77f9015d295f702cad0036a9fd7dc01ef7769797286f3c9c46d3ed71e4047d02

Analysis

max time kernel
41s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
19/09/2022, 12:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

77f9015d295f702cad0036a9fd7dc01ef7769797286f3c9c46d3ed71e4047d02.exe
Size

192KB
MD5

79078652e272f139049a2981fad615f0
SHA1

f47020d40cca1c605a7cb3006bad00b30521a2eb
SHA256

77f9015d295f702cad0036a9fd7dc01ef7769797286f3c9c46d3ed71e4047d02
SHA512

052b07640c78ea0c8c038127dde38ea73aa8c220dab086201c00c73c32efbad98b8784377effd8cf1a8832a9393b49f85ebe7b024d77e334344684668fb20862
SSDEEP

3072:nbLpZuEskJoU4aNuWXiHFcvzIb0rGwYbNdYYEspo39i+bDhwIGfeu1mrsg:nbOOxPXiHYzFkNdYmpoZfhwbmuAog

Score

8^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1320	ns89C.tmp
2036	unrar.exe
1664	01.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0008000000012744-62.dat	upx
behavioral1/files/0x0008000000012744-63.dat	upx
behavioral1/files/0x0008000000012744-64.dat	upx
behavioral1/files/0x0008000000012744-66.dat	upx
behavioral1/files/0x0008000000012744-68.dat	upx
behavioral1/files/0x0008000000012744-70.dat	upx
behavioral1/files/0x0008000000012744-69.dat	upx
behavioral1/memory/2036-72-0x0000000000400000-0x0000000000442000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Control Panel\International\Geo\Nation	01.exe

Loads dropped DLL 13 IoCs

pid	Process
1412	77f9015d295f702cad0036a9fd7dc01ef7769797286f3c9c46d3ed71e4047d02.exe
1412	77f9015d295f702cad0036a9fd7dc01ef7769797286f3c9c46d3ed71e4047d02.exe
1412	77f9015d295f702cad0036a9fd7dc01ef7769797286f3c9c46d3ed71e4047d02.exe
1320	ns89C.tmp
1320	ns89C.tmp
2036	unrar.exe
2036	unrar.exe
2036	unrar.exe
1412	77f9015d295f702cad0036a9fd7dc01ef7769797286f3c9c46d3ed71e4047d02.exe
1412	77f9015d295f702cad0036a9fd7dc01ef7769797286f3c9c46d3ed71e4047d02.exe
1664	01.exe
1664	01.exe
1664	01.exe

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\System = "kdhtx.exe"	01.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\kdhtx.exe	01.exe
File opened for modification	C:\Windows\SysWOW64\kdhtx.exe	01.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1664 set thread context of 1608	1664	01.exe	32

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Control Panel 2 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Control Panel\International\Geo	01.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Control Panel\International	01.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1664	01.exe
1664	01.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1664	01.exe
Token: SeSecurityPrivilege	1664	01.exe
Token: SeTakeOwnershipPrivilege	1664	01.exe
Token: SeLoadDriverPrivilege	1664	01.exe
Token: SeSystemProfilePrivilege	1664	01.exe
Token: SeSystemtimePrivilege	1664	01.exe
Token: SeProfSingleProcessPrivilege	1664	01.exe
Token: SeIncBasePriorityPrivilege	1664	01.exe
Token: SeCreatePagefilePrivilege	1664	01.exe
Token: SeBackupPrivilege	1664	01.exe
Token: SeRestorePrivilege	1664	01.exe
Token: SeShutdownPrivilege	1664	01.exe
Token: SeDebugPrivilege	1664	01.exe
Token: SeSystemEnvironmentPrivilege	1664	01.exe
Token: SeChangeNotifyPrivilege	1664	01.exe
Token: SeRemoteShutdownPrivilege	1664	01.exe
Token: SeUndockPrivilege	1664	01.exe
Token: SeManageVolumePrivilege	1664	01.exe
Token: SeImpersonatePrivilege	1664	01.exe
Token: SeCreateGlobalPrivilege	1664	01.exe
Token: 33	1664	01.exe
Token: 34	1664	01.exe
Token: 35	1664	01.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 1412 wrote to memory of 1320	1412	77f9015d295f702cad0036a9fd7dc01ef7769797286f3c9c46d3ed71e4047d02.exe	27
PID 1412 wrote to memory of 1320	1412	77f9015d295f702cad0036a9fd7dc01ef7769797286f3c9c46d3ed71e4047d02.exe	27
PID 1412 wrote to memory of 1320	1412	77f9015d295f702cad0036a9fd7dc01ef7769797286f3c9c46d3ed71e4047d02.exe	27
PID 1412 wrote to memory of 1320	1412	77f9015d295f702cad0036a9fd7dc01ef7769797286f3c9c46d3ed71e4047d02.exe	27
PID 1412 wrote to memory of 1320	1412	77f9015d295f702cad0036a9fd7dc01ef7769797286f3c9c46d3ed71e4047d02.exe	27
PID 1412 wrote to memory of 1320	1412	77f9015d295f702cad0036a9fd7dc01ef7769797286f3c9c46d3ed71e4047d02.exe	27
PID 1412 wrote to memory of 1320	1412	77f9015d295f702cad0036a9fd7dc01ef7769797286f3c9c46d3ed71e4047d02.exe	27
PID 1320 wrote to memory of 2036	1320	ns89C.tmp	29
PID 1320 wrote to memory of 2036	1320	ns89C.tmp	29
PID 1320 wrote to memory of 2036	1320	ns89C.tmp	29
PID 1320 wrote to memory of 2036	1320	ns89C.tmp	29
PID 1320 wrote to memory of 2036	1320	ns89C.tmp	29
PID 1320 wrote to memory of 2036	1320	ns89C.tmp	29
PID 1320 wrote to memory of 2036	1320	ns89C.tmp	29
PID 1412 wrote to memory of 1664	1412	77f9015d295f702cad0036a9fd7dc01ef7769797286f3c9c46d3ed71e4047d02.exe	30
PID 1412 wrote to memory of 1664	1412	77f9015d295f702cad0036a9fd7dc01ef7769797286f3c9c46d3ed71e4047d02.exe	30
PID 1412 wrote to memory of 1664	1412	77f9015d295f702cad0036a9fd7dc01ef7769797286f3c9c46d3ed71e4047d02.exe	30
PID 1412 wrote to memory of 1664	1412	77f9015d295f702cad0036a9fd7dc01ef7769797286f3c9c46d3ed71e4047d02.exe	30
PID 1412 wrote to memory of 1664	1412	77f9015d295f702cad0036a9fd7dc01ef7769797286f3c9c46d3ed71e4047d02.exe	30
PID 1412 wrote to memory of 1664	1412	77f9015d295f702cad0036a9fd7dc01ef7769797286f3c9c46d3ed71e4047d02.exe	30
PID 1412 wrote to memory of 1664	1412	77f9015d295f702cad0036a9fd7dc01ef7769797286f3c9c46d3ed71e4047d02.exe	30
PID 1664 wrote to memory of 1608	1664	01.exe	32
PID 1664 wrote to memory of 1608	1664	01.exe	32
PID 1664 wrote to memory of 1608	1664	01.exe	32
PID 1664 wrote to memory of 1608	1664	01.exe	32

C:\Users\Admin\AppData\Local\Temp\77f9015d295f702cad0036a9fd7dc01ef7769797286f3c9c46d3ed71e4047d02.exe
"C:\Users\Admin\AppData\Local\Temp\77f9015d295f702cad0036a9fd7dc01ef7769797286f3c9c46d3ed71e4047d02.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1412
- C:\Users\Admin\AppData\Local\Temp\nso88C.tmp\ns89C.tmp
  "C:\Users\Admin\AppData\Local\Temp\nso88C.tmp\ns89C.tmp" "C:\Users\Admin\AppData\Local\Temp\unrar.exe" e -o+ -unrar 00.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1320
- - C:\Users\Admin\AppData\Local\Temp\unrar.exe
    "C:\Users\Admin\AppData\Local\Temp\unrar.exe" e -o+ -unrar 00.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2036
- C:\Users\Admin\AppData\Local\Temp\01.exe
  01.exe
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Loads dropped DLL
  - Modifies WinLogon
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Modifies Control Panel
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1664
- - C:\Windows\explorer.exe
    C:\Windows\explorer.exe
    3⤵
    PID:1608

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\00.exe

Filesize
32KB

MD5
610356225c90c68f9ad22b02350c787d

SHA1
e8195e37f55c1d7be10161a70cd3a9aee043cdae

SHA256
85baeca97212119393444b31e739ed1fd557d87fe3c4bb9690136286c57ac81d

SHA512
ce94f2d92610479747268b0d076058abe93a8f9d3f39f3ebef4670f357ef508e7b7812a410c2acde6140d42b128dc6ef357626d83006cb8af789bd3a6db743bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\01.exe

Filesize
64KB

MD5
32d4c7744887262eafa95452936b7521

SHA1
37e65424f7c4a8e361e75fc15dd68db578057d4c

SHA256
a3a33908e030309a740e377e61f29ab5f299929d21973f318802ab56d9f34f66

SHA512
9bf415b139adaac0f7d986ae79807443457095e6a52b150ab97ce76a21cd5c6757cf882d808904164f81e03f3ca3bbdca9720ba94d4300f89cb31fd966e8aceb

Download Submit
C:\Users\Admin\AppData\Local\Temp\01.exe

Filesize
64KB

MD5
32d4c7744887262eafa95452936b7521

SHA1
37e65424f7c4a8e361e75fc15dd68db578057d4c

SHA256
a3a33908e030309a740e377e61f29ab5f299929d21973f318802ab56d9f34f66

SHA512
9bf415b139adaac0f7d986ae79807443457095e6a52b150ab97ce76a21cd5c6757cf882d808904164f81e03f3ca3bbdca9720ba94d4300f89cb31fd966e8aceb

Download Submit
C:\Users\Admin\AppData\Local\Temp\UnRAR.exe

Filesize
90KB

MD5
d87ddf597baf91e7d32b20c0b4d855da

SHA1
4e855b5c03e0a52d8057bc86b83a07f10d00e455

SHA256
264d49f5a489c51ba5f7b96e496120b5331625cbe67ea5b577acc63c12a21dac

SHA512
f6520aa83307eed340e214b4622f939a62dbbfdf9ce63e7c598250485615d617cb6eb503612e4440d55937e67d9bef270359c74a0efc4d082dc7e5d1355a3a26

Download Submit
C:\Users\Admin\AppData\Local\Temp\UnRAR.exe

Filesize
90KB

MD5
d87ddf597baf91e7d32b20c0b4d855da

SHA1
4e855b5c03e0a52d8057bc86b83a07f10d00e455

SHA256
264d49f5a489c51ba5f7b96e496120b5331625cbe67ea5b577acc63c12a21dac

SHA512
f6520aa83307eed340e214b4622f939a62dbbfdf9ce63e7c598250485615d617cb6eb503612e4440d55937e67d9bef270359c74a0efc4d082dc7e5d1355a3a26

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso88C.tmp\ns89C.tmp

Filesize
6KB

MD5
2b81b005983d2147fd587f6a54e2480e

SHA1
cb21d91fa43bec9b6948fdca4f312949e71beb9f

SHA256
e2b3645086c5e0c75e3676db80fdb5d6a31e0f5bc7ee1689d077de1d02f46e7a

SHA512
b436f636824291301543a3ecae879139bce22b9246cd01da4f1da65aa51122ce18feb53886eba398f51e991677c694ed244b0521a32d27be40c98523c0a845fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso88C.tmp\ns89C.tmp

Filesize
6KB

MD5
2b81b005983d2147fd587f6a54e2480e

SHA1
cb21d91fa43bec9b6948fdca4f312949e71beb9f

SHA256
e2b3645086c5e0c75e3676db80fdb5d6a31e0f5bc7ee1689d077de1d02f46e7a

SHA512
b436f636824291301543a3ecae879139bce22b9246cd01da4f1da65aa51122ce18feb53886eba398f51e991677c694ed244b0521a32d27be40c98523c0a845fb

Download Submit
\Users\Admin\AppData\Local\Temp\01.exe

Filesize
64KB

MD5
32d4c7744887262eafa95452936b7521

SHA1
37e65424f7c4a8e361e75fc15dd68db578057d4c

SHA256
a3a33908e030309a740e377e61f29ab5f299929d21973f318802ab56d9f34f66

SHA512
9bf415b139adaac0f7d986ae79807443457095e6a52b150ab97ce76a21cd5c6757cf882d808904164f81e03f3ca3bbdca9720ba94d4300f89cb31fd966e8aceb

Download Submit
\Users\Admin\AppData\Local\Temp\01.exe

Filesize
64KB

MD5
32d4c7744887262eafa95452936b7521

SHA1
37e65424f7c4a8e361e75fc15dd68db578057d4c

SHA256
a3a33908e030309a740e377e61f29ab5f299929d21973f318802ab56d9f34f66

SHA512
9bf415b139adaac0f7d986ae79807443457095e6a52b150ab97ce76a21cd5c6757cf882d808904164f81e03f3ca3bbdca9720ba94d4300f89cb31fd966e8aceb

Download Submit
\Users\Admin\AppData\Local\Temp\01.exe

Filesize
64KB

MD5
32d4c7744887262eafa95452936b7521

SHA1
37e65424f7c4a8e361e75fc15dd68db578057d4c

SHA256
a3a33908e030309a740e377e61f29ab5f299929d21973f318802ab56d9f34f66

SHA512
9bf415b139adaac0f7d986ae79807443457095e6a52b150ab97ce76a21cd5c6757cf882d808904164f81e03f3ca3bbdca9720ba94d4300f89cb31fd966e8aceb

Download Submit
\Users\Admin\AppData\Local\Temp\01.exe

Filesize
64KB

MD5
32d4c7744887262eafa95452936b7521

SHA1
37e65424f7c4a8e361e75fc15dd68db578057d4c

SHA256
a3a33908e030309a740e377e61f29ab5f299929d21973f318802ab56d9f34f66

SHA512
9bf415b139adaac0f7d986ae79807443457095e6a52b150ab97ce76a21cd5c6757cf882d808904164f81e03f3ca3bbdca9720ba94d4300f89cb31fd966e8aceb

Download Submit
\Users\Admin\AppData\Local\Temp\01.exe

Filesize
64KB

MD5
32d4c7744887262eafa95452936b7521

SHA1
37e65424f7c4a8e361e75fc15dd68db578057d4c

SHA256
a3a33908e030309a740e377e61f29ab5f299929d21973f318802ab56d9f34f66

SHA512
9bf415b139adaac0f7d986ae79807443457095e6a52b150ab97ce76a21cd5c6757cf882d808904164f81e03f3ca3bbdca9720ba94d4300f89cb31fd966e8aceb

Download Submit
\Users\Admin\AppData\Local\Temp\UnRAR.exe

Filesize
90KB

MD5
d87ddf597baf91e7d32b20c0b4d855da

SHA1
4e855b5c03e0a52d8057bc86b83a07f10d00e455

SHA256
264d49f5a489c51ba5f7b96e496120b5331625cbe67ea5b577acc63c12a21dac

SHA512
f6520aa83307eed340e214b4622f939a62dbbfdf9ce63e7c598250485615d617cb6eb503612e4440d55937e67d9bef270359c74a0efc4d082dc7e5d1355a3a26

Download Submit
\Users\Admin\AppData\Local\Temp\UnRAR.exe

Filesize
90KB

MD5
d87ddf597baf91e7d32b20c0b4d855da

SHA1
4e855b5c03e0a52d8057bc86b83a07f10d00e455

SHA256
264d49f5a489c51ba5f7b96e496120b5331625cbe67ea5b577acc63c12a21dac

SHA512
f6520aa83307eed340e214b4622f939a62dbbfdf9ce63e7c598250485615d617cb6eb503612e4440d55937e67d9bef270359c74a0efc4d082dc7e5d1355a3a26

Download Submit
\Users\Admin\AppData\Local\Temp\UnRAR.exe

Filesize
90KB

MD5
d87ddf597baf91e7d32b20c0b4d855da

SHA1
4e855b5c03e0a52d8057bc86b83a07f10d00e455

SHA256
264d49f5a489c51ba5f7b96e496120b5331625cbe67ea5b577acc63c12a21dac

SHA512
f6520aa83307eed340e214b4622f939a62dbbfdf9ce63e7c598250485615d617cb6eb503612e4440d55937e67d9bef270359c74a0efc4d082dc7e5d1355a3a26

Download Submit
\Users\Admin\AppData\Local\Temp\UnRAR.exe

Filesize
90KB

MD5
d87ddf597baf91e7d32b20c0b4d855da

SHA1
4e855b5c03e0a52d8057bc86b83a07f10d00e455

SHA256
264d49f5a489c51ba5f7b96e496120b5331625cbe67ea5b577acc63c12a21dac

SHA512
f6520aa83307eed340e214b4622f939a62dbbfdf9ce63e7c598250485615d617cb6eb503612e4440d55937e67d9bef270359c74a0efc4d082dc7e5d1355a3a26

Download Submit
\Users\Admin\AppData\Local\Temp\UnRAR.exe

Filesize
90KB

MD5
d87ddf597baf91e7d32b20c0b4d855da

SHA1
4e855b5c03e0a52d8057bc86b83a07f10d00e455

SHA256
264d49f5a489c51ba5f7b96e496120b5331625cbe67ea5b577acc63c12a21dac

SHA512
f6520aa83307eed340e214b4622f939a62dbbfdf9ce63e7c598250485615d617cb6eb503612e4440d55937e67d9bef270359c74a0efc4d082dc7e5d1355a3a26

Download Submit
\Users\Admin\AppData\Local\Temp\nso88C.tmp\ns89C.tmp

Filesize
6KB

MD5
2b81b005983d2147fd587f6a54e2480e

SHA1
cb21d91fa43bec9b6948fdca4f312949e71beb9f

SHA256
e2b3645086c5e0c75e3676db80fdb5d6a31e0f5bc7ee1689d077de1d02f46e7a

SHA512
b436f636824291301543a3ecae879139bce22b9246cd01da4f1da65aa51122ce18feb53886eba398f51e991677c694ed244b0521a32d27be40c98523c0a845fb

Download Submit
\Users\Admin\AppData\Local\Temp\nso88C.tmp\ns89C.tmp

Filesize
6KB

MD5
2b81b005983d2147fd587f6a54e2480e

SHA1
cb21d91fa43bec9b6948fdca4f312949e71beb9f

SHA256
e2b3645086c5e0c75e3676db80fdb5d6a31e0f5bc7ee1689d077de1d02f46e7a

SHA512
b436f636824291301543a3ecae879139bce22b9246cd01da4f1da65aa51122ce18feb53886eba398f51e991677c694ed244b0521a32d27be40c98523c0a845fb

Download Submit
\Users\Admin\AppData\Local\Temp\nso88C.tmp\nsExec.dll

Filesize
6KB

MD5
03a1a9be1f1e72f926ec9161825eedd6

SHA1
d0574bafc615168c021788d413a3a73d275c492d

SHA256
8a8bce943b78093ecd86a42c203931ee625f445acf5cb5b705e3b7eaf29c7110

SHA512
8d82e15ee109d2236a995990fdd0c9fb39c9d3c4dea1c063f0806314e7a9d09a112f4f09091c265adba9f86ec7a0977294cce112e20ffb2f8b3ad62ab3dac396

Download Submit
memory/1320-73-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1320-74-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1412-54-0x0000000075771000-0x0000000075773000-memory.dmp

Filesize
8KB

Download
memory/1608-95-0x000007FEFB6A1000-0x000007FEFB6A3000-memory.dmp

Filesize
8KB

Download
memory/1664-84-0x000000007DD60000-0x000000007DE70000-memory.dmp

Filesize
1.1MB

Download
memory/1664-88-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1664-94-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2036-72-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download