72a54d59bdc50b9fa821b91f617258f844c1f014cfe169ca1f1f3769d9340df7

Analysis

max time kernel
121s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
26-09-2022 02:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f0f245e4d845dc70162125e3cdee47d3.exe
Size

2.0MB
MD5

f0f245e4d845dc70162125e3cdee47d3
SHA1

ed18d4003721cc216c2009f7354c81d55d4c5619
SHA256

72a54d59bdc50b9fa821b91f617258f844c1f014cfe169ca1f1f3769d9340df7
SHA512

906c2053993f428cfc5a97263f201c1d195fbf322a0ca22cd24abb2e8bfa08f22a5f4703d018f7ab0ee5ed0ae6a0aa44a00d75abb24b1be169211758336b7bee
SSDEEP

24576:l7FUDowAyrTVE3U5FmcpExU1S+x25J7o59Sc/5x7awFhJdNo69lOy7KTijli:lBuZrEUEoyc/55DdN7POGj8

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3604	f0f245e4d845dc70162125e3cdee47d3.tmp
4568	f0f245e4d845dc70162125e3cdee47d3.tmp

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	f0f245e4d845dc70162125e3cdee47d3.tmp

Loads dropped DLL 2 IoCs

pid	Process
3604	f0f245e4d845dc70162125e3cdee47d3.tmp
4568	f0f245e4d845dc70162125e3cdee47d3.tmp

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	217.160.70.42

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4568 set thread context of 4656	4568	f0f245e4d845dc70162125e3cdee47d3.tmp	82

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\PC_installer\unins000.dat	f0f245e4d845dc70162125e3cdee47d3.tmp
File created	C:\Program Files (x86)\PC_installer\is-P94B4.tmp	f0f245e4d845dc70162125e3cdee47d3.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3344	4656	WerFault.exe	82

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4568	f0f245e4d845dc70162125e3cdee47d3.tmp
4568	f0f245e4d845dc70162125e3cdee47d3.tmp
4568	f0f245e4d845dc70162125e3cdee47d3.tmp
4568	f0f245e4d845dc70162125e3cdee47d3.tmp
4568	f0f245e4d845dc70162125e3cdee47d3.tmp
4568	f0f245e4d845dc70162125e3cdee47d3.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4568	f0f245e4d845dc70162125e3cdee47d3.tmp

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3140 wrote to memory of 3604	3140	f0f245e4d845dc70162125e3cdee47d3.exe	79
PID 3140 wrote to memory of 3604	3140	f0f245e4d845dc70162125e3cdee47d3.exe	79
PID 3140 wrote to memory of 3604	3140	f0f245e4d845dc70162125e3cdee47d3.exe	79
PID 3604 wrote to memory of 2040	3604	f0f245e4d845dc70162125e3cdee47d3.tmp	80
PID 3604 wrote to memory of 2040	3604	f0f245e4d845dc70162125e3cdee47d3.tmp	80
PID 3604 wrote to memory of 2040	3604	f0f245e4d845dc70162125e3cdee47d3.tmp	80
PID 2040 wrote to memory of 4568	2040	f0f245e4d845dc70162125e3cdee47d3.exe	81
PID 2040 wrote to memory of 4568	2040	f0f245e4d845dc70162125e3cdee47d3.exe	81
PID 2040 wrote to memory of 4568	2040	f0f245e4d845dc70162125e3cdee47d3.exe	81
PID 4568 wrote to memory of 4656	4568	f0f245e4d845dc70162125e3cdee47d3.tmp	82
PID 4568 wrote to memory of 4656	4568	f0f245e4d845dc70162125e3cdee47d3.tmp	82
PID 4568 wrote to memory of 4656	4568	f0f245e4d845dc70162125e3cdee47d3.tmp	82
PID 4568 wrote to memory of 4656	4568	f0f245e4d845dc70162125e3cdee47d3.tmp	82
PID 4568 wrote to memory of 4656	4568	f0f245e4d845dc70162125e3cdee47d3.tmp	82
PID 4568 wrote to memory of 4656	4568	f0f245e4d845dc70162125e3cdee47d3.tmp	82
PID 4568 wrote to memory of 4656	4568	f0f245e4d845dc70162125e3cdee47d3.tmp	82
PID 4568 wrote to memory of 4656	4568	f0f245e4d845dc70162125e3cdee47d3.tmp	82
PID 4568 wrote to memory of 4656	4568	f0f245e4d845dc70162125e3cdee47d3.tmp	82
PID 4568 wrote to memory of 4656	4568	f0f245e4d845dc70162125e3cdee47d3.tmp	82
PID 4568 wrote to memory of 4656	4568	f0f245e4d845dc70162125e3cdee47d3.tmp	82
PID 4568 wrote to memory of 4656	4568	f0f245e4d845dc70162125e3cdee47d3.tmp	82
PID 4568 wrote to memory of 4656	4568	f0f245e4d845dc70162125e3cdee47d3.tmp	82
PID 4568 wrote to memory of 4656	4568	f0f245e4d845dc70162125e3cdee47d3.tmp	82
PID 4568 wrote to memory of 4656	4568	f0f245e4d845dc70162125e3cdee47d3.tmp	82
PID 4568 wrote to memory of 4656	4568	f0f245e4d845dc70162125e3cdee47d3.tmp	82
PID 4568 wrote to memory of 4656	4568	f0f245e4d845dc70162125e3cdee47d3.tmp	82
PID 4568 wrote to memory of 4656	4568	f0f245e4d845dc70162125e3cdee47d3.tmp	82
PID 4568 wrote to memory of 4656	4568	f0f245e4d845dc70162125e3cdee47d3.tmp	82
PID 4568 wrote to memory of 4656	4568	f0f245e4d845dc70162125e3cdee47d3.tmp	82
PID 4568 wrote to memory of 4656	4568	f0f245e4d845dc70162125e3cdee47d3.tmp	82
PID 4568 wrote to memory of 4656	4568	f0f245e4d845dc70162125e3cdee47d3.tmp	82
PID 4568 wrote to memory of 4656	4568	f0f245e4d845dc70162125e3cdee47d3.tmp	82
PID 4568 wrote to memory of 4656	4568	f0f245e4d845dc70162125e3cdee47d3.tmp	82
PID 4568 wrote to memory of 4656	4568	f0f245e4d845dc70162125e3cdee47d3.tmp	82
PID 4568 wrote to memory of 4656	4568	f0f245e4d845dc70162125e3cdee47d3.tmp	82
PID 4568 wrote to memory of 4656	4568	f0f245e4d845dc70162125e3cdee47d3.tmp	82
PID 4568 wrote to memory of 4656	4568	f0f245e4d845dc70162125e3cdee47d3.tmp	82
PID 4568 wrote to memory of 4656	4568	f0f245e4d845dc70162125e3cdee47d3.tmp	82
PID 4568 wrote to memory of 4656	4568	f0f245e4d845dc70162125e3cdee47d3.tmp	82
PID 4568 wrote to memory of 4656	4568	f0f245e4d845dc70162125e3cdee47d3.tmp	82
PID 4568 wrote to memory of 4656	4568	f0f245e4d845dc70162125e3cdee47d3.tmp	82
PID 4568 wrote to memory of 4656	4568	f0f245e4d845dc70162125e3cdee47d3.tmp	82
PID 4568 wrote to memory of 4656	4568	f0f245e4d845dc70162125e3cdee47d3.tmp	82
PID 4568 wrote to memory of 4656	4568	f0f245e4d845dc70162125e3cdee47d3.tmp	82
PID 4568 wrote to memory of 4656	4568	f0f245e4d845dc70162125e3cdee47d3.tmp	82
PID 4568 wrote to memory of 4656	4568	f0f245e4d845dc70162125e3cdee47d3.tmp	82
PID 4568 wrote to memory of 4656	4568	f0f245e4d845dc70162125e3cdee47d3.tmp	82
PID 4568 wrote to memory of 4656	4568	f0f245e4d845dc70162125e3cdee47d3.tmp	82
PID 4568 wrote to memory of 4656	4568	f0f245e4d845dc70162125e3cdee47d3.tmp	82
PID 4568 wrote to memory of 4656	4568	f0f245e4d845dc70162125e3cdee47d3.tmp	82
PID 4568 wrote to memory of 4656	4568	f0f245e4d845dc70162125e3cdee47d3.tmp	82
PID 4568 wrote to memory of 4656	4568	f0f245e4d845dc70162125e3cdee47d3.tmp	82
PID 4568 wrote to memory of 4656	4568	f0f245e4d845dc70162125e3cdee47d3.tmp	82
PID 4568 wrote to memory of 4656	4568	f0f245e4d845dc70162125e3cdee47d3.tmp	82
PID 4568 wrote to memory of 4656	4568	f0f245e4d845dc70162125e3cdee47d3.tmp	82
PID 4568 wrote to memory of 4656	4568	f0f245e4d845dc70162125e3cdee47d3.tmp	82
PID 4568 wrote to memory of 4656	4568	f0f245e4d845dc70162125e3cdee47d3.tmp	82
PID 4568 wrote to memory of 4656	4568	f0f245e4d845dc70162125e3cdee47d3.tmp	82
PID 4568 wrote to memory of 4656	4568	f0f245e4d845dc70162125e3cdee47d3.tmp	82
PID 4568 wrote to memory of 4656	4568	f0f245e4d845dc70162125e3cdee47d3.tmp	82
PID 4568 wrote to memory of 4656	4568	f0f245e4d845dc70162125e3cdee47d3.tmp	82
PID 4568 wrote to memory of 4656	4568	f0f245e4d845dc70162125e3cdee47d3.tmp	82
PID 4568 wrote to memory of 4656	4568	f0f245e4d845dc70162125e3cdee47d3.tmp	82
PID 4568 wrote to memory of 4656	4568	f0f245e4d845dc70162125e3cdee47d3.tmp	82

C:\Users\Admin\AppData\Local\Temp\f0f245e4d845dc70162125e3cdee47d3.exe
"C:\Users\Admin\AppData\Local\Temp\f0f245e4d845dc70162125e3cdee47d3.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3140
- C:\Users\Admin\AppData\Local\Temp\is-HKKMA.tmp\f0f245e4d845dc70162125e3cdee47d3.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-HKKMA.tmp\f0f245e4d845dc70162125e3cdee47d3.tmp" /SL5="$90068,1201179,832512,C:\Users\Admin\AppData\Local\Temp\f0f245e4d845dc70162125e3cdee47d3.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3604
- - C:\Users\Admin\AppData\Local\Temp\f0f245e4d845dc70162125e3cdee47d3.exe
    "C:\Users\Admin\AppData\Local\Temp\f0f245e4d845dc70162125e3cdee47d3.exe" /VERYSILENT
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2040
  - - C:\Users\Admin\AppData\Local\Temp\is-5B77H.tmp\f0f245e4d845dc70162125e3cdee47d3.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-5B77H.tmp\f0f245e4d845dc70162125e3cdee47d3.tmp" /SL5="$A0068,1201179,832512,C:\Users\Admin\AppData\Local\Temp\f0f245e4d845dc70162125e3cdee47d3.exe" /VERYSILENT
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:4568
    - - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe 99
        5⤵
        
        PID:4656
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4656 -s 616
        6⤵
        Program crash
        
        PID:3344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4656 -ip 4656
1⤵
PID:3052

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-5B77H.tmp\f0f245e4d845dc70162125e3cdee47d3.tmp

Filesize
3.0MB

MD5
7118bcb92b75d8a6407f0c953bc5e704

SHA1
87e4c6727af561b331dda6a8c643a389ff8a8967

SHA256
78bb03c3f0ce9fa4889ecd5f20b72b2a2f12b326815bba9ce7802d8f3c202bba

SHA512
49dd5f626d8f14af6b96ac65d66081f145b33f8fcd8e5f98f939be5b21a5d73b4516a952cab132b83f63664bdca2f7be2b5c0613034d01bae0bd142db2ae5efe

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-5B77H.tmp\f0f245e4d845dc70162125e3cdee47d3.tmp

Filesize
3.0MB

MD5
7118bcb92b75d8a6407f0c953bc5e704

SHA1
87e4c6727af561b331dda6a8c643a389ff8a8967

SHA256
78bb03c3f0ce9fa4889ecd5f20b72b2a2f12b326815bba9ce7802d8f3c202bba

SHA512
49dd5f626d8f14af6b96ac65d66081f145b33f8fcd8e5f98f939be5b21a5d73b4516a952cab132b83f63664bdca2f7be2b5c0613034d01bae0bd142db2ae5efe

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-7U7BE.tmp\service.dll

Filesize
373KB

MD5
c708050b3e483c1ed21d708a1f73af0c

SHA1
d4f20b411202da536cf217e442236d3239c9302d

SHA256
a7a80a6f1f7bb19eba9392799852dba58f16461b98662b13370919c32d4fc2d4

SHA512
d12133776afc185e0779dd76f52cd30826c6e667108c49ba6bb48129c68c1145066c46caf4fb31aaee6d3cab3174409281d6926b3f9ded3f6d8f7c755d426a51

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-8FCUI.tmp\service.dll

Filesize
373KB

MD5
c708050b3e483c1ed21d708a1f73af0c

SHA1
d4f20b411202da536cf217e442236d3239c9302d

SHA256
a7a80a6f1f7bb19eba9392799852dba58f16461b98662b13370919c32d4fc2d4

SHA512
d12133776afc185e0779dd76f52cd30826c6e667108c49ba6bb48129c68c1145066c46caf4fb31aaee6d3cab3174409281d6926b3f9ded3f6d8f7c755d426a51

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-HKKMA.tmp\f0f245e4d845dc70162125e3cdee47d3.tmp

Filesize
3.0MB

MD5
7118bcb92b75d8a6407f0c953bc5e704

SHA1
87e4c6727af561b331dda6a8c643a389ff8a8967

SHA256
78bb03c3f0ce9fa4889ecd5f20b72b2a2f12b326815bba9ce7802d8f3c202bba

SHA512
49dd5f626d8f14af6b96ac65d66081f145b33f8fcd8e5f98f939be5b21a5d73b4516a952cab132b83f63664bdca2f7be2b5c0613034d01bae0bd142db2ae5efe

Download Submit
memory/2040-139-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/2040-138-0x0000000000000000-mapping.dmp

Download
memory/2040-141-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/2040-153-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/3140-142-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/3140-132-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/3140-134-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/3604-135-0x0000000000000000-mapping.dmp

Download
memory/4568-143-0x0000000000000000-mapping.dmp

Download
memory/4568-149-0x0000000000918000-0x0000000000953000-memory.dmp

Filesize
236KB

Download
memory/4568-154-0x0000000000918000-0x0000000000953000-memory.dmp

Filesize
236KB

Download
memory/4656-148-0x0000000000940000-0x0000000000980000-memory.dmp

Filesize
256KB

Download
memory/4656-150-0x0000000000940000-0x0000000000980000-memory.dmp

Filesize
256KB

Download
memory/4656-146-0x0000000000000000-mapping.dmp

Download
memory/4656-152-0x0000000000940000-0x0000000000980000-memory.dmp

Filesize
256KB

Download
memory/4656-147-0x0000000000940000-0x0000000000980000-memory.dmp

Filesize
256KB

Download