Analysis
  max time kernel: 190s
  max time network: 195s
  platform: windows10-2004_x64
  resource: win10v2004-20221111-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 23-11-2022 12:35

Static task: static1

Behavioral task: behavioral1
  Sample: ff0ff899def71088c850a1050e94d962ec2452d849e43273c46b103a8a839388.exe
  Resource: win7-20221111-en

Behavioral task: behavioral2
  Sample: ff0ff899def71088c850a1050e94d962ec2452d849e43273c46b103a8a839388.exe
  Resource: win10v2004-20221111-en
General
  Target: ff0ff899def71088c850a1050e94d962ec2452d849e43273c46b103a8a839388.exe
  Size: 46KB
  MD5: c9a3deb22ed82d4b04ace98903eddeac
  SHA1: 4ff6670f31a5d0c8d48edb3394abdae6511c8aa6
  SHA256: ff0ff899def71088c850a1050e94d962ec2452d849e43273c46b103a8a839388
  SHA512: 601f015a161cab74973bd16c696c84c2aa8066a8d85203c036a193bd2382f9d4b0de3603a2278b510808a83aa5c2e8003c64762ad3f6fd484a20218aa97c471e
  SSDEEP: 768:Vvfdi1f8dlZ0gEdb1fIViMJX9dilR4UO/dd5pJ2SeHaZYA0HaU0TZ+H4gzc94uNZ:9diV8PJEdblIwMJX9dibKpJaHaQ6U0Tx
Malware Config
Signatures
-
Executes dropped EXE 4 IoCs
Processes:
  pid   process
  1408  pzfbrgqx.exe
  3112  qzlbm0r.exe
  996   pzfbrgqx.exe
  1572  qzlbm0r.exe
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
  description        ioc                                                                                                        process
  Key value queried  \REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Control Panel\International\Geo\Nation  qzlbm0r.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Control Panel\International\Geo\Nation  pzfbrgqx.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Control Panel\International\Geo\Nation  ff0ff899def71088c850a1050e94d962ec2452d849e43273c46b103a8a839388.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Control Panel\International\Geo\Nation  pzfbrgqx.exe
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
  description      ioc                                                                                                                                   process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QzlBM0RFQjIyRUQ4MkQ0Qj = "C:\\ProgramData\\pzfbrgqx.exe"  pzfbrgqx.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QzlBM0RFQjIyRUQ4MkQ0Qj = "C:\\ProgramData\\pzfbrgqx.exe"  pzfbrgqx.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 13 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
  description        ioc                                                                              process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier          ff0ff899def71088c850a1050e94d962ec2452d849e43273c46b103a8a839388.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier          pzfbrgqx.exe
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                     qzlbm0r.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier          qzlbm0r.exe
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                     dw20.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString dw20.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier          pzfbrgqx.exe
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                     ff0ff899def71088c850a1050e94d962ec2452d849e43273c46b103a8a839388.exe
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                     qzlbm0r.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                dw20.exe
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                     pzfbrgqx.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier          qzlbm0r.exe
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                     pzfbrgqx.exe
Enumerates system info in registry 2 TTPs 2 IoCs
Processes:
  description        ioc                                                        process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU  dw20.exe
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS            dw20.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
  pid   process
  3112  qzlbm0r.exe   (the same entry, repeated 64 times)
Suspicious use of AdjustPrivilegeToken 7 IoCs
Processes:
  description               pid   process
  Token: SeDebugPrivilege   4892  ff0ff899def71088c850a1050e94d962ec2452d849e43273c46b103a8a839388.exe
  Token: SeDebugPrivilege   1408  pzfbrgqx.exe
  Token: SeDebugPrivilege   3112  qzlbm0r.exe
  Token: SeBackupPrivilege  4640  dw20.exe
  Token: SeBackupPrivilege  4640  dw20.exe
  Token: SeDebugPrivilege   996   pzfbrgqx.exe
  Token: SeDebugPrivilege   1572  qzlbm0r.exe
Suspicious use of WriteProcessMemory 10 IoCs
Processes:
  description                        pid   process                                                                 target process
  PID 4892 wrote to memory of 1408   4892  ff0ff899def71088c850a1050e94d962ec2452d849e43273c46b103a8a839388.exe  pzfbrgqx.exe
  PID 4892 wrote to memory of 1408   4892  ff0ff899def71088c850a1050e94d962ec2452d849e43273c46b103a8a839388.exe  pzfbrgqx.exe
  PID 1408 wrote to memory of 3112   1408  pzfbrgqx.exe                                                            qzlbm0r.exe
  PID 1408 wrote to memory of 3112   1408  pzfbrgqx.exe                                                            qzlbm0r.exe
  PID 1408 wrote to memory of 4640   1408  pzfbrgqx.exe                                                            dw20.exe
  PID 1408 wrote to memory of 4640   1408  pzfbrgqx.exe                                                            dw20.exe
  PID 3112 wrote to memory of 996    3112  qzlbm0r.exe                                                             pzfbrgqx.exe
  PID 3112 wrote to memory of 996    3112  qzlbm0r.exe                                                             pzfbrgqx.exe
  PID 996 wrote to memory of 1572    996   pzfbrgqx.exe                                                            qzlbm0r.exe
  PID 996 wrote to memory of 1572    996   pzfbrgqx.exe                                                            qzlbm0r.exe
Processes
Depth 1: C:\Users\Admin\AppData\Local\Temp\ff0ff899def71088c850a1050e94d962ec2452d849e43273c46b103a8a839388.exe (PID 4892)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ff0ff899def71088c850a1050e94d962ec2452d849e43273c46b103a8a839388.exe"
  - Checks computer location settings
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  Depth 2: C:\ProgramData\pzfbrgqx.exe (PID 1408)
    Command line: "C:\ProgramData\pzfbrgqx.exe"
    - Executes dropped EXE
    - Checks computer location settings
    - Adds Run key to start application
    - Checks processor information in registry
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    Depth 3: C:\Users\Admin\qzlbm0r.exe (PID 3112)
      Command line: "C:\Users\Admin\qzlbm0r.exe" C:\ProgramData\pzfbrgqx.exe 1408
      - Executes dropped EXE
      - Checks computer location settings
      - Checks processor information in registry
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      Depth 4: C:\ProgramData\pzfbrgqx.exe (PID 996)
        Command line: "C:\ProgramData\pzfbrgqx.exe"
        - Executes dropped EXE
        - Checks computer location settings
        - Adds Run key to start application
        - Checks processor information in registry
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        Depth 5: C:\Users\Admin\qzlbm0r.exe (PID 1572)
          Command line: "C:\Users\Admin\qzlbm0r.exe" C:\ProgramData\pzfbrgqx.exe 996
          - Executes dropped EXE
          - Checks processor information in registry
          - Suspicious use of AdjustPrivilegeToken

    Depth 3: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe (PID 4640)
      Command line: dw20.exe -x -s 2916
      - Checks processor information in registry
      - Enumerates system info in registry
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\ProgramData\pzfbrgqx.exe
  Filesize: 46KB
  MD5: c9a3deb22ed82d4b04ace98903eddeac
  SHA1: 4ff6670f31a5d0c8d48edb3394abdae6511c8aa6
  SHA256: ff0ff899def71088c850a1050e94d962ec2452d849e43273c46b103a8a839388
  SHA512: 601f015a161cab74973bd16c696c84c2aa8066a8d85203c036a193bd2382f9d4b0de3603a2278b510808a83aa5c2e8003c64762ad3f6fd484a20218aa97c471e
- C:\Users\Admin\qzlbm0r.exe
  Filesize: 46KB
  MD5: c9a3deb22ed82d4b04ace98903eddeac
  SHA1: 4ff6670f31a5d0c8d48edb3394abdae6511c8aa6
  SHA256: ff0ff899def71088c850a1050e94d962ec2452d849e43273c46b103a8a839388
  SHA512: 601f015a161cab74973bd16c696c84c2aa8066a8d85203c036a193bd2382f9d4b0de3603a2278b510808a83aa5c2e8003c64762ad3f6fd484a20218aa97c471e
- memory/996-142-0x0000000000000000-mapping.dmp
- memory/996-144-0x00007FF80FF20000-0x00007FF810956000-memory.dmp
  Filesize: 10.2MB
- memory/1408-136-0x00007FF80FF20000-0x00007FF810956000-memory.dmp
  Filesize: 10.2MB
- memory/1408-133-0x0000000000000000-mapping.dmp
- memory/1572-145-0x0000000000000000-mapping.dmp
- memory/1572-147-0x00007FF80FF20000-0x00007FF810956000-memory.dmp
  Filesize: 10.2MB
- memory/3112-140-0x00007FF80FF20000-0x00007FF810956000-memory.dmp
  Filesize: 10.2MB
- memory/3112-137-0x0000000000000000-mapping.dmp
- memory/4640-141-0x0000000000000000-mapping.dmp
- memory/4892-132-0x00007FF80FF20000-0x00007FF810956000-memory.dmp
  Filesize: 10.2MB