66cc921f27b67ccaa87e1376d09fd9d8177134938ebb9af7fa6de606b35f72a5

Analysis

max time kernel
143s
max time network
170s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
25/11/2022, 12:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

66cc921f27b67ccaa87e1376d09fd9d8177134938ebb9af7fa6de606b35f72a5.exe
Size

1.9MB
MD5

0b5f7fc27138f6ce78a0ca01fdaa3cf7
SHA1

3f2446c63ea8e0af52f2ef6708895a737e898803
SHA256

66cc921f27b67ccaa87e1376d09fd9d8177134938ebb9af7fa6de606b35f72a5
SHA512

8abe573c135aacc66283f036a00fcae85b346eee8ebe3ba7ceb91ddaa81133513a6a7204c4ee70ddb5ab2fb72065e569cd8574bc651d754e1d5fc642c87e9e17
SSDEEP

49152:NuxCWG1xzYqTB+sw4kfiurtecqdIwH9jCze:Nugh6sw4kfLHqdIwdp

Score

9^/10

upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 7 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x000200000001e2c7-134.dat	acprotect
behavioral2/files/0x000200000001e2c7-133.dat	acprotect
behavioral2/files/0x000200000001e2c7-140.dat	acprotect
behavioral2/files/0x000200000001e2c7-142.dat	acprotect
behavioral2/files/0x000200000001e2c7-141.dat	acprotect
behavioral2/files/0x000200000001e2c7-149.dat	acprotect
behavioral2/files/0x000200000001e2c7-148.dat	acprotect

Executes dropped EXE 2 IoCs

pid	Process
2304	tf0.exe
1120	setup.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0002000000021a94-138.dat	upx
behavioral2/files/0x0002000000021a94-139.dat	upx
behavioral2/memory/2304-143-0x0000000000400000-0x0000000000420000-memory.dmp	upx
behavioral2/memory/2304-152-0x0000000000400000-0x0000000000420000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tf0.exe

Loads dropped DLL 6 IoCs

pid	Process
404	66cc921f27b67ccaa87e1376d09fd9d8177134938ebb9af7fa6de606b35f72a5.exe
404	66cc921f27b67ccaa87e1376d09fd9d8177134938ebb9af7fa6de606b35f72a5.exe
2304	tf0.exe
2304	tf0.exe
1120	setup.exe
1120	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
404	66cc921f27b67ccaa87e1376d09fd9d8177134938ebb9af7fa6de606b35f72a5.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 404 wrote to memory of 2304	404	66cc921f27b67ccaa87e1376d09fd9d8177134938ebb9af7fa6de606b35f72a5.exe	80
PID 404 wrote to memory of 2304	404	66cc921f27b67ccaa87e1376d09fd9d8177134938ebb9af7fa6de606b35f72a5.exe	80
PID 404 wrote to memory of 2304	404	66cc921f27b67ccaa87e1376d09fd9d8177134938ebb9af7fa6de606b35f72a5.exe	80
PID 2304 wrote to memory of 1120	2304	tf0.exe	83
PID 2304 wrote to memory of 1120	2304	tf0.exe	83
PID 2304 wrote to memory of 1120	2304	tf0.exe	83

C:\Users\Admin\AppData\Local\Temp\66cc921f27b67ccaa87e1376d09fd9d8177134938ebb9af7fa6de606b35f72a5.exe
"C:\Users\Admin\AppData\Local\Temp\66cc921f27b67ccaa87e1376d09fd9d8177134938ebb9af7fa6de606b35f72a5.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:404
- C:\Users\Admin\AppData\Local\Temp\tf0.exe
  C:\Users\Admin\AppData\Local\Temp\tf0.exe
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2304
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1120

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Install.log

Filesize
487B

MD5
185c7f193b6c65d5cad5aba1b14311cf

SHA1
0de9e92139d62717b082215fe45a371f65169737

SHA256
55c09c20152f93f351fcc8c449ace4ab63f2481f80d28960ed77f666f5fc5c84

SHA512
a41ec4a3fa80ecf44b4de5181943289862ed905a67b2fc800c54487ae4bf18703376a2b79c49cf7f83acce8d16cb9511173d9483f023d43ed83a3c78c1fcd7df

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe

Filesize
80KB

MD5
209fcdc6fae4382bc01c2955497fea96

SHA1
d46cba466da77ef026e22fe5a7e1ffdb60f7269d

SHA256
9fb49f2a1df66c158c0ead070089ba8e66d2fa3ede4277efdd4a5dd6eef4698a

SHA512
ef3d876a9c269b43ffb68f68dc96a76ffbac509a6cf94d68d9f20f60b0ec27fb9048f93aa294e62fa51a1f840eed20fba6bac90c9ed6cda7d919c47dee2b4375

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe

Filesize
80KB

MD5
209fcdc6fae4382bc01c2955497fea96

SHA1
d46cba466da77ef026e22fe5a7e1ffdb60f7269d

SHA256
9fb49f2a1df66c158c0ead070089ba8e66d2fa3ede4277efdd4a5dd6eef4698a

SHA512
ef3d876a9c269b43ffb68f68dc96a76ffbac509a6cf94d68d9f20f60b0ec27fb9048f93aa294e62fa51a1f840eed20fba6bac90c9ed6cda7d919c47dee2b4375

Download Submit
C:\Users\Admin\AppData\Local\Temp\hwiE246.tmp

Filesize
172KB

MD5
fe763c2d71419352141c77c310e600d2

SHA1
6bb51ebcbde9fe5556a74319b49bea37d5542d5e

SHA256
7fdf10ca02d2238e22fda18dfbede9750da9f257221802c8b86c557c19c9bc7b

SHA512
147b3a525b1fef98ae46923dcbe25edfcf7b523f347857466eefa88f09ec053ba309dfbee5f1454ec64aba0518ee21986c4b6a506f8550efb1163c8f04d7482c

Download Submit
C:\Users\Admin\AppData\Local\Temp\hwiE246.tmp

Filesize
172KB

MD5
fe763c2d71419352141c77c310e600d2

SHA1
6bb51ebcbde9fe5556a74319b49bea37d5542d5e

SHA256
7fdf10ca02d2238e22fda18dfbede9750da9f257221802c8b86c557c19c9bc7b

SHA512
147b3a525b1fef98ae46923dcbe25edfcf7b523f347857466eefa88f09ec053ba309dfbee5f1454ec64aba0518ee21986c4b6a506f8550efb1163c8f04d7482c

Download Submit
C:\Users\Admin\AppData\Local\Temp\hwiE246.tmp

Filesize
172KB

MD5
fe763c2d71419352141c77c310e600d2

SHA1
6bb51ebcbde9fe5556a74319b49bea37d5542d5e

SHA256
7fdf10ca02d2238e22fda18dfbede9750da9f257221802c8b86c557c19c9bc7b

SHA512
147b3a525b1fef98ae46923dcbe25edfcf7b523f347857466eefa88f09ec053ba309dfbee5f1454ec64aba0518ee21986c4b6a506f8550efb1163c8f04d7482c

Download Submit
C:\Users\Admin\AppData\Local\Temp\hwiE246.tmp

Filesize
172KB

MD5
fe763c2d71419352141c77c310e600d2

SHA1
6bb51ebcbde9fe5556a74319b49bea37d5542d5e

SHA256
7fdf10ca02d2238e22fda18dfbede9750da9f257221802c8b86c557c19c9bc7b

SHA512
147b3a525b1fef98ae46923dcbe25edfcf7b523f347857466eefa88f09ec053ba309dfbee5f1454ec64aba0518ee21986c4b6a506f8550efb1163c8f04d7482c

Download Submit
C:\Users\Admin\AppData\Local\Temp\hwiE246.tmp

Filesize
172KB

MD5
fe763c2d71419352141c77c310e600d2

SHA1
6bb51ebcbde9fe5556a74319b49bea37d5542d5e

SHA256
7fdf10ca02d2238e22fda18dfbede9750da9f257221802c8b86c557c19c9bc7b

SHA512
147b3a525b1fef98ae46923dcbe25edfcf7b523f347857466eefa88f09ec053ba309dfbee5f1454ec64aba0518ee21986c4b6a506f8550efb1163c8f04d7482c

Download Submit
C:\Users\Admin\AppData\Local\Temp\hwiE246.tmp

Filesize
172KB

MD5
fe763c2d71419352141c77c310e600d2

SHA1
6bb51ebcbde9fe5556a74319b49bea37d5542d5e

SHA256
7fdf10ca02d2238e22fda18dfbede9750da9f257221802c8b86c557c19c9bc7b

SHA512
147b3a525b1fef98ae46923dcbe25edfcf7b523f347857466eefa88f09ec053ba309dfbee5f1454ec64aba0518ee21986c4b6a506f8550efb1163c8f04d7482c

Download Submit
C:\Users\Admin\AppData\Local\Temp\hwiE246.tmp

Filesize
172KB

MD5
fe763c2d71419352141c77c310e600d2

SHA1
6bb51ebcbde9fe5556a74319b49bea37d5542d5e

SHA256
7fdf10ca02d2238e22fda18dfbede9750da9f257221802c8b86c557c19c9bc7b

SHA512
147b3a525b1fef98ae46923dcbe25edfcf7b523f347857466eefa88f09ec053ba309dfbee5f1454ec64aba0518ee21986c4b6a506f8550efb1163c8f04d7482c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tf0.exe

Filesize
1.7MB

MD5
16c881e8798eded72930a80a248670c6

SHA1
09df51d1df50f3a25f39b2fdb314fb3b6488bebb

SHA256
8c27905bc530a62da1420b6a58f5a3c7461ff477cb9daed86fe5db43e4b39516

SHA512
31ad156adcf7957b79a33175c68d7e98abf2ef5340cbd0d859559c73a25db7bbbfc843d61eb9d88772e76590d97251f329b555167361d646a6327013a29e5d64

Download Submit
C:\Users\Admin\AppData\Local\Temp\tf0.exe

Filesize
1.7MB

MD5
16c881e8798eded72930a80a248670c6

SHA1
09df51d1df50f3a25f39b2fdb314fb3b6488bebb

SHA256
8c27905bc530a62da1420b6a58f5a3c7461ff477cb9daed86fe5db43e4b39516

SHA512
31ad156adcf7957b79a33175c68d7e98abf2ef5340cbd0d859559c73a25db7bbbfc843d61eb9d88772e76590d97251f329b555167361d646a6327013a29e5d64

Download Submit
memory/404-136-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/404-132-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/404-135-0x0000000002180000-0x00000000021F3000-memory.dmp

Filesize
460KB

Download
memory/404-153-0x0000000002180000-0x00000000021F3000-memory.dmp

Filesize
460KB

Download
memory/1120-151-0x0000000000540000-0x00000000005B3000-memory.dmp

Filesize
460KB

Download
memory/1120-155-0x0000000000540000-0x00000000005B3000-memory.dmp

Filesize
460KB

Download
memory/2304-144-0x0000000002610000-0x0000000002683000-memory.dmp

Filesize
460KB

Download
memory/2304-143-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2304-152-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2304-154-0x0000000002610000-0x0000000002683000-memory.dmp

Filesize
460KB

Download