Analysis
- max time kernel: 154s
- max time network: 158s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23-11-2022 10:49
Static task: static1
Behavioral task: behavioral1
- Sample: f1ed325e8134d3e7f2422dec303f853767b784398be60abcba915dd93f751bbd.exe
- Resource: win7-20221111-en
Behavioral task: behavioral2
- Sample: f1ed325e8134d3e7f2422dec303f853767b784398be60abcba915dd93f751bbd.exe
- Resource: win10v2004-20220812-en
General
- Target: f1ed325e8134d3e7f2422dec303f853767b784398be60abcba915dd93f751bbd.exe
- Size: 32KB
- MD5: f40c293ff3d6915adad554926d785982
- SHA1: 7d040fcdce1f46d2ad2405f3d28019489624f7dc
- SHA256: f1ed325e8134d3e7f2422dec303f853767b784398be60abcba915dd93f751bbd
- SHA512: 2f7b303418e36635bd0d0103a2fa52cb81a83680734114ac46df968acec2a9efebf8f3f6c347630328415d68da077c0175fad51e51bf0cf02bd3b5ac52919fde
- SSDEEP: 384:zB1jprsW8cCCpKlOIEgKv427jOpBLnzQr6D6GpCwKVw5Dnwo:zB1dswKldrKvhCVQGRCwFD
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  Processes:
    pid   process
    4884  pxbyz.exe
    4928  pxbyz.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    description        ioc                                                                                                  process
    Key value queried  \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation  f1ed325e8134d3e7f2422dec303f853767b784398be60abcba915dd93f751bbd.exe
- Suspicious use of SetThreadContext (2 IoCs)
  Processes:
    description                          pid   process                                                                   target process
    PID 4084 set thread context of 1636  4084  f1ed325e8134d3e7f2422dec303f853767b784398be60abcba915dd93f751bbd.exe  f1ed325e8134d3e7f2422dec303f853767b784398be60abcba915dd93f751bbd.exe
    PID 4884 set thread context of 4928  4884  pxbyz.exe                                                                 pxbyz.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (17 IoCs)
  Processes (identical rows grouped, with the number of occurrences in the last column):
    description                       pid   process                                                                   target process                                                            occurrences
    PID 4084 wrote to memory of 1636  4084  f1ed325e8134d3e7f2422dec303f853767b784398be60abcba915dd93f751bbd.exe  f1ed325e8134d3e7f2422dec303f853767b784398be60abcba915dd93f751bbd.exe  7
    PID 1636 wrote to memory of 4884  1636  f1ed325e8134d3e7f2422dec303f853767b784398be60abcba915dd93f751bbd.exe  pxbyz.exe                                                                 3
    PID 4884 wrote to memory of 4928  4884  pxbyz.exe                                                                 pxbyz.exe                                                                 7
Processes
- [depth 1] C:\Users\Admin\AppData\Local\Temp\f1ed325e8134d3e7f2422dec303f853767b784398be60abcba915dd93f751bbd.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f1ed325e8134d3e7f2422dec303f853767b784398be60abcba915dd93f751bbd.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - [depth 2] C:\Users\Admin\AppData\Local\Temp\f1ed325e8134d3e7f2422dec303f853767b784398be60abcba915dd93f751bbd.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\f1ed325e8134d3e7f2422dec303f853767b784398be60abcba915dd93f751bbd.exe"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    - [depth 3] C:\Users\Admin\AppData\Local\Temp\pxbyz.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\pxbyz.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      - [depth 4] C:\Users\Admin\AppData\Local\Temp\pxbyz.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\pxbyz.exe"
        - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\pxbyz.exe
  Filesize: 32KB
  MD5: 55e4949d2a94470f94da5373c30b8481
  SHA1: 395850029a4e411e06df26060a9a75dee2430833
  SHA256: 965882785bb1ffaa11d49591618ad9636ab30a845fed1d69bd9ae3d50b88ceb9
  SHA512: cd9e63253eb69cdf11a86232bae129b414600109bff5cd6e4c5dc2d88c3fa160fd5b3978b9edc44f57cb0a841618490a315bc9ae8726970ac0a2ce2a48f8e07e
- memory/1636-133-0x0000000000000000-mapping.dmp
- memory/1636-134-0x0000000000400000-0x0000000000403000-memory.dmp (Filesize: 12KB)
- memory/1636-136-0x0000000000400000-0x0000000000403000-memory.dmp (Filesize: 12KB)
- memory/4084-132-0x0000000000400000-0x000000000040B000-memory.dmp (Filesize: 44KB)
- memory/4084-137-0x0000000000400000-0x000000000040B000-memory.dmp (Filesize: 44KB)
- memory/4884-138-0x0000000000000000-mapping.dmp
- memory/4884-145-0x0000000000400000-0x000000000040B000-memory.dmp (Filesize: 44KB)
- memory/4928-141-0x0000000000000000-mapping.dmp
- memory/4928-146-0x0000000000400000-0x0000000000403000-memory.dmp (Filesize: 12KB)