Analysis
- max time kernel: 167s
- max time network: 193s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24-11-2022 19:44
Static task: static1
Behavioral task: behavioral1
- Sample: c1cca7728dabf7ce7ecdfaecc8c54412207aff39490cd557b1db568c97437100.exe
- Resource: win7-20221111-en
Behavioral task: behavioral2
- Sample: c1cca7728dabf7ce7ecdfaecc8c54412207aff39490cd557b1db568c97437100.exe
- Resource: win10v2004-20221111-en
General
- Target: c1cca7728dabf7ce7ecdfaecc8c54412207aff39490cd557b1db568c97437100.exe
- Size: 346KB
- MD5: 8e5b11b4459592014296f9ab307004a6
- SHA1: b0cd326c8389db2adeadd541cb21e1fbfb346c80
- SHA256: c1cca7728dabf7ce7ecdfaecc8c54412207aff39490cd557b1db568c97437100
- SHA512: a9cac4fbd5eb23fa15564bcfac2734171b4650d7bf8e9218e917e2f0168667a88f0538c21f75ce6057355ea825bdddafee62afc063503e18bf6f824dd50d5b16
- SSDEEP: 6144:jPL9R55VPkcn0QtPoNHMTMnUDHohJMJ/rTK/Va13YTJt2:rpRZPA06MTMUqddC2a
Malware Config
Signatures
- Executes dropped EXE (4 IoCs)
  Processes (PID, process):
  204 yysl.exe
  4980 yysl.exe
  4516 FB_D68A.tmp.exe
  3340 FB_F473.tmp.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes (description, ioc, process):
  Key value queried: \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation (process: yysl.exe)
- Drops startup file (1 IoC)
  Processes (description, ioc, process):
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bbb5s.vbs (process: c1cca7728dabf7ce7ecdfaecc8c54412207aff39490cd557b1db568c97437100.exe)
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description, pid, process, target process):
  PID 204 (yysl.exe) set thread context of PID 4980 (yysl.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: MapViewOfSection (2 IoCs)
  Processes (PID, process):
  204 yysl.exe
  204 yysl.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description, pid, process, target process):
  PID 504 (c1cca7728dabf7ce7ecdfaecc8c54412207aff39490cd557b1db568c97437100.exe) wrote to memory of PID 204 (yysl.exe)
  PID 504 (c1cca7728dabf7ce7ecdfaecc8c54412207aff39490cd557b1db568c97437100.exe) wrote to memory of PID 204 (yysl.exe)
  PID 504 (c1cca7728dabf7ce7ecdfaecc8c54412207aff39490cd557b1db568c97437100.exe) wrote to memory of PID 204 (yysl.exe)
  PID 204 (yysl.exe) wrote to memory of PID 4980 (yysl.exe)
  PID 204 (yysl.exe) wrote to memory of PID 4980 (yysl.exe)
  PID 204 (yysl.exe) wrote to memory of PID 4980 (yysl.exe)
  PID 4980 (yysl.exe) wrote to memory of PID 4516 (FB_D68A.tmp.exe)
  PID 4980 (yysl.exe) wrote to memory of PID 4516 (FB_D68A.tmp.exe)
  PID 4980 (yysl.exe) wrote to memory of PID 4516 (FB_D68A.tmp.exe)
  PID 4980 (yysl.exe) wrote to memory of PID 3340 (FB_F473.tmp.exe)
  PID 4980 (yysl.exe) wrote to memory of PID 3340 (FB_F473.tmp.exe)
  PID 4980 (yysl.exe) wrote to memory of PID 3340 (FB_F473.tmp.exe)
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\c1cca7728dabf7ce7ecdfaecc8c54412207aff39490cd557b1db568c97437100.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c1cca7728dabf7ce7ecdfaecc8c54412207aff39490cd557b1db568c97437100.exe"
  - Drops startup file
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Roaming\wrdr\yysl.exe
    Command line: "C:\Users\Admin\AppData\Roaming\wrdr\yysl.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Roaming\wrdr\yysl.exe
      Command line: "C:\Users\Admin\AppData\Roaming\wrdr\yysl.exe"
      - Executes dropped EXE
      - Checks computer location settings
      - Suspicious use of WriteProcessMemory
      - [4] C:\Users\Admin\AppData\Local\Temp\FB_D68A.tmp.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\FB_D68A.tmp.exe"
        - Executes dropped EXE
      - [4] C:\Users\Admin\AppData\Local\Temp\FB_F473.tmp.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\FB_F473.tmp.exe"
        - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\FB_D68A.tmp.exe
  Filesize: 3KB
  MD5: 74bafb3e707c7b0c63938ac200f99c7f
  SHA1: 10c5506337845ed9bf25c73d2506f9c15ab8e608
  SHA256: 129450ba06ad589cf6846a455a5b6b5f55e164ee4906e409eb692ab465269689
  SHA512: 5b24dc5acd14f812658e832b587b60695fb16954fca006c2c3a7382ef0ec65c3bd1aaf699425c49ff3cceef16869e75dd6f00ec189b9f673f08f7e1b80cf7781
- C:\Users\Admin\AppData\Local\Temp\FB_F473.tmp.exe
  Filesize: 138KB
  MD5: c20a02e741f60444d5958b82ea1f9733
  SHA1: bbb9aa78eeb9ef412c1bd78ce44d328118b5706e
  SHA256: c89c7939f95bcf69c4d0be1eab980e232f7bce1d3ab4178c311bb25506e35084
  SHA512: 48ea63d2e4b8f80a30ae4a52c6e3591bb37f5a6b2b0be8f1762d501d1c5a5ec7bc4bf9ac2944e758a6b97d69c8eadb5950c4de2070a644430fa628ccd4d96dbc
- C:\Users\Admin\AppData\Roaming\wrdr\yysl.exe
  Filesize: 346KB
  MD5: 8e5b11b4459592014296f9ab307004a6
  SHA1: b0cd326c8389db2adeadd541cb21e1fbfb346c80
  SHA256: c1cca7728dabf7ce7ecdfaecc8c54412207aff39490cd557b1db568c97437100
  SHA512: a9cac4fbd5eb23fa15564bcfac2734171b4650d7bf8e9218e917e2f0168667a88f0538c21f75ce6057355ea825bdddafee62afc063503e18bf6f824dd50d5b16
- memory/204-132-0x0000000000000000-mapping.dmp
- memory/3340-141-0x0000000000000000-mapping.dmp
- memory/4516-138-0x0000000000000000-mapping.dmp
- memory/4980-135-0x0000000000000000-mapping.dmp
- memory/4980-137-0x0000000000400000-0x0000000000428000-memory.dmp
  Filesize: 160KB