b04badb7457a228a695578b858cb7b24ed2968ab818f6a3edc9ed55e0786738c

Analysis

max time kernel
168s
max time network
175s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
07-11-2022 00:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b04badb7457a228a695578b858cb7b24ed2968ab818f6a3edc9ed55e0786738c.exe
Size

134KB
MD5

040dc13025bc1d4d4cc4ad36bbfe98e7
SHA1

76a9a0f03ec5b9c15a5beb50fb52d80f6c3deb0c
SHA256

b04badb7457a228a695578b858cb7b24ed2968ab818f6a3edc9ed55e0786738c
SHA512

2b6a3937d247ee4a75f44ed60df5e6fa514c80b8c1f330c5fee22bf18155217156167ff1e2236b88af133e434628a9d9e342e42f99bdacd3a8cf3b49ffdb2429
SSDEEP

3072:Dxaw7lEvFCsE8uKqMJBrHnsAWNqubkdBytQlaVrAUdB1/:TlFstuKqMJ9Hn5WNqub/tpV841

Score

8^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
3216	trys.exe
4184	trys.exe
5104	trys.exe

UPX packed file 20 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3672-132-0x0000000000400000-0x0000000000470000-memory.dmp	upx
behavioral2/memory/2100-136-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/2100-138-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/2100-140-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/3672-139-0x0000000000400000-0x0000000000470000-memory.dmp	upx
behavioral2/files/0x0007000000022f66-147.dat	upx
behavioral2/files/0x0007000000022f66-148.dat	upx
behavioral2/memory/3216-151-0x0000000000400000-0x0000000000470000-memory.dmp	upx
behavioral2/files/0x0007000000022f66-154.dat	upx
behavioral2/memory/5104-157-0x0000000013140000-0x0000000013162000-memory.dmp	upx
behavioral2/files/0x0007000000022f66-159.dat	upx
behavioral2/memory/5104-163-0x0000000013140000-0x0000000013162000-memory.dmp	upx
behavioral2/memory/3216-162-0x0000000000400000-0x0000000000470000-memory.dmp	upx
behavioral2/memory/5104-165-0x0000000013140000-0x0000000013162000-memory.dmp	upx
behavioral2/memory/2100-166-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/5104-168-0x0000000013140000-0x0000000013162000-memory.dmp	upx
behavioral2/memory/5104-169-0x0000000000400000-0x0000000000470000-memory.dmp	upx
behavioral2/memory/4184-170-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/4184-171-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/5104-172-0x0000000013140000-0x0000000013162000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	b04badb7457a228a695578b858cb7b24ed2968ab818f6a3edc9ed55e0786738c.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ineter Mc = "C:\\Windows\\trys.exe"	reg.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 3672 set thread context of 2100	3672	b04badb7457a228a695578b858cb7b24ed2968ab818f6a3edc9ed55e0786738c.exe	80
PID 3216 set thread context of 4184	3216	trys.exe	86
PID 3216 set thread context of 5104	3216	trys.exe	87

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\trys.exe	b04badb7457a228a695578b858cb7b24ed2968ab818f6a3edc9ed55e0786738c.exe
File opened for modification	C:\Windows\trys.exe	b04badb7457a228a695578b858cb7b24ed2968ab818f6a3edc9ed55e0786738c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4184	trys.exe
Token: SeDebugPrivilege	4184	trys.exe
Token: SeDebugPrivilege	4184	trys.exe
Token: SeDebugPrivilege	4184	trys.exe
Token: SeDebugPrivilege	4184	trys.exe
Token: SeDebugPrivilege	4184	trys.exe
Token: SeDebugPrivilege	4184	trys.exe
Token: SeDebugPrivilege	4184	trys.exe
Token: SeDebugPrivilege	4184	trys.exe
Token: SeDebugPrivilege	4184	trys.exe
Token: SeDebugPrivilege	4184	trys.exe
Token: SeDebugPrivilege	4184	trys.exe
Token: SeDebugPrivilege	4184	trys.exe
Token: SeDebugPrivilege	4184	trys.exe
Token: SeDebugPrivilege	4184	trys.exe
Token: SeDebugPrivilege	4184	trys.exe
Token: SeDebugPrivilege	4184	trys.exe
Token: SeDebugPrivilege	4184	trys.exe
Token: SeDebugPrivilege	4184	trys.exe
Token: SeDebugPrivilege	4184	trys.exe
Token: SeDebugPrivilege	4184	trys.exe
Token: SeDebugPrivilege	4184	trys.exe
Token: SeDebugPrivilege	4184	trys.exe
Token: SeDebugPrivilege	4184	trys.exe
Token: SeDebugPrivilege	4184	trys.exe
Token: SeDebugPrivilege	4184	trys.exe
Token: SeDebugPrivilege	4184	trys.exe
Token: SeDebugPrivilege	4184	trys.exe
Token: SeDebugPrivilege	4184	trys.exe
Token: SeDebugPrivilege	4184	trys.exe
Token: SeDebugPrivilege	4184	trys.exe
Token: SeDebugPrivilege	4184	trys.exe
Token: SeDebugPrivilege	4184	trys.exe
Token: SeDebugPrivilege	4184	trys.exe
Token: SeDebugPrivilege	4184	trys.exe
Token: SeDebugPrivilege	4184	trys.exe
Token: SeDebugPrivilege	4184	trys.exe
Token: SeDebugPrivilege	4184	trys.exe
Token: SeDebugPrivilege	4184	trys.exe
Token: SeDebugPrivilege	4184	trys.exe
Token: SeDebugPrivilege	4184	trys.exe
Token: SeDebugPrivilege	4184	trys.exe
Token: SeDebugPrivilege	4184	trys.exe
Token: SeDebugPrivilege	4184	trys.exe
Token: SeDebugPrivilege	4184	trys.exe
Token: SeDebugPrivilege	4184	trys.exe
Token: SeDebugPrivilege	4184	trys.exe
Token: SeDebugPrivilege	4184	trys.exe
Token: SeDebugPrivilege	4184	trys.exe
Token: SeDebugPrivilege	4184	trys.exe
Token: SeDebugPrivilege	4184	trys.exe
Token: SeDebugPrivilege	4184	trys.exe
Token: SeDebugPrivilege	4184	trys.exe
Token: SeDebugPrivilege	4184	trys.exe
Token: SeDebugPrivilege	4184	trys.exe
Token: SeDebugPrivilege	4184	trys.exe
Token: SeDebugPrivilege	4184	trys.exe
Token: SeDebugPrivilege	4184	trys.exe
Token: SeDebugPrivilege	4184	trys.exe
Token: SeDebugPrivilege	4184	trys.exe
Token: SeDebugPrivilege	4184	trys.exe
Token: SeDebugPrivilege	4184	trys.exe
Token: SeDebugPrivilege	4184	trys.exe
Token: SeDebugPrivilege	4184	trys.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
3672	b04badb7457a228a695578b858cb7b24ed2968ab818f6a3edc9ed55e0786738c.exe
2100	b04badb7457a228a695578b858cb7b24ed2968ab818f6a3edc9ed55e0786738c.exe
3216	trys.exe
3216	trys.exe
4184	trys.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 3672 wrote to memory of 2100	3672	b04badb7457a228a695578b858cb7b24ed2968ab818f6a3edc9ed55e0786738c.exe	80
PID 3672 wrote to memory of 2100	3672	b04badb7457a228a695578b858cb7b24ed2968ab818f6a3edc9ed55e0786738c.exe	80
PID 3672 wrote to memory of 2100	3672	b04badb7457a228a695578b858cb7b24ed2968ab818f6a3edc9ed55e0786738c.exe	80
PID 3672 wrote to memory of 2100	3672	b04badb7457a228a695578b858cb7b24ed2968ab818f6a3edc9ed55e0786738c.exe	80
PID 3672 wrote to memory of 2100	3672	b04badb7457a228a695578b858cb7b24ed2968ab818f6a3edc9ed55e0786738c.exe	80
PID 3672 wrote to memory of 2100	3672	b04badb7457a228a695578b858cb7b24ed2968ab818f6a3edc9ed55e0786738c.exe	80
PID 3672 wrote to memory of 2100	3672	b04badb7457a228a695578b858cb7b24ed2968ab818f6a3edc9ed55e0786738c.exe	80
PID 3672 wrote to memory of 2100	3672	b04badb7457a228a695578b858cb7b24ed2968ab818f6a3edc9ed55e0786738c.exe	80
PID 2100 wrote to memory of 3604	2100	b04badb7457a228a695578b858cb7b24ed2968ab818f6a3edc9ed55e0786738c.exe	81
PID 2100 wrote to memory of 3604	2100	b04badb7457a228a695578b858cb7b24ed2968ab818f6a3edc9ed55e0786738c.exe	81
PID 2100 wrote to memory of 3604	2100	b04badb7457a228a695578b858cb7b24ed2968ab818f6a3edc9ed55e0786738c.exe	81
PID 3604 wrote to memory of 4964	3604	cmd.exe	84
PID 3604 wrote to memory of 4964	3604	cmd.exe	84
PID 3604 wrote to memory of 4964	3604	cmd.exe	84
PID 2100 wrote to memory of 3216	2100	b04badb7457a228a695578b858cb7b24ed2968ab818f6a3edc9ed55e0786738c.exe	85
PID 2100 wrote to memory of 3216	2100	b04badb7457a228a695578b858cb7b24ed2968ab818f6a3edc9ed55e0786738c.exe	85
PID 2100 wrote to memory of 3216	2100	b04badb7457a228a695578b858cb7b24ed2968ab818f6a3edc9ed55e0786738c.exe	85
PID 3216 wrote to memory of 4184	3216	trys.exe	86
PID 3216 wrote to memory of 4184	3216	trys.exe	86
PID 3216 wrote to memory of 4184	3216	trys.exe	86
PID 3216 wrote to memory of 4184	3216	trys.exe	86
PID 3216 wrote to memory of 4184	3216	trys.exe	86
PID 3216 wrote to memory of 4184	3216	trys.exe	86
PID 3216 wrote to memory of 4184	3216	trys.exe	86
PID 3216 wrote to memory of 4184	3216	trys.exe	86
PID 3216 wrote to memory of 5104	3216	trys.exe	87
PID 3216 wrote to memory of 5104	3216	trys.exe	87
PID 3216 wrote to memory of 5104	3216	trys.exe	87
PID 3216 wrote to memory of 5104	3216	trys.exe	87
PID 3216 wrote to memory of 5104	3216	trys.exe	87
PID 3216 wrote to memory of 5104	3216	trys.exe	87
PID 3216 wrote to memory of 5104	3216	trys.exe	87
PID 3216 wrote to memory of 5104	3216	trys.exe	87

C:\Users\Admin\AppData\Local\Temp\b04badb7457a228a695578b858cb7b24ed2968ab818f6a3edc9ed55e0786738c.exe
"C:\Users\Admin\AppData\Local\Temp\b04badb7457a228a695578b858cb7b24ed2968ab818f6a3edc9ed55e0786738c.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3672
- C:\Users\Admin\AppData\Local\Temp\b04badb7457a228a695578b858cb7b24ed2968ab818f6a3edc9ed55e0786738c.exe
  "C:\Users\Admin\AppData\Local\Temp\b04badb7457a228a695578b858cb7b24ed2968ab818f6a3edc9ed55e0786738c.exe"
  2⤵
  - Checks computer location settings
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2100
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QDHDB.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3604
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Ineter Mc" /t REG_SZ /d "C:\Windows\trys.exe" /f
      4⤵
      Adds Run key to start application
      PID:4964
- - C:\Windows\trys.exe
    "C:\Windows\trys.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3216
  - - C:\Windows\trys.exe
      "C:\Windows\trys.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:4184
  - - C:\Windows\trys.exe
      "C:\Windows\trys.exe"
      4⤵
      Executes dropped EXE
      PID:5104

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\QDHDB.bat

Filesize
115B

MD5
721f40b829b989f3ed90feba41b75b51

SHA1
0bc3e723b65a94c6ffbb8e0b32c9aaa24d10fefd

SHA256
641cbc8ccc1d7ffe1030ff40ea930cad57a855c5fa275bff57745b62d4545a15

SHA512
d11fa35712baa83380b1515242d85c1ce84ade1bd3e62144906b40c6e2d42c748d7813faaf05e5514048be3ae47fb29986e0a808c93eabf7128f31300c4d972f

Download Submit
C:\Windows\trys.exe

Filesize
134KB

MD5
ad81bc3cd59b9e9aea316f2b72efc8e5

SHA1
4c1c91832416c98603de17b15d79b3306823e46a

SHA256
16ef9cded0de5ad4bcb60e51cbda1013d60e56c0b3f99e9f17e0e14e2e5a3ada

SHA512
9d561785f38de1de5a909f6b47af525a13eeb95d37f1fdae537b8e5fca1dc318b7a3949fb03d7ec933f659ecd69257e04134ca3a91eed126d20c2dfeac276d3f

Download Submit
C:\Windows\trys.exe

Filesize
134KB

MD5
ad81bc3cd59b9e9aea316f2b72efc8e5

SHA1
4c1c91832416c98603de17b15d79b3306823e46a

SHA256
16ef9cded0de5ad4bcb60e51cbda1013d60e56c0b3f99e9f17e0e14e2e5a3ada

SHA512
9d561785f38de1de5a909f6b47af525a13eeb95d37f1fdae537b8e5fca1dc318b7a3949fb03d7ec933f659ecd69257e04134ca3a91eed126d20c2dfeac276d3f

Download Submit
C:\Windows\trys.exe

Filesize
134KB

MD5
ad81bc3cd59b9e9aea316f2b72efc8e5

SHA1
4c1c91832416c98603de17b15d79b3306823e46a

SHA256
16ef9cded0de5ad4bcb60e51cbda1013d60e56c0b3f99e9f17e0e14e2e5a3ada

SHA512
9d561785f38de1de5a909f6b47af525a13eeb95d37f1fdae537b8e5fca1dc318b7a3949fb03d7ec933f659ecd69257e04134ca3a91eed126d20c2dfeac276d3f

Download Submit
C:\Windows\trys.exe

Filesize
134KB

MD5
ad81bc3cd59b9e9aea316f2b72efc8e5

SHA1
4c1c91832416c98603de17b15d79b3306823e46a

SHA256
16ef9cded0de5ad4bcb60e51cbda1013d60e56c0b3f99e9f17e0e14e2e5a3ada

SHA512
9d561785f38de1de5a909f6b47af525a13eeb95d37f1fdae537b8e5fca1dc318b7a3949fb03d7ec933f659ecd69257e04134ca3a91eed126d20c2dfeac276d3f

Download Submit
memory/2100-135-0x0000000000000000-mapping.dmp

Download
memory/2100-136-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2100-138-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2100-140-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2100-166-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3216-162-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/3216-146-0x0000000000000000-mapping.dmp

Download
memory/3216-151-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/3604-143-0x0000000000000000-mapping.dmp

Download
memory/3672-139-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/3672-132-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/4184-152-0x0000000000000000-mapping.dmp

Download
memory/4184-171-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4184-170-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4964-145-0x0000000000000000-mapping.dmp

Download
memory/5104-165-0x0000000013140000-0x0000000013162000-memory.dmp

Filesize
136KB

Download
memory/5104-163-0x0000000013140000-0x0000000013162000-memory.dmp

Filesize
136KB

Download
memory/5104-168-0x0000000013140000-0x0000000013162000-memory.dmp

Filesize
136KB

Download
memory/5104-169-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/5104-157-0x0000000013140000-0x0000000013162000-memory.dmp

Filesize
136KB

Download
memory/5104-156-0x0000000000000000-mapping.dmp

Download
memory/5104-172-0x0000000013140000-0x0000000013162000-memory.dmp

Filesize
136KB

Download