945bc608c1ccde198358cead7879a250c956e287c131879eec788bcfb3771033

Analysis

max time kernel
157s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
11/10/2022, 05:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

945bc608c1ccde198358cead7879a250c956e287c131879eec788bcfb3771033.exe
Size

484KB
MD5

483cc654d0d5f6e7746664d004534c5b
SHA1

b674c265665d7038f936f32c22e50362eaa057aa
SHA256

945bc608c1ccde198358cead7879a250c956e287c131879eec788bcfb3771033
SHA512

ed553678b17be40f13d1b3a70108ae53d2c703f12082b9427bd62c22c788f114238fd5088cd8199eccf70d816a712d9d26b5e37ffa159b4ec299a7f7035978a5
SSDEEP

12288:en1bAg3OGAEcISFxOtu6CeMegkLCz9dT8G:e1feGAEcIM+CeXgky78G

Score

8^/10

bootkit persistence upx

Malware Config

Signatures

Executes dropped EXE 7 IoCs

pid	Process
4112	ic7.exe
4820	1EuroP.exe
4860	2E4U - Bucks.exe
3320	3IC.exe
1748	4IR.exe
840	5tbp.exe
2172	b2l0zj6.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0006000000022e67-146.dat	upx
behavioral2/files/0x0006000000022e67-145.dat	upx
behavioral2/memory/1748-158-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral2/files/0x000200000001e726-173.dat	upx
behavioral2/memory/2172-174-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral2/memory/1748-175-0x0000000000400000-0x000000000042F000-memory.dmp	upx

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	945bc608c1ccde198358cead7879a250c956e287c131879eec788bcfb3771033.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	1EuroP.exe

Loads dropped DLL 2 IoCs

pid	Process
3472	rundll32.exe
2788	rundll32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Sfawenesanuze = "rundll32.exe \"C:\\Users\\Admin\\AppData\\Local\\ipudond.dll\",Startup"	rundll32.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\physicaldrive0	3IC.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1952	4860	WerFault.exe	82

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
3472	rundll32.exe
3472	rundll32.exe
3472	rundll32.exe
3472	rundll32.exe
3472	rundll32.exe
3472	rundll32.exe
3472	rundll32.exe
3472	rundll32.exe
3472	rundll32.exe
3472	rundll32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3320	3IC.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
840	5tbp.exe
1748	4IR.exe
3472	rundll32.exe
1748	4IR.exe
1748	4IR.exe
2788	rundll32.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 4888 wrote to memory of 4112	4888	945bc608c1ccde198358cead7879a250c956e287c131879eec788bcfb3771033.exe	80
PID 4888 wrote to memory of 4112	4888	945bc608c1ccde198358cead7879a250c956e287c131879eec788bcfb3771033.exe	80
PID 4888 wrote to memory of 4112	4888	945bc608c1ccde198358cead7879a250c956e287c131879eec788bcfb3771033.exe	80
PID 4888 wrote to memory of 4820	4888	945bc608c1ccde198358cead7879a250c956e287c131879eec788bcfb3771033.exe	81
PID 4888 wrote to memory of 4820	4888	945bc608c1ccde198358cead7879a250c956e287c131879eec788bcfb3771033.exe	81
PID 4888 wrote to memory of 4820	4888	945bc608c1ccde198358cead7879a250c956e287c131879eec788bcfb3771033.exe	81
PID 4888 wrote to memory of 4860	4888	945bc608c1ccde198358cead7879a250c956e287c131879eec788bcfb3771033.exe	82
PID 4888 wrote to memory of 4860	4888	945bc608c1ccde198358cead7879a250c956e287c131879eec788bcfb3771033.exe	82
PID 4888 wrote to memory of 4860	4888	945bc608c1ccde198358cead7879a250c956e287c131879eec788bcfb3771033.exe	82
PID 4888 wrote to memory of 3320	4888	945bc608c1ccde198358cead7879a250c956e287c131879eec788bcfb3771033.exe	83
PID 4888 wrote to memory of 3320	4888	945bc608c1ccde198358cead7879a250c956e287c131879eec788bcfb3771033.exe	83
PID 4888 wrote to memory of 3320	4888	945bc608c1ccde198358cead7879a250c956e287c131879eec788bcfb3771033.exe	83
PID 4888 wrote to memory of 1748	4888	945bc608c1ccde198358cead7879a250c956e287c131879eec788bcfb3771033.exe	84
PID 4888 wrote to memory of 1748	4888	945bc608c1ccde198358cead7879a250c956e287c131879eec788bcfb3771033.exe	84
PID 4888 wrote to memory of 1748	4888	945bc608c1ccde198358cead7879a250c956e287c131879eec788bcfb3771033.exe	84
PID 4888 wrote to memory of 840	4888	945bc608c1ccde198358cead7879a250c956e287c131879eec788bcfb3771033.exe	85
PID 4888 wrote to memory of 840	4888	945bc608c1ccde198358cead7879a250c956e287c131879eec788bcfb3771033.exe	85
PID 4888 wrote to memory of 840	4888	945bc608c1ccde198358cead7879a250c956e287c131879eec788bcfb3771033.exe	85
PID 840 wrote to memory of 3472	840	5tbp.exe	86
PID 840 wrote to memory of 3472	840	5tbp.exe	86
PID 840 wrote to memory of 3472	840	5tbp.exe	86
PID 3472 wrote to memory of 2788	3472	rundll32.exe	91
PID 3472 wrote to memory of 2788	3472	rundll32.exe	91
PID 3472 wrote to memory of 2788	3472	rundll32.exe	91
PID 4820 wrote to memory of 3044	4820	1EuroP.exe	93
PID 4820 wrote to memory of 3044	4820	1EuroP.exe	93
PID 4820 wrote to memory of 3044	4820	1EuroP.exe	93

C:\Users\Admin\AppData\Local\Temp\945bc608c1ccde198358cead7879a250c956e287c131879eec788bcfb3771033.exe
"C:\Users\Admin\AppData\Local\Temp\945bc608c1ccde198358cead7879a250c956e287c131879eec788bcfb3771033.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4888
- C:\Users\Admin\AppData\Local\Temp\nsf21F1.tmp\ic7.exe
  "C:\Users\Admin\AppData\Local\Temp\nsf21F1.tmp\ic7.exe"
  2⤵
  - Executes dropped EXE
  PID:4112
- C:\Users\Admin\AppData\Local\Temp\nsf21F1.tmp\1EuroP.exe
  "C:\Users\Admin\AppData\Local\Temp\nsf21F1.tmp\1EuroP.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:4820
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /q /c "C:\Users\Admin\AppData\Local\Temp\Ttj..bat" > nul 2> nul
    3⤵
    PID:3044
- C:\Users\Admin\AppData\Local\Temp\nsf21F1.tmp\2E4U - Bucks.exe
  "C:\Users\Admin\AppData\Local\Temp\nsf21F1.tmp\2E4U - Bucks.exe"
  2⤵
  - Executes dropped EXE
  PID:4860
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4860 -s 276
    3⤵
    - Program crash
    PID:1952
- C:\Users\Admin\AppData\Local\Temp\nsf21F1.tmp\3IC.exe
  "C:\Users\Admin\AppData\Local\Temp\nsf21F1.tmp\3IC.exe"
  2⤵
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of AdjustPrivilegeToken
  PID:3320
- C:\Users\Admin\AppData\Local\Temp\nsf21F1.tmp\4IR.exe
  "C:\Users\Admin\AppData\Local\Temp\nsf21F1.tmp\4IR.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1748
- - C:\b2l0zj6.exe
    \b2l0zj6.exe
    3⤵
    - Executes dropped EXE
    PID:2172
- - C:\Windows\SysWOW64\Rundll32.exe
    Rundll32.exe setupapi,InstallHinfSection DefaultInstall 128 \mdinstall.inf
    3⤵
    PID:3164
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c \80e81bi6.bat
    3⤵
    PID:3668
- C:\Users\Admin\AppData\Local\Temp\nsf21F1.tmp\5tbp.exe
  "C:\Users\Admin\AppData\Local\Temp\nsf21F1.tmp\5tbp.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:840
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Users\Admin\AppData\Local\ipudond.dll",Startup
    3⤵
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3472
  - - C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe "C:\Users\Admin\AppData\Local\ipudond.dll",iep
      4⤵
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      PID:2788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4860 -ip 4860
1⤵
PID:3976

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Ttj..bat

Filesize
182B

MD5
9ca7cfd44fa236fb6856dbaa1344c37b

SHA1
5d403861081c4b0fbf302827ea275d769643fffd

SHA256
751b6ff5d6c99f32208168a465ccd5485769446b6b9a7f847a3cbcf3d7e8c55c

SHA512
7562dc64c50a636d4dad75beb983257d422379cbf97128bd4d89422dcc7142e26388c6a96649a75498b25a7bcf321aaae2c073efbcf03adb3dcdda7a36f4e3a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf21F1.tmp\1EuroP.exe

Filesize
123KB

MD5
8025e18d32a78e600d7b31fc999d1981

SHA1
5d02214769c3e2cb33f78d34d47c3b8a95ffeb67

SHA256
794bbfc162a490aaf9fe1769ba724ea73ef37bc71c68bbe2f1d9b8fc20973f05

SHA512
e3a08d567ee2a6441d45f8c2509f513d29326a1cb450f2f4074993c2620cf9740d6ef25802b30c44342d3a1773b86bf1ccb29de8c8ec53ded5bb1bdd9e62ecf9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf21F1.tmp\1EuroP.exe

Filesize
123KB

MD5
8025e18d32a78e600d7b31fc999d1981

SHA1
5d02214769c3e2cb33f78d34d47c3b8a95ffeb67

SHA256
794bbfc162a490aaf9fe1769ba724ea73ef37bc71c68bbe2f1d9b8fc20973f05

SHA512
e3a08d567ee2a6441d45f8c2509f513d29326a1cb450f2f4074993c2620cf9740d6ef25802b30c44342d3a1773b86bf1ccb29de8c8ec53ded5bb1bdd9e62ecf9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf21F1.tmp\2E4U - Bucks.exe

Filesize
101KB

MD5
63be94a261ea1ec2af6ebf71f17fed7d

SHA1
6efa514008f42823d9a294a92f82e608f13e6bdc

SHA256
de38f4b0c483c7b47b2e4dae620bf654e86803513d5ccfa6538eea28a5372c58

SHA512
217190bcb0004fe3231b61e1eb853111f4cdde53781101111ceea7cfc306baa7f6dabaec12c7a5019ed1cf30d220bad328f886adc02481da7737571e5f3a936a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf21F1.tmp\2E4U - Bucks.exe

Filesize
101KB

MD5
63be94a261ea1ec2af6ebf71f17fed7d

SHA1
6efa514008f42823d9a294a92f82e608f13e6bdc

SHA256
de38f4b0c483c7b47b2e4dae620bf654e86803513d5ccfa6538eea28a5372c58

SHA512
217190bcb0004fe3231b61e1eb853111f4cdde53781101111ceea7cfc306baa7f6dabaec12c7a5019ed1cf30d220bad328f886adc02481da7737571e5f3a936a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf21F1.tmp\3IC.exe

Filesize
200KB

MD5
1ea2371df3f4804d820e70863931e3f7

SHA1
0878e26b8d605dbf2968eadb5a2bc7d24a881abe

SHA256
6f2f3da3e526b8f8d7ee64928b7ec4101aa32364686c9620395bdb4bd9265e20

SHA512
79e634926ea0ed0d1808fbf55dbd78925191a4d36afb08ee02be1b753523f642a9d0db752410bf31558591b652753d4772899c339cdb07a944e9ab43282e8ff6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf21F1.tmp\3IC.exe

Filesize
200KB

MD5
1ea2371df3f4804d820e70863931e3f7

SHA1
0878e26b8d605dbf2968eadb5a2bc7d24a881abe

SHA256
6f2f3da3e526b8f8d7ee64928b7ec4101aa32364686c9620395bdb4bd9265e20

SHA512
79e634926ea0ed0d1808fbf55dbd78925191a4d36afb08ee02be1b753523f642a9d0db752410bf31558591b652753d4772899c339cdb07a944e9ab43282e8ff6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf21F1.tmp\4IR.exe

Filesize
54KB

MD5
25dc18797540da3ddd151c9d5fdd80ef

SHA1
0420b9ab191e4dc2714cf0de26665c5c5af5112a

SHA256
fbfd0962e0a6c684f26ff25dcf75a14a0e262c99ed747cde6e782d3656ce26d2

SHA512
16c7fc990199b59c57894ec316609698a40d2091addc811bde7de4415bc39342ca4e2f95dc7d6715da5c83b0b351748e0772eee1f783e3c8435d30bc11fc7dd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf21F1.tmp\4IR.exe

Filesize
54KB

MD5
25dc18797540da3ddd151c9d5fdd80ef

SHA1
0420b9ab191e4dc2714cf0de26665c5c5af5112a

SHA256
fbfd0962e0a6c684f26ff25dcf75a14a0e262c99ed747cde6e782d3656ce26d2

SHA512
16c7fc990199b59c57894ec316609698a40d2091addc811bde7de4415bc39342ca4e2f95dc7d6715da5c83b0b351748e0772eee1f783e3c8435d30bc11fc7dd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf21F1.tmp\5tbp.exe

Filesize
116KB

MD5
2db4e91cd4f15148edfa19a7ae413dc1

SHA1
d31dba56500bb734bb986255ff577c8eeb7562af

SHA256
7def71997a8abdc17535861603014e1d43dfdb54ab2541aa6c51e9587e1b2ddd

SHA512
d7b20e25d004a4412eec77eb456fb54ad8b8c84652dd69cd9da1d6993b12896947f075e933ac045dd7c10ab09c1c29bb35d97881378646bbd270c1f47e6441a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf21F1.tmp\5tbp.exe

Filesize
116KB

MD5
2db4e91cd4f15148edfa19a7ae413dc1

SHA1
d31dba56500bb734bb986255ff577c8eeb7562af

SHA256
7def71997a8abdc17535861603014e1d43dfdb54ab2541aa6c51e9587e1b2ddd

SHA512
d7b20e25d004a4412eec77eb456fb54ad8b8c84652dd69cd9da1d6993b12896947f075e933ac045dd7c10ab09c1c29bb35d97881378646bbd270c1f47e6441a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf21F1.tmp\ic7.exe

Filesize
3KB

MD5
46e07fd3a40760fda18cf6b4fc691742

SHA1
53ee1a754bf5e94fa88a6ab8bb6120b4011afcfa

SHA256
bd7ca609d2fb63e14d08acab1091579c23e298b4fa2ac1e8d2daaff94fc107be

SHA512
ce13f6527cbd13002dca00b71ab38ab12e3f3f7138ada0780ad3f40e7c49946c018a00782ec957b1fd123fb439aabc0d9b3660829dabf10ddcebba08d6e2fbbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf21F1.tmp\ic7.exe

Filesize
3KB

MD5
46e07fd3a40760fda18cf6b4fc691742

SHA1
53ee1a754bf5e94fa88a6ab8bb6120b4011afcfa

SHA256
bd7ca609d2fb63e14d08acab1091579c23e298b4fa2ac1e8d2daaff94fc107be

SHA512
ce13f6527cbd13002dca00b71ab38ab12e3f3f7138ada0780ad3f40e7c49946c018a00782ec957b1fd123fb439aabc0d9b3660829dabf10ddcebba08d6e2fbbd

Download Submit
C:\Users\Admin\AppData\Local\ipudond.dll

Filesize
116KB

MD5
62739b21c5326c7f529cc81820146e89

SHA1
c30454bc0084ec83b03fe6a05e117ace03d8e773

SHA256
00d58e475aa466d04973b4e30edf12205dcaf0719269ef98774050d3ecd8bffd

SHA512
5f5cb3dd0ce38be5d86d34c661b95b6677b7277a452abec749d526623a50f6f4724d93e5467a76844dc9bfc7fa872742595f2512402f794988c26e00c4f32231

Download Submit
C:\Users\Admin\AppData\Local\ipudond.dll

Filesize
116KB

MD5
62739b21c5326c7f529cc81820146e89

SHA1
c30454bc0084ec83b03fe6a05e117ace03d8e773

SHA256
00d58e475aa466d04973b4e30edf12205dcaf0719269ef98774050d3ecd8bffd

SHA512
5f5cb3dd0ce38be5d86d34c661b95b6677b7277a452abec749d526623a50f6f4724d93e5467a76844dc9bfc7fa872742595f2512402f794988c26e00c4f32231

Download Submit
C:\Users\Admin\AppData\Local\ipudond.dll

Filesize
116KB

MD5
62739b21c5326c7f529cc81820146e89

SHA1
c30454bc0084ec83b03fe6a05e117ace03d8e773

SHA256
00d58e475aa466d04973b4e30edf12205dcaf0719269ef98774050d3ecd8bffd

SHA512
5f5cb3dd0ce38be5d86d34c661b95b6677b7277a452abec749d526623a50f6f4724d93e5467a76844dc9bfc7fa872742595f2512402f794988c26e00c4f32231

Download Submit
C:\b2l0zj6.exe

Filesize
54KB

MD5
25dc18797540da3ddd151c9d5fdd80ef

SHA1
0420b9ab191e4dc2714cf0de26665c5c5af5112a

SHA256
fbfd0962e0a6c684f26ff25dcf75a14a0e262c99ed747cde6e782d3656ce26d2

SHA512
16c7fc990199b59c57894ec316609698a40d2091addc811bde7de4415bc39342ca4e2f95dc7d6715da5c83b0b351748e0772eee1f783e3c8435d30bc11fc7dd7

Download Submit
memory/840-150-0x0000000010000000-0x000000001001D000-memory.dmp

Filesize
116KB

Download
memory/840-157-0x0000000000561000-0x000000000056F000-memory.dmp

Filesize
56KB

Download
memory/1748-175-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1748-158-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2172-174-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2788-169-0x0000000002611000-0x000000000261F000-memory.dmp

Filesize
56KB

Download
memory/3320-162-0x0000000001DB0000-0x0000000001DF8000-memory.dmp

Filesize
288KB

Download
memory/3320-159-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3320-164-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3472-163-0x0000000002291000-0x000000000229F000-memory.dmp

Filesize
56KB

Download
memory/3472-156-0x0000000010000000-0x000000001001D000-memory.dmp

Filesize
116KB

Download
memory/4820-165-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4820-171-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4820-160-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4820-161-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download