5400db024123df03f5289f23101f33a222d2a68b6c0ee367867aaff6d1a722ee

Analysis

max time kernel
130s
max time network
169s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
19/10/2022, 14:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5400db024123df03f5289f23101f33a222d2a68b6c0ee367867aaff6d1a722ee.exe
Size

1.9MB
MD5

b5070ad26514463c5e43ab2c3f2eb5bf
SHA1

b65ceaf7747330e21998f5fd85ede8fe15c40508
SHA256

5400db024123df03f5289f23101f33a222d2a68b6c0ee367867aaff6d1a722ee
SHA512

15df8cf67647b6717a5fc478465a32f97b46dbcbc6380a3e441eca121c7f53a7b4a470a16da724ce82fec20cd736c8235e668a224dc3a0d2ce073dedb2136dc1
SSDEEP

49152:wWvCZZbTChxKCnFnQXBbrtgb/iQvu0UHOF:wWvyZ6hxvWbrtUTrUHOF

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 7 IoCs

pid	Process
4704	@AED0B2.tmp.exe
2196	5400db024123df03f5289f23101f33a222d2a68b6c0ee367867aaff6d1a722ee.exe
4540	5400db024123df03f5289f23101f33a222d2a68b6c0ee367867aaff6d1a722ee.exe
4132	WdExt.exe
224	launch.exe
3388	wtmps.exe
4780	mscaps.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	@AED0B2.tmp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	WdExt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	launch.exe

Loads dropped DLL 2 IoCs

pid	Process
4704	@AED0B2.tmp.exe
4132	WdExt.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Defender Extension = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Defender\\launch.exe\""	launch.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\mscaps.exe	wtmps.exe
File opened for modification	C:\Windows\SysWOW64\mscaps.exe	wtmps.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
4704	@AED0B2.tmp.exe
4704	@AED0B2.tmp.exe
4132	WdExt.exe
4132	WdExt.exe
224	launch.exe
224	launch.exe
224	launch.exe
224	launch.exe
224	launch.exe
224	launch.exe
224	launch.exe
224	launch.exe
224	launch.exe
224	launch.exe
224	launch.exe
224	launch.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 3016 wrote to memory of 3604	3016	5400db024123df03f5289f23101f33a222d2a68b6c0ee367867aaff6d1a722ee.exe	82
PID 3016 wrote to memory of 3604	3016	5400db024123df03f5289f23101f33a222d2a68b6c0ee367867aaff6d1a722ee.exe	82
PID 3016 wrote to memory of 3604	3016	5400db024123df03f5289f23101f33a222d2a68b6c0ee367867aaff6d1a722ee.exe	82
PID 3016 wrote to memory of 3604	3016	5400db024123df03f5289f23101f33a222d2a68b6c0ee367867aaff6d1a722ee.exe	82
PID 3016 wrote to memory of 3604	3016	5400db024123df03f5289f23101f33a222d2a68b6c0ee367867aaff6d1a722ee.exe	82
PID 3604 wrote to memory of 4704	3604	explorer.exe	85
PID 3604 wrote to memory of 4704	3604	explorer.exe	85
PID 3604 wrote to memory of 4704	3604	explorer.exe	85
PID 3604 wrote to memory of 2196	3604	explorer.exe	86
PID 3604 wrote to memory of 2196	3604	explorer.exe	86
PID 3604 wrote to memory of 2196	3604	explorer.exe	86
PID 2196 wrote to memory of 4540	2196	5400db024123df03f5289f23101f33a222d2a68b6c0ee367867aaff6d1a722ee.exe	87
PID 2196 wrote to memory of 4540	2196	5400db024123df03f5289f23101f33a222d2a68b6c0ee367867aaff6d1a722ee.exe	87
PID 2196 wrote to memory of 4540	2196	5400db024123df03f5289f23101f33a222d2a68b6c0ee367867aaff6d1a722ee.exe	87
PID 4704 wrote to memory of 1708	4704	@AED0B2.tmp.exe	88
PID 4704 wrote to memory of 1708	4704	@AED0B2.tmp.exe	88
PID 4704 wrote to memory of 1708	4704	@AED0B2.tmp.exe	88
PID 4704 wrote to memory of 4316	4704	@AED0B2.tmp.exe	89
PID 4704 wrote to memory of 4316	4704	@AED0B2.tmp.exe	89
PID 4704 wrote to memory of 4316	4704	@AED0B2.tmp.exe	89
PID 1708 wrote to memory of 4132	1708	cmd.exe	92
PID 1708 wrote to memory of 4132	1708	cmd.exe	92
PID 1708 wrote to memory of 4132	1708	cmd.exe	92
PID 4132 wrote to memory of 5036	4132	WdExt.exe	93
PID 4132 wrote to memory of 5036	4132	WdExt.exe	93
PID 4132 wrote to memory of 5036	4132	WdExt.exe	93
PID 5036 wrote to memory of 224	5036	cmd.exe	95
PID 5036 wrote to memory of 224	5036	cmd.exe	95
PID 5036 wrote to memory of 224	5036	cmd.exe	95
PID 224 wrote to memory of 3748	224	launch.exe	96
PID 224 wrote to memory of 3748	224	launch.exe	96
PID 224 wrote to memory of 3748	224	launch.exe	96
PID 3748 wrote to memory of 3388	3748	cmd.exe	98
PID 3748 wrote to memory of 3388	3748	cmd.exe	98
PID 3748 wrote to memory of 3388	3748	cmd.exe	98
PID 3388 wrote to memory of 4780	3388	wtmps.exe	99
PID 3388 wrote to memory of 4780	3388	wtmps.exe	99
PID 3388 wrote to memory of 4780	3388	wtmps.exe	99

C:\Users\Admin\AppData\Local\Temp\5400db024123df03f5289f23101f33a222d2a68b6c0ee367867aaff6d1a722ee.exe
"C:\Users\Admin\AppData\Local\Temp\5400db024123df03f5289f23101f33a222d2a68b6c0ee367867aaff6d1a722ee.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3016
- C:\Windows\SysWOW64\explorer.exe
  explorer.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3604
- - C:\Users\Admin\AppData\Local\Temp\@AED0B2.tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\@AED0B2.tmp.exe"
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4704
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Admin0.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1708
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe"
        5⤵
        Executes dropped EXE
        Checks computer location settings
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4132
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Admin1.bat" "
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:5036
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Defender\launch.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Defender\launch.exe" /i 4132
        7⤵
        Executes dropped EXE
        Checks computer location settings
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Admin0.bat" "
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:3748
        
        C:\Users\Admin\AppData\Local\Temp\wtmps.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wtmps.exe"
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3388
        
        C:\Windows\SysWOW64\mscaps.exe
        
        "C:\Windows\system32\mscaps.exe" /C:\Users\Admin\AppData\Local\Temp\wtmps.exe
        10⤵
        Executes dropped EXE
        
        PID:4780
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Admin1.bat" "
      4⤵
      PID:4316
- - C:\Users\Admin\AppData\Local\Temp\5400db024123df03f5289f23101f33a222d2a68b6c0ee367867aaff6d1a722ee.exe
    "C:\Users\Admin\AppData\Local\Temp\5400db024123df03f5289f23101f33a222d2a68b6c0ee367867aaff6d1a722ee.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2196
  - - C:\Users\Admin\AppData\Local\Temp\5400db024123df03f5289f23101f33a222d2a68b6c0ee367867aaff6d1a722ee.exe
      C:\Users\Admin\AppData\Local\Temp\5400db024123df03f5289f23101f33a222d2a68b6c0ee367867aaff6d1a722ee.exe -deleter
      4⤵
      Executes dropped EXE
      PID:4540

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5400db024123df03f5289f23101f33a222d2a68b6c0ee367867aaff6d1a722ee.exe

Filesize
118KB

MD5
49b3d2077199c44c1f3bbb16b4094ae6

SHA1
469ccf79a49d3e8d2609f7d54e1ae3dd73e10ee2

SHA256
9f592ba27a79b32d11fafa59facbbebdc9902410e37e2eafa22e677fc33f47e6

SHA512
5225695e14bccff106d903a5fee6c33f27460c2159e822eb246d244e43890b2a22c8463f9334e1c1158b97ccf5410c5c7f7a7c31a544e9f28e3eee5e7a0861f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\5400db024123df03f5289f23101f33a222d2a68b6c0ee367867aaff6d1a722ee.exe

Filesize
118KB

MD5
49b3d2077199c44c1f3bbb16b4094ae6

SHA1
469ccf79a49d3e8d2609f7d54e1ae3dd73e10ee2

SHA256
9f592ba27a79b32d11fafa59facbbebdc9902410e37e2eafa22e677fc33f47e6

SHA512
5225695e14bccff106d903a5fee6c33f27460c2159e822eb246d244e43890b2a22c8463f9334e1c1158b97ccf5410c5c7f7a7c31a544e9f28e3eee5e7a0861f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\5400db024123df03f5289f23101f33a222d2a68b6c0ee367867aaff6d1a722ee.exe

Filesize
118KB

MD5
49b3d2077199c44c1f3bbb16b4094ae6

SHA1
469ccf79a49d3e8d2609f7d54e1ae3dd73e10ee2

SHA256
9f592ba27a79b32d11fafa59facbbebdc9902410e37e2eafa22e677fc33f47e6

SHA512
5225695e14bccff106d903a5fee6c33f27460c2159e822eb246d244e43890b2a22c8463f9334e1c1158b97ccf5410c5c7f7a7c31a544e9f28e3eee5e7a0861f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\@AED0B2.tmp.exe

Filesize
1.7MB

MD5
a7e9390bb3c01fe24cb7b7eef1f1e9d3

SHA1
9bc69f62e3bdcf514ec66b9334f290f66738376d

SHA256
72939d459cc90c49e1d5fbe014fa75490ccc6bd0af6f55dfcbf4eabda6950c01

SHA512
536ec2667bac5c1a876cd3185be455a8626327ef53467908b3bea8e0941789a187219c2c6a58e385635bc62f41f0bd30cb8809cb7a0cf0aa26daf304746e0d2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\@AED0B2.tmp.exe

Filesize
1.7MB

MD5
a7e9390bb3c01fe24cb7b7eef1f1e9d3

SHA1
9bc69f62e3bdcf514ec66b9334f290f66738376d

SHA256
72939d459cc90c49e1d5fbe014fa75490ccc6bd0af6f55dfcbf4eabda6950c01

SHA512
536ec2667bac5c1a876cd3185be455a8626327ef53467908b3bea8e0941789a187219c2c6a58e385635bc62f41f0bd30cb8809cb7a0cf0aa26daf304746e0d2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\wtmps.exe

Filesize
276KB

MD5
75c1467042b38332d1ea0298f29fb592

SHA1
f92ea770c2ddb04cf0d20914578e4c482328f0f8

SHA256
3b20c853d4ca23240cd338b8cab16f1027c540ddfe9c4ffdca1624d2f923b373

SHA512
5c47c59ad222e2597ccdf2c100853c48f022e933f44c279154346eacf9e7e6f54214ada541d43a10424035f160b56131aab206c11512a9fd6ea614fbd3160aa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\wtmps.exe

Filesize
276KB

MD5
75c1467042b38332d1ea0298f29fb592

SHA1
f92ea770c2ddb04cf0d20914578e4c482328f0f8

SHA256
3b20c853d4ca23240cd338b8cab16f1027c540ddfe9c4ffdca1624d2f923b373

SHA512
5c47c59ad222e2597ccdf2c100853c48f022e933f44c279154346eacf9e7e6f54214ada541d43a10424035f160b56131aab206c11512a9fd6ea614fbd3160aa0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Defender\launch.exe

Filesize
172KB

MD5
daac1781c9d22f5743ade0cb41feaebf

SHA1
e2549eeeea42a6892b89d354498fcaa8ffd9cac4

SHA256
6a7093440420306cf7de53421a67af8a1094771e0aab9535acbd748d08ed766c

SHA512
190a7d5291e20002f996edf1e04456bfdff8b7b2f4ef113178bd42a9e5fd89fe6d410ae2c505de0358c4f53f9654ac1caaa8634665afa6d9691640dd4ee86160

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Defender\launch.exe

Filesize
172KB

MD5
daac1781c9d22f5743ade0cb41feaebf

SHA1
e2549eeeea42a6892b89d354498fcaa8ffd9cac4

SHA256
6a7093440420306cf7de53421a67af8a1094771e0aab9535acbd748d08ed766c

SHA512
190a7d5291e20002f996edf1e04456bfdff8b7b2f4ef113178bd42a9e5fd89fe6d410ae2c505de0358c4f53f9654ac1caaa8634665afa6d9691640dd4ee86160

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe

Filesize
1.7MB

MD5
88c5578f84904e807977dd8425b463cd

SHA1
ff7773943a7ce6a84c008f4acb44a58a8ae8ba3e

SHA256
18fe52b25061bac3a387d23d46bdae8c9d1ab86e5def1aaa635bc4de4d5164cf

SHA512
6745bf32234c8a0e197d7a6f9ac8636697e5ffb6e3d705d5bcb1bf3b516280f198448a7fbdfaba56e2a6cabac26c91a9a59e1069b4f55dd0bb045ad071b07e66

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe

Filesize
1.7MB

MD5
88c5578f84904e807977dd8425b463cd

SHA1
ff7773943a7ce6a84c008f4acb44a58a8ae8ba3e

SHA256
18fe52b25061bac3a387d23d46bdae8c9d1ab86e5def1aaa635bc4de4d5164cf

SHA512
6745bf32234c8a0e197d7a6f9ac8636697e5ffb6e3d705d5bcb1bf3b516280f198448a7fbdfaba56e2a6cabac26c91a9a59e1069b4f55dd0bb045ad071b07e66

Download Submit
C:\Users\Admin\AppData\Roaming\Temp\Admin0.bat

Filesize
129B

MD5
d1073c9b34d1bbd570928734aacff6a5

SHA1
78714e24e88d50e0da8da9d303bec65b2ee6d903

SHA256
b3c704b1a728004fc5e25899d72930a7466d7628dd6ddd795b3000897dfa4020

SHA512
4f2b9330e30fcc55245dc5d12311e105b2b2b9d607fbfc4a203c69a740006f0af58d6a01e2da284575a897528da71a2e61a7321034755b78feb646c8dd12347f

Download Submit
C:\Users\Admin\AppData\Roaming\Temp\Admin0.bat

Filesize
102B

MD5
1d68f046cd6a9197038fb2445d2bea05

SHA1
d8dca54cfa0b2ad404bce32d5d94634bcfc9b2d7

SHA256
9cddd4b2ac719f01052deef3aa558fbfbcd21d5728215651345c3d2b9ba250d9

SHA512
2720d071fd02b2cf0d9f1de8dd19117fd128f213dd7f66fa8adb00d7873a5de58d2f2618100d28eec85db707d9e34d20258f9a1f76acf75fe668e66722e1cc4c

Download Submit
C:\Users\Admin\AppData\Roaming\Temp\Admin1.bat

Filesize
126B

MD5
a8e595f864eac9ae920858106b7795d4

SHA1
e98827956532812099909b345b5cc067bd0c03f4

SHA256
8f5671fb1562a91801576675f6d0d8bea534f3cc4a5f61db99441a59114de30c

SHA512
548abdb0af0ab13bb2191509150f3064c08f879e98927b0c4d714814afaa00582d94c23503d7e75fb21871b80909f5f10c129dc58b4d4963eb864a201982db6e

Download Submit
C:\Users\Admin\AppData\Roaming\Temp\Admin1.bat

Filesize
196B

MD5
0243eecc171f7ddc677d506b033a2dbf

SHA1
06bdfa01fa9e504f91f2e3cc802e052e56c733a4

SHA256
48c076a295d15a8391d7f553af769e204c33090ab5997f3d4b45340edd06f361

SHA512
3052eb2f923d1de0796ce3b794c5ca752862f556e12eb9830012cd389cff4cd54f0815eecfb68b6fb60395cda6881469a395685b0353adcfce870c7d8dfb4cf1

Download Submit
C:\Users\Admin\AppData\Roaming\Temp\mydll.dll

Filesize
388KB

MD5
8d7db101a7211fe3309dc4dc8cf2dd0a

SHA1
6c2781eadf53b3742d16dab2f164baf813f7ac85

SHA256
93db7c9699594caa19490280842fbebec3877278c92128b92e63d75fcd01397a

SHA512
8b139d447068519997f7bbc2c7c2fe3846b89ae1fba847258277c9ab92a93583b28fae7ffa444768929ed5852cc914c0270446cbf0bd20aca49bde6b6f809c83

Download Submit
C:\Users\Admin\AppData\Roaming\Temp\mydll.dll

Filesize
388KB

MD5
8d7db101a7211fe3309dc4dc8cf2dd0a

SHA1
6c2781eadf53b3742d16dab2f164baf813f7ac85

SHA256
93db7c9699594caa19490280842fbebec3877278c92128b92e63d75fcd01397a

SHA512
8b139d447068519997f7bbc2c7c2fe3846b89ae1fba847258277c9ab92a93583b28fae7ffa444768929ed5852cc914c0270446cbf0bd20aca49bde6b6f809c83

Download Submit
C:\Windows\SysWOW64\mscaps.exe

Filesize
200KB

MD5
78d3c8705f8baf7d34e6a6737d1cfa18

SHA1
9f09e248a29311dbeefae9d85937b13da042a010

SHA256
2c4c9ec8e9291ba5c73f641af2e0c3e1bbd257ac40d9fb9d3faab7cebc978905

SHA512
9a3c3175276da58f1bc8d1138e63238c8d8ccfbfa1a8a1338e88525eca47f8d745158bb34396b7c3f25e4296be5f45a71781da33ad0bbdf7ad88a9c305b85609

Download Submit
C:\Windows\SysWOW64\mscaps.exe

Filesize
200KB

MD5
78d3c8705f8baf7d34e6a6737d1cfa18

SHA1
9f09e248a29311dbeefae9d85937b13da042a010

SHA256
2c4c9ec8e9291ba5c73f641af2e0c3e1bbd257ac40d9fb9d3faab7cebc978905

SHA512
9a3c3175276da58f1bc8d1138e63238c8d8ccfbfa1a8a1338e88525eca47f8d745158bb34396b7c3f25e4296be5f45a71781da33ad0bbdf7ad88a9c305b85609

Download Submit
memory/3604-133-0x00000000002E0000-0x0000000000713000-memory.dmp

Filesize
4.2MB

Download
memory/4704-137-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download