91b96e54f51d78226671a570632756cd8fc3fd6323743c028bd6d2fcf20d80ac

Analysis

max time kernel
153s
max time network
193s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 21:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

91b96e54f51d78226671a570632756cd8fc3fd6323743c028bd6d2fcf20d80ac.exe
Size

287KB
MD5

53602ce749792a9f803274147a949d70
SHA1

cd819b4c4d1b31064b20799f7cea07a4ca0d4814
SHA256

91b96e54f51d78226671a570632756cd8fc3fd6323743c028bd6d2fcf20d80ac
SHA512

d65a948942596a6e517614c91bb25d2d07d15488059bd21188bf4cc24aedb0743a982f4e8a5f47e72027080c98d1986639361591b5ad8fd17fd3f640356ef51c
SSDEEP

6144:4WOBZbwUfuYZx+GcrcBS2YOsVy/cMIkT7b7F1Yw7Y/WTdMI:41Bn2+cI1sU/cMf3bpCeY+TmI

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

14.sfx.exe14.exe

pid process

1792 14.sfx.exe
1624 14.exe

pid	process
1792	14.sfx.exe
1624	14.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

91b96e54f51d78226671a570632756cd8fc3fd6323743c028bd6d2fcf20d80ac.exe14.sfx.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	91b96e54f51d78226671a570632756cd8fc3fd6323743c028bd6d2fcf20d80ac.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	14.sfx.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1308 1624 WerFault.exe 14.exe

pid	pid_target	process	target process
1308	1624	WerFault.exe	14.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

91b96e54f51d78226671a570632756cd8fc3fd6323743c028bd6d2fcf20d80ac.exe14.sfx.exe

description	pid	process	target process
PID 2676 wrote to memory of 1792	2676	91b96e54f51d78226671a570632756cd8fc3fd6323743c028bd6d2fcf20d80ac.exe	14.sfx.exe
PID 2676 wrote to memory of 1792	2676	91b96e54f51d78226671a570632756cd8fc3fd6323743c028bd6d2fcf20d80ac.exe	14.sfx.exe
PID 2676 wrote to memory of 1792	2676	91b96e54f51d78226671a570632756cd8fc3fd6323743c028bd6d2fcf20d80ac.exe	14.sfx.exe
PID 1792 wrote to memory of 1624	1792	14.sfx.exe	14.exe
PID 1792 wrote to memory of 1624	1792	14.sfx.exe	14.exe
PID 1792 wrote to memory of 1624	1792	14.sfx.exe	14.exe

C:\Users\Admin\AppData\Local\Temp\91b96e54f51d78226671a570632756cd8fc3fd6323743c028bd6d2fcf20d80ac.exe
"C:\Users\Admin\AppData\Local\Temp\91b96e54f51d78226671a570632756cd8fc3fd6323743c028bd6d2fcf20d80ac.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2676

C:\Users\Admin\AppData\Local\Temp\RarSFX0\14.sfx.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\14.sfx.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1792

C:\Users\Admin\AppData\Local\Temp\RarSFX0\14.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\14.exe"
3⤵
- Executes dropped EXE
PID:1624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1624 -s 228
4⤵
- Program crash
PID:1308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1624 -ip 1624
1⤵
PID:316

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\14.exe

Filesize
126KB

MD5
961b371f4649ad9238a384d606180578

SHA1
6df912593c06715e967f382e332aeacad4a2b6ed

SHA256
a6a7c41e005fcaf924b3a17fafd7bafac1a1100d25de9f5362549d22d4695710

SHA512
ef7d070d4333d723466e646457d50b3099a09a96dd5332e0c685384da00fca0bbc272676aecca7bbc0047dc997127c14e38b47cbb6b819d80f91e26794cb6bde

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\14.exe

Filesize
126KB

MD5
961b371f4649ad9238a384d606180578

SHA1
6df912593c06715e967f382e332aeacad4a2b6ed

SHA256
a6a7c41e005fcaf924b3a17fafd7bafac1a1100d25de9f5362549d22d4695710

SHA512
ef7d070d4333d723466e646457d50b3099a09a96dd5332e0c685384da00fca0bbc272676aecca7bbc0047dc997127c14e38b47cbb6b819d80f91e26794cb6bde

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\14.sfx.exe

Filesize
221KB

MD5
f23322e75e68b78e0a60b7e292ccfd3a

SHA1
ed9948390f3167d105f03c6061f5c9a1407606db

SHA256
6a6d5a427301016fb92af28483ba01d268f590972a60e74d2fc34b72a66435cf

SHA512
de3f46793b98c80309922cc6aa6c8f098710c52c82197c8b6f983a766f54aea6cb0dea8d22e048654e0407f2280128136f3fb9884059196ac0239a973d4c39c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\14.sfx.exe

Filesize
221KB

MD5
f23322e75e68b78e0a60b7e292ccfd3a

SHA1
ed9948390f3167d105f03c6061f5c9a1407606db

SHA256
6a6d5a427301016fb92af28483ba01d268f590972a60e74d2fc34b72a66435cf

SHA512
de3f46793b98c80309922cc6aa6c8f098710c52c82197c8b6f983a766f54aea6cb0dea8d22e048654e0407f2280128136f3fb9884059196ac0239a973d4c39c5

Download Submit
memory/1624-135-0x0000000000000000-mapping.dmp

Download
memory/1624-138-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1624-139-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1792-132-0x0000000000000000-mapping.dmp

Download