3e7f79a7f07a8a58de86ad381c5a1a535c21f956138639a08db44324407b67d7

Analysis

max time kernel
91s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
12-10-2022 16:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3e7f79a7f07a8a58de86ad381c5a1a535c21f956138639a08db44324407b67d7.exe
Size

1.9MB
MD5

c18eedf717d2241791d0d6d198108c3a
SHA1

11cca93f01133aac7ad9d0d8b0d11d600738681d
SHA256

3e7f79a7f07a8a58de86ad381c5a1a535c21f956138639a08db44324407b67d7
SHA512

73e166ce56d03c4d80af33ea516690d7e6020c75a43cf742f9d8cf3e5ebae392b2b8924fc80de888fffc54bfef3a31c104ccca16510aadc21334ad2138ce2713
SSDEEP

24576:t7FUDowAyrTVE3U5FmMtjqHMQs3JIwaVzE5x7awFhJdNo69lOy7KTijlz:tBuZrEUWsb3ipE55DdN7POGjh

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3880	3e7f79a7f07a8a58de86ad381c5a1a535c21f956138639a08db44324407b67d7.tmp
3084	3e7f79a7f07a8a58de86ad381c5a1a535c21f956138639a08db44324407b67d7.tmp

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	3e7f79a7f07a8a58de86ad381c5a1a535c21f956138639a08db44324407b67d7.tmp

Loads dropped DLL 2 IoCs

pid	Process
3880	3e7f79a7f07a8a58de86ad381c5a1a535c21f956138639a08db44324407b67d7.tmp
3084	3e7f79a7f07a8a58de86ad381c5a1a535c21f956138639a08db44324407b67d7.tmp

Unexpected DNS network traffic destination 3 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	130.61.117.123
Destination IP	130.61.117.123
Destination IP	130.61.117.123

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3084 set thread context of 1956	3084	3e7f79a7f07a8a58de86ad381c5a1a535c21f956138639a08db44324407b67d7.tmp	91

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3472	1956	WerFault.exe	91

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1956	explorer.exe
1956	explorer.exe
1956	explorer.exe
1956	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4724 wrote to memory of 3880	4724	3e7f79a7f07a8a58de86ad381c5a1a535c21f956138639a08db44324407b67d7.exe	84
PID 4724 wrote to memory of 3880	4724	3e7f79a7f07a8a58de86ad381c5a1a535c21f956138639a08db44324407b67d7.exe	84
PID 4724 wrote to memory of 3880	4724	3e7f79a7f07a8a58de86ad381c5a1a535c21f956138639a08db44324407b67d7.exe	84
PID 3880 wrote to memory of 1848	3880	3e7f79a7f07a8a58de86ad381c5a1a535c21f956138639a08db44324407b67d7.tmp	85
PID 3880 wrote to memory of 1848	3880	3e7f79a7f07a8a58de86ad381c5a1a535c21f956138639a08db44324407b67d7.tmp	85
PID 3880 wrote to memory of 1848	3880	3e7f79a7f07a8a58de86ad381c5a1a535c21f956138639a08db44324407b67d7.tmp	85
PID 1848 wrote to memory of 3084	1848	3e7f79a7f07a8a58de86ad381c5a1a535c21f956138639a08db44324407b67d7.exe	86
PID 1848 wrote to memory of 3084	1848	3e7f79a7f07a8a58de86ad381c5a1a535c21f956138639a08db44324407b67d7.exe	86
PID 1848 wrote to memory of 3084	1848	3e7f79a7f07a8a58de86ad381c5a1a535c21f956138639a08db44324407b67d7.exe	86
PID 3084 wrote to memory of 1956	3084	3e7f79a7f07a8a58de86ad381c5a1a535c21f956138639a08db44324407b67d7.tmp	91
PID 3084 wrote to memory of 1956	3084	3e7f79a7f07a8a58de86ad381c5a1a535c21f956138639a08db44324407b67d7.tmp	91
PID 3084 wrote to memory of 1956	3084	3e7f79a7f07a8a58de86ad381c5a1a535c21f956138639a08db44324407b67d7.tmp	91
PID 3084 wrote to memory of 1956	3084	3e7f79a7f07a8a58de86ad381c5a1a535c21f956138639a08db44324407b67d7.tmp	91
PID 3084 wrote to memory of 1956	3084	3e7f79a7f07a8a58de86ad381c5a1a535c21f956138639a08db44324407b67d7.tmp	91
PID 3084 wrote to memory of 1956	3084	3e7f79a7f07a8a58de86ad381c5a1a535c21f956138639a08db44324407b67d7.tmp	91
PID 3084 wrote to memory of 1956	3084	3e7f79a7f07a8a58de86ad381c5a1a535c21f956138639a08db44324407b67d7.tmp	91
PID 3084 wrote to memory of 1956	3084	3e7f79a7f07a8a58de86ad381c5a1a535c21f956138639a08db44324407b67d7.tmp	91
PID 3084 wrote to memory of 1956	3084	3e7f79a7f07a8a58de86ad381c5a1a535c21f956138639a08db44324407b67d7.tmp	91
PID 3084 wrote to memory of 1956	3084	3e7f79a7f07a8a58de86ad381c5a1a535c21f956138639a08db44324407b67d7.tmp	91
PID 3084 wrote to memory of 1956	3084	3e7f79a7f07a8a58de86ad381c5a1a535c21f956138639a08db44324407b67d7.tmp	91
PID 3084 wrote to memory of 1956	3084	3e7f79a7f07a8a58de86ad381c5a1a535c21f956138639a08db44324407b67d7.tmp	91
PID 3084 wrote to memory of 1956	3084	3e7f79a7f07a8a58de86ad381c5a1a535c21f956138639a08db44324407b67d7.tmp	91
PID 3084 wrote to memory of 1956	3084	3e7f79a7f07a8a58de86ad381c5a1a535c21f956138639a08db44324407b67d7.tmp	91
PID 3084 wrote to memory of 1956	3084	3e7f79a7f07a8a58de86ad381c5a1a535c21f956138639a08db44324407b67d7.tmp	91
PID 3084 wrote to memory of 1956	3084	3e7f79a7f07a8a58de86ad381c5a1a535c21f956138639a08db44324407b67d7.tmp	91
PID 3084 wrote to memory of 1956	3084	3e7f79a7f07a8a58de86ad381c5a1a535c21f956138639a08db44324407b67d7.tmp	91
PID 3084 wrote to memory of 1956	3084	3e7f79a7f07a8a58de86ad381c5a1a535c21f956138639a08db44324407b67d7.tmp	91
PID 3084 wrote to memory of 1956	3084	3e7f79a7f07a8a58de86ad381c5a1a535c21f956138639a08db44324407b67d7.tmp	91
PID 3084 wrote to memory of 1956	3084	3e7f79a7f07a8a58de86ad381c5a1a535c21f956138639a08db44324407b67d7.tmp	91
PID 3084 wrote to memory of 1956	3084	3e7f79a7f07a8a58de86ad381c5a1a535c21f956138639a08db44324407b67d7.tmp	91
PID 3084 wrote to memory of 1956	3084	3e7f79a7f07a8a58de86ad381c5a1a535c21f956138639a08db44324407b67d7.tmp	91
PID 3084 wrote to memory of 1956	3084	3e7f79a7f07a8a58de86ad381c5a1a535c21f956138639a08db44324407b67d7.tmp	91
PID 3084 wrote to memory of 1956	3084	3e7f79a7f07a8a58de86ad381c5a1a535c21f956138639a08db44324407b67d7.tmp	91
PID 3084 wrote to memory of 1956	3084	3e7f79a7f07a8a58de86ad381c5a1a535c21f956138639a08db44324407b67d7.tmp	91
PID 3084 wrote to memory of 1956	3084	3e7f79a7f07a8a58de86ad381c5a1a535c21f956138639a08db44324407b67d7.tmp	91
PID 3084 wrote to memory of 1956	3084	3e7f79a7f07a8a58de86ad381c5a1a535c21f956138639a08db44324407b67d7.tmp	91
PID 3084 wrote to memory of 1956	3084	3e7f79a7f07a8a58de86ad381c5a1a535c21f956138639a08db44324407b67d7.tmp	91
PID 3084 wrote to memory of 1956	3084	3e7f79a7f07a8a58de86ad381c5a1a535c21f956138639a08db44324407b67d7.tmp	91
PID 3084 wrote to memory of 1956	3084	3e7f79a7f07a8a58de86ad381c5a1a535c21f956138639a08db44324407b67d7.tmp	91
PID 3084 wrote to memory of 1956	3084	3e7f79a7f07a8a58de86ad381c5a1a535c21f956138639a08db44324407b67d7.tmp	91
PID 3084 wrote to memory of 1956	3084	3e7f79a7f07a8a58de86ad381c5a1a535c21f956138639a08db44324407b67d7.tmp	91
PID 3084 wrote to memory of 1956	3084	3e7f79a7f07a8a58de86ad381c5a1a535c21f956138639a08db44324407b67d7.tmp	91
PID 3084 wrote to memory of 1956	3084	3e7f79a7f07a8a58de86ad381c5a1a535c21f956138639a08db44324407b67d7.tmp	91
PID 3084 wrote to memory of 1956	3084	3e7f79a7f07a8a58de86ad381c5a1a535c21f956138639a08db44324407b67d7.tmp	91
PID 3084 wrote to memory of 1956	3084	3e7f79a7f07a8a58de86ad381c5a1a535c21f956138639a08db44324407b67d7.tmp	91
PID 3084 wrote to memory of 1956	3084	3e7f79a7f07a8a58de86ad381c5a1a535c21f956138639a08db44324407b67d7.tmp	91
PID 3084 wrote to memory of 1956	3084	3e7f79a7f07a8a58de86ad381c5a1a535c21f956138639a08db44324407b67d7.tmp	91
PID 3084 wrote to memory of 1956	3084	3e7f79a7f07a8a58de86ad381c5a1a535c21f956138639a08db44324407b67d7.tmp	91
PID 3084 wrote to memory of 1956	3084	3e7f79a7f07a8a58de86ad381c5a1a535c21f956138639a08db44324407b67d7.tmp	91
PID 3084 wrote to memory of 1956	3084	3e7f79a7f07a8a58de86ad381c5a1a535c21f956138639a08db44324407b67d7.tmp	91
PID 3084 wrote to memory of 1956	3084	3e7f79a7f07a8a58de86ad381c5a1a535c21f956138639a08db44324407b67d7.tmp	91
PID 3084 wrote to memory of 1956	3084	3e7f79a7f07a8a58de86ad381c5a1a535c21f956138639a08db44324407b67d7.tmp	91
PID 3084 wrote to memory of 1956	3084	3e7f79a7f07a8a58de86ad381c5a1a535c21f956138639a08db44324407b67d7.tmp	91
PID 3084 wrote to memory of 1956	3084	3e7f79a7f07a8a58de86ad381c5a1a535c21f956138639a08db44324407b67d7.tmp	91
PID 3084 wrote to memory of 1956	3084	3e7f79a7f07a8a58de86ad381c5a1a535c21f956138639a08db44324407b67d7.tmp	91
PID 3084 wrote to memory of 1956	3084	3e7f79a7f07a8a58de86ad381c5a1a535c21f956138639a08db44324407b67d7.tmp	91
PID 3084 wrote to memory of 1956	3084	3e7f79a7f07a8a58de86ad381c5a1a535c21f956138639a08db44324407b67d7.tmp	91
PID 3084 wrote to memory of 1956	3084	3e7f79a7f07a8a58de86ad381c5a1a535c21f956138639a08db44324407b67d7.tmp	91
PID 3084 wrote to memory of 1956	3084	3e7f79a7f07a8a58de86ad381c5a1a535c21f956138639a08db44324407b67d7.tmp	91
PID 3084 wrote to memory of 1956	3084	3e7f79a7f07a8a58de86ad381c5a1a535c21f956138639a08db44324407b67d7.tmp	91
PID 3084 wrote to memory of 1956	3084	3e7f79a7f07a8a58de86ad381c5a1a535c21f956138639a08db44324407b67d7.tmp	91
PID 3084 wrote to memory of 1956	3084	3e7f79a7f07a8a58de86ad381c5a1a535c21f956138639a08db44324407b67d7.tmp	91
PID 3084 wrote to memory of 1956	3084	3e7f79a7f07a8a58de86ad381c5a1a535c21f956138639a08db44324407b67d7.tmp	91
PID 3084 wrote to memory of 1956	3084	3e7f79a7f07a8a58de86ad381c5a1a535c21f956138639a08db44324407b67d7.tmp	91

C:\Users\Admin\AppData\Local\Temp\3e7f79a7f07a8a58de86ad381c5a1a535c21f956138639a08db44324407b67d7.exe
"C:\Users\Admin\AppData\Local\Temp\3e7f79a7f07a8a58de86ad381c5a1a535c21f956138639a08db44324407b67d7.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4724
- C:\Users\Admin\AppData\Local\Temp\is-N3N3H.tmp\3e7f79a7f07a8a58de86ad381c5a1a535c21f956138639a08db44324407b67d7.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-N3N3H.tmp\3e7f79a7f07a8a58de86ad381c5a1a535c21f956138639a08db44324407b67d7.tmp" /SL5="$1D01DC,1123903,832512,C:\Users\Admin\AppData\Local\Temp\3e7f79a7f07a8a58de86ad381c5a1a535c21f956138639a08db44324407b67d7.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3880
- - C:\Users\Admin\AppData\Local\Temp\3e7f79a7f07a8a58de86ad381c5a1a535c21f956138639a08db44324407b67d7.exe
    "C:\Users\Admin\AppData\Local\Temp\3e7f79a7f07a8a58de86ad381c5a1a535c21f956138639a08db44324407b67d7.exe" /VERYSILENT
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1848
  - - C:\Users\Admin\AppData\Local\Temp\is-3BRFF.tmp\3e7f79a7f07a8a58de86ad381c5a1a535c21f956138639a08db44324407b67d7.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-3BRFF.tmp\3e7f79a7f07a8a58de86ad381c5a1a535c21f956138639a08db44324407b67d7.tmp" /SL5="$1E01DC,1123903,832512,C:\Users\Admin\AppData\Local\Temp\3e7f79a7f07a8a58de86ad381c5a1a535c21f956138639a08db44324407b67d7.exe" /VERYSILENT
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:3084
    - - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe 92
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1956
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1956 -s 1196
        6⤵
        Program crash
        
        PID:3472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1956 -ip 1956
1⤵
PID:4720

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-3BRFF.tmp\3e7f79a7f07a8a58de86ad381c5a1a535c21f956138639a08db44324407b67d7.tmp

Filesize
3.0MB

MD5
6b4b3a771b70a471d8b0cd318b9298e9

SHA1
47eb8bf55d56ee221e56c00b8fdfc1a6ddc95f6f

SHA256
c23aa1780d81d16cfa9caaf60cf0b12a2b0772f3c9ced5c22b415eb62ee232fa

SHA512
f8c327c3f0b9c6351b7e22627053f493f728c96a15f6d50d9597913e21c03a4a937312dca6b06a24b909deb92e3f9986997628db84b825d6c940deeab8f58d5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-964DC.tmp\helper.dll

Filesize
419KB

MD5
7acd12c152179c868c825aada166e40a

SHA1
6e3f2392b9296c79698434dadf6cfd5395aa8ba7

SHA256
34f43b1fd5bf852de7071540eb0768fce1d7e45a90d3ac18d2ebe99aacb1a940

SHA512
03b592c1f4f1d5175680e9ed4ddc8cf5bd53a56fad33d887425a95c9fb3670c7d075df59903e7d1ca5686a60a7acb3b7237c8fc815105b853e62bdca367dec2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-N3N3H.tmp\3e7f79a7f07a8a58de86ad381c5a1a535c21f956138639a08db44324407b67d7.tmp

Filesize
3.0MB

MD5
6b4b3a771b70a471d8b0cd318b9298e9

SHA1
47eb8bf55d56ee221e56c00b8fdfc1a6ddc95f6f

SHA256
c23aa1780d81d16cfa9caaf60cf0b12a2b0772f3c9ced5c22b415eb62ee232fa

SHA512
f8c327c3f0b9c6351b7e22627053f493f728c96a15f6d50d9597913e21c03a4a937312dca6b06a24b909deb92e3f9986997628db84b825d6c940deeab8f58d5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-VQTAL.tmp\helper.dll

Filesize
419KB

MD5
7acd12c152179c868c825aada166e40a

SHA1
6e3f2392b9296c79698434dadf6cfd5395aa8ba7

SHA256
34f43b1fd5bf852de7071540eb0768fce1d7e45a90d3ac18d2ebe99aacb1a940

SHA512
03b592c1f4f1d5175680e9ed4ddc8cf5bd53a56fad33d887425a95c9fb3670c7d075df59903e7d1ca5686a60a7acb3b7237c8fc815105b853e62bdca367dec2c

Download Submit
memory/1848-138-0x0000000000000000-mapping.dmp

Download
memory/1848-145-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/1848-139-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/1848-153-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/1956-148-0x0000000000160000-0x00000000001A0000-memory.dmp

Filesize
256KB

Download
memory/1956-147-0x0000000000000000-mapping.dmp

Download
memory/1956-150-0x0000000000160000-0x00000000001A0000-memory.dmp

Filesize
256KB

Download
memory/1956-151-0x0000000000160000-0x00000000001A0000-memory.dmp

Filesize
256KB

Download
memory/1956-152-0x0000000000160000-0x00000000001A0000-memory.dmp

Filesize
256KB

Download
memory/3084-142-0x0000000000000000-mapping.dmp

Download
memory/3084-146-0x0000000003480000-0x00000000034BB000-memory.dmp

Filesize
236KB

Download
memory/3084-149-0x0000000003480000-0x00000000034BB000-memory.dmp

Filesize
236KB

Download
memory/3880-135-0x0000000000000000-mapping.dmp

Download
memory/4724-134-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/4724-132-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/4724-141-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download