e8743f06f20025a2c408dd712d19633b928dcbb13695f408560cc2ad5cf27662

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
02-10-2022 22:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e8743f06f20025a2c408dd712d19633b928dcbb13695f408560cc2ad5cf27662.exe
Size

1.1MB
MD5

6f2a786616e936353f9c3e1f35e01730
SHA1

9b9830459bef6aa5ec292cbf17be4cd72e409ecd
SHA256

e8743f06f20025a2c408dd712d19633b928dcbb13695f408560cc2ad5cf27662
SHA512

65db97646eb8522ce5509d24121eadba5e449d140828038de2034d65a5f7e5dd97813368f04e8500485de9bf6dedc5bc8abf9e6bda327085a5e625d4aa36666f
SSDEEP

24576:72O/GlARmF/w0dR4gptEUf0mfnV6ct7Yn7AMkycLTpppShFJ:g/w0LJIS0fn9/qTpqLJ

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

hpipl.comhpipl.com

pid process

376 hpipl.com
3168 hpipl.com

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

e8743f06f20025a2c408dd712d19633b928dcbb13695f408560cc2ad5cf27662.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	e8743f06f20025a2c408dd712d19633b928dcbb13695f408560cc2ad5cf27662.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

hpipl.comRegSvcs.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	hpipl.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\ijxfn\\hpipl.com C:\\Users\\Admin\\AppData\\Roaming\\ijxfn\\mmous.jbu"	hpipl.com
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	RegSvcs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\ijxfn\\hpipl.com C:\\Users\\Admin\\AppData\\Roaming\\ijxfn\\mmous.jbu"	RegSvcs.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

hpipl.com

description	pid	process	target process
PID 3168 set thread context of 2972	3168	hpipl.com	RegSvcs.exe
PID 3168 set thread context of 2084	3168	hpipl.com	RegSvcs.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2656 2972 WerFault.exe RegSvcs.exe

pid	pid_target	process	target process
2656	2972	WerFault.exe	RegSvcs.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

hpipl.comRegSvcs.exe

pid	process
376	hpipl.com
376	hpipl.com
2084	RegSvcs.exe
2084	RegSvcs.exe
2084	RegSvcs.exe
2084	RegSvcs.exe
2084	RegSvcs.exe
2084	RegSvcs.exe
2084	RegSvcs.exe
2084	RegSvcs.exe
2084	RegSvcs.exe
2084	RegSvcs.exe
2084	RegSvcs.exe
2084	RegSvcs.exe
2084	RegSvcs.exe
2084	RegSvcs.exe
2084	RegSvcs.exe
2084	RegSvcs.exe
2084	RegSvcs.exe
2084	RegSvcs.exe
2084	RegSvcs.exe
2084	RegSvcs.exe
2084	RegSvcs.exe
2084	RegSvcs.exe
2084	RegSvcs.exe
2084	RegSvcs.exe
2084	RegSvcs.exe
2084	RegSvcs.exe
2084	RegSvcs.exe
2084	RegSvcs.exe
2084	RegSvcs.exe
2084	RegSvcs.exe
2084	RegSvcs.exe
2084	RegSvcs.exe
2084	RegSvcs.exe
2084	RegSvcs.exe
2084	RegSvcs.exe
2084	RegSvcs.exe
2084	RegSvcs.exe
2084	RegSvcs.exe
2084	RegSvcs.exe
2084	RegSvcs.exe
2084	RegSvcs.exe
2084	RegSvcs.exe
2084	RegSvcs.exe
2084	RegSvcs.exe
2084	RegSvcs.exe
2084	RegSvcs.exe
2084	RegSvcs.exe
2084	RegSvcs.exe
2084	RegSvcs.exe
2084	RegSvcs.exe
2084	RegSvcs.exe
2084	RegSvcs.exe
2084	RegSvcs.exe
2084	RegSvcs.exe
2084	RegSvcs.exe
2084	RegSvcs.exe
2084	RegSvcs.exe
2084	RegSvcs.exe
2084	RegSvcs.exe
2084	RegSvcs.exe
2084	RegSvcs.exe
2084	RegSvcs.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

e8743f06f20025a2c408dd712d19633b928dcbb13695f408560cc2ad5cf27662.exehpipl.comhpipl.com

description	pid	process	target process
PID 1296 wrote to memory of 376	1296	e8743f06f20025a2c408dd712d19633b928dcbb13695f408560cc2ad5cf27662.exe	hpipl.com
PID 1296 wrote to memory of 376	1296	e8743f06f20025a2c408dd712d19633b928dcbb13695f408560cc2ad5cf27662.exe	hpipl.com
PID 1296 wrote to memory of 376	1296	e8743f06f20025a2c408dd712d19633b928dcbb13695f408560cc2ad5cf27662.exe	hpipl.com
PID 376 wrote to memory of 3168	376	hpipl.com	hpipl.com
PID 376 wrote to memory of 3168	376	hpipl.com	hpipl.com
PID 376 wrote to memory of 3168	376	hpipl.com	hpipl.com
PID 3168 wrote to memory of 2972	3168	hpipl.com	RegSvcs.exe
PID 3168 wrote to memory of 2972	3168	hpipl.com	RegSvcs.exe
PID 3168 wrote to memory of 2972	3168	hpipl.com	RegSvcs.exe
PID 3168 wrote to memory of 2972	3168	hpipl.com	RegSvcs.exe
PID 3168 wrote to memory of 2084	3168	hpipl.com	RegSvcs.exe
PID 3168 wrote to memory of 2084	3168	hpipl.com	RegSvcs.exe
PID 3168 wrote to memory of 2084	3168	hpipl.com	RegSvcs.exe
PID 3168 wrote to memory of 2084	3168	hpipl.com	RegSvcs.exe
PID 3168 wrote to memory of 2084	3168	hpipl.com	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\e8743f06f20025a2c408dd712d19633b928dcbb13695f408560cc2ad5cf27662.exe
"C:\Users\Admin\AppData\Local\Temp\e8743f06f20025a2c408dd712d19633b928dcbb13695f408560cc2ad5cf27662.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1296

C:\Users\Admin\AppData\Roaming\ijxfn\hpipl.com
"C:\Users\Admin\AppData\Roaming\ijxfn\hpipl.com" mmous.jbu
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:376

C:\Users\Admin\AppData\Roaming\ijxfn\hpipl.com
C:\Users\Admin\AppData\Roaming\ijxfn\hpipl.com C:\Users\Admin\AppData\Roaming\ijxfn\LBFOK
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3168

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
4⤵
PID:2972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2972 -s 80
5⤵
- Program crash
PID:2656

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
C:\Users\Admin\AppData\Roaming\ijxfn\LBFOK
4⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
PID:2084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2972 -ip 2972
1⤵
PID:4524

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\ijxfn\LBFOK
Filesize
91KB

MD5
95da1e6539333b1e58e22e4615cb0138

SHA1
02f825b227f559539621e3bb042576c9792d61c7

SHA256
e56c096e7fbf783f01c6ab0a43792612b0b4659ae10d0109fc4c80c6ee85b98b

SHA512
09e75b4bc14339d6d39dcbe0e071fda9a7edd9f74147976b5a3db90ceb3d923e3b5ef00dee4dd2d678fa092566832092dd94c384819a473a17d916de19790daf

Download Submit
C:\Users\Admin\AppData\Roaming\ijxfn\YMQGIX
Filesize
37KB

MD5
fc8b6b7d9510d0a9bbfc01f9693f9d7e

SHA1
01ba37b11e094021839021561a87f5287912c7cd

SHA256
e92e5ba42a32d4905ff85a84add0e329739c0bbe3bf0b4b17c7d7dbb4159ceb9

SHA512
51fc490c316eac9ac21c1cbb54fddcc5fd1cd9e910a7bac1d92dc4f3081afd34f4a65a1cfcb5cd3aa4ac30a61c6247950143e00f6e34cc57ba9274c6be463708

Download Submit
C:\Users\Admin\AppData\Roaming\ijxfn\bmlxn.tvu
Filesize
502KB

MD5
b13e0d6875ae62f5b2ecd54a02a7b653

SHA1
d961994b7b83d40c295c8df1cec36458afb53a87

SHA256
45c1428c50b5dfb7abfe27ee0a9b7aba171c4b5df4f3d4aa7ffb0d97b27374cc

SHA512
b025330d82a405b1688129cc66cc8df0891378e166b540750ccea06f3d56a16ec504f78cc6b84c588116d24008cad0638e89b06c85388f103c9857fd2ebe9b94

Download Submit
C:\Users\Admin\AppData\Roaming\ijxfn\fltio.phd
Filesize
91KB

MD5
b4b46bfbe36c41507e4e11db1bcefc21

SHA1
d2cd460364898786deebf8dc0df0f199f360b873

SHA256
f206412081ceefc177fcf8b582c682285f43010db4d987c00d01c10fe7e5aee5

SHA512
e39d31290d0ab72864c7aa6dffb8466cd098a9130c7014df6e76c0cca74dd95bde807f7a4113df8db5ecd834a0f71346a95ccdc6bea1c553a8e8e1f778ec65a9

Download Submit
C:\Users\Admin\AppData\Roaming\ijxfn\gnqma.xvj
Filesize
11KB

MD5
3a565d1ed48165a093799f0ab8547ccf

SHA1
dba472229f646382ceca77ac3af55b25ce5946d3

SHA256
67de9cd7d8b0968bbb48b9df5fdfb6a6d374356eb6caa8766e8783f0f9fe131b

SHA512
aa9d2917781936548188eccc6f9d0bb0e248abe5059afa43aa8d63b9648e6e582ee67922665c4a53a67b3d1333c992906da85f20abd05e3599864242bd50ab70

Download Submit
C:\Users\Admin\AppData\Roaming\ijxfn\hpipl.com
Filesize
732KB

MD5
71d8f6d5dc35517275bc38ebcc815f9f

SHA1
cae4e8c730de5a01d30aabeb3e5cb2136090ed8d

SHA256
fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b

SHA512
4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

Download Submit
C:\Users\Admin\AppData\Roaming\ijxfn\hpipl.com
Filesize
732KB

MD5
71d8f6d5dc35517275bc38ebcc815f9f

SHA1
cae4e8c730de5a01d30aabeb3e5cb2136090ed8d

SHA256
fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b

SHA512
4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

Download Submit
C:\Users\Admin\AppData\Roaming\ijxfn\hpipl.com
Filesize
732KB

MD5
71d8f6d5dc35517275bc38ebcc815f9f

SHA1
cae4e8c730de5a01d30aabeb3e5cb2136090ed8d

SHA256
fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b

SHA512
4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

Download Submit
C:\Users\Admin\AppData\Roaming\ijxfn\mdtqa.flp
Filesize
9KB

MD5
c897ff98f1e1b70734469863a07505c8

SHA1
e8b4194ac879d60b9de49b5820271f5c1680e0a2

SHA256
ba751fd519b521a6888dafe6d68fb21055782824340305095af6fa5ec93162ed

SHA512
81f3c95dc09675b5e2b71ba59fb62c4a3b03caca109898b94ee200e3392cd85650a6741f319e59aaf559b58496cbf9161e1f421a5b43e3092f21ff629e283217

Download Submit
C:\Users\Admin\AppData\Roaming\ijxfn\mmous.jbu
Filesize
812KB

MD5
58be2d58669004af0d4c1dde3859621a

SHA1
25d7a66b2124b83c1ffb8002d505030b51a7934a

SHA256
df814f4932d70f16ec8c8f5df88bf8d80e8c89ff59ecc8bbfb1a8772c6a61813

SHA512
b9ce6ed6c6f3814b56b60fff0777f31a3270bd451efea30f59c2d0a1168de644a8abc8cfe639484603be2df560d4f062c9db12eaf15bd5a4d9d4538259f8fb6e

Download Submit
C:\Users\Admin\AppData\Roaming\ijxfn\snwkw.ubk
Filesize
9KB

MD5
0f8be8f5649fe7e6e180e5ab68eb8f75

SHA1
9e17a69f410a7659e557f6e2de161a15fa0af061

SHA256
a406b84d7b2051794cd33c24710197c6639b79f66085f1fc8394a93073771cfd

SHA512
9553dae25b16ceb9f9ba1c9967e09692ba059ad0d315ef7e76e76f5888794bf3b589948392c93cad6c35117312a2aa493802dafd78b91875f74ae90735467de5

Download Submit
C:\Users\Admin\AppData\Roaming\ijxfn\spd
Filesize
4B

MD5
098f6bcd4621d373cade4e832627b4f6

SHA1
a94a8fe5ccb19ba61c4c0873d391e987982fbbd3

SHA256
9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08

SHA512
ee26b0dd4af7e749aa1a8ee3c10ae9923f618980772e473f8819a5d4940e0db27ac185f8a0e1d5f84f88bc887fd67b143732c304cc5fa9ad8e6f57f50028a8ff

Download Submit
C:\Users\Admin\AppData\Roaming\ijxfn\uowhu.roa
Filesize
10KB

MD5
6e29cb059b73f17c8b423bef1281d147

SHA1
3351a3d464b42d45f0622e092e857cc060bfe5bf

SHA256
540dfe48b0a694972f00b94d03a808dfa1c027c0de791c279fa76e7bff8ed442

SHA512
5a70008b81008b6f62b90fd3e26f8fdf95f6df0fa16408dd6bf33a7cde8ac8c1c9175c9cab90be95940efabb6312e156ebf895fc3073dd438586fa715b8aacff

Download Submit
memory/376-132-0x0000000000000000-mapping.dmp

Download
memory/2084-148-0x0000000000000000-mapping.dmp

Download
memory/2084-149-0x0000000000800000-0x00000000008CC000-memory.dmp

Filesize
816KB

Download
memory/2084-151-0x0000000000800000-0x00000000008CC000-memory.dmp

Filesize
816KB

Download
memory/2084-152-0x0000000000800000-0x00000000008CC000-memory.dmp

Filesize
816KB

Download
memory/2084-154-0x0000000000800000-0x00000000008CC000-memory.dmp

Filesize
816KB

Download
memory/2972-146-0x0000000000000000-mapping.dmp

Download
memory/3168-143-0x0000000000000000-mapping.dmp

Download