Analysis
- max time kernel: 150s
- max time network: 172s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25-11-2022 12:30
Static task: static1
Behavioral task: behavioral1
- Sample: e801befe886e6c0d8b0efa59a04e07e86d6f99132360e1e5d54151c3b5fcb420.exe
- Resource: win10v2004-20221111-en
General
- Target: e801befe886e6c0d8b0efa59a04e07e86d6f99132360e1e5d54151c3b5fcb420.exe
- Size: 1.7MB
- MD5: f19f9579b42168080761e723996b5e98
- SHA1: 921c97bcade3afe6955514073a69485dadfe774a
- SHA256: e801befe886e6c0d8b0efa59a04e07e86d6f99132360e1e5d54151c3b5fcb420
- SHA512: 9d8d18a279832b79b45dcffb8f733f820ba114d2a523054f222951e2c35e85a091e7cc936affec23358e87d4896f0096f711c0e3ce13df6b209de289e69bc072
- SSDEEP: 49152:Kyx4ql56OSVbug9D3+IsL9OI7xWHQ3aw2uwzUBTRv:KyxDl56OKyg9aIk9JtKYZ
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes: e801befe886e6c0d8b0efa59a04e07e86d6f99132360e1e5d54151c3b5fcb420.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation | e801befe886e6c0d8b0efa59a04e07e86d6f99132360e1e5d54151c3b5fcb420.exe
- Loads dropped DLL (2 IoCs)
  Processes: rundll32.exe, rundll32.exe
  pid | process
  3768 | rundll32.exe
  2448 | rundll32.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies registry class (1 IoC)
  Processes: e801befe886e6c0d8b0efa59a04e07e86d6f99132360e1e5d54151c3b5fcb420.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings | e801befe886e6c0d8b0efa59a04e07e86d6f99132360e1e5d54151c3b5fcb420.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes: e801befe886e6c0d8b0efa59a04e07e86d6f99132360e1e5d54151c3b5fcb420.exe, control.exe, rundll32.exe, RunDll32.exe
  description | pid | process | target process
  PID 3548 wrote to memory of 3012 | 3548 | e801befe886e6c0d8b0efa59a04e07e86d6f99132360e1e5d54151c3b5fcb420.exe | control.exe
  PID 3548 wrote to memory of 3012 | 3548 | e801befe886e6c0d8b0efa59a04e07e86d6f99132360e1e5d54151c3b5fcb420.exe | control.exe
  PID 3548 wrote to memory of 3012 | 3548 | e801befe886e6c0d8b0efa59a04e07e86d6f99132360e1e5d54151c3b5fcb420.exe | control.exe
  PID 3012 wrote to memory of 3768 | 3012 | control.exe | rundll32.exe
  PID 3012 wrote to memory of 3768 | 3012 | control.exe | rundll32.exe
  PID 3012 wrote to memory of 3768 | 3012 | control.exe | rundll32.exe
  PID 3768 wrote to memory of 4300 | 3768 | rundll32.exe | RunDll32.exe
  PID 3768 wrote to memory of 4300 | 3768 | rundll32.exe | RunDll32.exe
  PID 4300 wrote to memory of 2448 | 4300 | RunDll32.exe | rundll32.exe
  PID 4300 wrote to memory of 2448 | 4300 | RunDll32.exe | rundll32.exe
  PID 4300 wrote to memory of 2448 | 4300 | RunDll32.exe | rundll32.exe
Processes (process tree; the number gives the nesting depth)
1. C:\Users\Admin\AppData\Local\Temp\e801befe886e6c0d8b0efa59a04e07e86d6f99132360e1e5d54151c3b5fcb420.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\e801befe886e6c0d8b0efa59a04e07e86d6f99132360e1e5d54151c3b5fcb420.exe"
   - Checks computer location settings
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\control.exe
      Command line: "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\pwYNZ2.cPL",
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\rundll32.exe
         Command line: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\pwYNZ2.cPL",
         - Loads dropped DLL
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\system32\RunDll32.exe
            Command line: C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\pwYNZ2.cPL",
            - Suspicious use of WriteProcessMemory
            5. C:\Windows\SysWOW64\rundll32.exe
               Command line: "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\pwYNZ2.cPL",
               - Loads dropped DLL
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\pwYNZ2.cPL
  Filesize: 2.0MB
  MD5: 0dbe5c1809c2ce45db5eed5c434c00d6
  SHA1: 094f1be837a77c56a99e6aa0a76c6812b87ec6d3
  SHA256: c80b04723a4127fb0d6436237084532d443f4c1deb870a9d294da39be3a3dbe8
  SHA512: 07b3f56cace2ef7952ce953b71e595b3c72a332898d6d14b30304ec147dd75395a114ce2dd67b5438b6a9f316b7356d9872b66d296ad9034af7bdb0338110599
- C:\Users\Admin\AppData\Local\Temp\pwyNZ2.cpl
  Filesize: 2.0MB
  MD5: 0dbe5c1809c2ce45db5eed5c434c00d6
  SHA1: 094f1be837a77c56a99e6aa0a76c6812b87ec6d3
  SHA256: c80b04723a4127fb0d6436237084532d443f4c1deb870a9d294da39be3a3dbe8
  SHA512: 07b3f56cace2ef7952ce953b71e595b3c72a332898d6d14b30304ec147dd75395a114ce2dd67b5438b6a9f316b7356d9872b66d296ad9034af7bdb0338110599
- memory/2448-151-0x0000000003790000-0x00000000038BE000-memory.dmp (Filesize: 1.2MB)
- memory/2448-148-0x0000000003990000-0x0000000003A44000-memory.dmp (Filesize: 720KB)
- memory/2448-147-0x00000000038C0000-0x0000000003988000-memory.dmp (Filesize: 800KB)
- memory/2448-146-0x0000000003790000-0x00000000038BE000-memory.dmp (Filesize: 1.2MB)
- memory/2448-145-0x00000000034C0000-0x0000000003659000-memory.dmp (Filesize: 1.6MB)
- memory/2448-143-0x0000000000000000-mapping.dmp
- memory/3012-132-0x0000000000000000-mapping.dmp
- memory/3768-137-0x0000000002F50000-0x000000000307E000-memory.dmp (Filesize: 1.2MB)
- memory/3768-139-0x0000000003150000-0x0000000003204000-memory.dmp (Filesize: 720KB)
- memory/3768-138-0x0000000003080000-0x0000000003148000-memory.dmp (Filesize: 800KB)
- memory/3768-136-0x0000000002C80000-0x0000000002E19000-memory.dmp (Filesize: 1.6MB)
- memory/3768-133-0x0000000000000000-mapping.dmp
- memory/3768-152-0x0000000002F50000-0x000000000307E000-memory.dmp (Filesize: 1.2MB)
- memory/4300-142-0x0000000000000000-mapping.dmp