26bd8eb8f9c7284710e6adc8f15c5aa692167b35464a3df7cf13a52fa50e14c7

Analysis

max time kernel
150s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
06/11/2022, 03:38

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

26bd8eb8f9c7284710e6adc8f15c5aa692167b35464a3df7cf13a52fa50e14c7.exe
Size

872KB
MD5

108deb435d73d5c48c44772369afc220
SHA1

19b8fba12ec6a31c48288ffbb4692e2a14f4ccf9
SHA256

26bd8eb8f9c7284710e6adc8f15c5aa692167b35464a3df7cf13a52fa50e14c7
SHA512

448994c2841f4e4669a5dbf22d1675c036a99f262bd98c7a685049700cefd2854ba0f3108770bce821412d6ef498b24d51b6876c8fd2ef650cbfe4029c2023ef
SSDEEP

6144:l8XXRUw9Oz5+iUPO4RJtvRx7HfnSzObtkLo5vOFTaLTGu0yvHcr+:unRy+vvtHfRVxOFuPyAHcq

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2248	pwyrqtqlzgi.exe
4356	pwyrqtqlzgi.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	26bd8eb8f9c7284710e6adc8f15c5aa692167b35464a3df7cf13a52fa50e14c7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4108	2248	WerFault.exe	80
5116	4356	WerFault.exe	91

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2548	26bd8eb8f9c7284710e6adc8f15c5aa692167b35464a3df7cf13a52fa50e14c7.exe
2548	26bd8eb8f9c7284710e6adc8f15c5aa692167b35464a3df7cf13a52fa50e14c7.exe
2548	26bd8eb8f9c7284710e6adc8f15c5aa692167b35464a3df7cf13a52fa50e14c7.exe
2548	26bd8eb8f9c7284710e6adc8f15c5aa692167b35464a3df7cf13a52fa50e14c7.exe
2548	26bd8eb8f9c7284710e6adc8f15c5aa692167b35464a3df7cf13a52fa50e14c7.exe
2548	26bd8eb8f9c7284710e6adc8f15c5aa692167b35464a3df7cf13a52fa50e14c7.exe
2548	26bd8eb8f9c7284710e6adc8f15c5aa692167b35464a3df7cf13a52fa50e14c7.exe
2548	26bd8eb8f9c7284710e6adc8f15c5aa692167b35464a3df7cf13a52fa50e14c7.exe
2548	26bd8eb8f9c7284710e6adc8f15c5aa692167b35464a3df7cf13a52fa50e14c7.exe
2548	26bd8eb8f9c7284710e6adc8f15c5aa692167b35464a3df7cf13a52fa50e14c7.exe
2548	26bd8eb8f9c7284710e6adc8f15c5aa692167b35464a3df7cf13a52fa50e14c7.exe
2548	26bd8eb8f9c7284710e6adc8f15c5aa692167b35464a3df7cf13a52fa50e14c7.exe
2548	26bd8eb8f9c7284710e6adc8f15c5aa692167b35464a3df7cf13a52fa50e14c7.exe
2548	26bd8eb8f9c7284710e6adc8f15c5aa692167b35464a3df7cf13a52fa50e14c7.exe
2548	26bd8eb8f9c7284710e6adc8f15c5aa692167b35464a3df7cf13a52fa50e14c7.exe
2548	26bd8eb8f9c7284710e6adc8f15c5aa692167b35464a3df7cf13a52fa50e14c7.exe
2548	26bd8eb8f9c7284710e6adc8f15c5aa692167b35464a3df7cf13a52fa50e14c7.exe
2548	26bd8eb8f9c7284710e6adc8f15c5aa692167b35464a3df7cf13a52fa50e14c7.exe
2548	26bd8eb8f9c7284710e6adc8f15c5aa692167b35464a3df7cf13a52fa50e14c7.exe
2548	26bd8eb8f9c7284710e6adc8f15c5aa692167b35464a3df7cf13a52fa50e14c7.exe
2548	26bd8eb8f9c7284710e6adc8f15c5aa692167b35464a3df7cf13a52fa50e14c7.exe
2548	26bd8eb8f9c7284710e6adc8f15c5aa692167b35464a3df7cf13a52fa50e14c7.exe
2548	26bd8eb8f9c7284710e6adc8f15c5aa692167b35464a3df7cf13a52fa50e14c7.exe
2548	26bd8eb8f9c7284710e6adc8f15c5aa692167b35464a3df7cf13a52fa50e14c7.exe
2548	26bd8eb8f9c7284710e6adc8f15c5aa692167b35464a3df7cf13a52fa50e14c7.exe
2548	26bd8eb8f9c7284710e6adc8f15c5aa692167b35464a3df7cf13a52fa50e14c7.exe
2548	26bd8eb8f9c7284710e6adc8f15c5aa692167b35464a3df7cf13a52fa50e14c7.exe
2548	26bd8eb8f9c7284710e6adc8f15c5aa692167b35464a3df7cf13a52fa50e14c7.exe
2548	26bd8eb8f9c7284710e6adc8f15c5aa692167b35464a3df7cf13a52fa50e14c7.exe
2548	26bd8eb8f9c7284710e6adc8f15c5aa692167b35464a3df7cf13a52fa50e14c7.exe
2548	26bd8eb8f9c7284710e6adc8f15c5aa692167b35464a3df7cf13a52fa50e14c7.exe
2548	26bd8eb8f9c7284710e6adc8f15c5aa692167b35464a3df7cf13a52fa50e14c7.exe
2548	26bd8eb8f9c7284710e6adc8f15c5aa692167b35464a3df7cf13a52fa50e14c7.exe
2548	26bd8eb8f9c7284710e6adc8f15c5aa692167b35464a3df7cf13a52fa50e14c7.exe
2548	26bd8eb8f9c7284710e6adc8f15c5aa692167b35464a3df7cf13a52fa50e14c7.exe
2548	26bd8eb8f9c7284710e6adc8f15c5aa692167b35464a3df7cf13a52fa50e14c7.exe
2548	26bd8eb8f9c7284710e6adc8f15c5aa692167b35464a3df7cf13a52fa50e14c7.exe
2548	26bd8eb8f9c7284710e6adc8f15c5aa692167b35464a3df7cf13a52fa50e14c7.exe
2548	26bd8eb8f9c7284710e6adc8f15c5aa692167b35464a3df7cf13a52fa50e14c7.exe
2548	26bd8eb8f9c7284710e6adc8f15c5aa692167b35464a3df7cf13a52fa50e14c7.exe
2548	26bd8eb8f9c7284710e6adc8f15c5aa692167b35464a3df7cf13a52fa50e14c7.exe
2548	26bd8eb8f9c7284710e6adc8f15c5aa692167b35464a3df7cf13a52fa50e14c7.exe
2548	26bd8eb8f9c7284710e6adc8f15c5aa692167b35464a3df7cf13a52fa50e14c7.exe
2548	26bd8eb8f9c7284710e6adc8f15c5aa692167b35464a3df7cf13a52fa50e14c7.exe
2548	26bd8eb8f9c7284710e6adc8f15c5aa692167b35464a3df7cf13a52fa50e14c7.exe
2548	26bd8eb8f9c7284710e6adc8f15c5aa692167b35464a3df7cf13a52fa50e14c7.exe
2548	26bd8eb8f9c7284710e6adc8f15c5aa692167b35464a3df7cf13a52fa50e14c7.exe
2548	26bd8eb8f9c7284710e6adc8f15c5aa692167b35464a3df7cf13a52fa50e14c7.exe
2548	26bd8eb8f9c7284710e6adc8f15c5aa692167b35464a3df7cf13a52fa50e14c7.exe
2548	26bd8eb8f9c7284710e6adc8f15c5aa692167b35464a3df7cf13a52fa50e14c7.exe
2548	26bd8eb8f9c7284710e6adc8f15c5aa692167b35464a3df7cf13a52fa50e14c7.exe
2548	26bd8eb8f9c7284710e6adc8f15c5aa692167b35464a3df7cf13a52fa50e14c7.exe
2548	26bd8eb8f9c7284710e6adc8f15c5aa692167b35464a3df7cf13a52fa50e14c7.exe
2548	26bd8eb8f9c7284710e6adc8f15c5aa692167b35464a3df7cf13a52fa50e14c7.exe
2548	26bd8eb8f9c7284710e6adc8f15c5aa692167b35464a3df7cf13a52fa50e14c7.exe
2548	26bd8eb8f9c7284710e6adc8f15c5aa692167b35464a3df7cf13a52fa50e14c7.exe
2548	26bd8eb8f9c7284710e6adc8f15c5aa692167b35464a3df7cf13a52fa50e14c7.exe
2548	26bd8eb8f9c7284710e6adc8f15c5aa692167b35464a3df7cf13a52fa50e14c7.exe
2548	26bd8eb8f9c7284710e6adc8f15c5aa692167b35464a3df7cf13a52fa50e14c7.exe
2548	26bd8eb8f9c7284710e6adc8f15c5aa692167b35464a3df7cf13a52fa50e14c7.exe
2548	26bd8eb8f9c7284710e6adc8f15c5aa692167b35464a3df7cf13a52fa50e14c7.exe
2548	26bd8eb8f9c7284710e6adc8f15c5aa692167b35464a3df7cf13a52fa50e14c7.exe
2548	26bd8eb8f9c7284710e6adc8f15c5aa692167b35464a3df7cf13a52fa50e14c7.exe
2548	26bd8eb8f9c7284710e6adc8f15c5aa692167b35464a3df7cf13a52fa50e14c7.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2548 wrote to memory of 2248	2548	26bd8eb8f9c7284710e6adc8f15c5aa692167b35464a3df7cf13a52fa50e14c7.exe	80
PID 2548 wrote to memory of 2248	2548	26bd8eb8f9c7284710e6adc8f15c5aa692167b35464a3df7cf13a52fa50e14c7.exe	80
PID 2548 wrote to memory of 2248	2548	26bd8eb8f9c7284710e6adc8f15c5aa692167b35464a3df7cf13a52fa50e14c7.exe	80
PID 2548 wrote to memory of 4356	2548	26bd8eb8f9c7284710e6adc8f15c5aa692167b35464a3df7cf13a52fa50e14c7.exe	91
PID 2548 wrote to memory of 4356	2548	26bd8eb8f9c7284710e6adc8f15c5aa692167b35464a3df7cf13a52fa50e14c7.exe	91
PID 2548 wrote to memory of 4356	2548	26bd8eb8f9c7284710e6adc8f15c5aa692167b35464a3df7cf13a52fa50e14c7.exe	91

C:\Users\Admin\AppData\Local\Temp\26bd8eb8f9c7284710e6adc8f15c5aa692167b35464a3df7cf13a52fa50e14c7.exe
"C:\Users\Admin\AppData\Local\Temp\26bd8eb8f9c7284710e6adc8f15c5aa692167b35464a3df7cf13a52fa50e14c7.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2548
- C:\Users\Admin\AppData\Local\Temp\pwyrqtqlzgi.exe
  "C:\Users\Admin\AppData\Local\Temp\pwyrqtqlzgi.exe" "c:\users\admin\appdata\local\temp\26bd8eb8f9c7284710e6adc8f15c5aa692167b35464a3df7cf13a52fa50e14c7.exe*"
  2⤵
  - Executes dropped EXE
  PID:2248
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2248 -s 344
    3⤵
    - Program crash
    PID:4108
- C:\Users\Admin\AppData\Local\Temp\pwyrqtqlzgi.exe
  "C:\Users\Admin\AppData\Local\Temp\pwyrqtqlzgi.exe" "c:\users\admin\appdata\local\temp\26bd8eb8f9c7284710e6adc8f15c5aa692167b35464a3df7cf13a52fa50e14c7.exe"
  2⤵
  - Executes dropped EXE
  PID:4356
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4356 -s 176
    3⤵
    - Program crash
    PID:5116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2248 -ip 2248
1⤵
PID:2624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4356 -ip 4356
1⤵
PID:4632

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\pwyrqtqlzgi.exe

Filesize
308KB

MD5
6d08b79af4fd69dca87044205e11f6d8

SHA1
289acaeee807f153b18854dfbb66211e10f501e7

SHA256
a87b2530d5a91f2daa91f49289636a9e56882f29b57bef9bafaebf2ceec05d24

SHA512
e9ccd21fe428c1c4bfae9bd8b03ab67d14a5fb71a3efc39192bd471bbf3a4e96c3d07350da1063cf3cff25097c745f59eaa92c8b71c3d0d4cf88b3824c9b7daf

Download Submit
C:\Users\Admin\AppData\Local\Temp\pwyrqtqlzgi.exe

Filesize
308KB

MD5
6d08b79af4fd69dca87044205e11f6d8

SHA1
289acaeee807f153b18854dfbb66211e10f501e7

SHA256
a87b2530d5a91f2daa91f49289636a9e56882f29b57bef9bafaebf2ceec05d24

SHA512
e9ccd21fe428c1c4bfae9bd8b03ab67d14a5fb71a3efc39192bd471bbf3a4e96c3d07350da1063cf3cff25097c745f59eaa92c8b71c3d0d4cf88b3824c9b7daf

Download Submit
C:\Users\Admin\AppData\Local\Temp\pwyrqtqlzgi.exe

Filesize
308KB

MD5
6d08b79af4fd69dca87044205e11f6d8

SHA1
289acaeee807f153b18854dfbb66211e10f501e7

SHA256
a87b2530d5a91f2daa91f49289636a9e56882f29b57bef9bafaebf2ceec05d24

SHA512
e9ccd21fe428c1c4bfae9bd8b03ab67d14a5fb71a3efc39192bd471bbf3a4e96c3d07350da1063cf3cff25097c745f59eaa92c8b71c3d0d4cf88b3824c9b7daf

Download Submit