36a750c858081673272be974a83656d1f0b2df630f5c997a7c0ebe88ab07a23f

Analysis

max time kernel
152s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
19-09-2022 02:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

36a750c858081673272be974a83656d1f0b2df630f5c997a7c0ebe88ab07a23f.exe
Size

134KB
MD5

1d09c0359f1a56d3bdae45fec6a08198
SHA1

25217472ee5a0f216199065ac2c1b3da57f22768
SHA256

36a750c858081673272be974a83656d1f0b2df630f5c997a7c0ebe88ab07a23f
SHA512

9614a00a9b38adf089bffb71d602bb4b5adcd5fa132bb247da99252729288a88ec948ba8825567e6799ccb9adcebb5b4c64193f9131e8695112a9b98cf6232be
SSDEEP

3072:Dxaw7lEvFCsE8uKqMJBrHnsAWNqubkdBytQlaVrAUdB1/:TlFstuKqMJ9Hn5WNqub/tpV841

Score

8^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1580	trys.exe
4524	trys.exe
3260	trys.exe

UPX packed file 22 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4364-132-0x0000000000400000-0x0000000000470000-memory.dmp	upx
behavioral2/memory/4364-135-0x0000000000400000-0x0000000000470000-memory.dmp	upx
behavioral2/memory/4956-137-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/4956-139-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/4956-140-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/4364-143-0x0000000000400000-0x0000000000470000-memory.dmp	upx
behavioral2/memory/4956-144-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/4956-146-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/files/0x0007000000022f64-150.dat	upx
behavioral2/files/0x0007000000022f64-151.dat	upx
behavioral2/memory/1580-152-0x0000000000400000-0x0000000000470000-memory.dmp	upx
behavioral2/files/0x0007000000022f64-157.dat	upx
behavioral2/memory/3260-161-0x0000000013140000-0x0000000013162000-memory.dmp	upx
behavioral2/files/0x0007000000022f64-163.dat	upx
behavioral2/memory/3260-166-0x0000000013140000-0x0000000013162000-memory.dmp	upx
behavioral2/memory/1580-169-0x0000000000400000-0x0000000000470000-memory.dmp	upx
behavioral2/memory/3260-168-0x0000000013140000-0x0000000013162000-memory.dmp	upx
behavioral2/memory/4956-171-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/4524-170-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/3260-172-0x0000000013140000-0x0000000013162000-memory.dmp	upx
behavioral2/memory/4524-173-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/3260-174-0x0000000013140000-0x0000000013162000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	36a750c858081673272be974a83656d1f0b2df630f5c997a7c0ebe88ab07a23f.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ineter Mc = "C:\\Windows\\trys.exe"	reg.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 4364 set thread context of 4956	4364	36a750c858081673272be974a83656d1f0b2df630f5c997a7c0ebe88ab07a23f.exe	79
PID 1580 set thread context of 4524	1580	trys.exe	93
PID 1580 set thread context of 3260	1580	trys.exe	94

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\trys.exe	36a750c858081673272be974a83656d1f0b2df630f5c997a7c0ebe88ab07a23f.exe
File opened for modification	C:\Windows\trys.exe	36a750c858081673272be974a83656d1f0b2df630f5c997a7c0ebe88ab07a23f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4524	trys.exe
Token: SeDebugPrivilege	4524	trys.exe
Token: SeDebugPrivilege	4524	trys.exe
Token: SeDebugPrivilege	4524	trys.exe
Token: SeDebugPrivilege	4524	trys.exe
Token: SeDebugPrivilege	4524	trys.exe
Token: SeDebugPrivilege	4524	trys.exe
Token: SeDebugPrivilege	4524	trys.exe
Token: SeDebugPrivilege	4524	trys.exe
Token: SeDebugPrivilege	4524	trys.exe
Token: SeDebugPrivilege	4524	trys.exe
Token: SeDebugPrivilege	4524	trys.exe
Token: SeDebugPrivilege	4524	trys.exe
Token: SeDebugPrivilege	4524	trys.exe
Token: SeDebugPrivilege	4524	trys.exe
Token: SeDebugPrivilege	4524	trys.exe
Token: SeDebugPrivilege	4524	trys.exe
Token: SeDebugPrivilege	4524	trys.exe
Token: SeDebugPrivilege	4524	trys.exe
Token: SeDebugPrivilege	4524	trys.exe
Token: SeDebugPrivilege	4524	trys.exe
Token: SeDebugPrivilege	4524	trys.exe
Token: SeDebugPrivilege	4524	trys.exe
Token: SeDebugPrivilege	4524	trys.exe
Token: SeDebugPrivilege	4524	trys.exe
Token: SeDebugPrivilege	4524	trys.exe
Token: SeDebugPrivilege	4524	trys.exe
Token: SeDebugPrivilege	4524	trys.exe
Token: SeDebugPrivilege	4524	trys.exe
Token: SeDebugPrivilege	4524	trys.exe
Token: SeDebugPrivilege	4524	trys.exe
Token: SeDebugPrivilege	4524	trys.exe
Token: SeDebugPrivilege	4524	trys.exe
Token: SeDebugPrivilege	4524	trys.exe
Token: SeDebugPrivilege	4524	trys.exe
Token: SeDebugPrivilege	4524	trys.exe
Token: SeDebugPrivilege	4524	trys.exe
Token: SeDebugPrivilege	4524	trys.exe
Token: SeDebugPrivilege	4524	trys.exe
Token: SeDebugPrivilege	4524	trys.exe
Token: SeDebugPrivilege	4524	trys.exe
Token: SeDebugPrivilege	4524	trys.exe
Token: SeDebugPrivilege	4524	trys.exe
Token: SeDebugPrivilege	4524	trys.exe
Token: SeDebugPrivilege	4524	trys.exe
Token: SeDebugPrivilege	4524	trys.exe
Token: SeDebugPrivilege	4524	trys.exe
Token: SeDebugPrivilege	4524	trys.exe
Token: SeDebugPrivilege	4524	trys.exe
Token: SeDebugPrivilege	4524	trys.exe
Token: SeDebugPrivilege	4524	trys.exe
Token: SeDebugPrivilege	4524	trys.exe
Token: SeDebugPrivilege	4524	trys.exe
Token: SeDebugPrivilege	4524	trys.exe
Token: SeDebugPrivilege	4524	trys.exe
Token: SeDebugPrivilege	4524	trys.exe
Token: SeDebugPrivilege	4524	trys.exe
Token: SeDebugPrivilege	4524	trys.exe
Token: SeDebugPrivilege	4524	trys.exe
Token: SeDebugPrivilege	4524	trys.exe
Token: SeDebugPrivilege	4524	trys.exe
Token: SeDebugPrivilege	4524	trys.exe
Token: SeDebugPrivilege	4524	trys.exe
Token: SeDebugPrivilege	4524	trys.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
4364	36a750c858081673272be974a83656d1f0b2df630f5c997a7c0ebe88ab07a23f.exe
4956	36a750c858081673272be974a83656d1f0b2df630f5c997a7c0ebe88ab07a23f.exe
1580	trys.exe
1580	trys.exe
4524	trys.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 4364 wrote to memory of 4956	4364	36a750c858081673272be974a83656d1f0b2df630f5c997a7c0ebe88ab07a23f.exe	79
PID 4364 wrote to memory of 4956	4364	36a750c858081673272be974a83656d1f0b2df630f5c997a7c0ebe88ab07a23f.exe	79
PID 4364 wrote to memory of 4956	4364	36a750c858081673272be974a83656d1f0b2df630f5c997a7c0ebe88ab07a23f.exe	79
PID 4364 wrote to memory of 4956	4364	36a750c858081673272be974a83656d1f0b2df630f5c997a7c0ebe88ab07a23f.exe	79
PID 4364 wrote to memory of 4956	4364	36a750c858081673272be974a83656d1f0b2df630f5c997a7c0ebe88ab07a23f.exe	79
PID 4364 wrote to memory of 4956	4364	36a750c858081673272be974a83656d1f0b2df630f5c997a7c0ebe88ab07a23f.exe	79
PID 4364 wrote to memory of 4956	4364	36a750c858081673272be974a83656d1f0b2df630f5c997a7c0ebe88ab07a23f.exe	79
PID 4364 wrote to memory of 4956	4364	36a750c858081673272be974a83656d1f0b2df630f5c997a7c0ebe88ab07a23f.exe	79
PID 4956 wrote to memory of 324	4956	36a750c858081673272be974a83656d1f0b2df630f5c997a7c0ebe88ab07a23f.exe	84
PID 4956 wrote to memory of 324	4956	36a750c858081673272be974a83656d1f0b2df630f5c997a7c0ebe88ab07a23f.exe	84
PID 4956 wrote to memory of 324	4956	36a750c858081673272be974a83656d1f0b2df630f5c997a7c0ebe88ab07a23f.exe	84
PID 324 wrote to memory of 2348	324	cmd.exe	88
PID 324 wrote to memory of 2348	324	cmd.exe	88
PID 324 wrote to memory of 2348	324	cmd.exe	88
PID 4956 wrote to memory of 1580	4956	36a750c858081673272be974a83656d1f0b2df630f5c997a7c0ebe88ab07a23f.exe	89
PID 4956 wrote to memory of 1580	4956	36a750c858081673272be974a83656d1f0b2df630f5c997a7c0ebe88ab07a23f.exe	89
PID 4956 wrote to memory of 1580	4956	36a750c858081673272be974a83656d1f0b2df630f5c997a7c0ebe88ab07a23f.exe	89
PID 1580 wrote to memory of 4524	1580	trys.exe	93
PID 1580 wrote to memory of 4524	1580	trys.exe	93
PID 1580 wrote to memory of 4524	1580	trys.exe	93
PID 1580 wrote to memory of 4524	1580	trys.exe	93
PID 1580 wrote to memory of 4524	1580	trys.exe	93
PID 1580 wrote to memory of 4524	1580	trys.exe	93
PID 1580 wrote to memory of 4524	1580	trys.exe	93
PID 1580 wrote to memory of 4524	1580	trys.exe	93
PID 1580 wrote to memory of 3260	1580	trys.exe	94
PID 1580 wrote to memory of 3260	1580	trys.exe	94
PID 1580 wrote to memory of 3260	1580	trys.exe	94
PID 1580 wrote to memory of 3260	1580	trys.exe	94
PID 1580 wrote to memory of 3260	1580	trys.exe	94
PID 1580 wrote to memory of 3260	1580	trys.exe	94
PID 1580 wrote to memory of 3260	1580	trys.exe	94
PID 1580 wrote to memory of 3260	1580	trys.exe	94

C:\Users\Admin\AppData\Local\Temp\36a750c858081673272be974a83656d1f0b2df630f5c997a7c0ebe88ab07a23f.exe
"C:\Users\Admin\AppData\Local\Temp\36a750c858081673272be974a83656d1f0b2df630f5c997a7c0ebe88ab07a23f.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4364
- C:\Users\Admin\AppData\Local\Temp\36a750c858081673272be974a83656d1f0b2df630f5c997a7c0ebe88ab07a23f.exe
  "C:\Users\Admin\AppData\Local\Temp\36a750c858081673272be974a83656d1f0b2df630f5c997a7c0ebe88ab07a23f.exe"
  2⤵
  - Checks computer location settings
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4956
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YKSJT.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:324
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Ineter Mc" /t REG_SZ /d "C:\Windows\trys.exe" /f
      4⤵
      Adds Run key to start application
      PID:2348
- - C:\Windows\trys.exe
    "C:\Windows\trys.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1580
  - - C:\Windows\trys.exe
      "C:\Windows\trys.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:4524
  - - C:\Windows\trys.exe
      "C:\Windows\trys.exe"
      4⤵
      Executes dropped EXE
      PID:3260

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\YKSJT.bat

Filesize
115B

MD5
721f40b829b989f3ed90feba41b75b51

SHA1
0bc3e723b65a94c6ffbb8e0b32c9aaa24d10fefd

SHA256
641cbc8ccc1d7ffe1030ff40ea930cad57a855c5fa275bff57745b62d4545a15

SHA512
d11fa35712baa83380b1515242d85c1ce84ade1bd3e62144906b40c6e2d42c748d7813faaf05e5514048be3ae47fb29986e0a808c93eabf7128f31300c4d972f

Download Submit
C:\Windows\trys.exe

Filesize
134KB

MD5
cc86f8e18af10f0244040166a4d43027

SHA1
8c0a3e4a47823fd4f2540ceb941cbbcfbea33fe4

SHA256
00b3566894284e32b5e18c5499e756eb8fa563c3972faad48b5a189991d91976

SHA512
6f49147142e932dd1c09f15b97377062259c359810632f62847806e52f2dc574751db09a59a6dc056a73bae8f480582c070682fffa98abfd723b93625467cbac

Download Submit
C:\Windows\trys.exe

Filesize
134KB

MD5
cc86f8e18af10f0244040166a4d43027

SHA1
8c0a3e4a47823fd4f2540ceb941cbbcfbea33fe4

SHA256
00b3566894284e32b5e18c5499e756eb8fa563c3972faad48b5a189991d91976

SHA512
6f49147142e932dd1c09f15b97377062259c359810632f62847806e52f2dc574751db09a59a6dc056a73bae8f480582c070682fffa98abfd723b93625467cbac

Download Submit
C:\Windows\trys.exe

Filesize
134KB

MD5
cc86f8e18af10f0244040166a4d43027

SHA1
8c0a3e4a47823fd4f2540ceb941cbbcfbea33fe4

SHA256
00b3566894284e32b5e18c5499e756eb8fa563c3972faad48b5a189991d91976

SHA512
6f49147142e932dd1c09f15b97377062259c359810632f62847806e52f2dc574751db09a59a6dc056a73bae8f480582c070682fffa98abfd723b93625467cbac

Download Submit
C:\Windows\trys.exe

Filesize
134KB

MD5
cc86f8e18af10f0244040166a4d43027

SHA1
8c0a3e4a47823fd4f2540ceb941cbbcfbea33fe4

SHA256
00b3566894284e32b5e18c5499e756eb8fa563c3972faad48b5a189991d91976

SHA512
6f49147142e932dd1c09f15b97377062259c359810632f62847806e52f2dc574751db09a59a6dc056a73bae8f480582c070682fffa98abfd723b93625467cbac

Download Submit
memory/324-145-0x0000000000000000-mapping.dmp

Download
memory/1580-169-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/1580-152-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/1580-149-0x0000000000000000-mapping.dmp

Download
memory/2348-148-0x0000000000000000-mapping.dmp

Download
memory/3260-166-0x0000000013140000-0x0000000013162000-memory.dmp

Filesize
136KB

Download
memory/3260-168-0x0000000013140000-0x0000000013162000-memory.dmp

Filesize
136KB

Download
memory/3260-174-0x0000000013140000-0x0000000013162000-memory.dmp

Filesize
136KB

Download
memory/3260-172-0x0000000013140000-0x0000000013162000-memory.dmp

Filesize
136KB

Download
memory/3260-161-0x0000000013140000-0x0000000013162000-memory.dmp

Filesize
136KB

Download
memory/3260-159-0x0000000000000000-mapping.dmp

Download
memory/4364-132-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/4364-143-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/4364-135-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/4524-170-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4524-155-0x0000000000000000-mapping.dmp

Download
memory/4524-173-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4956-136-0x0000000000000000-mapping.dmp

Download
memory/4956-140-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4956-137-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4956-146-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4956-171-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4956-139-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4956-144-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download