Analysis
- max time kernel: 142s
- max time network: 175s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20/10/2022, 14:07

Static task: static1

Behavioral task behavioral1
- Sample: 801a121e1b181786d84b97ae89847dfcdb1dc3319a93a804a14445c5269b83e5.exe
- Resource: win7-20220812-en

Behavioral task behavioral2
- Sample: 801a121e1b181786d84b97ae89847dfcdb1dc3319a93a804a14445c5269b83e5.exe
- Resource: win10v2004-20220812-en
General
- Target: 801a121e1b181786d84b97ae89847dfcdb1dc3319a93a804a14445c5269b83e5.exe
- Size: 375KB
- MD5: a005c8ae3ef927fdafb0d22bec5abe80
- SHA1: d6f1f2f7311535a077a55b1c334176e72ad63a56
- SHA256: 801a121e1b181786d84b97ae89847dfcdb1dc3319a93a804a14445c5269b83e5
- SHA512: 8c13bff224458ed27e7426311a8451a7071fe187842d179d68c07c552a4c3824b1b344c549b1732a353f52f37e5c7a5510ea8573074a035d6ce4853c7bc64c42
- SSDEEP: 6144:I8U2qy6rRZb7jxGYV/AkMMyp+GWSSpYN1HLbRc2nPyPz7W5GnTA6D9YzZlVwd9un:+zy6rRxEWM2GgeN1HL1qPv0m7D9Ylg9o
Malware Config
(nothing listed on this page)

Signatures
The signature hits below come from behavioral2 (the Windows 10 run); the yara resource names carry the behavioral2 prefix and no behavioral1 results appear on this page.

Executes dropped EXE (4 IoCs)
  pid   process
  3308  111.exe
  2652  345.exe
  260   223.exe
  5116  uwdx.exe

UPX yara rule matches (5 IoCs)
  resource                                                                      yara_rule
  behavioral2/files/0x0006000000022e33-133.dat                                  upx
  behavioral2/files/0x0006000000022e33-134.dat                                  upx
  behavioral2/memory/3308-135-0x0000000000400000-0x0000000000445000-memory.dmp  upx
  behavioral2/memory/3308-136-0x0000000000400000-0x0000000000445000-memory.dmp  upx
  behavioral2/memory/3308-137-0x0000000000400000-0x0000000000445000-memory.dmp  upx
  Two dropped files and three memory dumps of PID 3308 (111.exe, image range 0x400000-0x445000) match the generic UPX rule, so 111.exe is UPX-packed. UPX is a packer, not a family; strings pulled from the packed file on disk describe the stub, not the payload, so unpack it (upx -d, or dump after the stub has run) before doing string or import triage.

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  description        ioc                                                                                               process
  Key value queried  \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation  801a121e1b181786d84b97ae89847dfcdb1dc3319a93a804a14445c5269b83e5.exe
  This is a read of the user's HKCU\Control Panel\International\Geo\Nation value (the Windows GeoID). Only the query is logged; what the sample does with the answer is not on this page. The same value is read by benign installers and localisation code, so treat it as supporting evidence rather than a verdict on its own.

Drops file in System32 directory (2 IoCs)
  description   ioc                              process
  File created  C:\Windows\SysWOW64\uwdx.exe     223.exe
  File created  C:\Windows\SysWOW64\ole2.vbs     223.exe
  Both writes succeeded, so 223.exe had write access to %SystemRoot%\SysWOW64 in the sandbox; on a host where the user is not elevated these writes fail, and the on-disk artefacts would differ from what is shown here.

Drops file in Windows directory (2 IoCs)
  description                   ioc                          process
  File created                  C:\Windows\ime\system.exe    223.exe
  File opened for modification  C:\Windows\ime\system.exe    223.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s); the sandbox labels this as likely ransomware behaviour. No IoC row was recorded for this signature, so the specific device or API is not on this page.

Suspicious use of SetWindowsHookEx (4 IoCs)
  pid   process
  3308  111.exe
  3308  111.exe
  2652  345.exe
  5116  uwdx.exe
  SetWindowsHookEx is how user-mode keyloggers install WH_KEYBOARD or WH_KEYBOARD_LL hooks, but GUI frameworks use it too; the hook type is not shown here, so a dump of the hooked procedure is needed to say which.

Suspicious use of WriteProcessMemory (12 IoCs)
  Every parent-to-child write below was logged three times, giving the 12 rows of the original report. The last column is the sandbox's internal id of the target process.
  writer pid  writer process                                                         target pid  target id
  4960        801a121e1b181786d84b97ae89847dfcdb1dc3319a93a804a14445c5269b83e5.exe   3308        84
  4960        801a121e1b181786d84b97ae89847dfcdb1dc3319a93a804a14445c5269b83e5.exe   2652        85
  4960        801a121e1b181786d84b97ae89847dfcdb1dc3319a93a804a14445c5269b83e5.exe   260         87
  260         223.exe                                                                5116        88
  Each of these pairs is also a parent-child pair in the process tree, which is the pattern of a parent writing into a child it has just created rather than injection into an unrelated process.
Processes

C:\Users\Admin\AppData\Local\Temp\801a121e1b181786d84b97ae89847dfcdb1dc3319a93a804a14445c5269b83e5.exe  [PID 4960]
  command line: "C:\Users\Admin\AppData\Local\Temp\801a121e1b181786d84b97ae89847dfcdb1dc3319a93a804a14445c5269b83e5.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  |
  +- C:\Users\Admin\AppData\Local\Temp\RarSFX0\111.exe  [PID 3308]
  |    command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\111.exe"
  |    - Executes dropped EXE
  |    - Suspicious use of SetWindowsHookEx
  |
  +- C:\Users\Admin\AppData\Local\Temp\RarSFX0\345.exe  [PID 2652]
  |    command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\345.exe"
  |    - Executes dropped EXE
  |    - Suspicious use of SetWindowsHookEx
  |
  +- C:\Users\Admin\AppData\Local\Temp\RarSFX0\223.exe  [PID 260]
       command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\223.exe"
       - Executes dropped EXE
       - Drops file in System32 directory
       - Drops file in Windows directory
       - Suspicious use of WriteProcessMemory
       |
       +- C:\Windows\SysWOW64\uwdx.exe  [PID 5116]
            command line: C:\Windows\system32\uwdx.exe
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx

RarSFX0 is the temporary folder a WinRAR self-extracting archive unpacks into, so the 375KB sample is an SFX wrapper that extracts 111.exe, 345.exe and 223.exe and launches each in turn. 223.exe then writes uwdx.exe to C:\Windows\SysWOW64 and starts it. The child's command line names C:\Windows\system32\ while its image path is SysWOW64: 223.exe is a 32-bit process, so WOW64 file-system redirection maps system32 to SysWOW64 for it, and a hunt on the 64-bit host must look in SysWOW64.
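Rebuilding the process tree from the rows above, as an added example that is not part of the sandbox report: the script embeds the WriteProcessMemory, "Executes dropped EXE" and file-drop rows copied from this page (constructed inline so it runs offline), keeps the count of repeated writes per parent/child pair instead of silently deduplicating them, and flags the drop-then-execute edge where 223.exe creates C:\Windows\SysWOW64\uwdx.exe and then starts it. Function and variable names are my own, not the sandbox's.

```python
"""Rebuild the sandbox's process tree from its WriteProcessMemory,
'Executes dropped EXE' and file-drop rows (added example; rows are copied
from the report above and embedded so the script runs offline)."""
import re
from collections import defaultdict

SAMPLE = "801a121e1b181786d84b97ae89847dfcdb1dc3319a93a804a14445c5269b83e5.exe"

# Every parent->child write appears three times in the report; keep all rows
# so the count is preserved rather than silently deduplicated.
WPM_ROWS = (
    [f"PID 4960 wrote to memory of 3308 4960 {SAMPLE} 84"] * 3
    + [f"PID 4960 wrote to memory of 2652 4960 {SAMPLE} 85"] * 3
    + [f"PID 4960 wrote to memory of 260 4960 {SAMPLE} 87"] * 3
    + ["PID 260 wrote to memory of 5116 260 223.exe 88"] * 3
)
# "Executes dropped EXE": pid and image name.
DROPPED_EXE_ROWS = ["3308 111.exe", "2652 345.exe", "260 223.exe", "5116 uwdx.exe"]
# "Drops file in ... directory": action, path, acting process.
FILE_ROWS = [
    r"File created C:\Windows\SysWOW64\uwdx.exe 223.exe",
    r"File created C:\Windows\SysWOW64\ole2.vbs 223.exe",
    r"File created C:\Windows\ime\system.exe 223.exe",
    r"File opened for modification C:\Windows\ime\system.exe 223.exe",
]

WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \d+ (\S+) \d+$")
FILE_RE = re.compile(r"^(File created|File opened for modification) (.+) (\S+)$")


def parse_edges(rows):
    """Return ({(parent_pid, child_pid): write_count}, {pid: image})."""
    edges, names = defaultdict(int), {}
    for row in rows:
        m = WPM_RE.match(row)
        if not m:
            raise ValueError(f"unrecognised WriteProcessMemory row: {row!r}")
        parent, child, image = int(m[1]), int(m[2]), m[3]
        edges[(parent, child)] += 1
        names[parent] = image
    return dict(edges), names


def parse_drops(rows):
    """Return {acting image: [(action, path), ...]}."""
    drops = defaultdict(list)
    for row in rows:
        m = FILE_RE.match(row)
        if not m:
            raise ValueError(f"unrecognised file row: {row!r}")
        drops[m[3]].append((m[1], m[2]))
    return dict(drops)


def build_tree(wpm_rows=WPM_ROWS, dropped_rows=DROPPED_EXE_ROWS):
    """Combine the two row types into edges, names, children and roots."""
    edges, names = parse_edges(wpm_rows)
    for row in dropped_rows:
        pid, image = row.split(" ", 1)
        names[int(pid)] = image
    children = defaultdict(list)
    for parent, child in edges:  # insertion order == report order
        children[parent].append(child)
    roots = sorted({p for p, _ in edges} - {c for _, c in edges})
    return {"edges": edges, "names": names, "children": dict(children), "roots": roots}


def dropped_then_executed(tree, drops):
    """Edges whose parent first created a file named like the child's image:
    here 223.exe writing uwdx.exe under SysWOW64 and then starting it."""
    hits = []
    for parent, child in tree["edges"]:
        child_image = tree["names"].get(child, "").lower()
        for action, path in drops.get(tree["names"].get(parent, ""), []):
            if action == "File created" and path.rsplit("\\", 1)[-1].lower() == child_image:
                hits.append((parent, child, path))
    return hits


def render(tree, drops):
    """Indented text tree, one line per process, with the files it created."""
    lines = []

    def walk(pid, depth, writes=None):
        image = tree["names"].get(pid, "?")
        created = [p for a, p in drops.get(image, []) if a == "File created"]
        tag = f" [WriteProcessMemory x{writes}]" if writes else ""
        extra = f"  creates: {', '.join(created)}" if created else ""
        lines.append(f"{'  ' * depth}{pid} {image}{tag}{extra}")
        for child in tree["children"].get(pid, []):
            walk(child, depth + 1, tree["edges"][(pid, child)])

    for root in tree["roots"]:
        walk(root, 0)
    return lines


if __name__ == "__main__":
    tree = build_tree()
    drops = parse_drops(FILE_ROWS)
    print("\n".join(render(tree, drops)))
    for parent, child, path in dropped_then_executed(tree, drops):
        print(f"drop-then-execute: {parent} -> {child} via {path}")
```

The write counts are kept on purpose: three writes per child is what a plain CreateProcess looks like in this report, so a pair with a much higher count, or a pair that is not also parent and child, would be the one worth pulling a memory dump for.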
Network
(no entries on this page)

MITRE ATT&CK Enterprise v6
(no technique mapping is shown on this page)
Downloads

Four distinct artefacts are listed; the original report prints each entry twice and the duplicates are collapsed here. The page does not state which dropped file (111.exe, 345.exe, 223.exe, uwdx.exe, ole2.vbs or system.exe) each entry corresponds to.

Filesize 115KB
  MD5     aaef562d46db1b72d0ffb67df43b798d
  SHA1    678caba3a830d32bc6486d68792e4551f63be7c1
  SHA256  e0842c75b79178f519bfccd8fe34aae6db1eaaa4bb3834fb46fbf2935c0fba57
  SHA512  c283a2542844066204af4d454f50de9ace37303979ccbb8732255e0569b649b7ce6c1762ff8d576f883d1032afa94a88dd6f8f3aa318d89522361c91fe3f241c

Filesize 181KB
  MD5     23e6e5ae5040cc3299a5a4ebbe5c8a95
  SHA1    8a598c9d024139b9f13ba70ea76da662ef60a440
  SHA256  4156a7dc1fed247f003f38e82ac0baa0418fd7d340cc7d017e815f1a31b45898
  SHA512  f643fb4f85d4e405b97ec92491bb2046584357ebd3b7972768eea354cfca6079a532b94cbed2cae615a4aed6cb210a9f8e048933bd9465d1237bccdcdfbd16d3

Filesize 17KB
  MD5     7649b65b59a873a8e7caa21e5273e84f
  SHA1    0df91213de49c779722a426211585cbd103cc797
  SHA256  d052376eb1906edb2e38bd61dbd3033a07aab237da1203ebf3bd947bf87b6192
  SHA512  20689ce3bf9105df7c784186a31fcf206716e0530ca379f6befb481ee7c264f00d30d1fa224eab07daf42d3c4385e6958239925ebcfc462f45706ca375e885f8

Filesize 18KB
  MD5     57b39e7e3b29ef594449a1949241a451
  SHA1    885aee7d5af106943dc4e35548a20d9282569063
  SHA256  32f54a06fe3b10f6716edfa1ca7b95d3627e09a3cf6d6691b5122077aa839c22
  SHA512  7f6d66ab21ab7e326ca35049052f314dbad3f048dd1f48258c552134d8f4a5b2e7e80fc662c98d8e24dd5ae501d36d10cc9bdf1eb166baa670b5b4b0a0df2165
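Turning the hash listings into something a hunt can use, as an added example that is not part of the sandbox report: the script embeds the sample's digests and the four Downloads entries (with the page's duplicate rows kept so the collapse is visible), validates each digest's length and alphabet so a truncated copy-paste never reaches a blocklist, collapses duplicates on SHA-256, and matches either a digest string from another feed or raw file bytes against the index. The "label" field and all function names are my own; the page does not say which dropped file each entry is.

```python
"""Consolidate the report's hash listings into one IoC index and match
digests or raw bytes against it (added example; digests are copied from the
report above, where each Downloads entry is printed twice)."""
import hashlib

# (label, size, md5, sha1, sha256, sha512).  'label' is an analyst note only.
RAW_ROWS = [
    ("sample", "375KB",
     "a005c8ae3ef927fdafb0d22bec5abe80",
     "d6f1f2f7311535a077a55b1c334176e72ad63a56",
     "801a121e1b181786d84b97ae89847dfcdb1dc3319a93a804a14445c5269b83e5",
     "8c13bff224458ed27e7426311a8451a7071fe187842d179d68c07c552a4c3824b1b344c549b1732a353f52f37e5c7a5510ea8573074a035d6ce4853c7bc64c42"),
    ("download", "115KB",
     "aaef562d46db1b72d0ffb67df43b798d",
     "678caba3a830d32bc6486d68792e4551f63be7c1",
     "e0842c75b79178f519bfccd8fe34aae6db1eaaa4bb3834fb46fbf2935c0fba57",
     "c283a2542844066204af4d454f50de9ace37303979ccbb8732255e0569b649b7ce6c1762ff8d576f883d1032afa94a88dd6f8f3aa318d89522361c91fe3f241c"),
    ("download", "181KB",
     "23e6e5ae5040cc3299a5a4ebbe5c8a95",
     "8a598c9d024139b9f13ba70ea76da662ef60a440",
     "4156a7dc1fed247f003f38e82ac0baa0418fd7d340cc7d017e815f1a31b45898",
     "f643fb4f85d4e405b97ec92491bb2046584357ebd3b7972768eea354cfca6079a532b94cbed2cae615a4aed6cb210a9f8e048933bd9465d1237bccdcdfbd16d3"),
    ("download", "17KB",
     "7649b65b59a873a8e7caa21e5273e84f",
     "0df91213de49c779722a426211585cbd103cc797",
     "d052376eb1906edb2e38bd61dbd3033a07aab237da1203ebf3bd947bf87b6192",
     "20689ce3bf9105df7c784186a31fcf206716e0530ca379f6befb481ee7c264f00d30d1fa224eab07daf42d3c4385e6958239925ebcfc462f45706ca375e885f8"),
    ("download", "18KB",
     "57b39e7e3b29ef594449a1949241a451",
     "885aee7d5af106943dc4e35548a20d9282569063",
     "32f54a06fe3b10f6716edfa1ca7b95d3627e09a3cf6d6691b5122077aa839c22",
     "7f6d66ab21ab7e326ca35049052f314dbad3f048dd1f48258c552134d8f4a5b2e7e80fc662c98d8e24dd5ae501d36d10cc9bdf1eb166baa670b5b4b0a0df2165"),
]
# The page lists every Downloads entry twice; reproduce that so the
# de-duplication below is exercised on real input.
RAW_ROWS += RAW_ROWS[1:]

ALGOS = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}  # hex digest lengths
HEX = set("0123456789abcdef")


def validate(rows):
    """Return [(row_index, algorithm, value)] for digests with the wrong
    length or non-hex characters; an empty list means every digest is sane."""
    problems = []
    for i, (_, _, *digests) in enumerate(rows):
        for algo, value in zip(ALGOS, digests):
            value = value.lower()
            if len(value) != ALGOS[algo] or not set(value) <= HEX:
                problems.append((i, algo, value))
    return problems


def unique_iocs(rows=RAW_ROWS):
    """Collapse duplicate rows on SHA-256, keeping first-seen order."""
    seen = {}
    for label, size, md5, sha1, sha256, sha512 in rows:
        rec = {"label": label, "size": size, "md5": md5.lower(), "sha1": sha1.lower(),
               "sha256": sha256.lower(), "sha512": sha512.lower()}
        seen.setdefault(rec["sha256"], rec)
    return list(seen.values())


def build_index(rows=RAW_ROWS):
    """{hex digest of any algorithm: record}, so an MD5-only feed still hits."""
    index = {}
    for rec in unique_iocs(rows):
        for algo in ALGOS:
            index[rec[algo]] = rec
    return index


def match_hex(digest, index=None):
    """Look up one digest string (any supported algorithm, any case)."""
    index = build_index() if index is None else index
    return index.get(digest.strip().lower())


def match_bytes(data, index=None):
    """Hash the bytes with every algorithm in the index; return the first hit."""
    index = build_index() if index is None else index
    for algo in ALGOS:
        rec = index.get(hashlib.new(algo, data).hexdigest())
        if rec is not None:
            return rec
    return None


if __name__ == "__main__":
    print("digest problems:", validate(RAW_ROWS))
    for rec in unique_iocs():
        print(f"{rec['label']:9} {rec['size']:6} sha256={rec['sha256']}")
```

Indexing every algorithm under one dictionary is deliberate: vendor feeds and EDR consoles often expose only one of MD5, SHA-1 or SHA-256, and keying on all four means a single lookup works whichever one the other side has.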