0606454f187c37eb4caed5fd234031c5466849dcc37a08707ce2c94b366878d1

Analysis

max time kernel
170s
max time network
184s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2022 02:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0606454f187c37eb4caed5fd234031c5466849dcc37a08707ce2c94b366878d1.exe
Size

1.7MB
MD5

fdd172f932a6c370b293ddba5a94012a
SHA1

dad544044b1832d9ed499b40a4b08e6f9b993d11
SHA256

0606454f187c37eb4caed5fd234031c5466849dcc37a08707ce2c94b366878d1
SHA512

f8405e9428ec0fdce37c61dc208947a3a28e8953b3f1eae6e20deb95d7e38d3e7e5aba715cd0d378fb6613e356c00fcb82ed50a82253e9d83cbdec3fabe24977
SSDEEP

49152:YlmSaFP8BVDk1jbGhXm0psRX1y3CAlsM3:YluPKkjihXm0IXQyAB3

Score

8^/10

bootkit persistence

Malware Config

Signatures

Executes dropped EXE 7 IoCs

Processes:

app.exedesktops.exeBnd_160_82_2014117_1433.exeirn.exeirn.tmpirn.tmphm.exe

pid process

4560 app.exe
1692 desktops.exe
2168 Bnd_160_82_2014117_1433.exe
3688 irn.exe
3984 irn.tmp
840 irn.tmp
4248 hm.exe

pid	process
4560	app.exe
1692	desktops.exe
2168	Bnd_160_82_2014117_1433.exe
3688	irn.exe
3984	irn.tmp
840	irn.tmp
4248	hm.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

0606454f187c37eb4caed5fd234031c5466849dcc37a08707ce2c94b366878d1.exeapp.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	0606454f187c37eb4caed5fd234031c5466849dcc37a08707ce2c94b366878d1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	app.exe

Drops startup file 1 IoCs

Processes:

desktops.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktops.lnk desktops.exe
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

44 ipinfo.io
59 ipinfo.io
63 ipinfo.io
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

Bnd_160_82_2014117_1433.exe

description ioc process

File opened for modification \??\PhysicalDrive0 Bnd_160_82_2014117_1433.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1048 3688 WerFault.exe irn.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktops.lnk	desktops.exe

flow	ioc
44	ipinfo.io
59	ipinfo.io
63	ipinfo.io

description	ioc	process
File opened for modification	\??\PhysicalDrive0	Bnd_160_82_2014117_1433.exe

pid	pid_target	process	target process
1048	3688	WerFault.exe	irn.exe

NSIS installer 2 IoCs

installer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\RarSFX0\hm.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\RarSFX0\hm.exe	nsis_installer_2

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Bnd_160_82_2014117_1433.exe

pid process

2168 Bnd_160_82_2014117_1433.exe

pid	process
2168	Bnd_160_82_2014117_1433.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

0606454f187c37eb4caed5fd234031c5466849dcc37a08707ce2c94b366878d1.exeapp.exeirn.exeirn.tmpmsedge.exe

description	pid	process	target process
PID 3012 wrote to memory of 4560	3012	0606454f187c37eb4caed5fd234031c5466849dcc37a08707ce2c94b366878d1.exe	app.exe
PID 3012 wrote to memory of 4560	3012	0606454f187c37eb4caed5fd234031c5466849dcc37a08707ce2c94b366878d1.exe	app.exe
PID 3012 wrote to memory of 4560	3012	0606454f187c37eb4caed5fd234031c5466849dcc37a08707ce2c94b366878d1.exe	app.exe
PID 4560 wrote to memory of 1692	4560	app.exe	desktops.exe
PID 4560 wrote to memory of 1692	4560	app.exe	desktops.exe
PID 3012 wrote to memory of 2168	3012	0606454f187c37eb4caed5fd234031c5466849dcc37a08707ce2c94b366878d1.exe	Bnd_160_82_2014117_1433.exe
PID 3012 wrote to memory of 2168	3012	0606454f187c37eb4caed5fd234031c5466849dcc37a08707ce2c94b366878d1.exe	Bnd_160_82_2014117_1433.exe
PID 3012 wrote to memory of 2168	3012	0606454f187c37eb4caed5fd234031c5466849dcc37a08707ce2c94b366878d1.exe	Bnd_160_82_2014117_1433.exe
PID 3012 wrote to memory of 3688	3012	0606454f187c37eb4caed5fd234031c5466849dcc37a08707ce2c94b366878d1.exe	irn.exe
PID 3012 wrote to memory of 3688	3012	0606454f187c37eb4caed5fd234031c5466849dcc37a08707ce2c94b366878d1.exe	irn.exe
PID 3012 wrote to memory of 3688	3012	0606454f187c37eb4caed5fd234031c5466849dcc37a08707ce2c94b366878d1.exe	irn.exe
PID 3688 wrote to memory of 3984	3688	irn.exe	irn.tmp
PID 3688 wrote to memory of 3984	3688	irn.exe	irn.tmp
PID 3688 wrote to memory of 3984	3688	irn.exe	irn.tmp
PID 3984 wrote to memory of 840	3984	irn.tmp	irn.tmp
PID 3984 wrote to memory of 840	3984	irn.tmp	irn.tmp
PID 3984 wrote to memory of 840	3984	irn.tmp	irn.tmp
PID 3012 wrote to memory of 4248	3012	0606454f187c37eb4caed5fd234031c5466849dcc37a08707ce2c94b366878d1.exe	hm.exe
PID 3012 wrote to memory of 4248	3012	0606454f187c37eb4caed5fd234031c5466849dcc37a08707ce2c94b366878d1.exe	hm.exe
PID 3012 wrote to memory of 4248	3012	0606454f187c37eb4caed5fd234031c5466849dcc37a08707ce2c94b366878d1.exe	hm.exe
PID 3012 wrote to memory of 3540	3012	0606454f187c37eb4caed5fd234031c5466849dcc37a08707ce2c94b366878d1.exe	msedge.exe
PID 3012 wrote to memory of 3540	3012	0606454f187c37eb4caed5fd234031c5466849dcc37a08707ce2c94b366878d1.exe	msedge.exe
PID 3540 wrote to memory of 240	3540	msedge.exe	msedge.exe
PID 3540 wrote to memory of 240	3540	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\0606454f187c37eb4caed5fd234031c5466849dcc37a08707ce2c94b366878d1.exe
"C:\Users\Admin\AppData\Local\Temp\0606454f187c37eb4caed5fd234031c5466849dcc37a08707ce2c94b366878d1.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3012

C:\Users\Admin\AppData\Local\Temp\RarSFX0\app.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\app.exe" /S
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4560

C:\Desktops Alert\desktops.exe
"C:\Desktops Alert\desktops.exe"
3⤵
- Executes dropped EXE
- Drops startup file
PID:1692

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Bnd_160_82_2014117_1433.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Bnd_160_82_2014117_1433.exe"
2⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetWindowsHookEx
PID:2168

C:\Users\Admin\AppData\Local\Temp\RarSFX0\irn.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\irn.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3688

C:\Users\Admin\AppData\Local\Temp\is-9BPKJ.tmp\irn.tmp
"C:\Users\Admin\AppData\Local\Temp\is-9BPKJ.tmp\irn.tmp" /SL5="$E0148,706656,54272,C:\Users\Admin\AppData\Local\Temp\RarSFX0\irn.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3984

C:\Users\Admin\AppData\Local\Temp\is-SFCQ2.tmp\irn.tmp
"C:\Users\Admin\AppData\Local\Temp\is-SFCQ2.tmp\irn.tmp" /SL5="$A01CC,57124,54272,C:\Users\Admin\AppData\Local\Temp\is-9BPKJ.tmp\irn.tmp" /SL5="$E0148,706656,54272,C:\Users\Admin\AppData\Local\Temp\RarSFX0\irn.exe"
4⤵
- Executes dropped EXE
PID:840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3688 -s 628
3⤵
- Program crash
PID:1048

C:\Users\Admin\AppData\Local\Temp\RarSFX0\hm.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\hm.exe"
2⤵
- Executes dropped EXE
PID:4248

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://goo.gl/w1N6gC
2⤵
- Suspicious use of WriteProcessMemory
PID:3540

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xd8,0xfc,0x100,0x40,0x104,0x7ffba83246f8,0x7ffba8324708,0x7ffba8324718
3⤵
PID:240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3688 -ip 3688
1⤵
PID:1424

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Desktops Alert\Interop.IWshRuntimeLibrary.dll

Filesize
48KB

MD5
7921c108860b9fa0375c0432d77fdc2b

SHA1
fe054a9127ad7c67dda63221f80f61c8d6df4e09

SHA256
72e4b3deee39696c9e3c4f024d005580aaa4d3a02d9c332969446c8b847f6b70

SHA512
df0c25c57ad5216374f1cf56e0fcfea895a2d99e4814174f9756f432c2349aae9c9dd290c98d4d5c254b6c25293905c2eddd4f7181f78da243cefa5ce7660d20

Download Submit
C:\Desktops Alert\desktops.exe

Filesize
8KB

MD5
3c10bc957e2b87a2ed84105fe21ce4c6

SHA1
b76476264f1e092386194c9df5f614c5d23d9d24

SHA256
bee5a12871eda7e038188677c523f27134e738f46f29bce23f7705973008b003

SHA512
64d3c15f1ee4db9a29b488765e7831679595c72d4541c801595258dc504f53d6e7bed6de7a0529c93bd7694d3a8f22b55b3af402cccae84401cacf9a3ba41968

Download Submit
C:\Desktops Alert\desktops.exe

Filesize
8KB

MD5
3c10bc957e2b87a2ed84105fe21ce4c6

SHA1
b76476264f1e092386194c9df5f614c5d23d9d24

SHA256
bee5a12871eda7e038188677c523f27134e738f46f29bce23f7705973008b003

SHA512
64d3c15f1ee4db9a29b488765e7831679595c72d4541c801595258dc504f53d6e7bed6de7a0529c93bd7694d3a8f22b55b3af402cccae84401cacf9a3ba41968

Download Submit
C:\Desktops Alert\desktops.exe.config

Filesize
282B

MD5
50232b6a0961d7828c666592fa293df7

SHA1
c92267f34c307dcabcae094b3ca6a60545fc9fd2

SHA256
54332ffb669fc867f0a46ecbe10edbb72d3e07222ceb080f3f647281bfd3867b

SHA512
6b5bafe476d45f86b1354ba808e7b1c577782d18bdd8afd9999746670902503ee6a1bbd7dece815832c626b9540927fcdf6bc54b08e3224e62a95c22b6952387

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Bnd_160_82_2014117_1433.exe

Filesize
480KB

MD5
2eb182d496e44f3af6b7f03b06ef0f11

SHA1
620e044435208577e6866fc604093208886d3675

SHA256
963c318b963888424d6ad01e363f2e264a8514dc0b1badb20550a0048be8dfbd

SHA512
a80aeb73a99bc7999d4d532a24e5f99e9058aba30fc40e1ccaa221cec363a0e3de8008c2d48cb2db86dab21ae51e132a3198421131af3d8f525292f2ef389fe9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Bnd_160_82_2014117_1433.exe

Filesize
480KB

MD5
2eb182d496e44f3af6b7f03b06ef0f11

SHA1
620e044435208577e6866fc604093208886d3675

SHA256
963c318b963888424d6ad01e363f2e264a8514dc0b1badb20550a0048be8dfbd

SHA512
a80aeb73a99bc7999d4d532a24e5f99e9058aba30fc40e1ccaa221cec363a0e3de8008c2d48cb2db86dab21ae51e132a3198421131af3d8f525292f2ef389fe9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\app.exe

Filesize
424KB

MD5
bc2c1882ced77dac0a28ed65bcff46c6

SHA1
b39fdde26e63078b78ddc259bcdb3ded93fd2c53

SHA256
14db0584f8d81a75e08175d6727ee3670fc53800f9f5790bc94454e647e28309

SHA512
87c2722fe8371d60c844a7d3bc6d4641d749d1ded72fce119ebc8cdb2126d9e05299440e9665ff97d3b655b311b929070954952a10a33de7c9aca13232417728

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\app.exe

Filesize
424KB

MD5
bc2c1882ced77dac0a28ed65bcff46c6

SHA1
b39fdde26e63078b78ddc259bcdb3ded93fd2c53

SHA256
14db0584f8d81a75e08175d6727ee3670fc53800f9f5790bc94454e647e28309

SHA512
87c2722fe8371d60c844a7d3bc6d4641d749d1ded72fce119ebc8cdb2126d9e05299440e9665ff97d3b655b311b929070954952a10a33de7c9aca13232417728

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\hm.exe

Filesize
33KB

MD5
26edf4f14fd379d160051e63f6f9c9a0

SHA1
924d33e0d76e71b3e080839600fff69fd9b13e5b

SHA256
fdf68c7c1a1bce4e24658902720c702ce31eb41a03b13a28f03d036f061587bb

SHA512
59c3576813dba52a72614534cb9c94d8d5ca576724f40a31011e8bc778d9f9f2dd689e5b8fe1199158eea335ee0ad68020ddc5ea4a19a990d34d00e703d9d423

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\hm.exe

Filesize
33KB

MD5
26edf4f14fd379d160051e63f6f9c9a0

SHA1
924d33e0d76e71b3e080839600fff69fd9b13e5b

SHA256
fdf68c7c1a1bce4e24658902720c702ce31eb41a03b13a28f03d036f061587bb

SHA512
59c3576813dba52a72614534cb9c94d8d5ca576724f40a31011e8bc778d9f9f2dd689e5b8fe1199158eea335ee0ad68020ddc5ea4a19a990d34d00e703d9d423

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\irn.exe

Filesize
967KB

MD5
2d207ddbd1f15d25175174e8c9488665

SHA1
aa824dd087e356760b63d2c49ce4411050c2842f

SHA256
d679cc1f29a7400a54c23eafbc3d989762471172592a5a4a8010597c3d631530

SHA512
25b71567d5502bc55af66bdcdcad09740289452fec70dfb7fd5d4eb5fd5ab2ca405d0a23adf648df61bc5cc2014faabd2fb726a1087d41c2a86f734ed8e9303f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\irn.exe

Filesize
967KB

MD5
2d207ddbd1f15d25175174e8c9488665

SHA1
aa824dd087e356760b63d2c49ce4411050c2842f

SHA256
d679cc1f29a7400a54c23eafbc3d989762471172592a5a4a8010597c3d631530

SHA512
25b71567d5502bc55af66bdcdcad09740289452fec70dfb7fd5d4eb5fd5ab2ca405d0a23adf648df61bc5cc2014faabd2fb726a1087d41c2a86f734ed8e9303f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-9BPKJ.tmp\irn.tmp

Filesize
293KB

MD5
5757a17b71e8c4f084ee7d10c00c54cc

SHA1
83fe1211d90cf9385183d7588c2927025c9eefd9

SHA256
3147f02ac89f9a816e5774436dcd22595614dd31b7c139a8b87c7bf47d96afed

SHA512
d7336d664afd9f437b78fb2646f5be47021fc8aafeaa1a04f71b7ae2ce709cacb9d5c9f4b79123535159d74996f502a05aa59c357e82f5c94060da2e6b4e3f1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-9BPKJ.tmp\irn.tmp

Filesize
293KB

MD5
5757a17b71e8c4f084ee7d10c00c54cc

SHA1
83fe1211d90cf9385183d7588c2927025c9eefd9

SHA256
3147f02ac89f9a816e5774436dcd22595614dd31b7c139a8b87c7bf47d96afed

SHA512
d7336d664afd9f437b78fb2646f5be47021fc8aafeaa1a04f71b7ae2ce709cacb9d5c9f4b79123535159d74996f502a05aa59c357e82f5c94060da2e6b4e3f1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-SFCQ2.tmp\irn.tmp

Filesize
692KB

MD5
3c9f7c6410e28ac343d63cae632db71b

SHA1
4d2861c9e86641078853d77b7516fcd62cfd85f4

SHA256
b3254dc71f89cf442d833f84af7fd98429c20f9bc0ce51a08a8417de6d21940e

SHA512
2e6801efc67102973b4c1e5113dab872eebcdb962ea38ee06c309476616ccd661799198e84d5d6569c6c567e00315aa282585a7a141b5bad040debfae4dfd4eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-SFCQ2.tmp\irn.tmp

Filesize
692KB

MD5
3c9f7c6410e28ac343d63cae632db71b

SHA1
4d2861c9e86641078853d77b7516fcd62cfd85f4

SHA256
b3254dc71f89cf442d833f84af7fd98429c20f9bc0ce51a08a8417de6d21940e

SHA512
2e6801efc67102973b4c1e5113dab872eebcdb962ea38ee06c309476616ccd661799198e84d5d6569c6c567e00315aa282585a7a141b5bad040debfae4dfd4eb

Download Submit
memory/240-165-0x0000000000000000-mapping.dmp

Download
memory/840-156-0x0000000000000000-mapping.dmp

Download
memory/1692-142-0x000000001B880000-0x000000001C2B6000-memory.dmp

Filesize
10.2MB

Download
memory/1692-135-0x0000000000000000-mapping.dmp

Download
memory/2168-139-0x0000000000000000-mapping.dmp

Download
memory/3540-164-0x0000000000000000-mapping.dmp

Download
memory/3688-149-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3688-160-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3688-147-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3688-144-0x0000000000000000-mapping.dmp

Download
memory/3984-155-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3984-153-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3984-150-0x0000000000000000-mapping.dmp

Download
memory/3984-159-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4248-161-0x0000000000000000-mapping.dmp

Download
memory/4560-132-0x0000000000000000-mapping.dmp

Download