75e10cadf357f35c9cb9095ce78354b25237338cd21877d34770e2c9d3780a42

Analysis

max time kernel
61s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
08/10/2022, 22:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

75e10cadf357f35c9cb9095ce78354b25237338cd21877d34770e2c9d3780a42.exe
Size

2.3MB
MD5

313f09780a2ad45f5a7f7eb5cd3bc74a
SHA1

dc162675599bc6613b0cde34203f59ee9ebac1db
SHA256

75e10cadf357f35c9cb9095ce78354b25237338cd21877d34770e2c9d3780a42
SHA512

797ad380df4e9add6ef3043dca8d64cf09a4c7256139378dfb62dcffa6176ddbe4630c4c1ac8860fee9bff1d62c59dc20f53d0cbd96469ed4a4d478e18459004
SSDEEP

49152:ueDEAqF5rR6iU9yzhDs/ioe3ugjNAYo/xQvF1XWbtKGY6FammuGpNTgFKlcOShch:ueDEAqF5rR6iU9yzRs/ioe3ugjNAYGiV

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4908	Bat_To_Exe_Converter_(x32).exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000a000000022e4b-133.dat	upx
behavioral2/files/0x000a000000022e4b-134.dat	upx
behavioral2/memory/4908-135-0x0000000000400000-0x0000000000742000-memory.dmp	upx
behavioral2/memory/4908-138-0x0000000000400000-0x0000000000742000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	75e10cadf357f35c9cb9095ce78354b25237338cd21877d34770e2c9d3780a42.exe

Loads dropped DLL 1 IoCs

pid	Process
4908	Bat_To_Exe_Converter_(x32).exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1680 wrote to memory of 4908	1680	75e10cadf357f35c9cb9095ce78354b25237338cd21877d34770e2c9d3780a42.exe	82
PID 1680 wrote to memory of 4908	1680	75e10cadf357f35c9cb9095ce78354b25237338cd21877d34770e2c9d3780a42.exe	82
PID 1680 wrote to memory of 4908	1680	75e10cadf357f35c9cb9095ce78354b25237338cd21877d34770e2c9d3780a42.exe	82

C:\Users\Admin\AppData\Local\Temp\75e10cadf357f35c9cb9095ce78354b25237338cd21877d34770e2c9d3780a42.exe
"C:\Users\Admin\AppData\Local\Temp\75e10cadf357f35c9cb9095ce78354b25237338cd21877d34770e2c9d3780a42.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1680
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\Bat_To_Exe_Converter_(x32).exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Bat_To_Exe_Converter_(x32).exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4908

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7890.tmp\Scilexer.dll

Filesize
399KB

MD5
9092cc0fa27603c620df12b58c4c89df

SHA1
7b2e36fcf71aa8e20c3006a1ec001d50503a66e7

SHA256
6468cdf465b47c64ec621f548fff5e32ca24e21f50a331a17014f68006b12f0e

SHA512
a5a0d023cd06cc3b398b6929dfefb345d1ead3de54728b916e2c1c6a492a34ef610a0eedb55864b6f3d6f98fde2273223b4496a5a27b1b3ba87ba0baa6138419

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Bat_To_Exe_Converter_(x32).exe

Filesize
1.8MB

MD5
4229d83b56553a234b5141fa43464f61

SHA1
d4af1ffc18d9f64d24902a917f5b5a2513c3d85a

SHA256
6d0db8805dde63767573ec5453f344c10cfa62762908694410da2c781d059969

SHA512
9056017089a2c82118b184e7b235ab60bfac5b6a766a372ccfc9f042422ab23ee3b32b369434ed1631c2790a3d455ad72665af748ea41723c09a0bbad46625e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Bat_To_Exe_Converter_(x32).exe

Filesize
1.8MB

MD5
4229d83b56553a234b5141fa43464f61

SHA1
d4af1ffc18d9f64d24902a917f5b5a2513c3d85a

SHA256
6d0db8805dde63767573ec5453f344c10cfa62762908694410da2c781d059969

SHA512
9056017089a2c82118b184e7b235ab60bfac5b6a766a372ccfc9f042422ab23ee3b32b369434ed1631c2790a3d455ad72665af748ea41723c09a0bbad46625e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\settings

Filesize
478B

MD5
ef8ed3484973cfae8643649aa825eae6

SHA1
39af2f0896d0e410e5bc6bab71c580a70940f2c2

SHA256
b32a3c3c81749c260a2a1e73d4c2a63bd01f4850e8ff76f1ae435909e6ab7626

SHA512
3908ea80e96c684e808a87dca573bd045c0ea21c997915c22072e3c74cb09a87cf4caac414932aacbace1295e7bfefca81cf2d30bceb98204c65b55a2d27c51a

Download Submit
memory/4908-135-0x0000000000400000-0x0000000000742000-memory.dmp

Filesize
3.3MB

Download
memory/4908-138-0x0000000000400000-0x0000000000742000-memory.dmp

Filesize
3.3MB

Download