Analysis
max time kernel: 190s
max time network: 195s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-11-2022 22:28
Static task: static1
Behavioral task: behavioral1
  Sample: 299790ad7148fcae3d433c8265533e2fcbb620c04ab4896d44a1f9dc5b8e3f61.exe
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: 299790ad7148fcae3d433c8265533e2fcbb620c04ab4896d44a1f9dc5b8e3f61.exe
  Resource: win10v2004-20221111-en
General
Target: 299790ad7148fcae3d433c8265533e2fcbb620c04ab4896d44a1f9dc5b8e3f61.exe
Size: 887KB
MD5: 5fa6538471d30c084c0257b80a8a4d5e
SHA1: 756e754223382739063d7420807871d255bff53d
SHA256: 299790ad7148fcae3d433c8265533e2fcbb620c04ab4896d44a1f9dc5b8e3f61
SHA512: 8a3af2d7efd474bd95ae734ef73e323e04c7d2de9c461dee87574b07769ca046e2545a7393e3a7d54b18e6cd3635a8c59b052e162c63b091de1b7c20a9de636b
SSDEEP: 12288:kYCr8rgkNxnHaFP78jdwOt/XbLAo0tjUe8NA3cNNC/Q5PXTcVgdv240dEeqYW9nM:NCYL7aJ8pwGXbD0tjBwCvI5YW9lm
Malware Config
Signatures
Executes dropped EXE (2 IoCs)
Processes:
  pid 5084  ZfUrynRIW2S8QL3.exe
  pid 1364  ZfUrynRIW2S8QL3.exe
Memory regions matching yara rule upx:
  behavioral2/memory/1364-139-0x0000000000400000-0x00000000004B6000-memory.dmp
  behavioral2/memory/1364-142-0x0000000000400000-0x00000000004B6000-memory.dmp
  behavioral2/memory/1364-143-0x0000000000400000-0x00000000004B6000-memory.dmp
  behavioral2/memory/1364-144-0x0000000000400000-0x00000000004B6000-memory.dmp
  behavioral2/memory/1364-145-0x0000000000400000-0x00000000004B6000-memory.dmp
  behavioral2/memory/1364-146-0x0000000000400000-0x00000000004B6000-memory.dmp
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
  Key value queried: \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation
    by 299790ad7148fcae3d433c8265533e2fcbb620c04ab4896d44a1f9dc5b8e3f61.exe
Loads dropped DLL (2 IoCs)
Processes:
  pid 5084  ZfUrynRIW2S8QL3.exe
  pid 5084  ZfUrynRIW2S8QL3.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
  Key created: \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows\CurrentVersion\Run
    by ZfUrynRIW2S8QL3.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Adobe Updater = "C:\\Data.Msi\\AdobeUpdate.exe"
    by ZfUrynRIW2S8QL3.exe
Suspicious use of SetThreadContext (1 IoC)
Processes:
  PID 5084 (ZfUrynRIW2S8QL3.exe) set thread context of PID 1364 (ZfUrynRIW2S8QL3.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
NSIS installer (6 IoCs)
Processes:
  C:\Users\Admin\AppData\Local\Temp\RarSFX0\ZfUrynRIW2S8QL3.exe  yara_rule nsis_installer_1
  C:\Users\Admin\AppData\Local\Temp\RarSFX0\ZfUrynRIW2S8QL3.exe  yara_rule nsis_installer_2
Suspicious use of WriteProcessMemory (11 IoCs)
Processes:
  PID 2092 (299790ad7148fcae3d433c8265533e2fcbb620c04ab4896d44a1f9dc5b8e3f61.exe) wrote to memory of PID 5084 (ZfUrynRIW2S8QL3.exe), 3 times
  PID 5084 (ZfUrynRIW2S8QL3.exe) wrote to memory of PID 1364 (ZfUrynRIW2S8QL3.exe), 8 times
Processes
1. C:\Users\Admin\AppData\Local\Temp\299790ad7148fcae3d433c8265533e2fcbb620c04ab4896d44a1f9dc5b8e3f61.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\299790ad7148fcae3d433c8265533e2fcbb620c04ab4896d44a1f9dc5b8e3f61.exe"
   PID: 2092
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\RarSFX0\ZfUrynRIW2S8QL3.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\ZfUrynRIW2S8QL3.exe"
      PID: 5084
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\RarSFX0\ZfUrynRIW2S8QL3.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\ZfUrynRIW2S8QL3.exe"
         PID: 1364
         - Executes dropped EXE
         - Adds Run key to start application
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\Users\Admin\AppData\Local\Temp\RarSFX0\ZfUrynRIW2S8QL3.exe
  Filesize: 407KB
  MD5: 7d90310cd5a3e3616e33866581bd823c
  SHA1: dbe48e17aed85409ca0b859596bbcae8b7d32ee2
  SHA256: 403bca7e414291c4aecf8646ef6157e441d51915149fbcd2f70aabe05585c8ff
  SHA512: 6d90baa178536058353bbb5c62e5abcdf0f65b3020dbff44c71db9e141173465d241204e6c4a2c1f62788cc4e6b76e5ea64fc68ad419f3bc3a7819666839459c
C:\Users\Admin\AppData\Local\Temp\nsp3A0D.tmp\mosaicists.dll
  Filesize: 57KB
  MD5: 9402f0826f3dcf69a4c29d5c9d1a18f6
  SHA1: 7c59a0d04907b2c536d3ad56bc4b29de21e4e10d
  SHA256: 4316e64887991dff9473d33a84cb98357bec057bc97bf0d9df80f58420bc11fe
  SHA512: a1040398d586413a04fc332434934c92d8180ccb64001615d90bb8ca6765a00c240acbe2ed6e015550e12a1ccd6bfb9de5ff45246eb591e31b482f7a61263e0a
memory/1364-142-0x0000000000400000-0x00000000004B6000-memory.dmp  Filesize: 728KB
memory/1364-138-0x0000000000000000-mapping.dmp
memory/1364-139-0x0000000000400000-0x00000000004B6000-memory.dmp  Filesize: 728KB
memory/1364-143-0x0000000000400000-0x00000000004B6000-memory.dmp  Filesize: 728KB
memory/1364-144-0x0000000000400000-0x00000000004B6000-memory.dmp  Filesize: 728KB
memory/1364-145-0x0000000000400000-0x00000000004B6000-memory.dmp  Filesize: 728KB
memory/1364-146-0x0000000000400000-0x00000000004B6000-memory.dmp  Filesize: 728KB
memory/5084-137-0x00000000020F0000-0x0000000002107000-memory.dmp  Filesize: 92KB
memory/5084-132-0x0000000000000000-mapping.dmp