0fa41ef1fdafc8802949cc226b5ef2f8986ce09d2b26f0562b18b4a62c459609

Analysis

max time kernel
228s
max time network
233s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
20/09/2022, 07:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

unknown.exe
Size

1.9MB
MD5

9d3b27b3a999b235deceb897431d9cad
SHA1

caf056a08abe9dc8dc63ccb93609ad811c248937
SHA256

0fa41ef1fdafc8802949cc226b5ef2f8986ce09d2b26f0562b18b4a62c459609
SHA512

a695f864a69112b6ffed501c2b2fa0652106915e9292c64b005fc668bc0b4f7ece0b2cfe5a525cf018c0389b65f32e12a29376d50689573d6322ee486562cb6e
SSDEEP

24576:u7FUDowAyrTVE3U5FmqT7z1klhAhH6m5x7awFhJdNo69lOy7KTijlA:uBuZrEUL3ilhAZv55DdN7POGjG

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4340	unknown.tmp
2552	unknown.tmp

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	unknown.tmp

Loads dropped DLL 2 IoCs

pid	Process
4340	unknown.tmp
2552	unknown.tmp

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	217.160.70.42

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2552 set thread context of 4516	2552	unknown.tmp	86

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\PC_installer\unins000.dat	unknown.tmp
File created	C:\Program Files (x86)\PC_installer\is-F8ASV.tmp	unknown.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3148	4516	WerFault.exe	86

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2552	unknown.tmp
2552	unknown.tmp
2552	unknown.tmp
2552	unknown.tmp
2552	unknown.tmp
2552	unknown.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2552	unknown.tmp

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2056 wrote to memory of 4340	2056	unknown.exe	82
PID 2056 wrote to memory of 4340	2056	unknown.exe	82
PID 2056 wrote to memory of 4340	2056	unknown.exe	82
PID 4340 wrote to memory of 4540	4340	unknown.tmp	84
PID 4340 wrote to memory of 4540	4340	unknown.tmp	84
PID 4340 wrote to memory of 4540	4340	unknown.tmp	84
PID 4540 wrote to memory of 2552	4540	unknown.exe	85
PID 4540 wrote to memory of 2552	4540	unknown.exe	85
PID 4540 wrote to memory of 2552	4540	unknown.exe	85
PID 2552 wrote to memory of 4516	2552	unknown.tmp	86
PID 2552 wrote to memory of 4516	2552	unknown.tmp	86
PID 2552 wrote to memory of 4516	2552	unknown.tmp	86
PID 2552 wrote to memory of 4516	2552	unknown.tmp	86
PID 2552 wrote to memory of 4516	2552	unknown.tmp	86
PID 2552 wrote to memory of 4516	2552	unknown.tmp	86
PID 2552 wrote to memory of 4516	2552	unknown.tmp	86
PID 2552 wrote to memory of 4516	2552	unknown.tmp	86
PID 2552 wrote to memory of 4516	2552	unknown.tmp	86
PID 2552 wrote to memory of 4516	2552	unknown.tmp	86
PID 2552 wrote to memory of 4516	2552	unknown.tmp	86
PID 2552 wrote to memory of 4516	2552	unknown.tmp	86
PID 2552 wrote to memory of 4516	2552	unknown.tmp	86
PID 2552 wrote to memory of 4516	2552	unknown.tmp	86
PID 2552 wrote to memory of 4516	2552	unknown.tmp	86
PID 2552 wrote to memory of 4516	2552	unknown.tmp	86
PID 2552 wrote to memory of 4516	2552	unknown.tmp	86
PID 2552 wrote to memory of 4516	2552	unknown.tmp	86
PID 2552 wrote to memory of 4516	2552	unknown.tmp	86
PID 2552 wrote to memory of 4516	2552	unknown.tmp	86
PID 2552 wrote to memory of 4516	2552	unknown.tmp	86
PID 2552 wrote to memory of 4516	2552	unknown.tmp	86
PID 2552 wrote to memory of 4516	2552	unknown.tmp	86
PID 2552 wrote to memory of 4516	2552	unknown.tmp	86
PID 2552 wrote to memory of 4516	2552	unknown.tmp	86
PID 2552 wrote to memory of 4516	2552	unknown.tmp	86
PID 2552 wrote to memory of 4516	2552	unknown.tmp	86
PID 2552 wrote to memory of 4516	2552	unknown.tmp	86
PID 2552 wrote to memory of 4516	2552	unknown.tmp	86
PID 2552 wrote to memory of 4516	2552	unknown.tmp	86
PID 2552 wrote to memory of 4516	2552	unknown.tmp	86
PID 2552 wrote to memory of 4516	2552	unknown.tmp	86
PID 2552 wrote to memory of 4516	2552	unknown.tmp	86
PID 2552 wrote to memory of 4516	2552	unknown.tmp	86
PID 2552 wrote to memory of 4516	2552	unknown.tmp	86
PID 2552 wrote to memory of 4516	2552	unknown.tmp	86
PID 2552 wrote to memory of 4516	2552	unknown.tmp	86
PID 2552 wrote to memory of 4516	2552	unknown.tmp	86
PID 2552 wrote to memory of 4516	2552	unknown.tmp	86
PID 2552 wrote to memory of 4516	2552	unknown.tmp	86
PID 2552 wrote to memory of 4516	2552	unknown.tmp	86
PID 2552 wrote to memory of 4516	2552	unknown.tmp	86
PID 2552 wrote to memory of 4516	2552	unknown.tmp	86
PID 2552 wrote to memory of 4516	2552	unknown.tmp	86
PID 2552 wrote to memory of 4516	2552	unknown.tmp	86
PID 2552 wrote to memory of 4516	2552	unknown.tmp	86
PID 2552 wrote to memory of 4516	2552	unknown.tmp	86
PID 2552 wrote to memory of 4516	2552	unknown.tmp	86
PID 2552 wrote to memory of 4516	2552	unknown.tmp	86
PID 2552 wrote to memory of 4516	2552	unknown.tmp	86
PID 2552 wrote to memory of 4516	2552	unknown.tmp	86
PID 2552 wrote to memory of 4516	2552	unknown.tmp	86
PID 2552 wrote to memory of 4516	2552	unknown.tmp	86
PID 2552 wrote to memory of 4516	2552	unknown.tmp	86
PID 2552 wrote to memory of 4516	2552	unknown.tmp	86

C:\Users\Admin\AppData\Local\Temp\unknown.exe
"C:\Users\Admin\AppData\Local\Temp\unknown.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2056
- C:\Users\Admin\AppData\Local\Temp\is-8G232.tmp\unknown.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-8G232.tmp\unknown.tmp" /SL5="$E01BA,1133818,832512,C:\Users\Admin\AppData\Local\Temp\unknown.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4340
- - C:\Users\Admin\AppData\Local\Temp\unknown.exe
    "C:\Users\Admin\AppData\Local\Temp\unknown.exe" /VERYSILENT
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4540
  - - C:\Users\Admin\AppData\Local\Temp\is-MDCVI.tmp\unknown.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-MDCVI.tmp\unknown.tmp" /SL5="$F01BA,1133818,832512,C:\Users\Admin\AppData\Local\Temp\unknown.exe" /VERYSILENT
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:2552
    - - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe 99
        5⤵
        
        PID:4516
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4516 -s 904
        6⤵
        Program crash
        
        PID:3148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4516 -ip 4516
1⤵
PID:2284

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-8G232.tmp\unknown.tmp

Filesize
3.0MB

MD5
e8bbd5425ac1507a72fad12f513135d0

SHA1
6700c181e93d7787df9bd930dc37bcc1c29306c7

SHA256
f49aefb68a1e66c0b6454e9ce51430229f68e8c644dd2de60def4029f204978f

SHA512
8cf9eaaf6e0d56688bffa7646ed6bfbefeb6aad4e6b66a00f7f580285f559b8b31e7883774bbe6999b4dfab5b11b10743bcda4be71016f29c5eb29fea523db71

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-CNERN.tmp\service.dll

Filesize
368KB

MD5
0df6a0de449cbc0f3331b33fbfc5b7c0

SHA1
3e41ade403f19ed56773bf8c1a365bd02adae0d1

SHA256
49f22332c61975e05449bd2eb9b800e213bc0808ef4c2d26e0af3bdd3f7fc396

SHA512
80ca7b46d3ee300a600790be88d7476861b4ba0b9f1da5e6529df4005aed89246ec05d31e40b89e41d17c7880e36f8c2d82fa5e47186abb36c1abf04e6001737

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-KLJ24.tmp\service.dll

Filesize
368KB

MD5
0df6a0de449cbc0f3331b33fbfc5b7c0

SHA1
3e41ade403f19ed56773bf8c1a365bd02adae0d1

SHA256
49f22332c61975e05449bd2eb9b800e213bc0808ef4c2d26e0af3bdd3f7fc396

SHA512
80ca7b46d3ee300a600790be88d7476861b4ba0b9f1da5e6529df4005aed89246ec05d31e40b89e41d17c7880e36f8c2d82fa5e47186abb36c1abf04e6001737

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-MDCVI.tmp\unknown.tmp

Filesize
3.0MB

MD5
e8bbd5425ac1507a72fad12f513135d0

SHA1
6700c181e93d7787df9bd930dc37bcc1c29306c7

SHA256
f49aefb68a1e66c0b6454e9ce51430229f68e8c644dd2de60def4029f204978f

SHA512
8cf9eaaf6e0d56688bffa7646ed6bfbefeb6aad4e6b66a00f7f580285f559b8b31e7883774bbe6999b4dfab5b11b10743bcda4be71016f29c5eb29fea523db71

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-MDCVI.tmp\unknown.tmp

Filesize
3.0MB

MD5
e8bbd5425ac1507a72fad12f513135d0

SHA1
6700c181e93d7787df9bd930dc37bcc1c29306c7

SHA256
f49aefb68a1e66c0b6454e9ce51430229f68e8c644dd2de60def4029f204978f

SHA512
8cf9eaaf6e0d56688bffa7646ed6bfbefeb6aad4e6b66a00f7f580285f559b8b31e7883774bbe6999b4dfab5b11b10743bcda4be71016f29c5eb29fea523db71

Download Submit
memory/2056-132-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/2056-136-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/2056-141-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/2552-154-0x0000000000958000-0x0000000000994000-memory.dmp

Filesize
240KB

Download
memory/2552-151-0x0000000000958000-0x0000000000994000-memory.dmp

Filesize
240KB

Download
memory/4516-149-0x0000000000AC0000-0x0000000000B00000-memory.dmp

Filesize
256KB

Download
memory/4516-148-0x0000000000AC0000-0x0000000000B00000-memory.dmp

Filesize
256KB

Download
memory/4516-150-0x0000000000AC0000-0x0000000000B00000-memory.dmp

Filesize
256KB

Download
memory/4516-152-0x0000000000AC0000-0x0000000000B00000-memory.dmp

Filesize
256KB

Download
memory/4540-146-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/4540-142-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/4540-139-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download