

Download
memory/1828-176-0x0000000000000000-mapping.dmp

Download
memory/2136-140-0x0000000000000000-mapping.dmp

Download
memory/2192-143-0x0000000000000000-mapping.dmp

Download
memory/2264-180-0x0000000000000000-mapping.dmp

Download
memory/2320-132-0x0000000000000000-mapping.dmp

Download
memory/2416-170-0x0000000000000000-mapping.dmp

Download
memory/2532-157-0x0000000000000000-mapping.dmp

Download
memory/2788-167-0x0000000000000000-mapping.dmp

Download
memory/2832-144-0x0000000000000000-mapping.dmp

Download
memory/2900-147-0x0000000000000000-mapping.dmp

Download
memory/2992-172-0x0000000000000000-mapping.dmp

Download
memory/3120-138-0x0000000000000000-mapping.dmp

Download
memory/3172-135-0x0000000000000000-mapping.dmp

Download
memory/3212-154-0x0000000000000000-mapping.dmp

Download
memory/3404-166-0x0000000000000000-mapping.dmp

Download
memory/3500-136-0x0000000000000000-mapping.dmp

Download
memory/3552-171-0x0000000000000000-mapping.dmp

Download
memory/3576-141-0x0000000000000000-mapping.dmp

Download
memory/3580-153-0x0000000000000000-mapping.dmp

Download
memory/3672-156-0x0000000000000000-mapping.dmp

Download
memory/3720-152-0x0000000000000000-mapping.dmp

Download
memory/3772-137-0x0000000000000000-mapping.dmp

Download
memory/3980-164-0x0000000000000000-mapping.dmp

Download
memory/4196-160-0x0000000000000000-mapping.dmp

Download
memory/4224-142-0x0000000000000000-mapping.dmp

Download
memory/4268-174-0x0000000000000000-mapping.dmp

Download
memory/4284-168-0x0000000000000000-mapping.dmp

Download
memory/4308-139-0x0000000000000000-mapping.dmp

Download
memory/4360-173-0x0000000000000000-mapping.dmp

Download
memory/4388-162-0x0000000000000000-mapping.dmp

Download
memory/4412-178-0x0000000000000000-mapping.dmp

Download
memory/4496-148-0x0000000000000000-mapping.dmp

Download
memory/4528-134-0x0000000000000000-mapping.dmp

Download
memory/4588-169-0x0000000000000000-mapping.dmp

Download
memory/4620-145-0x0000000000000000-mapping.dmp

Download
memory/4676-175-0x0000000000000000-mapping.dmp

Download
memory/4752-163-0x0000000000000000-mapping.dmp

Download
memory/4788-155-0x0000000000000000-mapping.dmp

Download
memory/4976-179-0x0000000000000000-mapping.dmp

Download
memory/5028-161-0x0000000000000000-mapping.dmp

Download
memory/5084-151-0x0000000000000000-mapping.dmp

Download