Analysis

  • max time kernel
    62s
  • max time network
    141s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    31/10/2022, 22:53

General

  • Target

    226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe

  • Size

    4.1MB

  • MD5

    5399ff9c8181e7600a5d20b9521f8ef6

  • SHA1

    2956df5c6bdab3e9c6bf2f17f6712943d2c4533a

  • SHA256

    226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54

  • SHA512

    d4ab3b67dcf604eda4b948643e6a3c10b56372e1a8ef74fd5e567c04a01de979ff505c2b2cb3b882b50ccb88e31b613a3207b10468e4016f2f78fa4f9737e88b

  • SSDEEP

    98304:Xl4CN9s4aaJ6JiTzYOtN1yMRH74VGjbDoLoq+SXfSX:Vh5JqiTzL1yMPq/XfSX

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE (4 IoCs)
  • Sets service image path in registry (2 TTPs, 2 IoCs)
  • UPX packed file (10 IoCs)

    Detects executables packed with the UPX open-source packer or a modified UPX build.

  • Checks computer location settings (2 TTPs, 3 IoCs)

    Looks up the country code configured in the registry, likely a geofence.

  • Enumerates connected drives (3 TTPs, 24 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry (2 TTPs, 2 IoCs)

    Processor information is often read to detect sandbox environments.

  • Enumerates system info in registry (2 TTPs, 4 IoCs)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious behavior: LoadsDriver (4 IoCs)
  • Suspicious use of AdjustPrivilegeToken (9 IoCs)
  • Suspicious use of WriteProcessMemory (19 IoCs)
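The UPX signature above fires on the unmodified packer's section names; the "modified UPX" wording matters because those names are the first thing an author who tweaks the packer changes. As an added example (not from the report or from any sandbox), here is a Python section-table parser with three indicators of differing robustness: the UPX0/UPX1 section names, the "UPX!" packer-header magic, and the stock UPX layout in which the first section has a VirtualSize but no raw file data. The stub PE builder is constructed test input, not a real sample, and the indicator weighting in upx_verdict is this example's own choice.

```python
import struct

UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2", "UPX3"}


def pe_sections(data: bytes) -> list[dict]:
    """Walk the PE headers by hand and return the section table.

    Offsets follow the PE/COFF layout: e_lfanew at 0x3C, the PE signature,
    a 20-byte COFF header (SizeOfOptionalHeader at COFF+16), then 40-byte
    IMAGE_SECTION_HEADER entries (Name, VirtualSize, VirtualAddress, SizeOfRawData, ...).
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    (num_sections,) = struct.unpack_from("<H", data, coff + 2)
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)
    table = coff + 20 + opt_size
    sections = []
    for i in range(num_sections):
        off = table + i * 40
        if off + 40 > len(data):
            raise ValueError("truncated section table")
        name, vsize, _vaddr, rawsize = struct.unpack_from("<8sIII", data, off)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": vsize, "raw_size": rawsize})
    return sections


def upx_indicators(data: bytes) -> dict:
    secs = pe_sections(data)
    names = [s["name"] for s in secs]
    return {
        "sections": names,
        # Stock UPX names its sections UPX0/UPX1 (plus .rsrc); trivially renamed in modified builds.
        "upx_names": any(n in UPX_SECTION_NAMES for n in names),
        # The packed-header magic "UPX!" survives most casual modifications.
        "upx_magic": b"UPX!" in data,
        # Layout fingerprint: the first section reserves address space (VirtualSize > 0)
        # but carries no file data (SizeOfRawData == 0); the stub unpacks into it at run time.
        "upx_layout": len(secs) >= 2 and secs[0]["raw_size"] == 0 and secs[0]["virtual_size"] > 0,
    }


def upx_verdict(data: bytes) -> str:
    ind = upx_indicators(data)
    if ind["upx_names"] or ind["upx_magic"]:
        return "upx"
    if ind["upx_layout"]:
        return "possibly-upx"  # renamed/modified UPX, or another packer with the same layout
    return "none"


def build_stub_pe(sections, tail: bytes = b"") -> bytes:
    """Constructed test input: a minimal x64 PE skeleton (DOS header, PE signature,
    COFF header with an empty optional header, section table). Not a loadable image."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, 0, 0x22)
    table = b""
    for name, vsize, rawsize in sections:
        entry = name.encode("ascii").ljust(8, b"\0")[:8] + struct.pack("<IIII", vsize, 0, rawsize, 0)
        table += entry.ljust(40, b"\0")
    return dos + b"PE\0\0" + coff + table + tail


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:
            with open(path, "rb") as fh:
                print(path, upx_verdict(fh.read()))
    else:
        demo = build_stub_pe([("UPX0", 0x8000, 0), ("UPX1", 0x3000, 0x2E00), (".rsrc", 0x400, 0x400)], b"UPX!")
        print("stub:", upx_indicators(demo), upx_verdict(demo))
```

Run it as `python upxcheck.py sample.exe` against a real file; a "possibly-upx" result on a binary with innocuous-looking section names is the case the report's "modified UPX" clause is about and usually warrants an entropy check or a manual look at the entry-point stub.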

Processes

  • C:\Users\Admin\AppData\Local\Temp\226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe
    "C:\Users\Admin\AppData\Local\Temp\226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4996
    • C:\Users\Admin\Documents\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe
      C:\Users\Admin\Documents\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Checks processor information in registry
      • Enumerates system info in registry
      PID:4412
    • C:\Users\Admin\AppData\Local\Temp\jlh6Lwbzh
      2001 5399FF9C8181E7600A5D20B9521F8EF6 84
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1180
      • C:\Users\Admin\AppData\Local\Temp\BaQBE06jlh.exe
        C:\Users\Admin\AppData\Local\Temp\BaQBE06jlh.exe C:\Users\Admin\AppData\Local\Temp\BaQBE05jlh.dat
        3⤵
        • Executes dropped EXE
        • Checks computer location settings
        • Suspicious use of WriteProcessMemory
        PID:3792
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\BAQBE0~1.EXE >> NUL
          4⤵
          PID:1384
      • C:\Users\Admin\AppData\Local\Temp\0Q6_aU5lvG.exe
        C:\Users\Admin\AppData\Local\Temp\ZSixoSOX.sys
        3⤵
        • Executes dropped EXE
        • Sets service image path in registry
        • Checks computer location settings
        • Suspicious behavior: LoadsDriver
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4972
        • C:\Windows\system32\cmd.exe
          "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\0Q6_AU~1.EXE >> NUL
          4⤵
          PID:4312
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\JLH6LW~1 >> NUL
      3⤵
      PID:1548
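The tree above shows two behaviours a detection engineer would want to catch in endpoint telemetry: a dropped executable (0Q6_aU5lvG.exe, PID 4972) that sets a service image path and loads a driver it is handed on the command line (ZSixoSOX.sys in the user's Temp directory), and each stage deleting its own image afterwards through `cmd.exe /c del ... >> NUL`, addressing the file by its 8.3 short name. The following is an added example, not part of the sandbox report: Python checks over Sysmon-style events (EID 13 registry value set, EID 1 process create) constructed here from the process tree. The service name ZSixoSOX and the exact registry value are assumptions, since the report does not print its registry IoCs; the event field names follow Sysmon's, and the 8.3 short-name matching is a heuristic, not Windows' real algorithm.

```python
import ntpath
import re

# User-writable location a kernel driver has no business being loaded from (assumed scope).
USER_WRITABLE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)
# HKLM\SYSTEM\CurrentControlSet\Services\<svc>\ImagePath as logged by Sysmon EID 13.
IMAGEPATH_KEY = re.compile(r"\\services\\([^\\]+)\\imagepath$", re.I)
# "cmd.exe /c del <file> >> NUL": the self-delete idiom seen in the process tree.
SELF_DELETE = re.compile(r'/c\s+del\s+(?:/[a-z]\s+)*"?([^"\s>]+)"?\s*>+\s*nul\b', re.I)


def check_service_imagepath(ev: dict):
    """Flag a service ImagePath that points at a .sys under a user-writable temp directory."""
    if ev.get("EventID") != 13:
        return None
    m = IMAGEPATH_KEY.search(ev.get("TargetObject", ""))
    if not m:
        return None
    path = ev.get("Details", "").strip('"')
    if path.startswith("\\??\\"):  # NT object-manager prefix, strip it before matching
        path = path[4:]
    if USER_WRITABLE.match(path) and path.lower().endswith(".sys"):
        return (f"pid {ev['ProcessId']} {ev['Image']}: service '{m.group(1)}' "
                f"ImagePath set to user-writable driver {path}")
    return None


def short_name_prefix(path: str):
    """Approximate the 8.3 short name of a long file name: first six legal characters of the
    stem, upper-cased, followed by '~' (heuristic; the real tilde number varies per directory)."""
    stem, ext = ntpath.splitext(ntpath.basename(path))
    stem = re.sub(r"[^A-Za-z0-9_$~!#%&@^{}()-]", "", stem).upper()
    return stem[:6] + "~", ext.upper()


def check_self_delete(ev: dict):
    """Flag cmd.exe deleting its parent's own image (long or 8.3 form) in the parent's directory."""
    if ev.get("EventID") != 1 or ntpath.basename(ev.get("Image", "")).lower() != "cmd.exe":
        return None
    m = SELF_DELETE.search(ev.get("CommandLine", ""))
    if not m:
        return None
    target, parent = m.group(1), ev.get("ParentImage", "")
    if ntpath.dirname(target).lower() != ntpath.dirname(parent).lower():
        return None
    t_stem, t_ext = ntpath.splitext(ntpath.basename(target))
    p_prefix, p_ext = short_name_prefix(parent)
    exact = ntpath.basename(target).lower() == ntpath.basename(parent).lower()
    short = t_stem.upper().startswith(p_prefix) and t_ext.upper() == p_ext
    if exact or short:
        return f"pid {ev['ParentProcessId']} {parent} deletes its own image via cmd.exe: {target}"
    return None


def scan(events):
    hits = []
    for ev in events:
        for check in (check_service_imagepath, check_self_delete):
            hit = check(ev)
            if hit:
                hits.append(hit)
    return hits


# Constructed events modelled on the process tree (PIDs and paths from the report; the
# service name and the registry value for the driver are assumptions).
EVENTS = [
    {"EventID": 13, "ProcessId": 4972, "Image": r"C:\Users\Admin\AppData\Local\Temp\0Q6_aU5lvG.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\ZSixoSOX\ImagePath",
     "Details": r"\??\C:\Users\Admin\AppData\Local\Temp\ZSixoSOX.sys"},
    {"EventID": 1, "ProcessId": 1384, "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": r'"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\BAQBE0~1.EXE >> NUL',
     "ParentProcessId": 3792, "ParentImage": r"C:\Users\Admin\AppData\Local\Temp\BaQBE06jlh.exe"},
    {"EventID": 1, "ProcessId": 4312, "Image": r"C:\Windows\system32\cmd.exe",
     "CommandLine": r'"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\0Q6_AU~1.EXE >> NUL',
     "ParentProcessId": 4972, "ParentImage": r"C:\Users\Admin\AppData\Local\Temp\0Q6_aU5lvG.exe"},
    {"EventID": 1, "ProcessId": 1548, "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": r'"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\JLH6LW~1 >> NUL',
     "ParentProcessId": 1180, "ParentImage": r"C:\Users\Admin\AppData\Local\Temp\jlh6Lwbzh"},
    # Two benign look-alikes that must not fire: an installer cleaning up a log file, and the
    # stock disk driver whose ImagePath lives under System32.
    {"EventID": 1, "ProcessId": 900, "Image": r"C:\Windows\system32\cmd.exe",
     "CommandLine": r'"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\setup.log >> NUL',
     "ParentProcessId": 800, "ParentImage": r"C:\Program Files\Tool\setup.exe"},
    {"EventID": 13, "ProcessId": 4, "Image": "System",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\disk\ImagePath",
     "Details": r"System32\drivers\disk.sys"},
]

if __name__ == "__main__":
    for line in scan(EVENTS):
        print(line)
```

The service check is the higher-value one: a driver whose ImagePath sits in a user-writable directory is either a bug or a loader, and on a Windows 10 x64 host with Driver Signature Enforcement it also implies a signed driver was brought along, so the .sys file itself (the LoadsDriver IoCs) is the next artefact to pull. The self-delete check relies on the parent directory matching, which keeps ordinary temp-file cleanup from firing.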

        Network

              MITRE ATT&CK Enterprise v6

              Downloads

              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

                Filesize

                2KB

                MD5

                1a295f69dfd5c6f54042f8bc5b31a6af

                SHA1

                d2b64e2902114ce584f382cbd78b06354b6b14f7

                SHA256

                b14043ac188588e6e6282e515cc581ca0aaae5fbf84a0cf087204bae7fcdad55

                SHA512

                3ed6b02a4b6f723f5ca54e78e2c787e5670cc7bec3e3517e06fdc57afe966fbb62b3702bf6cc6a903fd8ef83ea6f79949018e35b7ca4d93cd3f8e865bc2e724f

              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\400EC0C30337DCB94CB9C65FAB2BF5CA

                Filesize

                472B

                MD5

                83343201c58ce331a5de9b207a0542a7

                SHA1

                678743995d807544cebfbf82d534094f8c356231

                SHA256

                27cc0e7305dfab9ab96d7a06655d4b699e42b30a075be7c1fe22d4736d20f115

                SHA512

                ab1d3da9a6977dbe6814466ca17092707e47a9e49f5767b2cfea0d23d41e207cb64d4427afec5aa14c1735b9f9ec34db1a8954d779d49457bf3ea14e494c772c

              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

                Filesize

                1KB

                MD5

                136889ac23008bfdfefb91c9e5d8a11d

                SHA1

                8343b8ef34dc565eda256e042b43064cb8017131

                SHA256

                35188ecd41bd046f9f71e26f5404d5406be5e20bf8f2b6963adaec084783bef5

                SHA512

                b19722ef132c9169aa442b87f633f915934a51ea4164c674864aaffe4b01dd7ad6b7488450ca14b6d1467eb231e6941cad0aab29733ae4fa6b7df7d2a2f75bdb

              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

                Filesize

                488B

                MD5

                7da0f0010d9f684e8d08f2715bd5a000

                SHA1

                cb6e4b8ebac810080212358954384b34991eb7cc

                SHA256

                797a6c5f4c139b2c785391fb02ed47b1d104c9ec7b2106faca2af18ac0452d57

                SHA512

                006f3ed99813e211cc5d7c04a1b8585c5f2fe281b332c75fd0122c723278fe4aa6a9f11bb81824ec0e27732062889c32feabdaca0d2ede874b5dbeb7963b4d6f

              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\400EC0C30337DCB94CB9C65FAB2BF5CA

                Filesize

                476B

                MD5

                c2ed069efa024354f4cace5e63d914a3

                SHA1

                b6e61c792b1305f6d1f6af8ef63e592f062525c8

                SHA256

                1871913a75f5f9f5958356c770f7e56a246b1b6c836bf78f59a03c9de789a5e4

                SHA512

                f0e4b26e7dba8a7db620ff848fbeca96ad33e0352e5a82afe38a320f2033c1c95b85dc406c6980269f9aa30fc0793f859f5fedc0a11bd592f87e57d94286dd54

              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

                Filesize

                482B

                MD5

                10c64006105304b4ed0904acce3ba9c1

                SHA1

                56fa0b3213d539a8a779ef5f88daa6f60e87391b

                SHA256

                e59e528e19b5a60686b2ac6165ddbc45bd8cd90379ec1bbdfa03a480b9c4fabb

                SHA512

                bfd168c0239fdd831ee45998f5e6b8bd17adce1155948be5a98b5dffffa14a967e582471511f4236cd9142890bfefe6a132f871555e6da5ab0ec3b692fc1fde8

              • C:\Users\Admin\AppData\Local\Temp\0Q6_aU5lvG.exe

                Filesize

                102KB

                MD5

                4c839dc7014281acda2456d611ac73b7

                SHA1

                13073f7b2d0ce49143d021cec9d863c0597a6f3e

                SHA256

                188dca807ca0613941037af948e42527f9a7be9ff8bd80ff083cf0670a54c31e

                SHA512

                9b9030287fb84c7ee616b2829f2797b867d26a3d034e83d5f06b4aea643cfc0cc1c5892892ab415c2d0d8e9922684fe0143e5fecb8f686d3db37bb1a87d631ea

              • C:\Users\Admin\AppData\Local\Temp\BaQBE06jlh.exe

                Filesize

                77KB

                MD5

                cd3f1df2d4a06ac82cd816bc799dd65e

                SHA1

                a77c7aa9b4857d0ec504403528e2cfe625b6bc83

                SHA256

                ba2a2ae38a31d5f4ae98cd3e7c21792d36f2386a252ebd506353d1487da6b8ce

                SHA512

                60f9e5329169a68d1548200a9bcd05d380bb924ebbaa57797683042f7ce17870e7a9e33dd70330da17c37b86c9ae4161b50cc84a673fce69af563118bfe7a6d0

              • C:\Users\Admin\AppData\Local\Temp\jlh6Lwbzh

                Filesize

                201KB

                MD5

                f79f5ce86c81d6b0edb45a4a92c572af

                SHA1

                4f8fe0760f075c60831513637935049c697d9725

                SHA256

                d2e9b3a4933bd3772b2789a393eeb3d3afadcfc1a34546da48ebc2ff3fb15317

                SHA512

                0773ecb29c70b17dfc02c439b1a50d9e9426c951e48dfaec88bcd8344a5e757d8074a1db590d52519a313686e8efb60beedc0aa801e9d1364ada8e0567fa9f4d

              • C:\Users\Admin\Documents\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe

                Filesize

                4.0MB

                MD5

                48eed6e83346784e2213509f4892c0b7

                SHA1

                d9016ac27e6b370f75b0a6b25c9978c78be1b792

                SHA256

                d39c949d27f3b8fdea3dc72abbce0a12d9eb9a21f101bc0a0e6f8b24eb2d6f05

                SHA512

                0f3ae00ac453d12777a1034034a14b0ecc106433c7d7a03ad1d18116f2e16966fa0f946488ed08a826eea30c1074726f16dd2c9bad7a642acf2602e348302f6b

              • memory/1180-154-0x0000000003110000-0x0000000003163000-memory.dmp

                Filesize

                332KB

              • memory/1180-173-0x0000000003B40000-0x0000000003BA9000-memory.dmp

                Filesize

                420KB

              • memory/1180-146-0x0000000000400000-0x0000000000457000-memory.dmp

                Filesize

                348KB

              • memory/1180-145-0x0000000000530000-0x0000000000555000-memory.dmp

                Filesize

                148KB

              • memory/1180-176-0x0000000000400000-0x0000000000457000-memory.dmp

                Filesize

                348KB

              • memory/1180-160-0x0000000003B40000-0x0000000003BA9000-memory.dmp

                Filesize

                420KB

              • memory/1180-164-0x0000000003B40000-0x0000000003BA9000-memory.dmp

                Filesize

                420KB

              • memory/1180-172-0x0000000003110000-0x0000000003163000-memory.dmp

                Filesize

                332KB

              • memory/1180-155-0x0000000003110000-0x0000000003163000-memory.dmp

                Filesize

                332KB

              • memory/1180-166-0x0000000000530000-0x0000000000555000-memory.dmp

                Filesize

                148KB

              • memory/1180-147-0x0000000000530000-0x0000000000555000-memory.dmp

                Filesize

                148KB

              • memory/4412-136-0x0000000000400000-0x0000000000BE7000-memory.dmp

                Filesize

                7.9MB

              • memory/4412-138-0x0000000000400000-0x0000000000BE7000-memory.dmp

                Filesize

                7.9MB

              • memory/4412-139-0x0000000000D80000-0x0000000000D83000-memory.dmp

                Filesize

                12KB

              • memory/4412-158-0x0000000000400000-0x0000000000BE7000-memory.dmp

                Filesize

                7.9MB

              • memory/4412-137-0x0000000000400000-0x0000000000BE7000-memory.dmp

                Filesize

                7.9MB

              • memory/4412-157-0x0000000000D80000-0x0000000000D83000-memory.dmp

                Filesize

                12KB

              • memory/4972-171-0x00007FF627F60000-0x00007FF627F97000-memory.dmp

                Filesize

                220KB

              • memory/4996-156-0x0000000000CA0000-0x00000000014E8000-memory.dmp

                Filesize

                8.3MB

              • memory/4996-132-0x0000000000CA0000-0x00000000014E8000-memory.dmp

                Filesize

                8.3MB

              • memory/4996-159-0x0000000004360000-0x00000000043AD000-memory.dmp

                Filesize

                308KB

              • memory/4996-174-0x0000000000CA0000-0x00000000014E8000-memory.dmp

                Filesize

                8.3MB

              • memory/4996-140-0x0000000004360000-0x00000000043AD000-memory.dmp

                Filesize

                308KB

              • memory/4996-141-0x0000000004360000-0x00000000043AD000-memory.dmp

                Filesize

                308KB