f489c4ec8f3b5a4e165d84d5b249eddb04054ad96628ef0867ae992309b435a4

Analysis

max time kernel
159s
max time network
164s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
21-11-2022 15:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f489c4ec8f3b5a4e165d84d5b249eddb04054ad96628ef0867ae992309b435a4.exe
Size

148KB
MD5

00f2500cb259f8bc1f00106a970846a0
SHA1

bbc91326fa035822a1c806f989fbf89ea6655b9c
SHA256

f489c4ec8f3b5a4e165d84d5b249eddb04054ad96628ef0867ae992309b435a4
SHA512

239ef5290636549bd379f4c363f38a800b3c547c2ae96322b678f5e56e5ab34de3f2072bfe4805d25e2bc2365ab9cf8e297405eea8f19b4a123badc1d64ff703
SSDEEP

1536:Cwsw9ukAf70iXoLSMwa0JKHRpsjmH/78vP+1H5A6jYHHwBj:/swXFiXoLSZJ8sjo8+1Hq6V

Score

8^/10

evasion persistence

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
17	4232	Rundll32.exe

Executes dropped EXE 2 IoCs

pid	Process
1588	system.exe
3600	f489c4ec8f3b5a4e165d84d5b249eddb04054ad96628ef0867ae992309b435a4.exe

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	Rundll32.exe

Loads dropped DLL 3 IoCs

pid	Process
4160	Rundll32.exe
4232	Rundll32.exe
4232	Rundll32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\system = "C:\\Windows\\system32\\system.exe"	Rundll32.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	Rundll32.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\system.exe	f489c4ec8f3b5a4e165d84d5b249eddb04054ad96628ef0867ae992309b435a4.exe
File created	C:\Windows\SysWOW64\krefhfaa.dll	system.exe
File created	C:\Windows\SysWOW64\mwqghfaa.dll	system.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\KAV\CDriver.sys	Rundll32.exe

Launches sc.exe 3 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3336	sc.exe
4896	sc.exe
4292	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4160	Rundll32.exe
4160	Rundll32.exe
4160	Rundll32.exe
4160	Rundll32.exe
4160	Rundll32.exe
4160	Rundll32.exe
4160	Rundll32.exe
4160	Rundll32.exe
4160	Rundll32.exe
4160	Rundll32.exe
4232	Rundll32.exe
4232	Rundll32.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
648	Process not Found

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1548	f489c4ec8f3b5a4e165d84d5b249eddb04054ad96628ef0867ae992309b435a4.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 1548 wrote to memory of 1588	1548	f489c4ec8f3b5a4e165d84d5b249eddb04054ad96628ef0867ae992309b435a4.exe	83
PID 1548 wrote to memory of 1588	1548	f489c4ec8f3b5a4e165d84d5b249eddb04054ad96628ef0867ae992309b435a4.exe	83
PID 1548 wrote to memory of 1588	1548	f489c4ec8f3b5a4e165d84d5b249eddb04054ad96628ef0867ae992309b435a4.exe	83
PID 1588 wrote to memory of 4160	1588	system.exe	84
PID 1588 wrote to memory of 4160	1588	system.exe	84
PID 1588 wrote to memory of 4160	1588	system.exe	84
PID 4160 wrote to memory of 4392	4160	Rundll32.exe	85
PID 4160 wrote to memory of 4392	4160	Rundll32.exe	85
PID 4160 wrote to memory of 4392	4160	Rundll32.exe	85
PID 4160 wrote to memory of 2624	4160	Rundll32.exe	87
PID 4160 wrote to memory of 2624	4160	Rundll32.exe	87
PID 4160 wrote to memory of 2624	4160	Rundll32.exe	87
PID 4160 wrote to memory of 3336	4160	Rundll32.exe	88
PID 4160 wrote to memory of 3336	4160	Rundll32.exe	88
PID 4160 wrote to memory of 3336	4160	Rundll32.exe	88
PID 4160 wrote to memory of 4896	4160	Rundll32.exe	89
PID 4160 wrote to memory of 4896	4160	Rundll32.exe	89
PID 4160 wrote to memory of 4896	4160	Rundll32.exe	89
PID 2624 wrote to memory of 4192	2624	net.exe	94
PID 2624 wrote to memory of 4192	2624	net.exe	94
PID 2624 wrote to memory of 4192	2624	net.exe	94
PID 4392 wrote to memory of 744	4392	net.exe	95
PID 4392 wrote to memory of 744	4392	net.exe	95
PID 4392 wrote to memory of 744	4392	net.exe	95
PID 4160 wrote to memory of 4292	4160	Rundll32.exe	96
PID 4160 wrote to memory of 4292	4160	Rundll32.exe	96
PID 4160 wrote to memory of 4292	4160	Rundll32.exe	96
PID 1588 wrote to memory of 4232	1588	system.exe	98
PID 1588 wrote to memory of 4232	1588	system.exe	98
PID 1588 wrote to memory of 4232	1588	system.exe	98
PID 1548 wrote to memory of 3600	1548	f489c4ec8f3b5a4e165d84d5b249eddb04054ad96628ef0867ae992309b435a4.exe	99
PID 1548 wrote to memory of 3600	1548	f489c4ec8f3b5a4e165d84d5b249eddb04054ad96628ef0867ae992309b435a4.exe	99
PID 1548 wrote to memory of 3600	1548	f489c4ec8f3b5a4e165d84d5b249eddb04054ad96628ef0867ae992309b435a4.exe	99

C:\Users\Admin\AppData\Local\Temp\f489c4ec8f3b5a4e165d84d5b249eddb04054ad96628ef0867ae992309b435a4.exe
"C:\Users\Admin\AppData\Local\Temp\f489c4ec8f3b5a4e165d84d5b249eddb04054ad96628ef0867ae992309b435a4.exe"
1⤵
- Drops file in System32 directory
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1548
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1588
- - C:\Windows\SysWOW64\Rundll32.exe
    Rundll32 C:\Windows\system32\krefhfaa.dll Exucute
    3⤵
    - Checks computer location settings
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4160
  - - C:\Windows\SysWOW64\net.exe
      net stop WinDefend
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4392
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop WinDefend
        5⤵
        
        PID:744
  - - C:\Windows\SysWOW64\net.exe
      net stop MpsSvc
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2624
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MpsSvc
        5⤵
        
        PID:4192
  - - C:\Windows\SysWOW64\sc.exe
      sc config WinDefend start= disabled
      4⤵
      Launches sc.exe
      PID:3336
  - - C:\Windows\SysWOW64\sc.exe
      sc config MpsSvc start= disabled
      4⤵
      Launches sc.exe
      PID:4896
  - - C:\Windows\SysWOW64\sc.exe
      "C:\Windows\System32\sc.exe" stop PolicyAgent
      4⤵
      Launches sc.exe
      PID:4292
- - C:\Windows\SysWOW64\Rundll32.exe
    Rundll32 C:\Windows\system32\mwqghfaa.dll Exucute
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Adds Run key to start application
    - Enumerates connected drives
    - Suspicious behavior: EnumeratesProcesses
    PID:4232
- C:\Users\Admin\AppData\Local\Temp\f489c4ec8f3b5a4e165d84d5b249eddb04054ad96628ef0867ae992309b435a4.exe
  C:\Users\Admin\AppData\Local\Temp\f489c4ec8f3b5a4e165d84d5b249eddb04054ad96628ef0867ae992309b435a4.exe
  2⤵
  - Executes dropped EXE
  PID:3600

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\A1D2.tmp

Filesize
4.3MB

MD5
6c7cdd25c2cb0073306eb22aebfc663f

SHA1
a1eba8ab49272b9852fe6a543677e8af36271248

SHA256
58280e3572333f97a7cf9f33e8d31dc26a98b6535965ebd0bde82249fc9bf705

SHA512
17344e07b9e9b2cd6ae4237d7f310732462f9cbb8656883607d7a1a4090e869265f92a6da1718dee50b1375b91583de60c6bd9e7e8db6b6e45e33f4b894365d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\f489c4ec8f3b5a4e165d84d5b249eddb04054ad96628ef0867ae992309b435a4.exe

Filesize
60KB

MD5
8e7ec478235b9f5108562ee5d191f096

SHA1
2cbd80b769557a57615269e303f84c6e9ba89630

SHA256
d7d3e7d5d1aed1f383f4d0e77dcdfd2a29067de796ca8d00d5645316742f498a

SHA512
dd647102290a0257cd7e2de2a7db0e420e92135f5987a8223366842ab43acc10977aa11f2e1348f225c81442e81fff79b1bfbd5359a44bce0ac4131d26be3e08

Download Submit
C:\Windows\SysWOW64\krefhfaa.dll

Filesize
53KB

MD5
5fbcb55c94f117b9d64df40c9b385a33

SHA1
c2e6c9b1109ac23977ed20549fa3a7f59ffda92c

SHA256
2854b5b38500094c11f53830822e73d5cf16851f3ed571dc2042115d915d68ff

SHA512
1532d5ee202fcd6e16a50603311c49d6de89331bb820417a2719c8434c1d7310daf4c9e04f4622d3fad54f67125f5b9e66b694a3b5edf0f651921430debaa595

Download Submit
C:\Windows\SysWOW64\krefhfaa.dll

Filesize
53KB

MD5
5fbcb55c94f117b9d64df40c9b385a33

SHA1
c2e6c9b1109ac23977ed20549fa3a7f59ffda92c

SHA256
2854b5b38500094c11f53830822e73d5cf16851f3ed571dc2042115d915d68ff

SHA512
1532d5ee202fcd6e16a50603311c49d6de89331bb820417a2719c8434c1d7310daf4c9e04f4622d3fad54f67125f5b9e66b694a3b5edf0f651921430debaa595

Download Submit
C:\Windows\SysWOW64\mwqghfaa.dll

Filesize
19KB

MD5
e77741a2c2032085406937008bbbcf43

SHA1
6086429c60798c7ae8bd521e6480c58553088304

SHA256
59261157968e62a963d4a3cd38f117662a7dc4ffbaa78429a1780dc8d13acd09

SHA512
c4b410b7619ae56f9dd550b6c6f3e6276f9ef568dfa884618591e0c2f24c002513b6b44272e518514e34dd78d683aa1ed35f892fa56a8cf3456f1ba1b6f2dbb1

Download Submit
C:\Windows\SysWOW64\mwqghfaa.dll

Filesize
19KB

MD5
e77741a2c2032085406937008bbbcf43

SHA1
6086429c60798c7ae8bd521e6480c58553088304

SHA256
59261157968e62a963d4a3cd38f117662a7dc4ffbaa78429a1780dc8d13acd09

SHA512
c4b410b7619ae56f9dd550b6c6f3e6276f9ef568dfa884618591e0c2f24c002513b6b44272e518514e34dd78d683aa1ed35f892fa56a8cf3456f1ba1b6f2dbb1

Download Submit
C:\Windows\SysWOW64\system.exe

Filesize
77KB

MD5
bb4c48040cc27cead555f61de5361dfe

SHA1
1b224788f3fe0674e02e80d57a1cb9748a5dd4b1

SHA256
b9465bca9e6dc7e4061e33bb0ff4f48da036506ef9478aab42e04ceb80765bae

SHA512
164ba9b3c6860503dce24d6ab2bf4d62c24e6a6cd3f5c77eefff1f85ec5c7dc73f29b2bddcf729b751508ac4da77a637258990e5ac688a3e6f850f2e2eb3536a

Download Submit
C:\Windows\SysWOW64\system.exe

Filesize
77KB

MD5
bb4c48040cc27cead555f61de5361dfe

SHA1
1b224788f3fe0674e02e80d57a1cb9748a5dd4b1

SHA256
b9465bca9e6dc7e4061e33bb0ff4f48da036506ef9478aab42e04ceb80765bae

SHA512
164ba9b3c6860503dce24d6ab2bf4d62c24e6a6cd3f5c77eefff1f85ec5c7dc73f29b2bddcf729b751508ac4da77a637258990e5ac688a3e6f850f2e2eb3536a

Download Submit
memory/1548-141-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download