0f73f17ceffd64b37bed57b30a71d66501178ade971e96269adf55e780e3bf0e

Analysis

max time kernel
168s
max time network
181s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 15:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0f73f17ceffd64b37bed57b30a71d66501178ade971e96269adf55e780e3bf0e.exe
Size

15.7MB
MD5

2ca01a78d22e347e780037057fcb1252
SHA1

706d1f15c1275d7aa1322be64099ee1ef6bffe2b
SHA256

0f73f17ceffd64b37bed57b30a71d66501178ade971e96269adf55e780e3bf0e
SHA512

5ce2a4ceed03ef565e880219c2dd2554f9d19878baacd9f71c3f87ab6c45e563a7afd883db1ae56030aea1b2f32c1e1a1deb073e707f2ae59dd7780d983d4cc5
SSDEEP

196608:BcCuika88MiXKKP1bMjDo89ub0bVveG7uTgu9h0FjWxWYDDP3ofXPGsF9tFQGW89:vADFeGyThyiPP3A/f9AGyVJSuk

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

Atc3.8.1469.exeAPN_ATU3_.exeAPN_ATU3_.exe

pid process

2504 Atc3.8.1469.exe
4448 APN_ATU3_.exe
3452 APN_ATU3_.exe

pid	process
2504	Atc3.8.1469.exe
4448	APN_ATU3_.exe
3452	APN_ATU3_.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

0f73f17ceffd64b37bed57b30a71d66501178ade971e96269adf55e780e3bf0e.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	0f73f17ceffd64b37bed57b30a71d66501178ade971e96269adf55e780e3bf0e.exe

Loads dropped DLL 5 IoCs

Processes:

Atc3.8.1469.exe

pid process

2504 Atc3.8.1469.exe
2504 Atc3.8.1469.exe
2504 Atc3.8.1469.exe
2504 Atc3.8.1469.exe
2504 Atc3.8.1469.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
2504	Atc3.8.1469.exe
2504	Atc3.8.1469.exe
2504	Atc3.8.1469.exe
2504	Atc3.8.1469.exe
2504	Atc3.8.1469.exe

NSIS installer 4 IoCs

installer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\000553A4\Atc3.8.1469.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\000553A4\Atc3.8.1469.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\000553A4\Atc3.8.1469.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\000553A4\Atc3.8.1469.exe	nsis_installer_2

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

APN_ATU3_.exe

pid process

4448 APN_ATU3_.exe
4448 APN_ATU3_.exe

pid	process
4448	APN_ATU3_.exe
4448	APN_ATU3_.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

0f73f17ceffd64b37bed57b30a71d66501178ade971e96269adf55e780e3bf0e.exeAtc3.8.1469.exeAPN_ATU3_.exeAPN_ATU3_.exe

pid	process
4304	0f73f17ceffd64b37bed57b30a71d66501178ade971e96269adf55e780e3bf0e.exe
2504	Atc3.8.1469.exe
4448	APN_ATU3_.exe
3452	APN_ATU3_.exe
4448	APN_ATU3_.exe
4448	APN_ATU3_.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

0f73f17ceffd64b37bed57b30a71d66501178ade971e96269adf55e780e3bf0e.exeAtc3.8.1469.exeAPN_ATU3_.exe

description	pid	process	target process
PID 4304 wrote to memory of 2504	4304	0f73f17ceffd64b37bed57b30a71d66501178ade971e96269adf55e780e3bf0e.exe	Atc3.8.1469.exe
PID 4304 wrote to memory of 2504	4304	0f73f17ceffd64b37bed57b30a71d66501178ade971e96269adf55e780e3bf0e.exe	Atc3.8.1469.exe
PID 4304 wrote to memory of 2504	4304	0f73f17ceffd64b37bed57b30a71d66501178ade971e96269adf55e780e3bf0e.exe	Atc3.8.1469.exe
PID 2504 wrote to memory of 4448	2504	Atc3.8.1469.exe	APN_ATU3_.exe
PID 2504 wrote to memory of 4448	2504	Atc3.8.1469.exe	APN_ATU3_.exe
PID 2504 wrote to memory of 4448	2504	Atc3.8.1469.exe	APN_ATU3_.exe
PID 4448 wrote to memory of 3452	4448	APN_ATU3_.exe	APN_ATU3_.exe
PID 4448 wrote to memory of 3452	4448	APN_ATU3_.exe	APN_ATU3_.exe
PID 4448 wrote to memory of 3452	4448	APN_ATU3_.exe	APN_ATU3_.exe

C:\Users\Admin\AppData\Local\Temp\0f73f17ceffd64b37bed57b30a71d66501178ade971e96269adf55e780e3bf0e.exe
"C:\Users\Admin\AppData\Local\Temp\0f73f17ceffd64b37bed57b30a71d66501178ade971e96269adf55e780e3bf0e.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4304
- C:\Users\Admin\AppData\Local\Temp\000553A4\Atc3.8.1469.exe
  "C:\Users\Admin\AppData\Local\Temp\000553A4\Atc3.8.1469.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2504
- - C:\Users\Admin\AppData\Local\Temp\nsa544C.tmp-2\APN_ATU3_.exe
    "C:\Users\Admin\AppData\Local\Temp\nsa544C.tmp-2\APN_ATU3_.exe" -pid ATU3 -b
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4448
  - - C:\Users\Admin\AppData\Local\Temp\nsa544C.tmp-2\APN_ATU3_.exe
      "C:\Users\Admin\AppData\Local\Temp\nsa544C.tmp-2\APN_ATU3_.exe" -pid ATU3 -b -se -ppd 4448
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:3452

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\000553A4\Atc3.8.1469.exe

Filesize
11.2MB

MD5
ec7ae3ea0411b0c1257ab7d277c18700

SHA1
eeaf55760887e3d9ce3a6fc1a5925cdf386b58ce

SHA256
ad255881bc59d13a4b2e9492c1ab8de4b617aba8a2f9a990f2a6fd4b1c1ee6bd

SHA512
3ca6cc95c99be70667ebcb6198af160a85b04bb4038892efa5503b2911cf3026aacef0ee7e7962489ede15dc59a2fe456a36f8f005960aec0a779598edd63f45

Download Submit
C:\Users\Admin\AppData\Local\Temp\000553A4\Atc3.8.1469.exe

Filesize
11.2MB

MD5
ec7ae3ea0411b0c1257ab7d277c18700

SHA1
eeaf55760887e3d9ce3a6fc1a5925cdf386b58ce

SHA256
ad255881bc59d13a4b2e9492c1ab8de4b617aba8a2f9a990f2a6fd4b1c1ee6bd

SHA512
3ca6cc95c99be70667ebcb6198af160a85b04bb4038892efa5503b2911cf3026aacef0ee7e7962489ede15dc59a2fe456a36f8f005960aec0a779598edd63f45

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsa544C.tmp-2\APN_ATU3_.exe

Filesize
1.2MB

MD5
a31a01638fa37fe1e2cb8fdaf1d31829

SHA1
23bd0a4165c3de90109dacd17c13337099846a9f

SHA256
d89cfd61a5377e3feb49da1f11e300a458823918fe63f95deb89c5779d418225

SHA512
5e9fe72f7fa8bb6468cd7f8d04aa69b301363a8f6136b94796a544c70b543dedd0bf05399e8c937febfed678be75d9d508f2a9c6f0bb8432f0ced5e5866e428d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsa544C.tmp-2\APN_ATU3_.exe

Filesize
1.2MB

MD5
a31a01638fa37fe1e2cb8fdaf1d31829

SHA1
23bd0a4165c3de90109dacd17c13337099846a9f

SHA256
d89cfd61a5377e3feb49da1f11e300a458823918fe63f95deb89c5779d418225

SHA512
5e9fe72f7fa8bb6468cd7f8d04aa69b301363a8f6136b94796a544c70b543dedd0bf05399e8c937febfed678be75d9d508f2a9c6f0bb8432f0ced5e5866e428d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsa544C.tmp-2\APN_ATU3_.exe

Filesize
1.2MB

MD5
a31a01638fa37fe1e2cb8fdaf1d31829

SHA1
23bd0a4165c3de90109dacd17c13337099846a9f

SHA256
d89cfd61a5377e3feb49da1f11e300a458823918fe63f95deb89c5779d418225

SHA512
5e9fe72f7fa8bb6468cd7f8d04aa69b301363a8f6136b94796a544c70b543dedd0bf05399e8c937febfed678be75d9d508f2a9c6f0bb8432f0ced5e5866e428d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu5FF5.tmp\InstallOptions.dll

Filesize
14KB

MD5
325b008aec81e5aaa57096f05d4212b5

SHA1
27a2d89747a20305b6518438eff5b9f57f7df5c3

SHA256
c9cd5c9609e70005926ae5171726a4142ffbcccc771d307efcd195dafc1e6b4b

SHA512
18362b3aee529a27e85cc087627ecf6e2d21196d725f499c4a185cb3a380999f43ff1833a8ebec3f5ba1d3a113ef83185770e663854121f2d8b885790115afdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu5FF5.tmp\InstallOptions.dll

Filesize
14KB

MD5
325b008aec81e5aaa57096f05d4212b5

SHA1
27a2d89747a20305b6518438eff5b9f57f7df5c3

SHA256
c9cd5c9609e70005926ae5171726a4142ffbcccc771d307efcd195dafc1e6b4b

SHA512
18362b3aee529a27e85cc087627ecf6e2d21196d725f499c4a185cb3a380999f43ff1833a8ebec3f5ba1d3a113ef83185770e663854121f2d8b885790115afdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu5FF5.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu5FF5.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu5FF5.tmp\UserInfo.dll

Filesize
4KB

MD5
7579ade7ae1747a31960a228ce02e666

SHA1
8ec8571a296737e819dcf86353a43fcf8ec63351

SHA256
564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5

SHA512
a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b

Download Submit
memory/2504-132-0x0000000000000000-mapping.dmp

Download
memory/2504-145-0x0000000002221000-0x0000000002223000-memory.dmp

Filesize
8KB

Download
memory/3452-138-0x0000000000000000-mapping.dmp

Download
memory/4448-135-0x0000000000000000-mapping.dmp

Download