708a9483a0ded64e0bf39e3698eca4eb3ab681dc13296a0c352ab1b244c288c6

Analysis

max time kernel
152s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
07-11-2022 06:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Trojan-Ransom.Win32.Blocker.exe
Size

971KB
MD5

7d89eba198b02d7060602fde3a1457a0
SHA1

b96fddf85dd0fc210e8df6bbd18cab8b3742c0c4
SHA256

708a9483a0ded64e0bf39e3698eca4eb3ab681dc13296a0c352ab1b244c288c6
SHA512

2d855b4b7f4361128557c79dbca7caab89c9f635027ff9c7c4cb698242b155103aee37443e42bb87e238437b3fa0f1a26ccdf1300edc1b237b452913357b87d9
SSDEEP

24576:6czJqVSFrhjmiE/DlSlPhMFQn7H7z84MMAJyzeV:6cMghSi0EcUDE4mAO

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 17 IoCs

pid	Process
1360	server_et.exe
860	UOSU.exe
2876	mservice32_t.exe
4128	server_et.exe
1976	UOSU.exe
4964	server_et.exe
2324	UOSU.exe
3828	server_et.exe
4256	UOSU.exe
4368	server_et.exe
3756	UOSU.exe
3432	server_et.exe
3088	UOSU.exe
3912	server_et.exe
4048	UOSU.exe
3944	server_et.exe
2708	UOSU.exe

Checks computer location settings 2 TTPs 8 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	UOSU.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	UOSU.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	UOSU.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	UOSU.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	UOSU.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	UOSU.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	Trojan-Ransom.Win32.Blocker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	UOSU.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	mservice32_t.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Update	mservice32_t.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\UpdateT = "C:\\Users\\Admin\\AppData\\Roaming\\mservice32_t.exe"	mservice32_t.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 51 IoCs

description	pid	Process	procid_target
PID 1928 wrote to memory of 1360	1928	Trojan-Ransom.Win32.Blocker.exe	81
PID 1928 wrote to memory of 1360	1928	Trojan-Ransom.Win32.Blocker.exe	81
PID 1928 wrote to memory of 1360	1928	Trojan-Ransom.Win32.Blocker.exe	81
PID 1928 wrote to memory of 860	1928	Trojan-Ransom.Win32.Blocker.exe	82
PID 1928 wrote to memory of 860	1928	Trojan-Ransom.Win32.Blocker.exe	82
PID 1928 wrote to memory of 860	1928	Trojan-Ransom.Win32.Blocker.exe	82
PID 1360 wrote to memory of 2876	1360	server_et.exe	83
PID 1360 wrote to memory of 2876	1360	server_et.exe	83
PID 1360 wrote to memory of 2876	1360	server_et.exe	83
PID 860 wrote to memory of 4128	860	UOSU.exe	84
PID 860 wrote to memory of 4128	860	UOSU.exe	84
PID 860 wrote to memory of 4128	860	UOSU.exe	84
PID 860 wrote to memory of 1976	860	UOSU.exe	85
PID 860 wrote to memory of 1976	860	UOSU.exe	85
PID 860 wrote to memory of 1976	860	UOSU.exe	85
PID 1976 wrote to memory of 4964	1976	UOSU.exe	86
PID 1976 wrote to memory of 4964	1976	UOSU.exe	86
PID 1976 wrote to memory of 4964	1976	UOSU.exe	86
PID 1976 wrote to memory of 2324	1976	UOSU.exe	87
PID 1976 wrote to memory of 2324	1976	UOSU.exe	87
PID 1976 wrote to memory of 2324	1976	UOSU.exe	87
PID 2324 wrote to memory of 3828	2324	UOSU.exe	88
PID 2324 wrote to memory of 3828	2324	UOSU.exe	88
PID 2324 wrote to memory of 3828	2324	UOSU.exe	88
PID 2324 wrote to memory of 4256	2324	UOSU.exe	89
PID 2324 wrote to memory of 4256	2324	UOSU.exe	89
PID 2324 wrote to memory of 4256	2324	UOSU.exe	89
PID 4256 wrote to memory of 4368	4256	UOSU.exe	90
PID 4256 wrote to memory of 4368	4256	UOSU.exe	90
PID 4256 wrote to memory of 4368	4256	UOSU.exe	90
PID 4256 wrote to memory of 3756	4256	UOSU.exe	91
PID 4256 wrote to memory of 3756	4256	UOSU.exe	91
PID 4256 wrote to memory of 3756	4256	UOSU.exe	91
PID 3756 wrote to memory of 3432	3756	UOSU.exe	92
PID 3756 wrote to memory of 3432	3756	UOSU.exe	92
PID 3756 wrote to memory of 3432	3756	UOSU.exe	92
PID 3756 wrote to memory of 3088	3756	UOSU.exe	93
PID 3756 wrote to memory of 3088	3756	UOSU.exe	93
PID 3756 wrote to memory of 3088	3756	UOSU.exe	93
PID 3088 wrote to memory of 3912	3088	UOSU.exe	94
PID 3088 wrote to memory of 3912	3088	UOSU.exe	94
PID 3088 wrote to memory of 3912	3088	UOSU.exe	94
PID 3088 wrote to memory of 4048	3088	UOSU.exe	95
PID 3088 wrote to memory of 4048	3088	UOSU.exe	95
PID 3088 wrote to memory of 4048	3088	UOSU.exe	95
PID 4048 wrote to memory of 3944	4048	UOSU.exe	96
PID 4048 wrote to memory of 3944	4048	UOSU.exe	96
PID 4048 wrote to memory of 3944	4048	UOSU.exe	96
PID 4048 wrote to memory of 2708	4048	UOSU.exe	97
PID 4048 wrote to memory of 2708	4048	UOSU.exe	97
PID 4048 wrote to memory of 2708	4048	UOSU.exe	97

C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Blocker.exe
"C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Blocker.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1928
- C:\Users\Admin\AppData\Local\Temp\server_et.exe
  "C:\Users\Admin\AppData\Local\Temp\server_et.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1360
- - C:\Users\Admin\AppData\Roaming\mservice32_t.exe
    "C:\Users\Admin\AppData\Roaming\mservice32_t.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    PID:2876
- C:\Users\Admin\AppData\Local\Temp\UOSU.exe
  "C:\Users\Admin\AppData\Local\Temp\UOSU.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:860
- - C:\Users\Admin\AppData\Local\Temp\server_et.exe
    "C:\Users\Admin\AppData\Local\Temp\server_et.exe"
    3⤵
    - Executes dropped EXE
    PID:4128
- - C:\Users\Admin\AppData\Local\Temp\UOSU.exe
    "C:\Users\Admin\AppData\Local\Temp\UOSU.exe"
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:1976
  - - C:\Users\Admin\AppData\Local\Temp\server_et.exe
      "C:\Users\Admin\AppData\Local\Temp\server_et.exe"
      4⤵
      Executes dropped EXE
      PID:4964
  - - C:\Users\Admin\AppData\Local\Temp\UOSU.exe
      "C:\Users\Admin\AppData\Local\Temp\UOSU.exe"
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Suspicious use of WriteProcessMemory
      PID:2324
    - - C:\Users\Admin\AppData\Local\Temp\server_et.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server_et.exe"
        5⤵
        Executes dropped EXE
        
        PID:3828
    - - C:\Users\Admin\AppData\Local\Temp\UOSU.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UOSU.exe"
        5⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:4256
      - C:\Users\Admin\AppData\Local\Temp\server_et.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server_et.exe"
        6⤵
        Executes dropped EXE
        
        PID:4368
      - C:\Users\Admin\AppData\Local\Temp\UOSU.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UOSU.exe"
        6⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:3756
        
        C:\Users\Admin\AppData\Local\Temp\server_et.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server_et.exe"
        7⤵
        Executes dropped EXE
        
        PID:3432
        
        C:\Users\Admin\AppData\Local\Temp\UOSU.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UOSU.exe"
        7⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:3088
        
        C:\Users\Admin\AppData\Local\Temp\server_et.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server_et.exe"
        8⤵
        Executes dropped EXE
        
        PID:3912
        
        C:\Users\Admin\AppData\Local\Temp\UOSU.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UOSU.exe"
        8⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:4048
        
        C:\Users\Admin\AppData\Local\Temp\server_et.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server_et.exe"
        9⤵
        Executes dropped EXE
        
        PID:3944
        
        C:\Users\Admin\AppData\Local\Temp\UOSU.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UOSU.exe"
        9⤵
        Executes dropped EXE
        
        PID:2708

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\UOSU.exe

Filesize
598KB

MD5
4aa0357c0a3240a55aec3ca32c491dcf

SHA1
ce83c6b5efdbd342bbfd1ba3c73c014124b540da

SHA256
66e18dd5a665dbf57624150a88af9e187fc0112b25c0606905c5ba6236417271

SHA512
ad02568548f140fb501551dfc267d54a75d5f909800a2fc0de0de585d7ab41a4fc91f99bab2f9d2596ebc6b6afa302dcd54d8fe55d24385832917e78fba281af

Download Submit
C:\Users\Admin\AppData\Local\Temp\UOSU.exe

Filesize
598KB

MD5
4aa0357c0a3240a55aec3ca32c491dcf

SHA1
ce83c6b5efdbd342bbfd1ba3c73c014124b540da

SHA256
66e18dd5a665dbf57624150a88af9e187fc0112b25c0606905c5ba6236417271

SHA512
ad02568548f140fb501551dfc267d54a75d5f909800a2fc0de0de585d7ab41a4fc91f99bab2f9d2596ebc6b6afa302dcd54d8fe55d24385832917e78fba281af

Download Submit
C:\Users\Admin\AppData\Local\Temp\UOSU.exe

Filesize
598KB

MD5
4aa0357c0a3240a55aec3ca32c491dcf

SHA1
ce83c6b5efdbd342bbfd1ba3c73c014124b540da

SHA256
66e18dd5a665dbf57624150a88af9e187fc0112b25c0606905c5ba6236417271

SHA512
ad02568548f140fb501551dfc267d54a75d5f909800a2fc0de0de585d7ab41a4fc91f99bab2f9d2596ebc6b6afa302dcd54d8fe55d24385832917e78fba281af

Download Submit
C:\Users\Admin\AppData\Local\Temp\UOSU.exe

Filesize
598KB

MD5
4aa0357c0a3240a55aec3ca32c491dcf

SHA1
ce83c6b5efdbd342bbfd1ba3c73c014124b540da

SHA256
66e18dd5a665dbf57624150a88af9e187fc0112b25c0606905c5ba6236417271

SHA512
ad02568548f140fb501551dfc267d54a75d5f909800a2fc0de0de585d7ab41a4fc91f99bab2f9d2596ebc6b6afa302dcd54d8fe55d24385832917e78fba281af

Download Submit
C:\Users\Admin\AppData\Local\Temp\UOSU.exe

Filesize
598KB

MD5
4aa0357c0a3240a55aec3ca32c491dcf

SHA1
ce83c6b5efdbd342bbfd1ba3c73c014124b540da

SHA256
66e18dd5a665dbf57624150a88af9e187fc0112b25c0606905c5ba6236417271

SHA512
ad02568548f140fb501551dfc267d54a75d5f909800a2fc0de0de585d7ab41a4fc91f99bab2f9d2596ebc6b6afa302dcd54d8fe55d24385832917e78fba281af

Download Submit
C:\Users\Admin\AppData\Local\Temp\UOSU.exe

Filesize
598KB

MD5
4aa0357c0a3240a55aec3ca32c491dcf

SHA1
ce83c6b5efdbd342bbfd1ba3c73c014124b540da

SHA256
66e18dd5a665dbf57624150a88af9e187fc0112b25c0606905c5ba6236417271

SHA512
ad02568548f140fb501551dfc267d54a75d5f909800a2fc0de0de585d7ab41a4fc91f99bab2f9d2596ebc6b6afa302dcd54d8fe55d24385832917e78fba281af

Download Submit
C:\Users\Admin\AppData\Local\Temp\UOSU.exe

Filesize
598KB

MD5
4aa0357c0a3240a55aec3ca32c491dcf

SHA1
ce83c6b5efdbd342bbfd1ba3c73c014124b540da

SHA256
66e18dd5a665dbf57624150a88af9e187fc0112b25c0606905c5ba6236417271

SHA512
ad02568548f140fb501551dfc267d54a75d5f909800a2fc0de0de585d7ab41a4fc91f99bab2f9d2596ebc6b6afa302dcd54d8fe55d24385832917e78fba281af

Download Submit
C:\Users\Admin\AppData\Local\Temp\UOSU.exe

Filesize
598KB

MD5
4aa0357c0a3240a55aec3ca32c491dcf

SHA1
ce83c6b5efdbd342bbfd1ba3c73c014124b540da

SHA256
66e18dd5a665dbf57624150a88af9e187fc0112b25c0606905c5ba6236417271

SHA512
ad02568548f140fb501551dfc267d54a75d5f909800a2fc0de0de585d7ab41a4fc91f99bab2f9d2596ebc6b6afa302dcd54d8fe55d24385832917e78fba281af

Download Submit
C:\Users\Admin\AppData\Local\Temp\UOSU.exe

Filesize
598KB

MD5
4aa0357c0a3240a55aec3ca32c491dcf

SHA1
ce83c6b5efdbd342bbfd1ba3c73c014124b540da

SHA256
66e18dd5a665dbf57624150a88af9e187fc0112b25c0606905c5ba6236417271

SHA512
ad02568548f140fb501551dfc267d54a75d5f909800a2fc0de0de585d7ab41a4fc91f99bab2f9d2596ebc6b6afa302dcd54d8fe55d24385832917e78fba281af

Download Submit
C:\Users\Admin\AppData\Local\Temp\server_et.exe

Filesize
903KB

MD5
194b1a87dbfdc2d58c28b5279ab5c715

SHA1
8c642507ca2bc0a01109e1cdf74c09ccf16c1910

SHA256
d9235b91b84dcf8a26393c68b53d15c6782ad14c95c6933c9e1e1edbe0d15742

SHA512
9fb18426c8dc3d0edf71478a194e83f3ac47e2e989457503b04ad577aa295d46d181da836883b2d8c0488f5ce40c9bdf55bc860288d49af08c19f337f7065207

Download Submit
C:\Users\Admin\AppData\Local\Temp\server_et.exe

Filesize
903KB

MD5
194b1a87dbfdc2d58c28b5279ab5c715

SHA1
8c642507ca2bc0a01109e1cdf74c09ccf16c1910

SHA256
d9235b91b84dcf8a26393c68b53d15c6782ad14c95c6933c9e1e1edbe0d15742

SHA512
9fb18426c8dc3d0edf71478a194e83f3ac47e2e989457503b04ad577aa295d46d181da836883b2d8c0488f5ce40c9bdf55bc860288d49af08c19f337f7065207

Download Submit
C:\Users\Admin\AppData\Local\Temp\server_et.exe

Filesize
903KB

MD5
194b1a87dbfdc2d58c28b5279ab5c715

SHA1
8c642507ca2bc0a01109e1cdf74c09ccf16c1910

SHA256
d9235b91b84dcf8a26393c68b53d15c6782ad14c95c6933c9e1e1edbe0d15742

SHA512
9fb18426c8dc3d0edf71478a194e83f3ac47e2e989457503b04ad577aa295d46d181da836883b2d8c0488f5ce40c9bdf55bc860288d49af08c19f337f7065207

Download Submit
C:\Users\Admin\AppData\Local\Temp\server_et.exe

Filesize
903KB

MD5
194b1a87dbfdc2d58c28b5279ab5c715

SHA1
8c642507ca2bc0a01109e1cdf74c09ccf16c1910

SHA256
d9235b91b84dcf8a26393c68b53d15c6782ad14c95c6933c9e1e1edbe0d15742

SHA512
9fb18426c8dc3d0edf71478a194e83f3ac47e2e989457503b04ad577aa295d46d181da836883b2d8c0488f5ce40c9bdf55bc860288d49af08c19f337f7065207

Download Submit
C:\Users\Admin\AppData\Local\Temp\server_et.exe

Filesize
903KB

MD5
194b1a87dbfdc2d58c28b5279ab5c715

SHA1
8c642507ca2bc0a01109e1cdf74c09ccf16c1910

SHA256
d9235b91b84dcf8a26393c68b53d15c6782ad14c95c6933c9e1e1edbe0d15742

SHA512
9fb18426c8dc3d0edf71478a194e83f3ac47e2e989457503b04ad577aa295d46d181da836883b2d8c0488f5ce40c9bdf55bc860288d49af08c19f337f7065207

Download Submit
C:\Users\Admin\AppData\Local\Temp\server_et.exe

Filesize
903KB

MD5
194b1a87dbfdc2d58c28b5279ab5c715

SHA1
8c642507ca2bc0a01109e1cdf74c09ccf16c1910

SHA256
d9235b91b84dcf8a26393c68b53d15c6782ad14c95c6933c9e1e1edbe0d15742

SHA512
9fb18426c8dc3d0edf71478a194e83f3ac47e2e989457503b04ad577aa295d46d181da836883b2d8c0488f5ce40c9bdf55bc860288d49af08c19f337f7065207

Download Submit
C:\Users\Admin\AppData\Local\Temp\server_et.exe

Filesize
903KB

MD5
194b1a87dbfdc2d58c28b5279ab5c715

SHA1
8c642507ca2bc0a01109e1cdf74c09ccf16c1910

SHA256
d9235b91b84dcf8a26393c68b53d15c6782ad14c95c6933c9e1e1edbe0d15742

SHA512
9fb18426c8dc3d0edf71478a194e83f3ac47e2e989457503b04ad577aa295d46d181da836883b2d8c0488f5ce40c9bdf55bc860288d49af08c19f337f7065207

Download Submit
C:\Users\Admin\AppData\Local\Temp\server_et.exe

Filesize
903KB

MD5
194b1a87dbfdc2d58c28b5279ab5c715

SHA1
8c642507ca2bc0a01109e1cdf74c09ccf16c1910

SHA256
d9235b91b84dcf8a26393c68b53d15c6782ad14c95c6933c9e1e1edbe0d15742

SHA512
9fb18426c8dc3d0edf71478a194e83f3ac47e2e989457503b04ad577aa295d46d181da836883b2d8c0488f5ce40c9bdf55bc860288d49af08c19f337f7065207

Download Submit
C:\Users\Admin\AppData\Local\Temp\server_et.exe

Filesize
903KB

MD5
194b1a87dbfdc2d58c28b5279ab5c715

SHA1
8c642507ca2bc0a01109e1cdf74c09ccf16c1910

SHA256
d9235b91b84dcf8a26393c68b53d15c6782ad14c95c6933c9e1e1edbe0d15742

SHA512
9fb18426c8dc3d0edf71478a194e83f3ac47e2e989457503b04ad577aa295d46d181da836883b2d8c0488f5ce40c9bdf55bc860288d49af08c19f337f7065207

Download Submit
C:\Users\Admin\AppData\Roaming\mservice32_t.exe

Filesize
903KB

MD5
194b1a87dbfdc2d58c28b5279ab5c715

SHA1
8c642507ca2bc0a01109e1cdf74c09ccf16c1910

SHA256
d9235b91b84dcf8a26393c68b53d15c6782ad14c95c6933c9e1e1edbe0d15742

SHA512
9fb18426c8dc3d0edf71478a194e83f3ac47e2e989457503b04ad577aa295d46d181da836883b2d8c0488f5ce40c9bdf55bc860288d49af08c19f337f7065207

Download Submit
C:\Users\Admin\AppData\Roaming\mservice32_t.exe

Filesize
903KB

MD5
194b1a87dbfdc2d58c28b5279ab5c715

SHA1
8c642507ca2bc0a01109e1cdf74c09ccf16c1910

SHA256
d9235b91b84dcf8a26393c68b53d15c6782ad14c95c6933c9e1e1edbe0d15742

SHA512
9fb18426c8dc3d0edf71478a194e83f3ac47e2e989457503b04ad577aa295d46d181da836883b2d8c0488f5ce40c9bdf55bc860288d49af08c19f337f7065207

Download Submit