19275ff1a5f839b9e90c479b95b89943cef2bcf494029bc14483a2487f40f9a2

Resubmissions

05-11-2022 19:59

221105-yqefyabgdl 10

05-11-2022 19:56

221105-yn7dyabgcp 10

05-11-2022 19:39

221105-ydcftabfgr 10

05-11-2022 19:22

221105-x3ef2ahce6 10

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
05-11-2022 19:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Setup_DriverDoc_2022.exe
Size

6.0MB
MD5

c65a354ac28f2f45c7ca8a38e4f778d6
SHA1

42d84f6be5cfa1503dc7bd8275073872d71a4fc0
SHA256

396cb9e17c57f09c4afab97f91e72011e3f115b15e764c39d26473d92fe2c45e
SHA512

7acba2651fb1378a97c47ce6723808235ddd74d2cb736f5fb6f28a241f3b33188e9a511c6be2eb3ca8e7cad68c05a76a0c853edc5a417a16aacd5c0388950017
SSDEEP

98304:KSi1jH0UJukUYMwioEgGU9KM+ZFNIO05p0oO2gz8+fyTx:MUvkUMiij9KM+7Npc0R4+KTx

Score

9^/10

Malware Config

Signatures

Affect hook table 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\is-R5V8C.tmp\Setup_DriverDoc_2022.tmp	win_hook
C:\Users\Admin\AppData\Local\Temp\is-F82HO.tmp\Setup_DriverDoc_2022.tmp	win_hook

Bypass DEP 7 IoCs

Processes:

resource	yara_rule
behavioral4/memory/4888-132-0x0000000000400000-0x00000000004E4000-memory.dmp	disable_dep
C:\Users\Admin\AppData\Local\Temp\is-R5V8C.tmp\Setup_DriverDoc_2022.tmp	disable_dep
behavioral4/memory/4888-136-0x0000000000400000-0x00000000004E4000-memory.dmp	disable_dep
behavioral4/memory/2040-138-0x0000000000400000-0x00000000004E4000-memory.dmp	disable_dep
behavioral4/memory/4888-140-0x0000000000400000-0x00000000004E4000-memory.dmp	disable_dep
C:\Users\Admin\AppData\Local\Temp\is-F82HO.tmp\Setup_DriverDoc_2022.tmp	disable_dep
behavioral4/memory/2040-143-0x0000000000400000-0x00000000004E4000-memory.dmp	disable_dep

Checks if being debugged 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\is-R5V8C.tmp\Setup_DriverDoc_2022.tmp	anti_dbg
C:\Users\Admin\AppData\Local\Temp\is-F82HO.tmp\Setup_DriverDoc_2022.tmp	anti_dbg

DebuggerException__SetConsoleCtrl 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\is-R5V8C.tmp\Setup_DriverDoc_2022.tmp	DebuggerException__SetConsoleCtrl
C:\Users\Admin\AppData\Local\Temp\is-F82HO.tmp\Setup_DriverDoc_2022.tmp	DebuggerException__SetConsoleCtrl

SEH_Init 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\is-R5V8C.tmp\Setup_DriverDoc_2022.tmp	SEH_Init
C:\Users\Admin\AppData\Local\Temp\is-F82HO.tmp\Setup_DriverDoc_2022.tmp	SEH_Init

SEH_Save 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\is-R5V8C.tmp\Setup_DriverDoc_2022.tmp	SEH_Save
C:\Users\Admin\AppData\Local\Temp\is-F82HO.tmp\Setup_DriverDoc_2022.tmp	SEH_Save

Executes dropped EXE 2 IoCs

Processes:

Setup_DriverDoc_2022.tmpSetup_DriverDoc_2022.tmp

pid process

2332 Setup_DriverDoc_2022.tmp
3904 Setup_DriverDoc_2022.tmp

pid	process
2332	Setup_DriverDoc_2022.tmp
3904	Setup_DriverDoc_2022.tmp

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Setup_DriverDoc_2022.tmp

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	Setup_DriverDoc_2022.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

Setup_DriverDoc_2022.exeSetup_DriverDoc_2022.tmpSetup_DriverDoc_2022.exe

description	pid	process	target process
PID 4888 wrote to memory of 2332	4888	Setup_DriverDoc_2022.exe	Setup_DriverDoc_2022.tmp
PID 4888 wrote to memory of 2332	4888	Setup_DriverDoc_2022.exe	Setup_DriverDoc_2022.tmp
PID 4888 wrote to memory of 2332	4888	Setup_DriverDoc_2022.exe	Setup_DriverDoc_2022.tmp
PID 2332 wrote to memory of 2040	2332	Setup_DriverDoc_2022.tmp	Setup_DriverDoc_2022.exe
PID 2332 wrote to memory of 2040	2332	Setup_DriverDoc_2022.tmp	Setup_DriverDoc_2022.exe
PID 2332 wrote to memory of 2040	2332	Setup_DriverDoc_2022.tmp	Setup_DriverDoc_2022.exe
PID 2040 wrote to memory of 3904	2040	Setup_DriverDoc_2022.exe	Setup_DriverDoc_2022.tmp
PID 2040 wrote to memory of 3904	2040	Setup_DriverDoc_2022.exe	Setup_DriverDoc_2022.tmp
PID 2040 wrote to memory of 3904	2040	Setup_DriverDoc_2022.exe	Setup_DriverDoc_2022.tmp

C:\Users\Admin\AppData\Local\Temp\Setup_DriverDoc_2022.exe
C:\Users\Admin\AppData\Local\Temp\Setup_DriverDoc_2022.exe /VERYSILENT /NORESTART /ALLUSERS /DIR="C:/DriverDoc/" /LANG="german"
1⤵
- Suspicious use of WriteProcessMemory
PID:4888

C:\Users\Admin\AppData\Local\Temp\is-R5V8C.tmp\Setup_DriverDoc_2022.tmp
"C:\Users\Admin\AppData\Local\Temp\is-R5V8C.tmp\Setup_DriverDoc_2022.tmp" /SL5="$8005A,5347251,879104,C:\Users\Admin\AppData\Local\Temp\Setup_DriverDoc_2022.exe" /VERYSILENT /NORESTART /ALLUSERS /DIR="C:/DriverDoc/" /LANG="german"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2332

C:\Users\Admin\AppData\Local\Temp\Setup_DriverDoc_2022.exe
"C:\Users\Admin\AppData\Local\Temp\Setup_DriverDoc_2022.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:2040

C:\Users\Admin\AppData\Local\Temp\is-F82HO.tmp\Setup_DriverDoc_2022.tmp
"C:\Users\Admin\AppData\Local\Temp\is-F82HO.tmp\Setup_DriverDoc_2022.tmp" /SL5="$9005A,5347251,879104,C:\Users\Admin\AppData\Local\Temp\Setup_DriverDoc_2022.exe"
4⤵
- Executes dropped EXE
PID:3904

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-F82HO.tmp\Setup_DriverDoc_2022.tmp

Filesize
3.1MB

MD5
d70a98daf7a810ee18ce451ec673e399

SHA1
274dff37313f3fbdf82dfc4afd94582359b79fee

SHA256
9621346beee2a257b1966b6dc3f1f850d54ae0746bf1718d35c966649ac9b340

SHA512
a246aa8979a7bc1a8ae6d1c5ac637939e7ab3380484cb78a3fc98fe9ceccb51cb5d6dfe787ece6bb1420450741c0734a049849dac7242679b8660e71acf00e60

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-R5V8C.tmp\Setup_DriverDoc_2022.tmp

Filesize
3.1MB

MD5
d70a98daf7a810ee18ce451ec673e399

SHA1
274dff37313f3fbdf82dfc4afd94582359b79fee

SHA256
9621346beee2a257b1966b6dc3f1f850d54ae0746bf1718d35c966649ac9b340

SHA512
a246aa8979a7bc1a8ae6d1c5ac637939e7ab3380484cb78a3fc98fe9ceccb51cb5d6dfe787ece6bb1420450741c0734a049849dac7242679b8660e71acf00e60

Download Submit
memory/2040-137-0x0000000000000000-mapping.dmp

Download
memory/2040-138-0x0000000000400000-0x00000000004E4000-memory.dmp

Filesize
912KB

Download
memory/2040-143-0x0000000000400000-0x00000000004E4000-memory.dmp

Filesize
912KB

Download
memory/2332-134-0x0000000000000000-mapping.dmp

Download
memory/3904-141-0x0000000000000000-mapping.dmp

Download
memory/4888-132-0x0000000000400000-0x00000000004E4000-memory.dmp

Filesize
912KB

Download
memory/4888-136-0x0000000000400000-0x00000000004E4000-memory.dmp

Filesize
912KB

Download
memory/4888-140-0x0000000000400000-0x00000000004E4000-memory.dmp

Filesize
912KB

Download