Analysis
max time kernel: 92s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19-09-2022 13:25
Static task: static1

Behavioral task: behavioral1
  Sample: 53bc46768102cb1c57090ab315eba36d22b7ee85f34ab6e9b15f7cce6aacb215.exe
  Resource: win7-20220812-en

Behavioral task: behavioral2
  Sample: 53bc46768102cb1c57090ab315eba36d22b7ee85f34ab6e9b15f7cce6aacb215.exe
  Resource: win10v2004-20220812-en
General
Target: 53bc46768102cb1c57090ab315eba36d22b7ee85f34ab6e9b15f7cce6aacb215.exe
Size: 444KB
MD5: 7ab6b6832ada10a6e0dfb8711e873179
SHA1: 8839d370bf9bd62bd3879fbbd946cf5e2367a814
SHA256: 53bc46768102cb1c57090ab315eba36d22b7ee85f34ab6e9b15f7cce6aacb215
SHA512: b647afd0f90638ed91c2dd4fdbd32659ec4da7f352230ed802fbe88e7a6b8d3b97737dffcdd30169590253786197e4071232338834de4b5f2c95d286557f6051
SSDEEP: 6144:5ZunObR8sVImcyYC5JEY5XlCdraWDgfjrfhartBI+zlbKvCB2txqWwKQ3GdYuxPf:WK+mz1NE/Ds3fM20lHmYWwH3zuxPf
Malware Config
Signatures

Executes dropped EXE (2 IoCs)
  PID   Process
  2884  loadwg.exe
  772   zholwg.exe

  resource                                                                    yara_rule
  behavioral2/files/0x0007000000022f58-133.dat                                upx
  behavioral2/files/0x0007000000022f58-134.dat                                upx
  behavioral2/memory/2884-135-0x0000000000400000-0x00000000004AC000-memory.dmp  upx
  behavioral2/memory/2884-146-0x0000000000400000-0x00000000004AC000-memory.dmp  upx

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation
  Process: 53bc46768102cb1c57090ab315eba36d22b7ee85f34ab6e9b15f7cce6aacb215.exe

Loads dropped DLL (3 IoCs)
  PID   Process
  772   zholwg.exe
  1944  53bc46768102cb1c57090ab315eba36d22b7ee85f34ab6e9b15f7cce6aacb215.exe
  2884  loadwg.exe

AutoIT Executable (1 IoC)
AutoIT scripts compiled to PE executables.
  resource                                                                    yara_rule
  behavioral2/memory/2884-146-0x0000000000400000-0x00000000004AC000-memory.dmp  autoit_exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (6 IoCs)
  PID   Process
  772   zholwg.exe
  772   zholwg.exe
  772   zholwg.exe
  772   zholwg.exe
  772   zholwg.exe
  772   zholwg.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID   Process
  2884  loadwg.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  PID   Process
  772   zholwg.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  description                          PID   Process                                                                 procid_target
  PID 1944 wrote to memory of 2884     1944  53bc46768102cb1c57090ab315eba36d22b7ee85f34ab6e9b15f7cce6aacb215.exe  76
  PID 1944 wrote to memory of 2884     1944  53bc46768102cb1c57090ab315eba36d22b7ee85f34ab6e9b15f7cce6aacb215.exe  76
  PID 1944 wrote to memory of 2884     1944  53bc46768102cb1c57090ab315eba36d22b7ee85f34ab6e9b15f7cce6aacb215.exe  76
  PID 2884 wrote to memory of 772      2884  loadwg.exe                                                              77
  PID 2884 wrote to memory of 772      2884  loadwg.exe                                                              77
  PID 2884 wrote to memory of 772      2884  loadwg.exe                                                              77
Processes

1. C:\Users\Admin\AppData\Local\Temp\53bc46768102cb1c57090ab315eba36d22b7ee85f34ab6e9b15f7cce6aacb215.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\53bc46768102cb1c57090ab315eba36d22b7ee85f34ab6e9b15f7cce6aacb215.exe"
   PID: 1944
   - Checks computer location settings
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\RarSFX0\loadwg.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\loadwg.exe"
      PID: 2884
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Local\Temp\RarSFX0\zholwg.exe
         Command line: zholwg.exe
         PID: 772
         - Executes dropped EXE
         - Loads dropped DLL
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 333KB
MD5: 5a74f1a22e11a717cff8bd4f6f18913d
SHA1: 459db43f79a38a9d67aeb248328039eb6c77ac43
SHA256: 0e32d8dbe4d9861956539fa69bc3475bedcf1d02f42807b651d2d699928c1d6a
SHA512: bee37a8e334329e4e4fb27f4b9850924aeb2a363d93c770af0dc61ac3b5794b5bf1fecf2978c1cd4a2a0d29a645b49bab78d219480680241792062493249ddaa

Filesize: 18KB
MD5: 220d8ec3964ca685a336a8e64f28fc81
SHA1: 1401474830040841961ab49a266a940ea13aee91
SHA256: 31e95fe36fd3edbed947759af089577b0cd8fc9f42a6b18c482d53b55c9af406
SHA512: 67ee6612a3911f02240ac12e47edbd6de94de50150d7b0b6a340b1f0712638e5d2f760fff4e41cbee115ce544746bf78f77a6fa910f16a2599c3bb333fc1a862

Filesize: 25KB
MD5: 0de9ad04546ca648ae0f8568c30bf4c2
SHA1: 3a99c074da19ac4f5a55e7102f4e6914d3876722
SHA256: ec934d537f95c81a01eafb4312a7d4f21b912512db9fe79984cd7d1763e8493c
SHA512: 19995a5b79ec31e122232f7fd9ca3caff68f5ae1155fefcf46dfa760b60e92b4c4190b514bfb72e096210919cf6fb4f394252c68fe2d30b93796242d1584633e