Analysis
-
max time kernel
136s -
max time network
141s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
02-10-2022 11:52
General
-
Target
ef39e86415c40bd689daa72244dc89e85a627984b062b6f625755d1cb20bfd1d.exe
-
Size
177KB
-
MD5
66d6129b6222698871dfe75744574140
-
SHA1
8cfcc9b2eb0bdf57c672c2717698449c6365e727
-
SHA256
ef39e86415c40bd689daa72244dc89e85a627984b062b6f625755d1cb20bfd1d
-
SHA512
5c979ca7df678d4c0b83c7b1f181d74f1e06419b916bb0fa9fe69fcca43d967f54564363b0090550f5a14a23a2d4c789ee55110aca5222ab5f9b8f0a5ec2fbcd
-
SSDEEP
3072:mH4MnMqAOOtxTb1DG4SWeIajBsVroNw7dVQoD43GD5a7IW+:mHZnMqALTmIajSdoNQdWoD485a7ID
Malware Config
Signatures
-
Modifies firewall policy service 2 TTPs 3 IoCs
-
Modifies security service 2 TTPs 3 IoCs
-
UAC bypass 3 TTPs 1 IoCs
-
Windows security bypass 2 TTPs 6 IoCs
-
Executes dropped EXE 2 IoCs
-
UPX packed file 9 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Windows security modification 2 TTPs 6 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 8 IoCs
-
Modifies Internet Explorer settings 1 TTPs 34 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: LoadsDriver 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SetWindowsHookEx 12 IoCs
-
Suspicious use of WriteProcessMemory 45 IoCs
-
System policy modification 1 TTPs 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\ef39e86415c40bd689daa72244dc89e85a627984b062b6f625755d1cb20bfd1d.exe"C:\Users\Admin\AppData\Local\Temp\ef39e86415c40bd689daa72244dc89e85a627984b062b6f625755d1cb20bfd1d.exe"1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2208 -s 2043⤵
- Program crash
-
-
-
C:\Program Files (x86)\Internet Explorer\iexplore.exe"C:\Program Files (x86)\Internet Explorer\iexplore.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Internet Explorer\IEXPLORE.EXE"C:\Program Files\Internet Explorer\IEXPLORE.EXE"3⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1800 CREDAT:17410 /prefetch:24⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1800 CREDAT:82950 /prefetch:24⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
-
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3980 -s 2043⤵
- Program crash
-
-
-
C:\Program Files (x86)\Internet Explorer\iexplore.exe"C:\Program Files (x86)\Internet Explorer\iexplore.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Internet Explorer\IEXPLORE.EXE"C:\Program Files\Internet Explorer\IEXPLORE.EXE"3⤵
- Modifies Internet Explorer settings
-
-
-
C:\Users\Admin\AppData\Local\Temp\gwvdiqeh.exe"C:\Users\Admin\AppData\Local\Temp\gwvdiqeh.exe" elevate2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\gwvdiqeh.exe"" admin3⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\gwvdiqeh.exe"C:\Users\Admin\AppData\Local\Temp\gwvdiqeh.exe" admin4⤵
- Modifies firewall policy service
- Modifies security service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 956 -s 6085⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 956 -s 6245⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3560 -s 7243⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3560 -s 8843⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5032 -s 8882⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5032 -s 12002⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2208 -ip 22081⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3980 -ip 39801⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 5032 -ip 50321⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 3560 -ip 35601⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 5032 -ip 50321⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3560 -ip 35601⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 956 -ip 9561⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 956 -ip 9561⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
471B
MD5fd70739fca5345a28f924f9102ae10ee
SHA16ce3f92183544f3bf52cb76364591589cb940a19
SHA256f238404cc643efddef8ff430f128cdc8ec1513969eaac24b5e5bce81248a91e7
SHA512a787d3a2bceeaed2f2a29f357df6ae17d5b9f66a3c561550d5f83c308ad26a1ddf876488151ff5e51ce93bfb9d0c7b8ca812d595e8d3ebdda7d805707ac1b278
-
Filesize
404B
MD5b4085c565853bf02c4bfe00a8001a6ca
SHA1138bbd6e9e38ae8a2646c6057b36f4001f14a3ae
SHA256bffa9954702df9ae9a475345ed4e58df146d902af3aed53947ae05c75b1ca387
SHA5123e22c0e522d3a748b496e776bc77ffb314199c558bbae689eff0aafddddaf7ba8d10d62c4ab45d218378df7667edf0be064b49e38fd4706f88bf96a7a092ac18
-
Filesize
177KB
MD566d6129b6222698871dfe75744574140
SHA18cfcc9b2eb0bdf57c672c2717698449c6365e727
SHA256ef39e86415c40bd689daa72244dc89e85a627984b062b6f625755d1cb20bfd1d
SHA5125c979ca7df678d4c0b83c7b1f181d74f1e06419b916bb0fa9fe69fcca43d967f54564363b0090550f5a14a23a2d4c789ee55110aca5222ab5f9b8f0a5ec2fbcd
-
Filesize
177KB
MD566d6129b6222698871dfe75744574140
SHA18cfcc9b2eb0bdf57c672c2717698449c6365e727
SHA256ef39e86415c40bd689daa72244dc89e85a627984b062b6f625755d1cb20bfd1d
SHA5125c979ca7df678d4c0b83c7b1f181d74f1e06419b916bb0fa9fe69fcca43d967f54564363b0090550f5a14a23a2d4c789ee55110aca5222ab5f9b8f0a5ec2fbcd
-
Filesize
177KB
MD566d6129b6222698871dfe75744574140
SHA18cfcc9b2eb0bdf57c672c2717698449c6365e727
SHA256ef39e86415c40bd689daa72244dc89e85a627984b062b6f625755d1cb20bfd1d
SHA5125c979ca7df678d4c0b83c7b1f181d74f1e06419b916bb0fa9fe69fcca43d967f54564363b0090550f5a14a23a2d4c789ee55110aca5222ab5f9b8f0a5ec2fbcd
-
-
Filesize
216KB
-
Filesize
224KB
-
Filesize
100KB
-
Filesize
100KB
-
Filesize
224KB
-
-
Filesize
224KB
-
Filesize
92KB
-
-
Filesize
216KB
-
-
-
Filesize
216KB
-
Filesize
216KB
-
Filesize
224KB
-
Filesize
224KB
-
Filesize
92KB