d24ba05eaaa3cbf9b9d1216c2ca721a974cb63d3f667b87742c2efaa77c190b2

Analysis

max time kernel
135s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 07:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

4.6MB
MD5

1596fe35ed70e111bdc2eb33fc6d1e2a
SHA1

5a4738176a3b8d0446f71487b40b8716bfc81d0a
SHA256

d24ba05eaaa3cbf9b9d1216c2ca721a974cb63d3f667b87742c2efaa77c190b2
SHA512

d73af05c907fd7382d1a207cbe7a6d7add3156e41404ab29393d1ed664c956759b3cfb8c1c0821d3f266227caed720fe719fb8197b4b20a7e7d90eca876a722a
SSDEEP

98304:QMDtIXLr06AdfEThF35Pzu+MDtIXLr06AdfEThF35PzuV0:ArmEdF3vrmEdF3y0

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

tmp.exetmp.exe

pid process

4432 tmp.exe
364 tmp.exe

pid	process
4432	tmp.exe
364	tmp.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

tmp.exetmp.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	tmp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	tmp.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

tmp.exe

description pid process target process

PID 4432 set thread context of 364 4432 tmp.exe tmp.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

5036 364 WerFault.exe tmp.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

220 schtasks.exe
4272 schtasks.exe
Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

1140 timeout.exe
4256 timeout.exe

description	pid	process	target process
PID 4432 set thread context of 364	4432	tmp.exe	tmp.exe

pid	pid_target	process	target process
5036	364	WerFault.exe	tmp.exe

pid	process
220	schtasks.exe
4272	schtasks.exe

pid	process
1140	timeout.exe
4256	timeout.exe

Suspicious use of WriteProcessMemory 43 IoCs

Processes:

tmp.execmd.execmd.exetmp.execmd.execmd.exe

description	pid	process	target process
PID 4844 wrote to memory of 2168	4844	tmp.exe	cmd.exe
PID 4844 wrote to memory of 2168	4844	tmp.exe	cmd.exe
PID 4844 wrote to memory of 2168	4844	tmp.exe	cmd.exe
PID 4844 wrote to memory of 4752	4844	tmp.exe	cmd.exe
PID 4844 wrote to memory of 4752	4844	tmp.exe	cmd.exe
PID 4844 wrote to memory of 4752	4844	tmp.exe	cmd.exe
PID 2168 wrote to memory of 1900	2168	cmd.exe	schtasks.exe
PID 2168 wrote to memory of 1900	2168	cmd.exe	schtasks.exe
PID 2168 wrote to memory of 1900	2168	cmd.exe	schtasks.exe
PID 4752 wrote to memory of 2900	4752	cmd.exe	chcp.com
PID 4752 wrote to memory of 2900	4752	cmd.exe	chcp.com
PID 4752 wrote to memory of 2900	4752	cmd.exe	chcp.com
PID 2168 wrote to memory of 4272	2168	cmd.exe	schtasks.exe
PID 2168 wrote to memory of 4272	2168	cmd.exe	schtasks.exe
PID 2168 wrote to memory of 4272	2168	cmd.exe	schtasks.exe
PID 4752 wrote to memory of 4432	4752	cmd.exe	tmp.exe
PID 4752 wrote to memory of 4432	4752	cmd.exe	tmp.exe
PID 4752 wrote to memory of 4432	4752	cmd.exe	tmp.exe
PID 4432 wrote to memory of 364	4432	tmp.exe	tmp.exe
PID 4432 wrote to memory of 364	4432	tmp.exe	tmp.exe
PID 4432 wrote to memory of 364	4432	tmp.exe	tmp.exe
PID 4432 wrote to memory of 364	4432	tmp.exe	tmp.exe
PID 4752 wrote to memory of 1140	4752	cmd.exe	timeout.exe
PID 4752 wrote to memory of 1140	4752	cmd.exe	timeout.exe
PID 4752 wrote to memory of 1140	4752	cmd.exe	timeout.exe
PID 4432 wrote to memory of 2868	4432	tmp.exe	cmd.exe
PID 4432 wrote to memory of 2868	4432	tmp.exe	cmd.exe
PID 4432 wrote to memory of 2868	4432	tmp.exe	cmd.exe
PID 2868 wrote to memory of 3720	2868	cmd.exe	schtasks.exe
PID 2868 wrote to memory of 3720	2868	cmd.exe	schtasks.exe
PID 2868 wrote to memory of 3720	2868	cmd.exe	schtasks.exe
PID 4432 wrote to memory of 4892	4432	tmp.exe	cmd.exe
PID 4432 wrote to memory of 4892	4432	tmp.exe	cmd.exe
PID 4432 wrote to memory of 4892	4432	tmp.exe	cmd.exe
PID 4892 wrote to memory of 2556	4892	cmd.exe	chcp.com
PID 4892 wrote to memory of 2556	4892	cmd.exe	chcp.com
PID 4892 wrote to memory of 2556	4892	cmd.exe	chcp.com
PID 2868 wrote to memory of 220	2868	cmd.exe	schtasks.exe
PID 2868 wrote to memory of 220	2868	cmd.exe	schtasks.exe
PID 2868 wrote to memory of 220	2868	cmd.exe	schtasks.exe
PID 4892 wrote to memory of 4256	4892	cmd.exe	timeout.exe
PID 4892 wrote to memory of 4256	4892	cmd.exe	timeout.exe
PID 4892 wrote to memory of 4256	4892	cmd.exe	timeout.exe

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4844

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zbe2022112383317197.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:2168

C:\Windows\SysWOW64\schtasks.exe
Schtasks.Exe /delete /tn "Maintenance" /f
3⤵
PID:1900

C:\Windows\SysWOW64\schtasks.exe
Schtasks.Exe /create /tn "Maintenance" /xml "C:\Users\Admin\AppData\Local\Temp\zx2022112383317197.xml"
3⤵
- Creates scheduled task(s)
PID:4272

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zb2022112383317197.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:4752

C:\Windows\SysWOW64\chcp.com
chcp 1251
3⤵
PID:2900

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4432

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
4⤵
- Executes dropped EXE
PID:364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 364 -s 404
5⤵
- Program crash
PID:5036

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zbe2022112383322525.bat" "
4⤵
- Suspicious use of WriteProcessMemory
PID:2868

C:\Windows\SysWOW64\schtasks.exe
Schtasks.Exe /delete /tn "Maintenance" /f
5⤵
PID:3720

C:\Windows\SysWOW64\schtasks.exe
Schtasks.Exe /create /tn "Maintenance" /xml "C:\Users\Admin\AppData\Local\Temp\zx2022112383322525.xml"
5⤵
- Creates scheduled task(s)
PID:220

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zb2022112383322525.bat" "
4⤵
- Suspicious use of WriteProcessMemory
PID:4892

C:\Windows\SysWOW64\chcp.com
chcp 1251
5⤵
PID:2556

C:\Windows\SysWOW64\timeout.exe
timeout /t 3 /nobreak
5⤵
- Delays execution with timeout.exe
PID:4256

C:\Windows\SysWOW64\timeout.exe
timeout /t 3 /nobreak
3⤵
- Delays execution with timeout.exe
PID:1140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 364 -ip 364
1⤵
PID:3144

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp.exe

Filesize
4.6MB

MD5
58597678b9e1d3b002c0f2ed5f1810e7

SHA1
702ab4a329f5d46da2d12c291fc463b7636018db

SHA256
73a1f4e366edab4cdddaa770266eefe8d8e79e6c0c918cf1f75e4596179390e3

SHA512
1d91eb0c7042b3f6562ba193d67b4739daec9698c9d9633b769dcb191680a53c518227a633949c3315bdd9de9f0e1f4f187618d491f04aa962834f92e5f1bb6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp.exe

Filesize
4.6MB

MD5
58597678b9e1d3b002c0f2ed5f1810e7

SHA1
702ab4a329f5d46da2d12c291fc463b7636018db

SHA256
73a1f4e366edab4cdddaa770266eefe8d8e79e6c0c918cf1f75e4596179390e3

SHA512
1d91eb0c7042b3f6562ba193d67b4739daec9698c9d9633b769dcb191680a53c518227a633949c3315bdd9de9f0e1f4f187618d491f04aa962834f92e5f1bb6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\zb2022112383317197.bat

Filesize
516B

MD5
5f87c498f1b955c589e22b114e8f44b2

SHA1
2ec7e4a223870665e27252c56b2e6bb6a3efcc3b

SHA256
0c4a68a4844bfb35b66228aad342b1d7f2e23f84a8f6b61f65bb6de440780ac7

SHA512
85fbc045f1deb4d23bd70638d2c370b267177ac856c3d4ec1dbaa363a4c49ef318e5f1482716883c63d0238ea3d44b74596e4bdf61c4939453e141f4ed27be6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\zb2022112383322525.bat

Filesize
516B

MD5
825a23528021a1c1098ee7f61c65ec46

SHA1
59ab15a615879cc88f803d5f8314ee0ad0dc3716

SHA256
d6f4a063bde1224e33f1117e8b31e2736c4b2f04319b8f7518076557710325dc

SHA512
63c1a6e0413719fb459bde8a039c6426f39340c3ff15dd63a0fb9e8d0ff8af5471837db131ebe22b0f2ab77b452ee446df77549388ddc09c37fc74fc12d8ee7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\zbe2022112383317197.bat

Filesize
342B

MD5
2742619d72eda515ee9f30e50dd718e3

SHA1
b332d412c75742f3a1527decb7cebfce3af6a84d

SHA256
674271352074c6b9c8361c08dac9bddf670c4fb9a987de7ec9690b684e8d167b

SHA512
a77cc7ff00a75970fcff7f45a4d61946daea290e844a2a2dab7dae982bda177dc0db83c8df64936c915b3ee570b6d700bfd23aec5789cb71d79bcedc09126c86

Download Submit
C:\Users\Admin\AppData\Local\Temp\zbe2022112383322525.bat

Filesize
342B

MD5
8b303edc41b7d796e3185c192c864d13

SHA1
295da07e71c4f87f1dcf504643dbf9c01a18670f

SHA256
ad2ec2da2c8dd4ec90180c584be3a75c81645e9a8948a193862865d617207831

SHA512
75d1f207407e316452aaf596137d466195ad817c79619bca08ea665740f7ef4b6b966775207e7f4bfa2f8ae7d0e97071ebfd39ceda6b83f9a09a8bdd481159f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ze2022112383317197.tmp

Filesize
4.6MB

MD5
58597678b9e1d3b002c0f2ed5f1810e7

SHA1
702ab4a329f5d46da2d12c291fc463b7636018db

SHA256
73a1f4e366edab4cdddaa770266eefe8d8e79e6c0c918cf1f75e4596179390e3

SHA512
1d91eb0c7042b3f6562ba193d67b4739daec9698c9d9633b769dcb191680a53c518227a633949c3315bdd9de9f0e1f4f187618d491f04aa962834f92e5f1bb6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ze2022112383322525.tmp

Filesize
4.6MB

MD5
fe6029a51b3272808bd1c728a0506612

SHA1
e6e461ba65b75a67f8b5916afb429a68ecd97546

SHA256
e18b04ce774665e2dbd850e4bc8954c7a7c2e748b8d552b750416b2be653050f

SHA512
ef362055eb50b3dd3186b948889c9a7e9b681f21cd561a6a94c34faed24200a6f8f5a6dfc1bcde0ca31d40d7ff49305aaea67dcfee7167c5f30da945e1813de5

Download Submit
C:\Users\Admin\AppData\Local\Temp\zx2022112383317197.xml

Filesize
1KB

MD5
22643ea7e9c335d7dc1370f6644e8de1

SHA1
6c31429eddd2e7918a0e8ee69d95d75f8d73b591

SHA256
941f93e3edd7b2ec499fe591e6ee1b86441c54c4bf578401f853fcec0967fc20

SHA512
5107abbdf02bfa11038382987fdf5f64efb29ffd8d1ccd7f5380ca48568eab6021f1e7d680ae49c8895df09b6367ad659141d7a8250477befded13d85f53ceec

Download Submit
C:\Users\Admin\AppData\Local\Temp\zx2022112383322525.xml

Filesize
1KB

MD5
22643ea7e9c335d7dc1370f6644e8de1

SHA1
6c31429eddd2e7918a0e8ee69d95d75f8d73b591

SHA256
941f93e3edd7b2ec499fe591e6ee1b86441c54c4bf578401f853fcec0967fc20

SHA512
5107abbdf02bfa11038382987fdf5f64efb29ffd8d1ccd7f5380ca48568eab6021f1e7d680ae49c8895df09b6367ad659141d7a8250477befded13d85f53ceec

Download Submit
C:\Users\Admin\AppData\Roaming\Maintenance\apps\maintenance.exe

Filesize
2.2MB

MD5
73ad6d009f1c53c23f5d068caa805299

SHA1
f50493f49c3b2b3697b5eb571738dbc70383cac0

SHA256
a77315296dc58edac4959c9ed69ec96e9517883684edaeba3e64c48a44c186ae

SHA512
1f9c739c7b745ba57b3d7e50e00bac9d3019de25aab5bb22c0da810d963dab93d71c56686fccf737cf87a4c95fe53b8e4b3dda09ac1526fb4899aa0e1336e920

Download Submit
memory/220-154-0x0000000000000000-mapping.dmp

Download
memory/364-143-0x0000000000401000-0x0000000000402000-memory.dmp

Filesize
4KB

Download
memory/364-145-0x0000000000000000-mapping.dmp

Download
memory/1140-144-0x0000000000000000-mapping.dmp

Download
memory/1900-135-0x0000000000000000-mapping.dmp

Download
memory/2168-132-0x0000000000000000-mapping.dmp

Download
memory/2556-153-0x0000000000000000-mapping.dmp

Download
memory/2868-148-0x0000000000000000-mapping.dmp

Download
memory/2900-137-0x0000000000000000-mapping.dmp

Download
memory/3720-150-0x0000000000000000-mapping.dmp

Download
memory/4256-157-0x0000000000000000-mapping.dmp

Download
memory/4272-139-0x0000000000000000-mapping.dmp

Download
memory/4432-141-0x0000000000000000-mapping.dmp

Download
memory/4752-133-0x0000000000000000-mapping.dmp

Download
memory/4892-151-0x0000000000000000-mapping.dmp

Download