01ba32d9f7971cc4a9d4c54a8b292ba503a97aa9316aff60cb92fe830c043e11

Analysis

max time kernel
153s
max time network
189s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 10:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

01ba32d9f7971cc4a9d4c54a8b292ba503a97aa9316aff60cb92fe830c043e11.exe
Size

2.8MB
MD5

d37a5711036b4836680b1b7a4c5ed776
SHA1

bbf53ad54bff5dc0d467b1ae10eb86c733fa5a62
SHA256

01ba32d9f7971cc4a9d4c54a8b292ba503a97aa9316aff60cb92fe830c043e11
SHA512

a05d194a606024d7b22e0b85ea865e71f4577f4e437d199a04e63212f7750382f682b83ef6fe892f2d243d7466cf89091b423da14a759b130922aac5badc7db8
SSDEEP

49152:SUic3k5iisbhVYGoXXHvzTa8Kril+QE0agTm/0Yi1EGllkdXeHDAjCpduZ7466gJ:SUiV5iLzoHv/lvl+QIga/0YiaWQeHDAd

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 21 IoCs

Processes:

rundll32.exe

flow	pid	process
110	2372	rundll32.exe
116	2372	rundll32.exe
122	2372	rundll32.exe
126	2372	rundll32.exe
128	2372	rundll32.exe
130	2372	rundll32.exe
131	2372	rundll32.exe
132	2372	rundll32.exe
134	2372	rundll32.exe
135	2372	rundll32.exe
137	2372	rundll32.exe
139	2372	rundll32.exe
141	2372	rundll32.exe
147	2372	rundll32.exe
149	2372	rundll32.exe
151	2372	rundll32.exe
152	2372	rundll32.exe
153	2372	rundll32.exe
154	2372	rundll32.exe
155	2372	rundll32.exe
156	2372	rundll32.exe

Executes dropped EXE 2 IoCs

Processes:

file.exe01ba32d9f7971cc4a9d4c54a8b292ba503a97aa9316aff60cb92fe830c043e11.exe

pid process

1744 file.exe
4508 01ba32d9f7971cc4a9d4c54a8b292ba503a97aa9316aff60cb92fe830c043e11.exe

pid	process
1744	file.exe
4508	01ba32d9f7971cc4a9d4c54a8b292ba503a97aa9316aff60cb92fe830c043e11.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

01ba32d9f7971cc4a9d4c54a8b292ba503a97aa9316aff60cb92fe830c043e11.exefile.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	01ba32d9f7971cc4a9d4c54a8b292ba503a97aa9316aff60cb92fe830c043e11.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	file.exe

Loads dropped DLL 2 IoCs

Processes:

rundll32.exe01ba32d9f7971cc4a9d4c54a8b292ba503a97aa9316aff60cb92fe830c043e11.exe

pid process

2372 rundll32.exe
4508 01ba32d9f7971cc4a9d4c54a8b292ba503a97aa9316aff60cb92fe830c043e11.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
2372	rundll32.exe
4508	01ba32d9f7971cc4a9d4c54a8b292ba503a97aa9316aff60cb92fe830c043e11.exe

NSIS installer 6 IoCs

installer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\SurfAnonymousFree-2.4.0.8.Setup.exe.org	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\SurfAnonymousFree-2.4.0.8.Setup.exe.org	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\01ba32d9f7971cc4a9d4c54a8b292ba503a97aa9316aff60cb92fe830c043e11.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\01ba32d9f7971cc4a9d4c54a8b292ba503a97aa9316aff60cb92fe830c043e11.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\01ba32d9f7971cc4a9d4c54a8b292ba503a97aa9316aff60cb92fe830c043e11.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\01ba32d9f7971cc4a9d4c54a8b292ba503a97aa9316aff60cb92fe830c043e11.exe	nsis_installer_2

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	rundll32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800000f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	rundll32.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

01ba32d9f7971cc4a9d4c54a8b292ba503a97aa9316aff60cb92fe830c043e11.exefile.execmd.exe

description	pid	process	target process
PID 4132 wrote to memory of 3868	4132	01ba32d9f7971cc4a9d4c54a8b292ba503a97aa9316aff60cb92fe830c043e11.exe	cmd.exe
PID 4132 wrote to memory of 3868	4132	01ba32d9f7971cc4a9d4c54a8b292ba503a97aa9316aff60cb92fe830c043e11.exe	cmd.exe
PID 4132 wrote to memory of 3868	4132	01ba32d9f7971cc4a9d4c54a8b292ba503a97aa9316aff60cb92fe830c043e11.exe	cmd.exe
PID 4132 wrote to memory of 1744	4132	01ba32d9f7971cc4a9d4c54a8b292ba503a97aa9316aff60cb92fe830c043e11.exe	file.exe
PID 4132 wrote to memory of 1744	4132	01ba32d9f7971cc4a9d4c54a8b292ba503a97aa9316aff60cb92fe830c043e11.exe	file.exe
PID 4132 wrote to memory of 1744	4132	01ba32d9f7971cc4a9d4c54a8b292ba503a97aa9316aff60cb92fe830c043e11.exe	file.exe
PID 1744 wrote to memory of 2372	1744	file.exe	rundll32.exe
PID 1744 wrote to memory of 2372	1744	file.exe	rundll32.exe
PID 1744 wrote to memory of 2372	1744	file.exe	rundll32.exe
PID 3868 wrote to memory of 4508	3868	cmd.exe	01ba32d9f7971cc4a9d4c54a8b292ba503a97aa9316aff60cb92fe830c043e11.exe
PID 3868 wrote to memory of 4508	3868	cmd.exe	01ba32d9f7971cc4a9d4c54a8b292ba503a97aa9316aff60cb92fe830c043e11.exe
PID 3868 wrote to memory of 4508	3868	cmd.exe	01ba32d9f7971cc4a9d4c54a8b292ba503a97aa9316aff60cb92fe830c043e11.exe
PID 1744 wrote to memory of 3544	1744	file.exe	cmd.exe
PID 1744 wrote to memory of 3544	1744	file.exe	cmd.exe
PID 1744 wrote to memory of 3544	1744	file.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\01ba32d9f7971cc4a9d4c54a8b292ba503a97aa9316aff60cb92fe830c043e11.exe
"C:\Users\Admin\AppData\Local\Temp\01ba32d9f7971cc4a9d4c54a8b292ba503a97aa9316aff60cb92fe830c043e11.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4132

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_ms0469.bat" "C:\Users\Admin\AppData\Local\Temp\01ba32d9f7971cc4a9d4c54a8b292ba503a97aa9316aff60cb92fe830c043e11.exe""
2⤵
- Suspicious use of WriteProcessMemory
PID:3868

C:\Users\Admin\AppData\Local\Temp\01ba32d9f7971cc4a9d4c54a8b292ba503a97aa9316aff60cb92fe830c043e11.exe
"C:\Users\Admin\AppData\Local\Temp\01ba32d9f7971cc4a9d4c54a8b292ba503a97aa9316aff60cb92fe830c043e11.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4508

C:\Users\Admin\AppData\Local\Temp\file.exe
C:\Users\Admin\AppData\Local\Temp\file.exe
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1744

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\7BBC.dll",ADB_Release
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Modifies system certificate store
PID:2372

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\25B9.bat" "
3⤵
PID:3544

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\01ba32d9f7971cc4a9d4c54a8b292ba503a97aa9316aff60cb92fe830c043e11.exe

Filesize
2.4MB

MD5
4150d25bf2c47cd3ed7a0d3e67f39a40

SHA1
37bd0df3068703afa9915e8477b6c4e22a52080d

SHA256
85b3a2291800b8f5c905cfa321f4ea1b54250f952fb774a11c24916fc4d80fb0

SHA512
1c2d2f78a50bd7311f41773a54f2c67a7a9080276887591ad62b8b0d026a1909c20f65be6ca09c6ea20dec8361493a94b487a019a417f61228fe519966d283ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\01ba32d9f7971cc4a9d4c54a8b292ba503a97aa9316aff60cb92fe830c043e11.exe

Filesize
2.4MB

MD5
4150d25bf2c47cd3ed7a0d3e67f39a40

SHA1
37bd0df3068703afa9915e8477b6c4e22a52080d

SHA256
85b3a2291800b8f5c905cfa321f4ea1b54250f952fb774a11c24916fc4d80fb0

SHA512
1c2d2f78a50bd7311f41773a54f2c67a7a9080276887591ad62b8b0d026a1909c20f65be6ca09c6ea20dec8361493a94b487a019a417f61228fe519966d283ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\25B9.bat

Filesize
139B

MD5
61dcfebf0bbffa0d053fcdbaf944b1de

SHA1
026ddacd88b63f261b42cac0d420fc09c423ea80

SHA256
244f004ec32da92d3c4282a20d92f4b7ab43ae5d42bbda0dbdd84664579577e4

SHA512
f6848e2bcba1b4867f3617207b444d57705354c1c17e0aa216cf16975e31f0312b030094029f4199591bbc5bdcf324d4e7a55f3169cb6c68c95099ab2f4ec0bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7BBC.dll

Filesize
123KB

MD5
c8eb6040fd02d77660d19057a38ff769

SHA1
b491c14d8cfb48636f6095b7b16555e9a575d57f

SHA256
366affd094cc63e2c19c5d57a6866b487889dab5d1b07c084fff94262d8a390b

SHA512
36d8bc7f18bbb62cfaf012a1e0539301d7eb1104b2f3bd79025f72e2a8f688e8d2b20f229253f8d387e25cb67f60e4306b6dab2b7e054f439c1a750bec896e56

Download Submit
C:\Users\Admin\AppData\Local\Temp\7BBC.dll

Filesize
123KB

MD5
c8eb6040fd02d77660d19057a38ff769

SHA1
b491c14d8cfb48636f6095b7b16555e9a575d57f

SHA256
366affd094cc63e2c19c5d57a6866b487889dab5d1b07c084fff94262d8a390b

SHA512
36d8bc7f18bbb62cfaf012a1e0539301d7eb1104b2f3bd79025f72e2a8f688e8d2b20f229253f8d387e25cb67f60e4306b6dab2b7e054f439c1a750bec896e56

Download Submit
C:\Users\Admin\AppData\Local\Temp\SurfAnonymousFree-2.4.0.8.Setup.exe.org

Filesize
2.4MB

MD5
4150d25bf2c47cd3ed7a0d3e67f39a40

SHA1
37bd0df3068703afa9915e8477b6c4e22a52080d

SHA256
85b3a2291800b8f5c905cfa321f4ea1b54250f952fb774a11c24916fc4d80fb0

SHA512
1c2d2f78a50bd7311f41773a54f2c67a7a9080276887591ad62b8b0d026a1909c20f65be6ca09c6ea20dec8361493a94b487a019a417f61228fe519966d283ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ms0469.bat

Filesize
270B

MD5
e183853960c090642ac533bdf0512f4e

SHA1
33fa2f0c3a71f7ae950904d1eb14079d3dabb3fa

SHA256
a9f7b909a3791dff8583f5ef2ca8e8c2982ece74928dc6d54d82e3610f532223

SHA512
01b1e666d61b24ede1f9a667a64be2f1268d62f88111e2fb4899e92d6edf029d057bef6e66578f7a6e3efee139736c33c5c6e1e6424223f061dfd38ddb3c7dde

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.exe

Filesize
214KB

MD5
28f96a57fa5ff663926e9bad51a1d0cb

SHA1
a75995f94854dea8799650a2f4a97980b71199d2

SHA256
19972cc87c7653aff9620461ce459b996b1f9b030d7c8031df0c8265b73f670d

SHA512
104a8be2c460f73ac953711f677c8666b5831bebd64ec01b722c14270f4ceaef1f3564b00006f47bb25c42f67137d746b72be57e3d2bcb9bd98908784ef3339b

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.exe

Filesize
214KB

MD5
28f96a57fa5ff663926e9bad51a1d0cb

SHA1
a75995f94854dea8799650a2f4a97980b71199d2

SHA256
19972cc87c7653aff9620461ce459b996b1f9b030d7c8031df0c8265b73f670d

SHA512
104a8be2c460f73ac953711f677c8666b5831bebd64ec01b722c14270f4ceaef1f3564b00006f47bb25c42f67137d746b72be57e3d2bcb9bd98908784ef3339b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj77E1.tmp\InstallOptions.dll

Filesize
14KB

MD5
ec48a8204e1aed3d9a951cd92158cbe3

SHA1
0db29522e15448553b697b88b31a3d8392efd933

SHA256
3166399ed2ee296749aa412a4ec70807373b6349e9b94a7fcd97c3418f744f0f

SHA512
9b0ab63fbe4bf89ddf93e5fc6922cc95c0586e21dea945ce04065afd7957bd2472e34c909d356123346f62dee4c6d6077a0072810c91b61ad3df4c168cdb79d5

Download Submit
memory/1744-133-0x0000000000000000-mapping.dmp

Download
memory/2372-138-0x0000000000000000-mapping.dmp

Download
memory/3544-142-0x0000000000000000-mapping.dmp

Download
memory/3868-132-0x0000000000000000-mapping.dmp

Download
memory/4508-139-0x0000000000000000-mapping.dmp

Download