Analysis

  • max time kernel
    133s
  • max time network
    142s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19/09/2022, 12:55

General

  • Target
    77f9015d295f702cad0036a9fd7dc01ef7769797286f3c9c46d3ed71e4047d02.exe
  • Size
    192KB
  • MD5
    79078652e272f139049a2981fad615f0
  • SHA1
    f47020d40cca1c605a7cb3006bad00b30521a2eb
  • SHA256
    77f9015d295f702cad0036a9fd7dc01ef7769797286f3c9c46d3ed71e4047d02
  • SHA512
    052b07640c78ea0c8c038127dde38ea73aa8c220dab086201c00c73c32efbad98b8784377effd8cf1a8832a9393b49f85ebe7b024d77e334344684668fb20862
  • SSDEEP
    3072:nbLpZuEskJoU4aNuWXiHFcvzIb0rGwYbNdYYEspo39i+bDhwIGfeu1mrsg:nbOOxPXiHYzFkNdYmpoZfhwbmuAog

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 3 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 1 IoCs
  • Modifies WinLogon 2 TTPs 1 IoCs
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Control Panel 2 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 24 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\77f9015d295f702cad0036a9fd7dc01ef7769797286f3c9c46d3ed71e4047d02.exe
    "C:\Users\Admin\AppData\Local\Temp\77f9015d295f702cad0036a9fd7dc01ef7769797286f3c9c46d3ed71e4047d02.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1476
    • C:\Users\Admin\AppData\Local\Temp\nsg72F4.tmp\ns7305.tmp
      "C:\Users\Admin\AppData\Local\Temp\nsg72F4.tmp\ns7305.tmp" "C:\Users\Admin\AppData\Local\Temp\unrar.exe" e -o+ -unrar 00.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:4340
      • C:\Users\Admin\AppData\Local\Temp\unrar.exe
        "C:\Users\Admin\AppData\Local\Temp\unrar.exe" e -o+ -unrar 00.exe
        3⤵
        • Executes dropped EXE
        PID:1544
    • C:\Users\Admin\AppData\Local\Temp\01.exe
      01.exe
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Modifies WinLogon
      • Drops file in System32 directory
      • Suspicious use of SetThreadContext
      • Modifies Control Panel
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2896
      • C:\Windows\explorer.exe
        C:\Windows\explorer.exe
        3⤵
        • Modifies registry class
        PID:4936

Network

MITRE ATT&CK Enterprise v6


Downloads

  • C:\Users\Admin\AppData\Local\Temp\00.exe
    Filesize
    32KB
    MD5
    610356225c90c68f9ad22b02350c787d
    SHA1
    e8195e37f55c1d7be10161a70cd3a9aee043cdae
    SHA256
    85baeca97212119393444b31e739ed1fd557d87fe3c4bb9690136286c57ac81d
    SHA512
    ce94f2d92610479747268b0d076058abe93a8f9d3f39f3ebef4670f357ef508e7b7812a410c2acde6140d42b128dc6ef357626d83006cb8af789bd3a6db743bc

  • C:\Users\Admin\AppData\Local\Temp\01.exe
    Filesize
    64KB
    MD5
    32d4c7744887262eafa95452936b7521
    SHA1
    37e65424f7c4a8e361e75fc15dd68db578057d4c
    SHA256
    a3a33908e030309a740e377e61f29ab5f299929d21973f318802ab56d9f34f66
    SHA512
    9bf415b139adaac0f7d986ae79807443457095e6a52b150ab97ce76a21cd5c6757cf882d808904164f81e03f3ca3bbdca9720ba94d4300f89cb31fd966e8aceb

  • C:\Users\Admin\AppData\Local\Temp\UnRAR.exe
    Filesize
    90KB
    MD5
    d87ddf597baf91e7d32b20c0b4d855da
    SHA1
    4e855b5c03e0a52d8057bc86b83a07f10d00e455
    SHA256
    264d49f5a489c51ba5f7b96e496120b5331625cbe67ea5b577acc63c12a21dac
    SHA512
    f6520aa83307eed340e214b4622f939a62dbbfdf9ce63e7c598250485615d617cb6eb503612e4440d55937e67d9bef270359c74a0efc4d082dc7e5d1355a3a26

  • C:\Users\Admin\AppData\Local\Temp\nsg72F4.tmp\ns7305.tmp
    Filesize
    6KB
    MD5
    2b81b005983d2147fd587f6a54e2480e
    SHA1
    cb21d91fa43bec9b6948fdca4f312949e71beb9f
    SHA256
    e2b3645086c5e0c75e3676db80fdb5d6a31e0f5bc7ee1689d077de1d02f46e7a
    SHA512
    b436f636824291301543a3ecae879139bce22b9246cd01da4f1da65aa51122ce18feb53886eba398f51e991677c694ed244b0521a32d27be40c98523c0a845fb

  • C:\Users\Admin\AppData\Local\Temp\nsg72F4.tmp\nsExec.dll
    Filesize
    6KB
    MD5
    03a1a9be1f1e72f926ec9161825eedd6
    SHA1
    d0574bafc615168c021788d413a3a73d275c492d
    SHA256
    8a8bce943b78093ecd86a42c203931ee625f445acf5cb5b705e3b7eaf29c7110
    SHA512
    8d82e15ee109d2236a995990fdd0c9fb39c9d3c4dea1c063f0806314e7a9d09a112f4f09091c265adba9f86ec7a0977294cce112e20ffb2f8b3ad62ab3dac396

  • C:\Users\Admin\AppData\Local\Temp\unrar.exe
    Filesize
    90KB
    MD5
    d87ddf597baf91e7d32b20c0b4d855da
    SHA1
    4e855b5c03e0a52d8057bc86b83a07f10d00e455
    SHA256
    264d49f5a489c51ba5f7b96e496120b5331625cbe67ea5b577acc63c12a21dac
    SHA512
    f6520aa83307eed340e214b4622f939a62dbbfdf9ce63e7c598250485615d617cb6eb503612e4440d55937e67d9bef270359c74a0efc4d082dc7e5d1355a3a26

  • memory/1544-140-0x0000000000400000-0x0000000000442000-memory.dmp
    Filesize
    264KB

  • memory/2896-144-0x000000006B800000-0x000000006B8F0000-memory.dmp
    Filesize
    960KB

  • memory/2896-157-0x0000000000400000-0x0000000000413000-memory.dmp
    Filesize
    76KB