8a9af5f7f01fb6bdb680cd049ac55f6c76032d489336a1fac9057967b3b61266

General

Target

8a9af5f7f01fb6bdb680cd049ac55f6c76032d489336a1fac9057967b3b61266.exe
Size

379KB
MD5

6ee26437cc104fb116f52a18b8a24cee
SHA1

611542b360253ddb71ac81364d6cd6293a20d85f
SHA256

8a9af5f7f01fb6bdb680cd049ac55f6c76032d489336a1fac9057967b3b61266
SHA512

3fba076431cfe2b939233726d78e3e878fdffe373dc32b57fc065339053093c0141249f37e30bdbee3e86e5c09a703891f052285b683e25ca36e0b19f55d552a
SSDEEP

6144:X50B/5FeaPRp2CcHTSs/yaBgCDLbor06APSx367o/d3A7N0EuuSPEjesIxTV2qo:X50B/feaz+TJ/ya9N6APw/9u0NPuIz2p

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

_setup.exe

pid process

3128 _setup.exe

pid	process
3128	_setup.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4088-132-0x0000000000400000-0x00000000004F4000-memory.dmp	upx
behavioral2/memory/4088-133-0x0000000000400000-0x00000000004F4000-memory.dmp	upx
behavioral2/memory/4088-140-0x0000000000400000-0x00000000004F4000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

8a9af5f7f01fb6bdb680cd049ac55f6c76032d489336a1fac9057967b3b61266.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	8a9af5f7f01fb6bdb680cd049ac55f6c76032d489336a1fac9057967b3b61266.exe

Drops file in Windows directory 3 IoCs

Processes:

8a9af5f7f01fb6bdb680cd049ac55f6c76032d489336a1fac9057967b3b61266.exe_setup.exe

description	ioc	process
File created	\??\c:\windows\system\risoz\config.ini	8a9af5f7f01fb6bdb680cd049ac55f6c76032d489336a1fac9057967b3b61266.exe
File created	\??\c:\windows\system\risoz\_setup.exe	8a9af5f7f01fb6bdb680cd049ac55f6c76032d489336a1fac9057967b3b61266.exe
File opened for modification	C:\windows\system\risoz\Log\20221123.log	_setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

8a9af5f7f01fb6bdb680cd049ac55f6c76032d489336a1fac9057967b3b61266.exe

description pid process

Token: SeDebugPrivilege 4088 8a9af5f7f01fb6bdb680cd049ac55f6c76032d489336a1fac9057967b3b61266.exe

description	pid	process
Token: SeDebugPrivilege	4088	8a9af5f7f01fb6bdb680cd049ac55f6c76032d489336a1fac9057967b3b61266.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

8a9af5f7f01fb6bdb680cd049ac55f6c76032d489336a1fac9057967b3b61266.exe

pid	process
4088	8a9af5f7f01fb6bdb680cd049ac55f6c76032d489336a1fac9057967b3b61266.exe
4088	8a9af5f7f01fb6bdb680cd049ac55f6c76032d489336a1fac9057967b3b61266.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

8a9af5f7f01fb6bdb680cd049ac55f6c76032d489336a1fac9057967b3b61266.exe

description	pid	process	target process
PID 4088 wrote to memory of 3128	4088	8a9af5f7f01fb6bdb680cd049ac55f6c76032d489336a1fac9057967b3b61266.exe	_setup.exe
PID 4088 wrote to memory of 3128	4088	8a9af5f7f01fb6bdb680cd049ac55f6c76032d489336a1fac9057967b3b61266.exe	_setup.exe
PID 4088 wrote to memory of 3128	4088	8a9af5f7f01fb6bdb680cd049ac55f6c76032d489336a1fac9057967b3b61266.exe	_setup.exe
PID 4088 wrote to memory of 4984	4088	8a9af5f7f01fb6bdb680cd049ac55f6c76032d489336a1fac9057967b3b61266.exe	cmd.exe
PID 4088 wrote to memory of 4984	4088	8a9af5f7f01fb6bdb680cd049ac55f6c76032d489336a1fac9057967b3b61266.exe	cmd.exe
PID 4088 wrote to memory of 4984	4088	8a9af5f7f01fb6bdb680cd049ac55f6c76032d489336a1fac9057967b3b61266.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\8a9af5f7f01fb6bdb680cd049ac55f6c76032d489336a1fac9057967b3b61266.exe
"C:\Users\Admin\AppData\Local\Temp\8a9af5f7f01fb6bdb680cd049ac55f6c76032d489336a1fac9057967b3b61266.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4088

C:\windows\system\risoz\_setup.exe
"C:\windows\system\risoz\_setup.exe"
2⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3128

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ .bat""
2⤵
PID:4984

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ .bat
Filesize
173B

MD5
ff8f4f4ad7e7ba959da4ed7df60f77db

SHA1
4d4b0fec2b01ea871e1d1325f1b8d2c4af2f627e

SHA256
d785d08bd2bcd75355d04bac079d04a5cea0496cf52983267803d426e22b75fc

SHA512
e65b5ecd7c63312150eb3b13b1b482703dac09ad83bb9fde315ae8967bee723615372cda4c55a97d52dac698f6a026a94d63701e81d77d487380ffc91060c4c5

Download Submit
C:\Windows\System\risoz\_setup.exe
Filesize
261KB

MD5
f0a5b8914ed3e63d74ba1095437e9d7d

SHA1
4b30cc79a9ebd632adfbc94f6b0e3760f781efec

SHA256
6f5b873c6fc11c81a49effdae9bb3fdff8e810873014f36c45023b8fc0a296ae

SHA512
a1e0fc934efa915f75c7ff498431c5b6bbba1dc5005a28a2d446cd9325e67b620fbf6880dbedf9aee9f3f5de308fbaa86a03885993587b1b5e62a5f5dd001434

Download Submit
C:\windows\system\risoz\_setup.exe
Filesize
261KB

MD5
f0a5b8914ed3e63d74ba1095437e9d7d

SHA1
4b30cc79a9ebd632adfbc94f6b0e3760f781efec

SHA256
6f5b873c6fc11c81a49effdae9bb3fdff8e810873014f36c45023b8fc0a296ae

SHA512
a1e0fc934efa915f75c7ff498431c5b6bbba1dc5005a28a2d446cd9325e67b620fbf6880dbedf9aee9f3f5de308fbaa86a03885993587b1b5e62a5f5dd001434

Download Submit
C:\windows\system\risoz\config.ini
Filesize
26B

MD5
6068361993d71c7a5d27889465558d36

SHA1
5bc981bcab8c1d90382257e09d61cc1aeef911d5

SHA256
ecca8e3d812234401d1860efc7dcc80cd0d13acf363702e090e439f72a3937dc

SHA512
4551f37bb4217bfc96f6447a86c437b0ec97febe131b897490b3476c7f36e1c79bfca0c7c92aec156368cf8e27cb7b1c1c09247c70666aba4d22a3455711a6a1

Download Submit
memory/3128-134-0x0000000000000000-mapping.dmp

Download
memory/4088-132-0x0000000000400000-0x00000000004F4000-memory.dmp

Filesize
976KB

Download
memory/4088-133-0x0000000000400000-0x00000000004F4000-memory.dmp

Filesize
976KB

Download
memory/4088-140-0x0000000000400000-0x00000000004F4000-memory.dmp

Filesize
976KB

Download
memory/4984-138-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads