Analysis

  • max time kernel
    150s
  • max time network
    183s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04/10/2022, 05:12

General

  • Target

    57b5b10ab543276440dbbe91867394f0db0fba810cecb4d99b6e21480ec3fa94.exe

  • Size

    239KB

  • MD5

    1c470acf85ef922149f351df9d40c1fc

  • SHA1

    66f619676f1b7bf535db17f56ca45343a5da86ef

  • SHA256

    57b5b10ab543276440dbbe91867394f0db0fba810cecb4d99b6e21480ec3fa94

  • SHA512

    8236d30214b0ae1a41cbf00f252aef9b144fa82abe50695b907e3924e31952c064d74004e42fd13c2c8d120a6be2ff9e53163889d5a8ddc69c6369ee54725ac0

  • SSDEEP

    6144:iKK/LAiOHJL1lf/AR0XTH8g/jGJGpy0/FKk2Jfd4dV:iKK/LAHJL1lf/XXTHD/jGJGw07P

Score
8/10
upx

Malware Config

Signatures

  • Executes dropped EXE 6 IoCs
  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 5 IoCs
  • Modifies Internet Explorer settings 1 TTPs 41 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of SetWindowsHookEx 30 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\57b5b10ab543276440dbbe91867394f0db0fba810cecb4d99b6e21480ec3fa94.exe
    "C:\Users\Admin\AppData\Local\Temp\57b5b10ab543276440dbbe91867394f0db0fba810cecb4d99b6e21480ec3fa94.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:532
    • C:\Users\Admin\AppData\Local\Temp\BG3ry23
      "BG3ry23"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:4300
      • C:\Users\Admin\AppData\Local\Temp\BG3ry23
        C:\Users\Admin\AppData\Local\Temp\BG3ry23
        3⤵
        • Executes dropped EXE
        • Checks computer location settings
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1432
        • C:\Windows\SysWOW64\svchost.exe
          C:\Windows\system32\svchost.exe
          4⤵
            PID:4720
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 4720 -s 204
              5⤵
              • Program crash
              PID:4232
          • C:\Program Files (x86)\Internet Explorer\iexplore.exe
            "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2336
            • C:\Program Files\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
              5⤵
              • Modifies Internet Explorer settings
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:1508
              • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1508 CREDAT:17410 /prefetch:2
                6⤵
                • Modifies Internet Explorer settings
                • Suspicious use of SetWindowsHookEx
                PID:4364
              • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1508 CREDAT:82950 /prefetch:2
                6⤵
                • Modifies Internet Explorer settings
                • Suspicious use of SetWindowsHookEx
                PID:3612
              • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1508 CREDAT:17418 /prefetch:2
                6⤵
                • Modifies Internet Explorer settings
                • Suspicious use of SetWindowsHookEx
                PID:2548
              • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1508 CREDAT:82958 /prefetch:2
                6⤵
                • Modifies Internet Explorer settings
                • Suspicious use of SetWindowsHookEx
                PID:2152
          • C:\Windows\SysWOW64\svchost.exe
            C:\Windows\system32\svchost.exe
            4⤵
              PID:220
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 220 -s 204
                5⤵
                • Program crash
                PID:3652
            • C:\Program Files (x86)\Internet Explorer\iexplore.exe
              "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:3488
              • C:\Program Files\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
                5⤵
                • Modifies Internet Explorer settings
                PID:3928
            • C:\Users\Admin\AppData\Local\Temp\ynumunxxaxaghuns.exe
              "C:\Users\Admin\AppData\Local\Temp\ynumunxxaxaghuns.exe" elevate
              4⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Suspicious use of WriteProcessMemory
              PID:4976
              • C:\Users\Admin\AppData\Local\Temp\ynumunxxaxaghuns.exe
                C:\Users\Admin\AppData\Local\Temp\ynumunxxaxaghuns.exe
                5⤵
                • Executes dropped EXE
                • Checks computer location settings
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:3044
                • C:\Windows\SysWOW64\svchost.exe
                  C:\Windows\system32\svchost.exe
                  6⤵
                    PID:1656
                    • C:\Windows\SysWOW64\WerFault.exe
                      C:\Windows\SysWOW64\WerFault.exe -u -p 1656 -s 204
                      7⤵
                      • Program crash
                      PID:1484
                  • C:\Program Files (x86)\Internet Explorer\iexplore.exe
                    "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
                    6⤵
                      PID:2328
                      • C:\Program Files\Internet Explorer\IEXPLORE.EXE
                        "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
                        7⤵
                        • Modifies Internet Explorer settings
                        PID:4668
                    • C:\Windows\SysWOW64\svchost.exe
                      C:\Windows\system32\svchost.exe
                      6⤵
                        PID:3552
                        • C:\Windows\SysWOW64\WerFault.exe
                          C:\Windows\SysWOW64\WerFault.exe -u -p 3552 -s 204
                          7⤵
                          • Program crash
                          PID:3764
                      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
                        "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
                        6⤵
                          PID:4712
                          • C:\Program Files\Internet Explorer\IEXPLORE.EXE
                            "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
                            7⤵
                            • Modifies Internet Explorer settings
                            PID:4988
                        • C:\Users\Admin\AppData\Local\Temp\ynumunxxaxaghuns.exe
                          "C:\Users\Admin\AppData\Local\Temp\ynumunxxaxaghuns.exe" elevate
                          6⤵
                          • Executes dropped EXE
                          • Suspicious use of SetThreadContext
                          PID:3164
                          • C:\Users\Admin\AppData\Local\Temp\ynumunxxaxaghuns.exe
                            C:\Users\Admin\AppData\Local\Temp\ynumunxxaxaghuns.exe
                            7⤵
                            • Executes dropped EXE
                            • Suspicious use of AdjustPrivilegeToken
                            PID:3160
                            • C:\Windows\SysWOW64\svchost.exe
                              C:\Windows\system32\svchost.exe
                              8⤵
                                PID:4300
                                • C:\Windows\SysWOW64\WerFault.exe
                                  C:\Windows\SysWOW64\WerFault.exe -u -p 4300 -s 204
                                  9⤵
                                  • Program crash
                                  PID:1004
                              • C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
                                8⤵
                                  PID:1860
                                  • C:\Program Files\Internet Explorer\IEXPLORE.EXE
                                    "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
                                    9⤵
                                    • Modifies Internet Explorer settings
                                    PID:3272
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4720 -ip 4720
                    1⤵
                      PID:4736
                    • C:\Windows\SysWOW64\WerFault.exe
                      C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 220 -ip 220
                      1⤵
                        PID:2168
                      • C:\Windows\SysWOW64\WerFault.exe
                        C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 1656 -ip 1656
                        1⤵
                          PID:2992
                        • C:\Windows\SysWOW64\WerFault.exe
                          C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3552 -ip 3552
                          1⤵
                            PID:1724
                          • C:\Windows\SysWOW64\WerFault.exe
                            C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4300 -ip 4300
                            1⤵
                              PID:4372

                            Network

                            MITRE ATT&CK Enterprise v6

                            Replay Monitor

                            Loading Replay Monitor...

                            Downloads

                            • C:\Users\Admin\AppData\Local\Temp\BG3ry23

                              Filesize

                              169KB

                              MD5

                              8d7fffdc5fa650429e06d7d7f9b9e639

                              SHA1

                              f072366e3522f1ae05704410af710f95daab57a9

                              SHA256

                              6f64930ab0dae493aa7adce4f1b8687b99d3b4a57b52f760acd1de61ce12a8e3

                              SHA512

                              91c4a6760117be43ecf73e035e1a07009af82a81aafe8f78f86938c341018b49e8f20a7ec71a27882ca31719d42ca764702e0be13a378d53fbc2f4bb910da8cf

                            • C:\Users\Admin\AppData\Local\Temp\BG3ry23

                              Filesize

                              169KB

                              MD5

                              8d7fffdc5fa650429e06d7d7f9b9e639

                              SHA1

                              f072366e3522f1ae05704410af710f95daab57a9

                              SHA256

                              6f64930ab0dae493aa7adce4f1b8687b99d3b4a57b52f760acd1de61ce12a8e3

                              SHA512

                              91c4a6760117be43ecf73e035e1a07009af82a81aafe8f78f86938c341018b49e8f20a7ec71a27882ca31719d42ca764702e0be13a378d53fbc2f4bb910da8cf

                            • C:\Users\Admin\AppData\Local\Temp\BG3ry23

                              Filesize

                              169KB

                              MD5

                              8d7fffdc5fa650429e06d7d7f9b9e639

                              SHA1

                              f072366e3522f1ae05704410af710f95daab57a9

                              SHA256

                              6f64930ab0dae493aa7adce4f1b8687b99d3b4a57b52f760acd1de61ce12a8e3

                              SHA512

                              91c4a6760117be43ecf73e035e1a07009af82a81aafe8f78f86938c341018b49e8f20a7ec71a27882ca31719d42ca764702e0be13a378d53fbc2f4bb910da8cf

                            • C:\Users\Admin\AppData\Local\Temp\ynumunxxaxaghuns.exe

                              Filesize

                              169KB

                              MD5

                              8d7fffdc5fa650429e06d7d7f9b9e639

                              SHA1

                              f072366e3522f1ae05704410af710f95daab57a9

                              SHA256

                              6f64930ab0dae493aa7adce4f1b8687b99d3b4a57b52f760acd1de61ce12a8e3

                              SHA512

                              91c4a6760117be43ecf73e035e1a07009af82a81aafe8f78f86938c341018b49e8f20a7ec71a27882ca31719d42ca764702e0be13a378d53fbc2f4bb910da8cf

                            • C:\Users\Admin\AppData\Local\Temp\ynumunxxaxaghuns.exe

                              Filesize

                              169KB

                              MD5

                              8d7fffdc5fa650429e06d7d7f9b9e639

                              SHA1

                              f072366e3522f1ae05704410af710f95daab57a9

                              SHA256

                              6f64930ab0dae493aa7adce4f1b8687b99d3b4a57b52f760acd1de61ce12a8e3

                              SHA512

                              91c4a6760117be43ecf73e035e1a07009af82a81aafe8f78f86938c341018b49e8f20a7ec71a27882ca31719d42ca764702e0be13a378d53fbc2f4bb910da8cf

                            • C:\Users\Admin\AppData\Local\Temp\ynumunxxaxaghuns.exe

                              Filesize

                              169KB

                              MD5

                              8d7fffdc5fa650429e06d7d7f9b9e639

                              SHA1

                              f072366e3522f1ae05704410af710f95daab57a9

                              SHA256

                              6f64930ab0dae493aa7adce4f1b8687b99d3b4a57b52f760acd1de61ce12a8e3

                              SHA512

                              91c4a6760117be43ecf73e035e1a07009af82a81aafe8f78f86938c341018b49e8f20a7ec71a27882ca31719d42ca764702e0be13a378d53fbc2f4bb910da8cf

                            • C:\Users\Admin\AppData\Local\Temp\ynumunxxaxaghuns.exe

                              Filesize

                              169KB

                              MD5

                              8d7fffdc5fa650429e06d7d7f9b9e639

                              SHA1

                              f072366e3522f1ae05704410af710f95daab57a9

                              SHA256

                              6f64930ab0dae493aa7adce4f1b8687b99d3b4a57b52f760acd1de61ce12a8e3

                              SHA512

                              91c4a6760117be43ecf73e035e1a07009af82a81aafe8f78f86938c341018b49e8f20a7ec71a27882ca31719d42ca764702e0be13a378d53fbc2f4bb910da8cf

                            • C:\Users\Admin\AppData\Local\Temp\ynumunxxaxaghuns.exe

                              Filesize

                              169KB

                              MD5

                              8d7fffdc5fa650429e06d7d7f9b9e639

                              SHA1

                              f072366e3522f1ae05704410af710f95daab57a9

                              SHA256

                              6f64930ab0dae493aa7adce4f1b8687b99d3b4a57b52f760acd1de61ce12a8e3

                              SHA512

                              91c4a6760117be43ecf73e035e1a07009af82a81aafe8f78f86938c341018b49e8f20a7ec71a27882ca31719d42ca764702e0be13a378d53fbc2f4bb910da8cf

                            • memory/1432-136-0x0000000000400000-0x0000000000434000-memory.dmp

                              Filesize

                              208KB

                            • memory/1432-139-0x0000000000400000-0x0000000000434000-memory.dmp

                              Filesize

                              208KB

                            • memory/1432-141-0x0000000000400000-0x0000000000434000-memory.dmp

                              Filesize

                              208KB

                            • memory/1432-149-0x0000000000400000-0x0000000000434000-memory.dmp

                              Filesize

                              208KB

                            • memory/3044-163-0x0000000000400000-0x0000000000434000-memory.dmp

                              Filesize

                              208KB

                            • memory/3044-158-0x0000000000400000-0x0000000000434000-memory.dmp

                              Filesize

                              208KB

                            • memory/3160-172-0x0000000000400000-0x0000000000434000-memory.dmp

                              Filesize

                              208KB