Analysis
- max time kernel: 187s
- max time network: 211s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23-11-2022 10:49
Static task: static1
Behavioral task: behavioral1
- Sample: 78f4029a6736d448bd7ad92a0a94754e80dec8a27f0be8f8689ea58210677152.exe
- Resource: win7-20221111-en
Behavioral task: behavioral2
- Sample: 78f4029a6736d448bd7ad92a0a94754e80dec8a27f0be8f8689ea58210677152.exe
- Resource: win10v2004-20221111-en
General
- Target: 78f4029a6736d448bd7ad92a0a94754e80dec8a27f0be8f8689ea58210677152.exe
- Size: 32KB
- MD5: 2cf817952883313ef3635569720dcbc0
- SHA1: eac3afa4e4d0ee2d6a20e3ce8ae54463b7a23179
- SHA256: 78f4029a6736d448bd7ad92a0a94754e80dec8a27f0be8f8689ea58210677152
- SHA512: bbe72539bdb123bd3337b626bbff6178014ae98556c022197701cbee0edf63a825235882cef4f64022fb4bf2cd6d74e6e4104eb2b4e799821a1fa1d39a8d7d74
- SSDEEP: 384:zB1jprsW8cCCpKlOIEgKv427jOpBLnzQr6D6GpCwKVw5Dnw:zB1dswKldrKvhCVQGRCwF
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  Processes:
    pid   process
    208   pxbyz.exe
    1820  pxbyz.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    description        ioc                                                                                              process
    Key value queried  \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation  78f4029a6736d448bd7ad92a0a94754e80dec8a27f0be8f8689ea58210677152.exe
- Suspicious use of SetThreadContext (2 IoCs)
  Processes:
    description                  pid   process                                                               target process
    set thread context of 4152   4912  78f4029a6736d448bd7ad92a0a94754e80dec8a27f0be8f8689ea58210677152.exe  78f4029a6736d448bd7ad92a0a94754e80dec8a27f0be8f8689ea58210677152.exe
    set thread context of 1820   208   pxbyz.exe                                                             pxbyz.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (17 IoCs)
  Processes (identical rows collapsed; count gives the number of IoC rows for each pair):
    description               pid   process                                                               target process                                                        count
    wrote to memory of 4152   4912  78f4029a6736d448bd7ad92a0a94754e80dec8a27f0be8f8689ea58210677152.exe  78f4029a6736d448bd7ad92a0a94754e80dec8a27f0be8f8689ea58210677152.exe  7
    wrote to memory of 208    4152  78f4029a6736d448bd7ad92a0a94754e80dec8a27f0be8f8689ea58210677152.exe  pxbyz.exe                                                             3
    wrote to memory of 1820   208   pxbyz.exe                                                             pxbyz.exe                                                             7
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\78f4029a6736d448bd7ad92a0a94754e80dec8a27f0be8f8689ea58210677152.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\78f4029a6736d448bd7ad92a0a94754e80dec8a27f0be8f8689ea58210677152.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\78f4029a6736d448bd7ad92a0a94754e80dec8a27f0be8f8689ea58210677152.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\78f4029a6736d448bd7ad92a0a94754e80dec8a27f0be8f8689ea58210677152.exe"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Local\Temp\pxbyz.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\pxbyz.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      - [4] C:\Users\Admin\AppData\Local\Temp\pxbyz.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\pxbyz.exe"
        - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\pxbyz.exe
  Filesize: 32KB
  MD5: 69226fabedfe385c37e17e8cad1baae9
  SHA1: 7f59758414e1940118fb80133edc993551563d17
  SHA256: 2d2af37936a64887c9a698aff3de3d6eea3602094f0aac5a22672ee95e3c4938
  SHA512: 26435e54d7777ab88004d0f21debf411fc7dc7c6e9096f6cbe47930b05f364e63a76b5bf4980a88f2042e0295020997c274ba4a2d89332601def77e65377fb51
- memory/208-137-0x0000000000000000-mapping.dmp
- memory/208-143-0x0000000000400000-0x000000000040B000-memory.dmp (Filesize: 44KB)
- memory/1820-140-0x0000000000000000-mapping.dmp
- memory/1820-145-0x0000000000400000-0x0000000000403000-memory.dmp (Filesize: 12KB)
- memory/4152-132-0x0000000000000000-mapping.dmp
- memory/4152-133-0x0000000000400000-0x0000000000403000-memory.dmp (Filesize: 12KB)
- memory/4152-136-0x0000000000400000-0x0000000000403000-memory.dmp (Filesize: 12KB)
- memory/4912-135-0x0000000000400000-0x000000000040B000-memory.dmp (Filesize: 44KB)