03ac976888d1dd9ef6beebcf38a3502150a46ee3ec6e19c8c0314b15e7b94072

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
12/10/2022, 17:35

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

03ac976888d1dd9ef6beebcf38a3502150a46ee3ec6e19c8c0314b15e7b94072.exe
Size

104KB
MD5

6b25f49ade3a9a77714ca67b987a87a0
SHA1

1291904f9193e55361276fd53b16773ecd695e38
SHA256

03ac976888d1dd9ef6beebcf38a3502150a46ee3ec6e19c8c0314b15e7b94072
SHA512

2a0d297d38fe8fe1633a696ce6a00192c3245de03665f8d89d54c6dd0e7ed0abecc12ec163f37f9871f69ffc6be0599d1df80ad23ba02037a5b261b3347adbfa
SSDEEP

3072:uetDOSpgJremwXSAvNdH1w4IqeolDHXOMxiU:2Spgxem/4NbTIq9D3Vxi

Score

8^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
4984	trys.exe
3788	trys.exe
1152	trys.exe

UPX packed file 21 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3044-134-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral2/memory/4612-136-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/3044-139-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral2/memory/4612-138-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/4612-140-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/4612-143-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/files/0x0002000000022df6-148.dat	upx
behavioral2/files/0x0002000000022df6-149.dat	upx
behavioral2/memory/4984-152-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral2/memory/4612-153-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/files/0x0002000000022df6-156.dat	upx
behavioral2/memory/1152-159-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/files/0x0002000000022df6-161.dat	upx
behavioral2/memory/1152-165-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/4984-166-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral2/memory/4612-169-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/1152-168-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/1152-170-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/3788-171-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/1152-172-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/3788-173-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	03ac976888d1dd9ef6beebcf38a3502150a46ee3ec6e19c8c0314b15e7b94072.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ineter Mc = "C:\\Users\\Admin\\AppData\\Roaming\\trys.exe"	reg.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 3044 set thread context of 4612	3044	03ac976888d1dd9ef6beebcf38a3502150a46ee3ec6e19c8c0314b15e7b94072.exe	88
PID 4984 set thread context of 3788	4984	trys.exe	98
PID 4984 set thread context of 1152	4984	trys.exe	99

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3788	trys.exe
Token: SeDebugPrivilege	3788	trys.exe
Token: SeDebugPrivilege	3788	trys.exe
Token: SeDebugPrivilege	3788	trys.exe
Token: SeDebugPrivilege	3788	trys.exe
Token: SeDebugPrivilege	3788	trys.exe
Token: SeDebugPrivilege	3788	trys.exe
Token: SeDebugPrivilege	3788	trys.exe
Token: SeDebugPrivilege	3788	trys.exe
Token: SeDebugPrivilege	3788	trys.exe
Token: SeDebugPrivilege	3788	trys.exe
Token: SeDebugPrivilege	3788	trys.exe
Token: SeDebugPrivilege	3788	trys.exe
Token: SeDebugPrivilege	3788	trys.exe
Token: SeDebugPrivilege	3788	trys.exe
Token: SeDebugPrivilege	3788	trys.exe
Token: SeDebugPrivilege	3788	trys.exe
Token: SeDebugPrivilege	3788	trys.exe
Token: SeDebugPrivilege	3788	trys.exe
Token: SeDebugPrivilege	3788	trys.exe
Token: SeDebugPrivilege	3788	trys.exe
Token: SeDebugPrivilege	3788	trys.exe
Token: SeDebugPrivilege	3788	trys.exe
Token: SeDebugPrivilege	3788	trys.exe
Token: SeDebugPrivilege	3788	trys.exe
Token: SeDebugPrivilege	3788	trys.exe
Token: SeDebugPrivilege	3788	trys.exe
Token: SeDebugPrivilege	3788	trys.exe
Token: SeDebugPrivilege	3788	trys.exe
Token: SeDebugPrivilege	3788	trys.exe
Token: SeDebugPrivilege	3788	trys.exe
Token: SeDebugPrivilege	3788	trys.exe
Token: SeDebugPrivilege	3788	trys.exe
Token: SeDebugPrivilege	3788	trys.exe
Token: SeDebugPrivilege	3788	trys.exe
Token: SeDebugPrivilege	3788	trys.exe
Token: SeDebugPrivilege	3788	trys.exe
Token: SeDebugPrivilege	3788	trys.exe
Token: SeDebugPrivilege	3788	trys.exe
Token: SeDebugPrivilege	3788	trys.exe
Token: SeDebugPrivilege	3788	trys.exe
Token: SeDebugPrivilege	3788	trys.exe
Token: SeDebugPrivilege	3788	trys.exe
Token: SeDebugPrivilege	3788	trys.exe
Token: SeDebugPrivilege	3788	trys.exe
Token: SeDebugPrivilege	3788	trys.exe
Token: SeDebugPrivilege	3788	trys.exe
Token: SeDebugPrivilege	3788	trys.exe
Token: SeDebugPrivilege	3788	trys.exe
Token: SeDebugPrivilege	3788	trys.exe
Token: SeDebugPrivilege	3788	trys.exe
Token: SeDebugPrivilege	3788	trys.exe
Token: SeDebugPrivilege	3788	trys.exe
Token: SeDebugPrivilege	3788	trys.exe
Token: SeDebugPrivilege	3788	trys.exe
Token: SeDebugPrivilege	3788	trys.exe
Token: SeDebugPrivilege	3788	trys.exe
Token: SeDebugPrivilege	3788	trys.exe
Token: SeDebugPrivilege	3788	trys.exe
Token: SeDebugPrivilege	3788	trys.exe
Token: SeDebugPrivilege	3788	trys.exe
Token: SeDebugPrivilege	3788	trys.exe
Token: SeDebugPrivilege	3788	trys.exe
Token: SeDebugPrivilege	3788	trys.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3044	03ac976888d1dd9ef6beebcf38a3502150a46ee3ec6e19c8c0314b15e7b94072.exe
4612	03ac976888d1dd9ef6beebcf38a3502150a46ee3ec6e19c8c0314b15e7b94072.exe
4984	trys.exe
3788	trys.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 3044 wrote to memory of 4612	3044	03ac976888d1dd9ef6beebcf38a3502150a46ee3ec6e19c8c0314b15e7b94072.exe	88
PID 3044 wrote to memory of 4612	3044	03ac976888d1dd9ef6beebcf38a3502150a46ee3ec6e19c8c0314b15e7b94072.exe	88
PID 3044 wrote to memory of 4612	3044	03ac976888d1dd9ef6beebcf38a3502150a46ee3ec6e19c8c0314b15e7b94072.exe	88
PID 3044 wrote to memory of 4612	3044	03ac976888d1dd9ef6beebcf38a3502150a46ee3ec6e19c8c0314b15e7b94072.exe	88
PID 3044 wrote to memory of 4612	3044	03ac976888d1dd9ef6beebcf38a3502150a46ee3ec6e19c8c0314b15e7b94072.exe	88
PID 3044 wrote to memory of 4612	3044	03ac976888d1dd9ef6beebcf38a3502150a46ee3ec6e19c8c0314b15e7b94072.exe	88
PID 3044 wrote to memory of 4612	3044	03ac976888d1dd9ef6beebcf38a3502150a46ee3ec6e19c8c0314b15e7b94072.exe	88
PID 3044 wrote to memory of 4612	3044	03ac976888d1dd9ef6beebcf38a3502150a46ee3ec6e19c8c0314b15e7b94072.exe	88
PID 4612 wrote to memory of 3168	4612	03ac976888d1dd9ef6beebcf38a3502150a46ee3ec6e19c8c0314b15e7b94072.exe	89
PID 4612 wrote to memory of 3168	4612	03ac976888d1dd9ef6beebcf38a3502150a46ee3ec6e19c8c0314b15e7b94072.exe	89
PID 4612 wrote to memory of 3168	4612	03ac976888d1dd9ef6beebcf38a3502150a46ee3ec6e19c8c0314b15e7b94072.exe	89
PID 3168 wrote to memory of 912	3168	cmd.exe	93
PID 3168 wrote to memory of 912	3168	cmd.exe	93
PID 3168 wrote to memory of 912	3168	cmd.exe	93
PID 4612 wrote to memory of 4984	4612	03ac976888d1dd9ef6beebcf38a3502150a46ee3ec6e19c8c0314b15e7b94072.exe	94
PID 4612 wrote to memory of 4984	4612	03ac976888d1dd9ef6beebcf38a3502150a46ee3ec6e19c8c0314b15e7b94072.exe	94
PID 4612 wrote to memory of 4984	4612	03ac976888d1dd9ef6beebcf38a3502150a46ee3ec6e19c8c0314b15e7b94072.exe	94
PID 4984 wrote to memory of 3788	4984	trys.exe	98
PID 4984 wrote to memory of 3788	4984	trys.exe	98
PID 4984 wrote to memory of 3788	4984	trys.exe	98
PID 4984 wrote to memory of 3788	4984	trys.exe	98
PID 4984 wrote to memory of 3788	4984	trys.exe	98
PID 4984 wrote to memory of 3788	4984	trys.exe	98
PID 4984 wrote to memory of 3788	4984	trys.exe	98
PID 4984 wrote to memory of 3788	4984	trys.exe	98
PID 4984 wrote to memory of 1152	4984	trys.exe	99
PID 4984 wrote to memory of 1152	4984	trys.exe	99
PID 4984 wrote to memory of 1152	4984	trys.exe	99
PID 4984 wrote to memory of 1152	4984	trys.exe	99
PID 4984 wrote to memory of 1152	4984	trys.exe	99
PID 4984 wrote to memory of 1152	4984	trys.exe	99
PID 4984 wrote to memory of 1152	4984	trys.exe	99
PID 4984 wrote to memory of 1152	4984	trys.exe	99

C:\Users\Admin\AppData\Local\Temp\03ac976888d1dd9ef6beebcf38a3502150a46ee3ec6e19c8c0314b15e7b94072.exe
"C:\Users\Admin\AppData\Local\Temp\03ac976888d1dd9ef6beebcf38a3502150a46ee3ec6e19c8c0314b15e7b94072.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3044
- C:\Users\Admin\AppData\Local\Temp\03ac976888d1dd9ef6beebcf38a3502150a46ee3ec6e19c8c0314b15e7b94072.exe
  "C:\Users\Admin\AppData\Local\Temp\03ac976888d1dd9ef6beebcf38a3502150a46ee3ec6e19c8c0314b15e7b94072.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4612
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CQMKY.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3168
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Ineter Mc" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\trys.exe" /f
      4⤵
      Adds Run key to start application
      PID:912
- - C:\Users\Admin\AppData\Roaming\trys.exe
    "C:\Users\Admin\AppData\Roaming\trys.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4984
  - - C:\Users\Admin\AppData\Roaming\trys.exe
      "C:\Users\Admin\AppData\Roaming\trys.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:3788
  - - C:\Users\Admin\AppData\Roaming\trys.exe
      "C:\Users\Admin\AppData\Roaming\trys.exe"
      4⤵
      Executes dropped EXE
      PID:1152

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CQMKY.bat

Filesize
135B

MD5
6dbb2090ff90500da05a027765cde190

SHA1
425b833d9d1df8d6df6e5a59f738058808271949

SHA256
71ca0761f7187f2164f62b23d5d9d2dcfd28d9ab9a8dfc14796c3ac06db03881

SHA512
7e4679e04bd5a69c026949a0d2760a630bc02249a04f3bd224dee41d1bf10f0a29e45812a67c583327a63e5401f0ff2aa9a3f4df8233b150943052c97e861ab3

Download Submit
C:\Users\Admin\AppData\Roaming\trys.exe

Filesize
104KB

MD5
75d4df1223bdf9b900c79a6c8a365101

SHA1
84eeaa5771f287bb71cb6c398cc192120a9c81db

SHA256
17ba753873e1b53a1662576b69e9a772b351be43bac372e8fd27e82aec30da27

SHA512
541c9bc022a97f6a617909bd26181b105d4a72499337c0d0bd9729800e11aebd2f43e4430cbecb2d1a1da27d87e1cb3d14d67a277124169b14d0e52797f8c918

Download Submit
C:\Users\Admin\AppData\Roaming\trys.exe

Filesize
104KB

MD5
75d4df1223bdf9b900c79a6c8a365101

SHA1
84eeaa5771f287bb71cb6c398cc192120a9c81db

SHA256
17ba753873e1b53a1662576b69e9a772b351be43bac372e8fd27e82aec30da27

SHA512
541c9bc022a97f6a617909bd26181b105d4a72499337c0d0bd9729800e11aebd2f43e4430cbecb2d1a1da27d87e1cb3d14d67a277124169b14d0e52797f8c918

Download Submit
C:\Users\Admin\AppData\Roaming\trys.exe

Filesize
104KB

MD5
75d4df1223bdf9b900c79a6c8a365101

SHA1
84eeaa5771f287bb71cb6c398cc192120a9c81db

SHA256
17ba753873e1b53a1662576b69e9a772b351be43bac372e8fd27e82aec30da27

SHA512
541c9bc022a97f6a617909bd26181b105d4a72499337c0d0bd9729800e11aebd2f43e4430cbecb2d1a1da27d87e1cb3d14d67a277124169b14d0e52797f8c918

Download Submit
C:\Users\Admin\AppData\Roaming\trys.exe

Filesize
104KB

MD5
75d4df1223bdf9b900c79a6c8a365101

SHA1
84eeaa5771f287bb71cb6c398cc192120a9c81db

SHA256
17ba753873e1b53a1662576b69e9a772b351be43bac372e8fd27e82aec30da27

SHA512
541c9bc022a97f6a617909bd26181b105d4a72499337c0d0bd9729800e11aebd2f43e4430cbecb2d1a1da27d87e1cb3d14d67a277124169b14d0e52797f8c918

Download Submit
memory/1152-168-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1152-172-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1152-165-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1152-159-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1152-170-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3044-139-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/3044-134-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/3788-173-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3788-171-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4612-153-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4612-169-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4612-143-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4612-140-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4612-138-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4612-136-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4984-152-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/4984-166-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download