a184852a604e7624cdc7b3fc93492ea5821af10d3d7dd84dc2c7fb06e1ea2272

Analysis

max time kernel
147s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
29-10-2022 20:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a184852a604e7624cdc7b3fc93492ea5821af10d3d7dd84dc2c7fb06e1ea2272.exe
Size

279KB
MD5

558b54b1f48afb0b8fccf5522ba308f0
SHA1

3eed4cc8dbb1d708ff60959caf066395043f7535
SHA256

a184852a604e7624cdc7b3fc93492ea5821af10d3d7dd84dc2c7fb06e1ea2272
SHA512

0397c430f13a6cbb952a82716f67b51ff88c1f04c30bd8c93e788ac61c052b4adb95f96c2973ba4d2978ac6fd0b38e30447e5ff6c9473a6d1692595065510ad7
SSDEEP

6144:3QGM8K+fBB4sGUEqPyh+9qP8kpYH6otS97HOqpKmjJUWRA:3HM8RZsUEu4OqLapSVjpXJUj

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 12 IoCs

pid	Process
4868	5d.exe
552	list32.exe
4200	5c.exe
1352	list32.exe
2080	list32.exe
2136	list32.exe
3940	list32.exe
2072	list32.exe
3868	list32.exe
3216	list32.exe
1960	list32.exe
4120	list32.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4144-132-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral2/memory/4144-149-0x0000000000400000-0x0000000000424000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	a184852a604e7624cdc7b3fc93492ea5821af10d3d7dd84dc2c7fb06e1ea2272.exe

Drops file in System32 directory 22 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\list32.exe	list32.exe
File opened for modification	C:\Windows\SysWOW64\list32.exe	5d.exe
File created	C:\Windows\SysWOW64\list32.exe	list32.exe
File opened for modification	C:\Windows\SysWOW64\list32.exe	list32.exe
File created	C:\Windows\SysWOW64\list32.exe	list32.exe
File created	C:\Windows\SysWOW64\list32.exe	list32.exe
File created	C:\Windows\SysWOW64\list32.exe	list32.exe
File created	C:\Windows\SysWOW64\list32.exe	list32.exe
File created	C:\Windows\SysWOW64\list32.exe	5d.exe
File opened for modification	C:\Windows\SysWOW64\list32.exe	list32.exe
File opened for modification	C:\Windows\SysWOW64\list32.exe	list32.exe
File created	C:\Windows\SysWOW64\list32.exe	list32.exe
File opened for modification	C:\Windows\SysWOW64\list32.exe	list32.exe
File opened for modification	C:\Windows\SysWOW64\list32.exe	list32.exe
File opened for modification	C:\Windows\SysWOW64\list32.exe	list32.exe
File created	C:\Windows\SysWOW64\list32.exe	list32.exe
File opened for modification	C:\Windows\SysWOW64\list32.exe	list32.exe
File opened for modification	C:\Windows\SysWOW64\list32.exe	list32.exe
File created	C:\Windows\SysWOW64\list32.exe	list32.exe
File opened for modification	C:\Windows\SysWOW64\list32.exe	list32.exe
File opened for modification	C:\Windows\SysWOW64\list32.exe	list32.exe
File created	C:\Windows\SysWOW64\list32.exe	list32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4200	5c.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 4144 wrote to memory of 4868	4144	a184852a604e7624cdc7b3fc93492ea5821af10d3d7dd84dc2c7fb06e1ea2272.exe	82
PID 4144 wrote to memory of 4868	4144	a184852a604e7624cdc7b3fc93492ea5821af10d3d7dd84dc2c7fb06e1ea2272.exe	82
PID 4144 wrote to memory of 4868	4144	a184852a604e7624cdc7b3fc93492ea5821af10d3d7dd84dc2c7fb06e1ea2272.exe	82
PID 4868 wrote to memory of 552	4868	5d.exe	83
PID 4868 wrote to memory of 552	4868	5d.exe	83
PID 4868 wrote to memory of 552	4868	5d.exe	83
PID 4144 wrote to memory of 4200	4144	a184852a604e7624cdc7b3fc93492ea5821af10d3d7dd84dc2c7fb06e1ea2272.exe	84
PID 4144 wrote to memory of 4200	4144	a184852a604e7624cdc7b3fc93492ea5821af10d3d7dd84dc2c7fb06e1ea2272.exe	84
PID 4144 wrote to memory of 4200	4144	a184852a604e7624cdc7b3fc93492ea5821af10d3d7dd84dc2c7fb06e1ea2272.exe	84
PID 552 wrote to memory of 1352	552	list32.exe	85
PID 552 wrote to memory of 1352	552	list32.exe	85
PID 552 wrote to memory of 1352	552	list32.exe	85
PID 1352 wrote to memory of 2080	1352	list32.exe	92
PID 1352 wrote to memory of 2080	1352	list32.exe	92
PID 1352 wrote to memory of 2080	1352	list32.exe	92
PID 2080 wrote to memory of 2136	2080	list32.exe	95
PID 2080 wrote to memory of 2136	2080	list32.exe	95
PID 2080 wrote to memory of 2136	2080	list32.exe	95
PID 2136 wrote to memory of 3940	2136	list32.exe	96
PID 2136 wrote to memory of 3940	2136	list32.exe	96
PID 2136 wrote to memory of 3940	2136	list32.exe	96
PID 3940 wrote to memory of 2072	3940	list32.exe	97
PID 3940 wrote to memory of 2072	3940	list32.exe	97
PID 3940 wrote to memory of 2072	3940	list32.exe	97
PID 2072 wrote to memory of 3868	2072	list32.exe	98
PID 2072 wrote to memory of 3868	2072	list32.exe	98
PID 2072 wrote to memory of 3868	2072	list32.exe	98
PID 3868 wrote to memory of 3216	3868	list32.exe	99
PID 3868 wrote to memory of 3216	3868	list32.exe	99
PID 3868 wrote to memory of 3216	3868	list32.exe	99
PID 3216 wrote to memory of 1960	3216	list32.exe	100
PID 3216 wrote to memory of 1960	3216	list32.exe	100
PID 3216 wrote to memory of 1960	3216	list32.exe	100
PID 1960 wrote to memory of 4120	1960	list32.exe	101
PID 1960 wrote to memory of 4120	1960	list32.exe	101
PID 1960 wrote to memory of 4120	1960	list32.exe	101

C:\Users\Admin\AppData\Local\Temp\a184852a604e7624cdc7b3fc93492ea5821af10d3d7dd84dc2c7fb06e1ea2272.exe
"C:\Users\Admin\AppData\Local\Temp\a184852a604e7624cdc7b3fc93492ea5821af10d3d7dd84dc2c7fb06e1ea2272.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4144
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\5d.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\5d.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4868
- - C:\Windows\SysWOW64\list32.exe
    C:\Windows\system32\list32.exe 1140 "C:\Users\Admin\AppData\Local\Temp\RarSFX0\5d.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:552
  - - C:\Windows\SysWOW64\list32.exe
      C:\Windows\system32\list32.exe 1144 "C:\Windows\SysWOW64\list32.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:1352
    - - C:\Windows\SysWOW64\list32.exe
        
        C:\Windows\system32\list32.exe 1120 "C:\Windows\SysWOW64\list32.exe"
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2080
      - C:\Windows\SysWOW64\list32.exe
        
        C:\Windows\system32\list32.exe 1128 "C:\Windows\SysWOW64\list32.exe"
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2136
        
        C:\Windows\SysWOW64\list32.exe
        
        C:\Windows\system32\list32.exe 1124 "C:\Windows\SysWOW64\list32.exe"
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3940
        
        C:\Windows\SysWOW64\list32.exe
        
        C:\Windows\system32\list32.exe 1136 "C:\Windows\SysWOW64\list32.exe"
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2072
        
        C:\Windows\SysWOW64\list32.exe
        
        C:\Windows\system32\list32.exe 1148 "C:\Windows\SysWOW64\list32.exe"
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3868
        
        C:\Windows\SysWOW64\list32.exe
        
        C:\Windows\system32\list32.exe 1132 "C:\Windows\SysWOW64\list32.exe"
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3216
        
        C:\Windows\SysWOW64\list32.exe
        
        C:\Windows\system32\list32.exe 1152 "C:\Windows\SysWOW64\list32.exe"
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1960
        
        C:\Windows\SysWOW64\list32.exe
        
        C:\Windows\system32\list32.exe 1156 "C:\Windows\SysWOW64\list32.exe"
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4120
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\5c.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\5c.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4200

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\5c.exe

Filesize
48KB

MD5
13e431c94c7c13a4393a1a437ae1269b

SHA1
26998cdb35e95ac52cc503cd149454f15fd5b38d

SHA256
7e638e67e45859d47e2e69ce7eaf793ca3d6ffaf9c65e4adf5bbd20319cd62c1

SHA512
8e44c912036ccc2b36153d1c4ada689a070fc7b30ea15a1cbdfe6faa1a64e104012e3ea68bb6aecccee3b5b0f80c4309e2a239ec5a11cf9ad8b11ea51cd600e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\5c.exe

Filesize
48KB

MD5
13e431c94c7c13a4393a1a437ae1269b

SHA1
26998cdb35e95ac52cc503cd149454f15fd5b38d

SHA256
7e638e67e45859d47e2e69ce7eaf793ca3d6ffaf9c65e4adf5bbd20319cd62c1

SHA512
8e44c912036ccc2b36153d1c4ada689a070fc7b30ea15a1cbdfe6faa1a64e104012e3ea68bb6aecccee3b5b0f80c4309e2a239ec5a11cf9ad8b11ea51cd600e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\5d.exe

Filesize
195KB

MD5
839ba55537c6b2847c45cadec483a53c

SHA1
a52dec60635bc677669703ebb36a46b514716dd7

SHA256
73815100c0867e6be84cd20f8d45b0622b9d4a0670fd5d79276fc82401d57536

SHA512
5ea6542f05aeb2483d61e1b1b06c075b5c8c661aa56ab4720ffd0f8e85b1d4c65c1b7475073436cfbb09bbab0f33f580c061765f96d624192e3f8b2356b20f1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\5d.exe

Filesize
195KB

MD5
839ba55537c6b2847c45cadec483a53c

SHA1
a52dec60635bc677669703ebb36a46b514716dd7

SHA256
73815100c0867e6be84cd20f8d45b0622b9d4a0670fd5d79276fc82401d57536

SHA512
5ea6542f05aeb2483d61e1b1b06c075b5c8c661aa56ab4720ffd0f8e85b1d4c65c1b7475073436cfbb09bbab0f33f580c061765f96d624192e3f8b2356b20f1e

Download Submit
C:\Windows\SysWOW64\list32.exe

Filesize
195KB

MD5
839ba55537c6b2847c45cadec483a53c

SHA1
a52dec60635bc677669703ebb36a46b514716dd7

SHA256
73815100c0867e6be84cd20f8d45b0622b9d4a0670fd5d79276fc82401d57536

SHA512
5ea6542f05aeb2483d61e1b1b06c075b5c8c661aa56ab4720ffd0f8e85b1d4c65c1b7475073436cfbb09bbab0f33f580c061765f96d624192e3f8b2356b20f1e

Download Submit
C:\Windows\SysWOW64\list32.exe

Filesize
195KB

MD5
839ba55537c6b2847c45cadec483a53c

SHA1
a52dec60635bc677669703ebb36a46b514716dd7

SHA256
73815100c0867e6be84cd20f8d45b0622b9d4a0670fd5d79276fc82401d57536

SHA512
5ea6542f05aeb2483d61e1b1b06c075b5c8c661aa56ab4720ffd0f8e85b1d4c65c1b7475073436cfbb09bbab0f33f580c061765f96d624192e3f8b2356b20f1e

Download Submit
C:\Windows\SysWOW64\list32.exe

Filesize
195KB

MD5
839ba55537c6b2847c45cadec483a53c

SHA1
a52dec60635bc677669703ebb36a46b514716dd7

SHA256
73815100c0867e6be84cd20f8d45b0622b9d4a0670fd5d79276fc82401d57536

SHA512
5ea6542f05aeb2483d61e1b1b06c075b5c8c661aa56ab4720ffd0f8e85b1d4c65c1b7475073436cfbb09bbab0f33f580c061765f96d624192e3f8b2356b20f1e

Download Submit
C:\Windows\SysWOW64\list32.exe

Filesize
195KB

MD5
839ba55537c6b2847c45cadec483a53c

SHA1
a52dec60635bc677669703ebb36a46b514716dd7

SHA256
73815100c0867e6be84cd20f8d45b0622b9d4a0670fd5d79276fc82401d57536

SHA512
5ea6542f05aeb2483d61e1b1b06c075b5c8c661aa56ab4720ffd0f8e85b1d4c65c1b7475073436cfbb09bbab0f33f580c061765f96d624192e3f8b2356b20f1e

Download Submit
C:\Windows\SysWOW64\list32.exe

Filesize
195KB

MD5
839ba55537c6b2847c45cadec483a53c

SHA1
a52dec60635bc677669703ebb36a46b514716dd7

SHA256
73815100c0867e6be84cd20f8d45b0622b9d4a0670fd5d79276fc82401d57536

SHA512
5ea6542f05aeb2483d61e1b1b06c075b5c8c661aa56ab4720ffd0f8e85b1d4c65c1b7475073436cfbb09bbab0f33f580c061765f96d624192e3f8b2356b20f1e

Download Submit
C:\Windows\SysWOW64\list32.exe

Filesize
195KB

MD5
839ba55537c6b2847c45cadec483a53c

SHA1
a52dec60635bc677669703ebb36a46b514716dd7

SHA256
73815100c0867e6be84cd20f8d45b0622b9d4a0670fd5d79276fc82401d57536

SHA512
5ea6542f05aeb2483d61e1b1b06c075b5c8c661aa56ab4720ffd0f8e85b1d4c65c1b7475073436cfbb09bbab0f33f580c061765f96d624192e3f8b2356b20f1e

Download Submit
C:\Windows\SysWOW64\list32.exe

Filesize
195KB

MD5
839ba55537c6b2847c45cadec483a53c

SHA1
a52dec60635bc677669703ebb36a46b514716dd7

SHA256
73815100c0867e6be84cd20f8d45b0622b9d4a0670fd5d79276fc82401d57536

SHA512
5ea6542f05aeb2483d61e1b1b06c075b5c8c661aa56ab4720ffd0f8e85b1d4c65c1b7475073436cfbb09bbab0f33f580c061765f96d624192e3f8b2356b20f1e

Download Submit
C:\Windows\SysWOW64\list32.exe

Filesize
195KB

MD5
839ba55537c6b2847c45cadec483a53c

SHA1
a52dec60635bc677669703ebb36a46b514716dd7

SHA256
73815100c0867e6be84cd20f8d45b0622b9d4a0670fd5d79276fc82401d57536

SHA512
5ea6542f05aeb2483d61e1b1b06c075b5c8c661aa56ab4720ffd0f8e85b1d4c65c1b7475073436cfbb09bbab0f33f580c061765f96d624192e3f8b2356b20f1e

Download Submit
C:\Windows\SysWOW64\list32.exe

Filesize
195KB

MD5
839ba55537c6b2847c45cadec483a53c

SHA1
a52dec60635bc677669703ebb36a46b514716dd7

SHA256
73815100c0867e6be84cd20f8d45b0622b9d4a0670fd5d79276fc82401d57536

SHA512
5ea6542f05aeb2483d61e1b1b06c075b5c8c661aa56ab4720ffd0f8e85b1d4c65c1b7475073436cfbb09bbab0f33f580c061765f96d624192e3f8b2356b20f1e

Download Submit
C:\Windows\SysWOW64\list32.exe

Filesize
195KB

MD5
839ba55537c6b2847c45cadec483a53c

SHA1
a52dec60635bc677669703ebb36a46b514716dd7

SHA256
73815100c0867e6be84cd20f8d45b0622b9d4a0670fd5d79276fc82401d57536

SHA512
5ea6542f05aeb2483d61e1b1b06c075b5c8c661aa56ab4720ffd0f8e85b1d4c65c1b7475073436cfbb09bbab0f33f580c061765f96d624192e3f8b2356b20f1e

Download Submit
C:\Windows\SysWOW64\list32.exe

Filesize
195KB

MD5
839ba55537c6b2847c45cadec483a53c

SHA1
a52dec60635bc677669703ebb36a46b514716dd7

SHA256
73815100c0867e6be84cd20f8d45b0622b9d4a0670fd5d79276fc82401d57536

SHA512
5ea6542f05aeb2483d61e1b1b06c075b5c8c661aa56ab4720ffd0f8e85b1d4c65c1b7475073436cfbb09bbab0f33f580c061765f96d624192e3f8b2356b20f1e

Download Submit
memory/552-140-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/552-136-0x0000000000000000-mapping.dmp

Download
memory/1352-150-0x0000000000000000-mapping.dmp

Download
memory/1352-152-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/1352-156-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/1960-176-0x0000000000000000-mapping.dmp

Download
memory/1960-178-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/2072-165-0x0000000000000000-mapping.dmp

Download
memory/2072-172-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/2072-167-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/2080-153-0x0000000000000000-mapping.dmp

Download
memory/2080-155-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/2080-160-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/2136-164-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/2136-159-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/2136-157-0x0000000000000000-mapping.dmp

Download
memory/3216-175-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/3216-173-0x0000000000000000-mapping.dmp

Download
memory/3868-169-0x0000000000000000-mapping.dmp

Download
memory/3868-171-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/3940-168-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/3940-161-0x0000000000000000-mapping.dmp

Download
memory/3940-163-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/4120-181-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/4120-179-0x0000000000000000-mapping.dmp

Download
memory/4144-149-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4144-132-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4200-144-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/4200-141-0x0000000000000000-mapping.dmp

Download
memory/4200-148-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/4200-147-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/4868-139-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/4868-133-0x0000000000000000-mapping.dmp

Download