Analysis
-
max time kernel
151s -
max time network
50s -
platform
windows7_x64 -
resource
win7-20220901-en -
resource tags
-
submitted
23-11-2022 09:41
General
-
Target
bee867e70ba3d7b12de880b7c2cc1952c18e5487bc722cabaec83e73dc139525.exe
-
Size
685KB
-
MD5
6dcb4ce3ae5aedc4876e9896073c77a5
-
SHA1
f9153a229d69934d1ec0320f10ef7029b5f38132
-
SHA256
bee867e70ba3d7b12de880b7c2cc1952c18e5487bc722cabaec83e73dc139525
-
SHA512
722357524bd83dc3347a57deb0da06ea06f5ab2a206810e1e40210b035ad7e31d7ac80365ce244de45433e102539fb053990c78a7ac0356f5495b4b80b92f683
-
SSDEEP
12288:C7jy0J9opbkjyhoHU7ye3Dbfrpfe9HMbIPvHSIVlvee15t+F1D036:C7bJowjyho07zTjtm9R3HTL5t4q6
Malware Config
Extracted
C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DecryptAllFiles 7158839.txt
http://zt6bycgnjvatzzvi.onion
Signatures
-
Executes dropped EXE 2 IoCs
-
Modifies extensions of user files 3 IoCs
Ransomware generally changes the extension on encrypted files.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Program Files directory 2 IoCs
-
Program crash 1 IoCs
-
Suspicious use of WriteProcessMemory 18 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\bee867e70ba3d7b12de880b7c2cc1952c18e5487bc722cabaec83e73dc139525.exe"C:\Users\Admin\AppData\Local\Temp\bee867e70ba3d7b12de880b7c2cc1952c18e5487bc722cabaec83e73dc139525.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\bee867e70ba3d7b12de880b7c2cc1952c18e5487bc722cabaec83e73dc139525.exe"C:\Users\Admin\AppData\Local\Temp\bee867e70ba3d7b12de880b7c2cc1952c18e5487bc722cabaec83e73dc139525.exe"2⤵
- Checks computer location settings
-
C:\Windows\system32\taskeng.exetaskeng.exe {0E240CDE-D8E9-4D8D-AA81-4C82559D24A1} S-1-5-21-4063495947-34355257-727531523-1000:RYNKSFQE\Admin:Interactive:[1]1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\pdfisga.exeC:\Users\Admin\AppData\Local\Temp\pdfisga.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\pdfisga.exe"C:\Users\Admin\AppData\Local\Temp\pdfisga.exe"3⤵
- Executes dropped EXE
- Modifies extensions of user files
- Checks computer location settings
- Drops file in Program Files directory
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 1208 -s 12081⤵
- Program crash
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
685KB
MD56dcb4ce3ae5aedc4876e9896073c77a5
SHA1f9153a229d69934d1ec0320f10ef7029b5f38132
SHA256bee867e70ba3d7b12de880b7c2cc1952c18e5487bc722cabaec83e73dc139525
SHA512722357524bd83dc3347a57deb0da06ea06f5ab2a206810e1e40210b035ad7e31d7ac80365ce244de45433e102539fb053990c78a7ac0356f5495b4b80b92f683
-
Filesize
685KB
MD56dcb4ce3ae5aedc4876e9896073c77a5
SHA1f9153a229d69934d1ec0320f10ef7029b5f38132
SHA256bee867e70ba3d7b12de880b7c2cc1952c18e5487bc722cabaec83e73dc139525
SHA512722357524bd83dc3347a57deb0da06ea06f5ab2a206810e1e40210b035ad7e31d7ac80365ce244de45433e102539fb053990c78a7ac0356f5495b4b80b92f683
-
Filesize
685KB
MD56dcb4ce3ae5aedc4876e9896073c77a5
SHA1f9153a229d69934d1ec0320f10ef7029b5f38132
SHA256bee867e70ba3d7b12de880b7c2cc1952c18e5487bc722cabaec83e73dc139525
SHA512722357524bd83dc3347a57deb0da06ea06f5ab2a206810e1e40210b035ad7e31d7ac80365ce244de45433e102539fb053990c78a7ac0356f5495b4b80b92f683
-
Filesize
654B
MD5a341952dc5a325acaf381ed7db17b96b
SHA1dc3901e6102fbf722b8cb245560f2f42579d554e
SHA2563613b73ca9214bd684370c8f3f7286468f7e59e28df621be2485447855ea3714
SHA512d65fd7d4e14d6245b895f6b5dc48b736c32064a13af41cccea6439080ad47dfdbb61a578616e72df5d0825843e26b2343fdbeaf93772f1d9c62cf0253d6529d7
-
Filesize
685KB
MD56dcb4ce3ae5aedc4876e9896073c77a5
SHA1f9153a229d69934d1ec0320f10ef7029b5f38132
SHA256bee867e70ba3d7b12de880b7c2cc1952c18e5487bc722cabaec83e73dc139525
SHA512722357524bd83dc3347a57deb0da06ea06f5ab2a206810e1e40210b035ad7e31d7ac80365ce244de45433e102539fb053990c78a7ac0356f5495b4b80b92f683
-
Filesize
5.7MB
-
-
Filesize
5.7MB
-
-
Filesize
668KB
-
Filesize
2.1MB
-
Filesize
668KB
-
Filesize
2.3MB
-
Filesize
668KB
-
Filesize
668KB
-
Filesize
5.7MB
-
Filesize
8KB
-
Filesize
5.7MB
-
-
Filesize
2.3MB