9da1a60c0e8cc6617bc6914fa90bf872d429f29737c6642dca93e89624d222a3

Analysis

max time kernel
150s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
22/11/2022, 00:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9da1a60c0e8cc6617bc6914fa90bf872d429f29737c6642dca93e89624d222a3.exe
Size

2.5MB
MD5

bf688793e16f1ea4b47485eb4e300732
SHA1

49492aac20acd8aad8653fd51cf32db2d7ed793a
SHA256

9da1a60c0e8cc6617bc6914fa90bf872d429f29737c6642dca93e89624d222a3
SHA512

2faf5f62f5b37c4e297b0e0138827bb513498733e3ba1cab90c5314f370cd9f3871d3a75fc0ec420e46d2dd8f21a7f29c4c32771991e4e9d7b83a4863eafefc9
SSDEEP

49152:FAkTgcnfxMgwMm+UQcBmQHVfgRzFqERllxEUutt8NblIcttRWay+lsIiG0Q5lzQp:CkIgwmUQUmc4ibtOxCct+EhiG0SlS

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\ProgramData\\DownloadSave\\afozrgw.exe"	afozrgw.exe

Executes dropped EXE 4 IoCs

pid	Process
5072	tong1.exe
952	Qplayer.exe
1760	afozrgw.exe
3460	afozrgw.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	9da1a60c0e8cc6617bc6914fa90bf872d429f29737c6642dca93e89624d222a3.exe

Loads dropped DLL 11 IoCs

pid	Process
952	Qplayer.exe
952	Qplayer.exe
952	Qplayer.exe
952	Qplayer.exe
952	Qplayer.exe
952	Qplayer.exe
952	Qplayer.exe
952	Qplayer.exe
952	Qplayer.exe
952	Qplayer.exe
952	Qplayer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 4 IoCs

installer

resource	yara_rule
behavioral2/files/0x0002000000022e30-136.dat	nsis_installer_1
behavioral2/files/0x0002000000022e30-136.dat	nsis_installer_2
behavioral2/files/0x0002000000022e30-138.dat	nsis_installer_1
behavioral2/files/0x0002000000022e30-138.dat	nsis_installer_2

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
952	Qplayer.exe
952	Qplayer.exe
952	Qplayer.exe
952	Qplayer.exe
952	Qplayer.exe
952	Qplayer.exe
952	Qplayer.exe
952	Qplayer.exe
5072	tong1.exe
5072	tong1.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1760	afozrgw.exe
Token: SeIncBasePriorityPrivilege	3460	afozrgw.exe

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
5072	tong1.exe
1760	afozrgw.exe
1760	afozrgw.exe
1760	afozrgw.exe
1760	afozrgw.exe
1760	afozrgw.exe
1760	afozrgw.exe
3460	afozrgw.exe
3460	afozrgw.exe
952	Qplayer.exe
1760	afozrgw.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 5012 wrote to memory of 5072	5012	9da1a60c0e8cc6617bc6914fa90bf872d429f29737c6642dca93e89624d222a3.exe	81
PID 5012 wrote to memory of 5072	5012	9da1a60c0e8cc6617bc6914fa90bf872d429f29737c6642dca93e89624d222a3.exe	81
PID 5012 wrote to memory of 5072	5012	9da1a60c0e8cc6617bc6914fa90bf872d429f29737c6642dca93e89624d222a3.exe	81
PID 5012 wrote to memory of 952	5012	9da1a60c0e8cc6617bc6914fa90bf872d429f29737c6642dca93e89624d222a3.exe	82
PID 5012 wrote to memory of 952	5012	9da1a60c0e8cc6617bc6914fa90bf872d429f29737c6642dca93e89624d222a3.exe	82
PID 5012 wrote to memory of 952	5012	9da1a60c0e8cc6617bc6914fa90bf872d429f29737c6642dca93e89624d222a3.exe	82
PID 5012 wrote to memory of 364	5012	9da1a60c0e8cc6617bc6914fa90bf872d429f29737c6642dca93e89624d222a3.exe	83
PID 5012 wrote to memory of 364	5012	9da1a60c0e8cc6617bc6914fa90bf872d429f29737c6642dca93e89624d222a3.exe	83
PID 5012 wrote to memory of 364	5012	9da1a60c0e8cc6617bc6914fa90bf872d429f29737c6642dca93e89624d222a3.exe	83
PID 5072 wrote to memory of 1760	5072	tong1.exe	85
PID 5072 wrote to memory of 1760	5072	tong1.exe	85
PID 5072 wrote to memory of 1760	5072	tong1.exe	85
PID 1760 wrote to memory of 3460	1760	afozrgw.exe	86
PID 1760 wrote to memory of 3460	1760	afozrgw.exe	86
PID 1760 wrote to memory of 3460	1760	afozrgw.exe	86

C:\Users\Admin\AppData\Local\Temp\9da1a60c0e8cc6617bc6914fa90bf872d429f29737c6642dca93e89624d222a3.exe
"C:\Users\Admin\AppData\Local\Temp\9da1a60c0e8cc6617bc6914fa90bf872d429f29737c6642dca93e89624d222a3.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5012
- C:\Users\Admin\AppData\Local\Temp\tong1.exe
  "C:\Users\Admin\AppData\Local\Temp\tong1.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:5072
- - C:\ProgramData\DownloadSave\afozrgw.exe
    "C:\ProgramData\DownloadSave\afozrgw.exe"
    3⤵
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1760
  - - C:\ProgramData\DownloadSave\ afozrgw.exe
      "C:\ProgramData\DownloadSave\ afozrgw.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:3460
- C:\Users\Admin\AppData\Local\Temp\Qplayer.exe
  "C:\Users\Admin\AppData\Local\Temp\Qplayer.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:952
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~DeL!.bAt
  2⤵
  PID:364

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\DownloadSave\ afozrgw.exe

Filesize
4.1MB

MD5
403c2ee3ffead73fa7dac0849a5b89c6

SHA1
87255e9856f268098ca694f56e1567035722cf83

SHA256
d8f1f1f65390e028b31bfb54fded0b41e82c2ef276342f68761463db15f09aa7

SHA512
2a5ba91364f67d095d736ad5458693297cb2657d19c70a9f996f70874fbaef0b4b22a3322cb496b6b78c7b054e143f540e377dbc59c668d00b3af7e5fc381229

Download Submit
C:\ProgramData\DownloadSave\ afozrgw.exe

Filesize
4.1MB

MD5
403c2ee3ffead73fa7dac0849a5b89c6

SHA1
87255e9856f268098ca694f56e1567035722cf83

SHA256
d8f1f1f65390e028b31bfb54fded0b41e82c2ef276342f68761463db15f09aa7

SHA512
2a5ba91364f67d095d736ad5458693297cb2657d19c70a9f996f70874fbaef0b4b22a3322cb496b6b78c7b054e143f540e377dbc59c668d00b3af7e5fc381229

Download Submit
C:\ProgramData\DownloadSave\RecordPath

Filesize
260B

MD5
50897e4b7b67f3128566afac28861c3c

SHA1
5e5b6ffe57103443a45a44715b503891b81261ba

SHA256
32650e408b7d4bd01c1ea49968bdeca4b851ee729c0c7722532a881412c6f5e1

SHA512
e8eaa04d300cfc1f89ecbd7dbafb4975418b786802450ebcb6639334dea09fe7da93a1b87b30503f413d1e0fc1d565a266b5fa6c2485afa38e4c2ab56ad23bf1

Download Submit
C:\ProgramData\DownloadSave\afozrgw.exe

Filesize
4.1MB

MD5
403c2ee3ffead73fa7dac0849a5b89c6

SHA1
87255e9856f268098ca694f56e1567035722cf83

SHA256
d8f1f1f65390e028b31bfb54fded0b41e82c2ef276342f68761463db15f09aa7

SHA512
2a5ba91364f67d095d736ad5458693297cb2657d19c70a9f996f70874fbaef0b4b22a3322cb496b6b78c7b054e143f540e377dbc59c668d00b3af7e5fc381229

Download Submit
C:\ProgramData\DownloadSave\afozrgw.exe

Filesize
4.1MB

MD5
403c2ee3ffead73fa7dac0849a5b89c6

SHA1
87255e9856f268098ca694f56e1567035722cf83

SHA256
d8f1f1f65390e028b31bfb54fded0b41e82c2ef276342f68761463db15f09aa7

SHA512
2a5ba91364f67d095d736ad5458693297cb2657d19c70a9f996f70874fbaef0b4b22a3322cb496b6b78c7b054e143f540e377dbc59c668d00b3af7e5fc381229

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qplayer.exe

Filesize
2.3MB

MD5
72b446ed938b0d1c16423a12c8cabbef

SHA1
a8fe46e9c80a93e1e1c15ca23f03573cbf425d28

SHA256
f2e87337c1805180cae476de3dbff365d3614e079a4418ab2cdb151d8936812a

SHA512
34fc30bf8791cfaf112ac65f752a34e2ec7b297b8cf1c5f1b32c5090cb537bb5548e84e68480d9265c536ac68d4d2b380da221b28634f7fdf39bb642690db017

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qplayer.exe

Filesize
2.3MB

MD5
72b446ed938b0d1c16423a12c8cabbef

SHA1
a8fe46e9c80a93e1e1c15ca23f03573cbf425d28

SHA256
f2e87337c1805180cae476de3dbff365d3614e079a4418ab2cdb151d8936812a

SHA512
34fc30bf8791cfaf112ac65f752a34e2ec7b297b8cf1c5f1b32c5090cb537bb5548e84e68480d9265c536ac68d4d2b380da221b28634f7fdf39bb642690db017

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsnDB63.tmp\BrandingURL.dll

Filesize
4KB

MD5
71c46b663baa92ad941388d082af97e7

SHA1
5a9fcce065366a526d75cc5ded9aade7cadd6421

SHA256
bb2b9c272b8b66bc1b414675c2acba7afad03fff66a63babee3ee57ed163d19e

SHA512
5965bd3f5369b9a1ed641c479f7b8a14af27700d0c27d482aa8eb62acc42f7b702b5947d82f9791b29bcba4d46e1409244f0a8ddce4ec75022b5e27f6d671bce

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsnDB63.tmp\BrandingURL.dll

Filesize
4KB

MD5
71c46b663baa92ad941388d082af97e7

SHA1
5a9fcce065366a526d75cc5ded9aade7cadd6421

SHA256
bb2b9c272b8b66bc1b414675c2acba7afad03fff66a63babee3ee57ed163d19e

SHA512
5965bd3f5369b9a1ed641c479f7b8a14af27700d0c27d482aa8eb62acc42f7b702b5947d82f9791b29bcba4d46e1409244f0a8ddce4ec75022b5e27f6d671bce

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsnDB63.tmp\ButtonLinker.dll

Filesize
7KB

MD5
dd85ac7d85c92dd0e3cc17dfd4890f54

SHA1
a128fb7a05965c1a9913c6f5e419e6c4c0a7d2fa

SHA256
27abd2a4fb1bf66add60221b52d061bbe24d2d21e13600725ff7a5c6c777b504

SHA512
e4ff8216c65110a9d156f37c2062acb53a72daa8af12dfc24278920d9e1a4083a81b1446759df75405b2da34c7bfb1afc33184feedd0aee4ed73f79fcbb1a8a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsnDB63.tmp\ButtonLinker.dll

Filesize
7KB

MD5
dd85ac7d85c92dd0e3cc17dfd4890f54

SHA1
a128fb7a05965c1a9913c6f5e419e6c4c0a7d2fa

SHA256
27abd2a4fb1bf66add60221b52d061bbe24d2d21e13600725ff7a5c6c777b504

SHA512
e4ff8216c65110a9d156f37c2062acb53a72daa8af12dfc24278920d9e1a4083a81b1446759df75405b2da34c7bfb1afc33184feedd0aee4ed73f79fcbb1a8a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsnDB63.tmp\InstallOptions.dll

Filesize
14KB

MD5
0dc0cc7a6d9db685bf05a7e5f3ea4781

SHA1
5d8b6268eeec9d8d904bc9d988a4b588b392213f

SHA256
8e287326f1cdd5ef2dcd7a72537c68cbe4299ceb1f820707c5820f3aa6d8206c

SHA512
814dd17ebb434f4a3356f716c783ab7f569f9ee34ce5274fa50392526925f044798f8006198ac7afe3d1c2ca83a2ca8c472ca53fec5f12bbfbbe0707abacd6b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsnDB63.tmp\InstallOptions.dll

Filesize
14KB

MD5
0dc0cc7a6d9db685bf05a7e5f3ea4781

SHA1
5d8b6268eeec9d8d904bc9d988a4b588b392213f

SHA256
8e287326f1cdd5ef2dcd7a72537c68cbe4299ceb1f820707c5820f3aa6d8206c

SHA512
814dd17ebb434f4a3356f716c783ab7f569f9ee34ce5274fa50392526925f044798f8006198ac7afe3d1c2ca83a2ca8c472ca53fec5f12bbfbbe0707abacd6b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsnDB63.tmp\LangDLL.dll

Filesize
5KB

MD5
a401e590877ef6c928d2a97c66157094

SHA1
75e24799cf67e789fadcc8b7fddefc72fdc4cd61

SHA256
2a7f33ef64d666a42827c4dc377806ad97bc233819197adf9696aed5be5efac0

SHA512
6093415cd090e69cdcb52b5d381d0a8b3e9e5479dac96be641e0071f1add26403b27a453febd8ccfd16393dc1caa03404a369c768a580781aba3068415ee993f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsnDB63.tmp\System.dll

Filesize
11KB

MD5
00a0194c20ee912257df53bfe258ee4a

SHA1
d7b4e319bc5119024690dc8230b9cc919b1b86b2

SHA256
dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3

SHA512
3b38a2c17996c3b77ebf7b858a6c37415615e756792132878d8eddbd13cb06710b7da0e8b58104768f8e475fc93e8b44b3b1ab6f70ddf52edee111aaf5ef5667

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsnDB63.tmp\WaterCtrl.dll

Filesize
16KB

MD5
aefd35a23680fda066a05e4b5f6dc88e

SHA1
8278021d560722701c1f3b91b85ed96bf34bed0c

SHA256
bbc65291a3bcfb6559c391e251bca12d6b935a8a8de0825443642aa2b5e39e78

SHA512
7ac32589e0bf8889e36184058e1f2ae0a0b6c701188ed18fbaf5b45afcff06eecb760d29e342953d50091fb14ef2ee8fb3285a1ec2c1dadec3ecea18fcfe56a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsnDB63.tmp\WaterCtrl.dll

Filesize
16KB

MD5
aefd35a23680fda066a05e4b5f6dc88e

SHA1
8278021d560722701c1f3b91b85ed96bf34bed0c

SHA256
bbc65291a3bcfb6559c391e251bca12d6b935a8a8de0825443642aa2b5e39e78

SHA512
7ac32589e0bf8889e36184058e1f2ae0a0b6c701188ed18fbaf5b45afcff06eecb760d29e342953d50091fb14ef2ee8fb3285a1ec2c1dadec3ecea18fcfe56a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsnDB63.tmp\nsProcess.dll

Filesize
4KB

MD5
05450face243b3a7472407b999b03a72

SHA1
ffd88af2e338ae606c444390f7eaaf5f4aef2cd9

SHA256
95fe9d92512ff2318cc2520311ef9145b2cee01209ab0e1b6e45c7ce1d4d0e89

SHA512
f4cbe30166aff20a226a7150d93a876873ba699d80d7e9f46f32a9b4753fa7966c3113a3124340b39ca67a13205463a413e740e541e742903e3f89af5a53ad3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tong1.exe

Filesize
129KB

MD5
1ee1c4b2a586766a90c1dc03c20a412a

SHA1
be742c7aa2d21740f36a8bb85b10dc10eff9a819

SHA256
23422dfd1ed96acedbadd7557b3f5713ab335c070229d708eedd5c653c855bfd

SHA512
b19e7d480cb1e9fd0a359c69aa9f431c76c25e8db0a2e1cf179a64eab5e0735be5c1160adbe045dbe5d4da96215ec0b1f945a42688f7775e149e4069bb904581

Download Submit
C:\Users\Admin\AppData\Local\Temp\tong1.exe

Filesize
129KB

MD5
1ee1c4b2a586766a90c1dc03c20a412a

SHA1
be742c7aa2d21740f36a8bb85b10dc10eff9a819

SHA256
23422dfd1ed96acedbadd7557b3f5713ab335c070229d708eedd5c653c855bfd

SHA512
b19e7d480cb1e9fd0a359c69aa9f431c76c25e8db0a2e1cf179a64eab5e0735be5c1160adbe045dbe5d4da96215ec0b1f945a42688f7775e149e4069bb904581

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DeL!.bAt

Filesize
254B

MD5
19f26c41c8b56100a71411fa62609215

SHA1
c9f1c6fd229509f8a022fea8e41784f9d130afff

SHA256
5836306b3c9df2c097176fefebbc1ab7a93e92c96f60e9889f02cc27f3cb75f8

SHA512
56cdb4f64bd4005572e4d4f9c9f50c6b43499f76f05aaed671bf9a8daa9e7d8a295163b9f2d61523ae1a1cef510c4c5e97f28216f844ce164b2b9ac1b6c7a4e5

Download Submit
memory/952-156-0x0000000002311000-0x0000000002313000-memory.dmp

Filesize
8KB

Download
memory/952-159-0x0000000002321000-0x0000000002323000-memory.dmp

Filesize
8KB

Download