e3c2b761ce6a188e9669480d52368f3e865499a06813d939c23ad915d49cba62

Analysis

max time kernel
46s
max time network
105s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 10:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e3c2b761ce6a188e9669480d52368f3e865499a06813d939c23ad915d49cba62.exe
Size

547KB
MD5

1a52955778b43f45abab5e588a951128
SHA1

13038a9c180a6e6ec9825b11fba951757652864b
SHA256

e3c2b761ce6a188e9669480d52368f3e865499a06813d939c23ad915d49cba62
SHA512

4f3567458b31ac2df6583cf4ad750c0a9afb253a691abfcf0e6f782604b4023b5e72e2f6fdf7c36d15dd64cfd5b3eb4860c4180c9fbea41cbbaf22c60e9ddaab
SSDEEP

12288:DpU6okHHkvPirg1OP7uMYgLiryi9SOEYU0xiXc5XAaJ:1Upkn4rc7uMYgLirVp4gJ

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

file.exee3c2b761ce6a188e9669480d52368f3e865499a06813d939c23ad915d49cba62.exe

pid process

1772 file.exe
4312 e3c2b761ce6a188e9669480d52368f3e865499a06813d939c23ad915d49cba62.exe

pid	process
1772	file.exe
4312	e3c2b761ce6a188e9669480d52368f3e865499a06813d939c23ad915d49cba62.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

e3c2b761ce6a188e9669480d52368f3e865499a06813d939c23ad915d49cba62.exefile.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	e3c2b761ce6a188e9669480d52368f3e865499a06813d939c23ad915d49cba62.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	file.exe

Loads dropped DLL 2 IoCs

Processes:

rundll32.exee3c2b761ce6a188e9669480d52368f3e865499a06813d939c23ad915d49cba62.exe

pid process

1372 rundll32.exe
4312 e3c2b761ce6a188e9669480d52368f3e865499a06813d939c23ad915d49cba62.exe

pid	process
1372	rundll32.exe
4312	e3c2b761ce6a188e9669480d52368f3e865499a06813d939c23ad915d49cba62.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

e3c2b761ce6a188e9669480d52368f3e865499a06813d939c23ad915d49cba62.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows\CurrentVersion\Run	e3c2b761ce6a188e9669480d52368f3e865499a06813d939c23ad915d49cba62.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OtivParu = "regsvr32.exe \"C:\\ProgramData\\OtivParu\\OtivParu.dat\""	e3c2b761ce6a188e9669480d52368f3e865499a06813d939c23ad915d49cba62.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 2 IoCs

Processes:

e3c2b761ce6a188e9669480d52368f3e865499a06813d939c23ad915d49cba62.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\CLSID\{2B300127-054D-496F-A338-1B7C794505E2}	e3c2b761ce6a188e9669480d52368f3e865499a06813d939c23ad915d49cba62.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\CLSID\{2B300127-054D-496F-A338-1B7C794505E2}\#sd = 433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c54656d705c653363326237363163653661313838653936363934383064353233363866336538363534393961303638313364393339633233616439313564343963626136322e65786500	e3c2b761ce6a188e9669480d52368f3e865499a06813d939c23ad915d49cba62.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

e3c2b761ce6a188e9669480d52368f3e865499a06813d939c23ad915d49cba62.exefile.execmd.exe

description	pid	process	target process
PID 816 wrote to memory of 3512	816	e3c2b761ce6a188e9669480d52368f3e865499a06813d939c23ad915d49cba62.exe	cmd.exe
PID 816 wrote to memory of 3512	816	e3c2b761ce6a188e9669480d52368f3e865499a06813d939c23ad915d49cba62.exe	cmd.exe
PID 816 wrote to memory of 3512	816	e3c2b761ce6a188e9669480d52368f3e865499a06813d939c23ad915d49cba62.exe	cmd.exe
PID 816 wrote to memory of 1772	816	e3c2b761ce6a188e9669480d52368f3e865499a06813d939c23ad915d49cba62.exe	file.exe
PID 816 wrote to memory of 1772	816	e3c2b761ce6a188e9669480d52368f3e865499a06813d939c23ad915d49cba62.exe	file.exe
PID 816 wrote to memory of 1772	816	e3c2b761ce6a188e9669480d52368f3e865499a06813d939c23ad915d49cba62.exe	file.exe
PID 1772 wrote to memory of 1372	1772	file.exe	rundll32.exe
PID 1772 wrote to memory of 1372	1772	file.exe	rundll32.exe
PID 1772 wrote to memory of 1372	1772	file.exe	rundll32.exe
PID 1772 wrote to memory of 4420	1772	file.exe	cmd.exe
PID 1772 wrote to memory of 4420	1772	file.exe	cmd.exe
PID 1772 wrote to memory of 4420	1772	file.exe	cmd.exe
PID 3512 wrote to memory of 4312	3512	cmd.exe	e3c2b761ce6a188e9669480d52368f3e865499a06813d939c23ad915d49cba62.exe
PID 3512 wrote to memory of 4312	3512	cmd.exe	e3c2b761ce6a188e9669480d52368f3e865499a06813d939c23ad915d49cba62.exe
PID 3512 wrote to memory of 4312	3512	cmd.exe	e3c2b761ce6a188e9669480d52368f3e865499a06813d939c23ad915d49cba62.exe

C:\Users\Admin\AppData\Local\Temp\e3c2b761ce6a188e9669480d52368f3e865499a06813d939c23ad915d49cba62.exe
"C:\Users\Admin\AppData\Local\Temp\e3c2b761ce6a188e9669480d52368f3e865499a06813d939c23ad915d49cba62.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:816

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_ms0473.bat" "C:\Users\Admin\AppData\Local\Temp\e3c2b761ce6a188e9669480d52368f3e865499a06813d939c23ad915d49cba62.exe""
2⤵
- Suspicious use of WriteProcessMemory
PID:3512

C:\Users\Admin\AppData\Local\Temp\e3c2b761ce6a188e9669480d52368f3e865499a06813d939c23ad915d49cba62.exe
"C:\Users\Admin\AppData\Local\Temp\e3c2b761ce6a188e9669480d52368f3e865499a06813d939c23ad915d49cba62.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Modifies registry class
PID:4312

C:\Users\Admin\AppData\Local\Temp\file.exe
C:\Users\Admin\AppData\Local\Temp\file.exe
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1772

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\53CB.dll",ADB_Release
3⤵
- Loads dropped DLL
PID:1372

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\53CB.bat" "
3⤵
PID:4420

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\OtivParu\OtivParu.dat

Filesize
238KB

MD5
67eab80b318c4f072a4f7968f8cd88bf

SHA1
b7462c4528cc2d9d377afa5ca0aa233e67d22ee4

SHA256
8fefe4f401b63ccdd0160d41b421a4f09b3179d7bcfb84776d50ad1a9160b825

SHA512
8cd191ae3d28fedf97f3c266a70c5fb733c9564fd418849920246a6762ca0164e176d053a9004b5e999521c4c16ba756506d3f83f1fe4c32164ca4347738d722

Download Submit
C:\Users\Admin\AppData\Local\Temp\53CB.bat

Filesize
139B

MD5
7c6c4df5f6e99ed4abfec3157ca23ca9

SHA1
d05dbffe2c9724638d3f05bbdace181acd0d1d82

SHA256
d108fa1794cfaf3905e1d8e4cb9326bb11cf3ee92f6dc95af5bc26e625fda76d

SHA512
5a565b5976ed58a8bcad1799a3f796f09c71c677f533d9e943f150b738c1b5a8124d9432f1f5eeb43b30ea7712c8b080f04dcc929b0f058406286f8fc9a75b1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\53CB.dll

Filesize
123KB

MD5
c8eb6040fd02d77660d19057a38ff769

SHA1
b491c14d8cfb48636f6095b7b16555e9a575d57f

SHA256
366affd094cc63e2c19c5d57a6866b487889dab5d1b07c084fff94262d8a390b

SHA512
36d8bc7f18bbb62cfaf012a1e0539301d7eb1104b2f3bd79025f72e2a8f688e8d2b20f229253f8d387e25cb67f60e4306b6dab2b7e054f439c1a750bec896e56

Download Submit
C:\Users\Admin\AppData\Local\Temp\53CB.dll

Filesize
123KB

MD5
c8eb6040fd02d77660d19057a38ff769

SHA1
b491c14d8cfb48636f6095b7b16555e9a575d57f

SHA256
366affd094cc63e2c19c5d57a6866b487889dab5d1b07c084fff94262d8a390b

SHA512
36d8bc7f18bbb62cfaf012a1e0539301d7eb1104b2f3bd79025f72e2a8f688e8d2b20f229253f8d387e25cb67f60e4306b6dab2b7e054f439c1a750bec896e56

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ms0473.bat

Filesize
226B

MD5
8fa9314f1347c013cb17337b3bb417c3

SHA1
bd8026f5fba7c6e8821f4c1910dbdbdcb4b61505

SHA256
f3ae06791a3502efc16a6aab37426cc5b28e0f83b3043d18455346d673e043ed

SHA512
3f6d3cf46b5facd0ba4459ba016d21cda09b3cde6df2642bab1d70316be1b15009ee3597074eb090ec2ffbffed6773081a464b45ecf037aa6f60543dddfab93c

Download Submit
C:\Users\Admin\AppData\Local\Temp\cr_5_inst.exe.org

Filesize
408KB

MD5
05654199c10803af0962ca8c6c4dae9d

SHA1
56ad6edc953505ff26de1d09b8cddc53df83b31c

SHA256
12f55872d62d8c03541af8950b023c7ad176dcec3f2f32c6d6f8b7e2375bae77

SHA512
55d49841989f4fb41c7ba2cf2e9da3cc7cefeba63d93e2c3f50b7d6e15dde362492ca4cae2872ab8f977dbcde58c5def0ea83f5590114707868fffad6b23e52d

Download Submit
C:\Users\Admin\AppData\Local\Temp\e3c2b761ce6a188e9669480d52368f3e865499a06813d939c23ad915d49cba62.exe

Filesize
408KB

MD5
05654199c10803af0962ca8c6c4dae9d

SHA1
56ad6edc953505ff26de1d09b8cddc53df83b31c

SHA256
12f55872d62d8c03541af8950b023c7ad176dcec3f2f32c6d6f8b7e2375bae77

SHA512
55d49841989f4fb41c7ba2cf2e9da3cc7cefeba63d93e2c3f50b7d6e15dde362492ca4cae2872ab8f977dbcde58c5def0ea83f5590114707868fffad6b23e52d

Download Submit
C:\Users\Admin\AppData\Local\Temp\e3c2b761ce6a188e9669480d52368f3e865499a06813d939c23ad915d49cba62.exe

Filesize
408KB

MD5
05654199c10803af0962ca8c6c4dae9d

SHA1
56ad6edc953505ff26de1d09b8cddc53df83b31c

SHA256
12f55872d62d8c03541af8950b023c7ad176dcec3f2f32c6d6f8b7e2375bae77

SHA512
55d49841989f4fb41c7ba2cf2e9da3cc7cefeba63d93e2c3f50b7d6e15dde362492ca4cae2872ab8f977dbcde58c5def0ea83f5590114707868fffad6b23e52d

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.exe

Filesize
214KB

MD5
28f96a57fa5ff663926e9bad51a1d0cb

SHA1
a75995f94854dea8799650a2f4a97980b71199d2

SHA256
19972cc87c7653aff9620461ce459b996b1f9b030d7c8031df0c8265b73f670d

SHA512
104a8be2c460f73ac953711f677c8666b5831bebd64ec01b722c14270f4ceaef1f3564b00006f47bb25c42f67137d746b72be57e3d2bcb9bd98908784ef3339b

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.exe

Filesize
214KB

MD5
28f96a57fa5ff663926e9bad51a1d0cb

SHA1
a75995f94854dea8799650a2f4a97980b71199d2

SHA256
19972cc87c7653aff9620461ce459b996b1f9b030d7c8031df0c8265b73f670d

SHA512
104a8be2c460f73ac953711f677c8666b5831bebd64ec01b722c14270f4ceaef1f3564b00006f47bb25c42f67137d746b72be57e3d2bcb9bd98908784ef3339b

Download Submit
memory/1372-138-0x0000000000000000-mapping.dmp

Download
memory/1772-133-0x0000000000000000-mapping.dmp

Download
memory/3512-132-0x0000000000000000-mapping.dmp

Download
memory/4312-141-0x0000000000000000-mapping.dmp

Download
memory/4312-146-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4312-147-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4312-150-0x0000000073FC0000-0x0000000073FF1000-memory.dmp

Filesize
196KB

Download
memory/4420-139-0x0000000000000000-mapping.dmp

Download