Analysis

max time kernel: 151s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23-11-2022 09:07
Static task: static1

Behavioral task: behavioral1
Sample: 28aa09d572469232184004dea8ea6402528ef85dbbf9b64ab9a77064d116f0e9.exe
Resource: win7-20220812-en

Behavioral task: behavioral2
Sample: 28aa09d572469232184004dea8ea6402528ef85dbbf9b64ab9a77064d116f0e9.exe
Resource: win10v2004-20220812-en
General

Target: 28aa09d572469232184004dea8ea6402528ef85dbbf9b64ab9a77064d116f0e9.exe
Size: 464KB
MD5: 1e114977ed8b4d54c0d98c4c9393df23
SHA1: ab86b9f2b64f6c6993b69f1c9bf7278eced61e70
SHA256: 28aa09d572469232184004dea8ea6402528ef85dbbf9b64ab9a77064d116f0e9
SHA512: b8d36f288f49ec4ed7defdad9ad6b02867470029595e720d4b5ffff3a8985a9e89c6e9722a6db7a7dad46a134a53c0457224bf9c288f8ce7bb655c9c2d21fe55
SSDEEP: 6144:gsbaKMUtcUeGBa7J0Cn+RzI3fiUkCSPpARl/KtIfEuX7K0kzmOCe4FFBN9EP:gyaKVOUzBY0Cn91SPkoIMSKk1e45+
Signatures

- Executes dropped EXE (1 IoC)
  Processes (pid, process):
  2272 Lettera.exe

- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes (description, ioc, process):
  Key value queried: \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation by 28aa09d572469232184004dea8ea6402528ef85dbbf9b64ab9a77064d116f0e9.exe

- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description, ioc, process):
  Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run by Lettera.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemEngine = "C:\\Caches\\MShelp.exe" by Lettera.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes (pid, process):
  2272 Lettera.exe
  2272 Lettera.exe

- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (description, pid, process, target process):
  PID 2080 wrote to memory of 2272: 28aa09d572469232184004dea8ea6402528ef85dbbf9b64ab9a77064d116f0e9.exe -> Lettera.exe
  PID 2080 wrote to memory of 2272: 28aa09d572469232184004dea8ea6402528ef85dbbf9b64ab9a77064d116f0e9.exe -> Lettera.exe
  PID 2080 wrote to memory of 2272: 28aa09d572469232184004dea8ea6402528ef85dbbf9b64ab9a77064d116f0e9.exe -> Lettera.exe
  PID 2080 wrote to memory of 2304: 28aa09d572469232184004dea8ea6402528ef85dbbf9b64ab9a77064d116f0e9.exe -> notepad.exe
  PID 2080 wrote to memory of 2304: 28aa09d572469232184004dea8ea6402528ef85dbbf9b64ab9a77064d116f0e9.exe -> notepad.exe
  PID 2080 wrote to memory of 2304: 28aa09d572469232184004dea8ea6402528ef85dbbf9b64ab9a77064d116f0e9.exe -> notepad.exe
Processes

- (depth 1) C:\Users\Admin\AppData\Local\Temp\28aa09d572469232184004dea8ea6402528ef85dbbf9b64ab9a77064d116f0e9.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\28aa09d572469232184004dea8ea6402528ef85dbbf9b64ab9a77064d116f0e9.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

  - (depth 2) C:\Users\Admin\AppData\Local\Temp\RarSFX0\Lettera.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Lettera.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetWindowsHookEx

  - (depth 2) C:\Windows\SysWOW64\notepad.exe
    Command line: "C:\Windows\System32\notepad.exe" lettera.txt
Downloads

- C:\Users\Admin\AppData\Local\Temp\RarSFX0\Lettera.exe
  Filesize: 20KB
  MD5: 93ac5955ad3c8f4d244764d130c2ece9
  SHA1: de6d3ba861829684039facb6aa311ceb0e24cf67
  SHA256: 1d0e1272856103a19b5bd45f288e25cf5a3767d998956fba683ab4ffcea88284
  SHA512: 725997e5085a1f28ea468754d61ebbd109636c772e035d56757377ef5ec2577fbbe7e6da9561ff6a4be8cfc5391bf1b3da7eba9159dc228bfb4d190c0f7577f3
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\MShelp.exe
  Filesize: 44KB
  MD5: eaafec0d3050536bb518780471a99c1b
  SHA1: 51209809e0cba80e254a49c33e97e0163899e460
  SHA256: db1a09ea4113e6d6710cf6674c6613b94e4f804dd1ad28f7b0e4fea6a8e84f06
  SHA512: 4bb04fe0c459f9f899975cec9cb732603d0e0da82cbc65de5a6e040a0644456ec22082a294c8ea37f04e1f4f21cc320116ecd487e24e15c782e82a9e86c8816f

- C:\Users\Admin\AppData\Local\Temp\RarSFX0\csrss (64 bit).exe
  Filesize: 817KB
  MD5: 7f2588848040af6f4d8c43f6b6fb34c8
  SHA1: 3ac628d3383a362fe7c6ece81eeae96a9736970e
  SHA256: 426efa3e5951ef5bbaf8ea397a9754f776bd68201a1cfa18dfa247ae142d9e77
  SHA512: e38a219e25d7cbc56ad4b3ebbe6cfc4ef8afcf66deb6394750f3644f7947540d57204e6512a923df2bffe8983107293982c452696fdedf76064b0e067974272c

- C:\Users\Admin\AppData\Local\Temp\RarSFX0\lettera.txt
  Filesize: 1KB
  MD5: 2b10ef1679073e8f9c9b0fafed742ce8
  SHA1: 070e76a25e26e8d03e46bb026725e95193df8fa4
  SHA256: a53bb2c253b256d8df5b7c29e5f5ff909230d1d6d6f30296d1996ce628949204
  SHA512: ffbadd14ad7ac88821a8562aedd1150417e382d71d3b822e72cd2cd916a55badfa526575d598821309bafc814f7c4e9c8861e1adc9e7018603ceda8c887dc8af

- memory/2272-132-0x0000000000000000-mapping.dmp

- memory/2304-139-0x0000000000000000-mapping.dmp