Analysis
- max time kernel: 149s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24-11-2022 04:23
Static task: static1
Behavioral task: behavioral1
  Sample: 8fe298ced61542daafc4b97db08c385d49bf4ead7e342775f5e7e59c75beb772.exe
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: 8fe298ced61542daafc4b97db08c385d49bf4ead7e342775f5e7e59c75beb772.exe
  Resource: win10v2004-20220901-en
General
- Target: 8fe298ced61542daafc4b97db08c385d49bf4ead7e342775f5e7e59c75beb772.exe
- Size: 204KB
- MD5: b704a8917354ea328439ab277695c988
- SHA1: 363b180aa6848b1769ee9727d0a567a4204d0dd8
- SHA256: 8fe298ced61542daafc4b97db08c385d49bf4ead7e342775f5e7e59c75beb772
- SHA512: cc805e50fd2ebdb563f3d75897798062e6733ad62ce23ce21f966595cc4b64bfcbcf192939c2794f6d308c02e8f8bacdc375e0dea4a17fd176b6f49128b7d5af
- SSDEEP: 6144:4XHdo4n52x9lLdVa28IgSQ51VRx4hvd/:4X43VaR/nx2N
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  Processes: LocalEPspsyUWCG.exe, chrome.exe
  pid   process
  2236  LocalEPspsyUWCG.exe
  2452  chrome.exe
- Modifies Windows Firewall (1 TTPs, 1 IoCs)
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: 8fe298ced61542daafc4b97db08c385d49bf4ead7e342775f5e7e59c75beb772.exe, LocalEPspsyUWCG.exe
  description        ioc                                                                                          process
  Key value queried  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation  8fe298ced61542daafc4b97db08c385d49bf4ead7e342775f5e7e59c75beb772.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation  LocalEPspsyUWCG.exe
- Drops startup file (2 IoCs)
  Processes: chrome.exe
  description                   ioc                                                                                                   process
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d5a38e9b5f206c41f8851bf04a251d26.exe  chrome.exe
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d5a38e9b5f206c41f8851bf04a251d26.exe  chrome.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: chrome.exe
  description      ioc                                                                                                                                                  process
  Set value (str)  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d5a38e9b5f206c41f8851bf04a251d26 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\chrome.exe\" .."  chrome.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\d5a38e9b5f206c41f8851bf04a251d26 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\chrome.exe\" .."  chrome.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (25 IoCs)
  Processes: chrome.exe
  pid   process
  2452  chrome.exe (reported 25 times)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: chrome.exe
  description               pid   process
  Token: SeDebugPrivilege   2452  chrome.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: 8fe298ced61542daafc4b97db08c385d49bf4ead7e342775f5e7e59c75beb772.exe, LocalEPspsyUWCG.exe, chrome.exe
  description                         pid   process                                                                  target process
  PID 2320 wrote to memory of 2236    2320  8fe298ced61542daafc4b97db08c385d49bf4ead7e342775f5e7e59c75beb772.exe  LocalEPspsyUWCG.exe  (reported 3 times)
  PID 2236 wrote to memory of 2452    2236  LocalEPspsyUWCG.exe                                                      chrome.exe           (reported 3 times)
  PID 2452 wrote to memory of 5052    2452  chrome.exe                                                               netsh.exe            (reported 3 times)
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\8fe298ced61542daafc4b97db08c385d49bf4ead7e342775f5e7e59c75beb772.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8fe298ced61542daafc4b97db08c385d49bf4ead7e342775f5e7e59c75beb772.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\LocalEPspsyUWCG.exe
    Command line: "C:\Users\Admin\AppData\LocalEPspsyUWCG.exe"
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Local\Temp\chrome.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\chrome.exe"
      - Executes dropped EXE
      - Drops startup file
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\SysWOW64\netsh.exe
        Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\chrome.exe" "chrome.exe" ENABLE
        - Modifies Windows Firewall
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\LocalEPspsyUWCG.exe
  Filesize: 43KB
  MD5: bc0b928a9140ae12a79516dc6d74e39b
  SHA1: 6b0f881cd0410ff45a463fca6b472f1e53de1413
  SHA256: 8cd341d4b05a5998647d6ae6c9f87707701021300860b10af26241e2ed65f0bd
  SHA512: 249f3607fb8a3156c741f21f159243174797bdd98a6db6a40790d177c26ff4846c66bbf64970008f1cd68afb769cc34c54fb3295fbdb18702248a91f08ec998d
- C:\Users\Admin\AppData\Local\Temp\chrome.exe
  Filesize: 43KB
  MD5: bc0b928a9140ae12a79516dc6d74e39b
  SHA1: 6b0f881cd0410ff45a463fca6b472f1e53de1413
  SHA256: 8cd341d4b05a5998647d6ae6c9f87707701021300860b10af26241e2ed65f0bd
  SHA512: 249f3607fb8a3156c741f21f159243174797bdd98a6db6a40790d177c26ff4846c66bbf64970008f1cd68afb769cc34c54fb3295fbdb18702248a91f08ec998d
- memory/2236-133-0x0000000000000000-mapping.dmp
- memory/2236-136-0x0000000075590000-0x0000000075B41000-memory.dmp (Filesize: 5.7MB)
- memory/2236-140-0x0000000075590000-0x0000000075B41000-memory.dmp (Filesize: 5.7MB)
- memory/2320-132-0x00007FFBFD5F0000-0x00007FFBFE026000-memory.dmp (Filesize: 10.2MB)
- memory/2452-137-0x0000000000000000-mapping.dmp
- memory/2452-141-0x0000000075590000-0x0000000075B41000-memory.dmp (Filesize: 5.7MB)
- memory/2452-143-0x0000000075590000-0x0000000075B41000-memory.dmp (Filesize: 5.7MB)
- memory/5052-142-0x0000000000000000-mapping.dmp