c22a9814d1dfe7bd2cf75c3e15c3c8c555ed94a2db99966a39f9701301a34cb8

Analysis

max time kernel
165s
max time network
177s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
25/11/2022, 12:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c22a9814d1dfe7bd2cf75c3e15c3c8c555ed94a2db99966a39f9701301a34cb8.exe
Size

116KB
MD5

5d5267d68e5210c35cd6fd82cba6ab22
SHA1

b27b5b222bd9dcb471ecfdde387b995de1e1fb5b
SHA256

c22a9814d1dfe7bd2cf75c3e15c3c8c555ed94a2db99966a39f9701301a34cb8
SHA512

468be95b63fb1bbe8725a63fc0380aa54dfc6f7e56c9e30b809547f61dafba7dad035eff4e1d31ee95b3500fcecfe327fc7ffe4204036604cbaf64d944cbaa34
SSDEEP

3072:2HejYMZvf/wfPv4B3JNVlLeqEDdHKgVx:psawf34BrrenDdqgVx

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 11 IoCs

pid	Process
4056	c22a9814d1dfe7bd2cf75c3e15c3c8c555ed94a2db99966a39f9701301a34cb8.exeBCfWrED.exe
5052	iptables.exe
3464	iptablex.exe
4792	iptablex.exe
5008	iptables.exe
4072	iptables.exe
4092	iptablex.exe
2316	iptables.exe
1412	iptables.exe
4316	iptablex.exe
1580	iptablex.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	c22a9814d1dfe7bd2cf75c3e15c3c8c555ed94a2db99966a39f9701301a34cb8.exeBCfWrED.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	c22a9814d1dfe7bd2cf75c3e15c3c8c555ed94a2db99966a39f9701301a34cb8.exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\SysWOW64\iptablex.exe	c22a9814d1dfe7bd2cf75c3e15c3c8c555ed94a2db99966a39f9701301a34cb8.exeBCfWrED.exe
File created	\??\c:\windows\SysWOW64\iptablex.exe	iptablex.exe
File created	\??\c:\windows\SysWOW64\iptables.exe	iptables.exe
File created	\??\c:\windows\SysWOW64\iptables.exe	iptables.exe
File created	\??\c:\windows\SysWOW64\iptablex.exe	iptablex.exe
File created	\??\c:\windows\SysWOW64\iptables.exe	c22a9814d1dfe7bd2cf75c3e15c3c8c555ed94a2db99966a39f9701301a34cb8.exe
File opened for modification	\??\c:\windows\SysWOW64\iptables.exe	c22a9814d1dfe7bd2cf75c3e15c3c8c555ed94a2db99966a39f9701301a34cb8.exe
File created	\??\c:\windows\SysWOW64\iptablex.exe	c22a9814d1dfe7bd2cf75c3e15c3c8c555ed94a2db99966a39f9701301a34cb8.exeBCfWrED.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 20 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	iptablex.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	iptablex.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	iptablex.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	iptables.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	iptables.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	iptablex.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	iptablex.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	iptables.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	iptables.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	iptablex.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	iptables.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	iptablex.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	iptables.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	iptablex.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	iptablex.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	iptables.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	iptables.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	iptablex.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	iptables.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	iptables.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
440	c22a9814d1dfe7bd2cf75c3e15c3c8c555ed94a2db99966a39f9701301a34cb8.exe
440	c22a9814d1dfe7bd2cf75c3e15c3c8c555ed94a2db99966a39f9701301a34cb8.exe
4056	c22a9814d1dfe7bd2cf75c3e15c3c8c555ed94a2db99966a39f9701301a34cb8.exeBCfWrED.exe
4056	c22a9814d1dfe7bd2cf75c3e15c3c8c555ed94a2db99966a39f9701301a34cb8.exeBCfWrED.exe
3464	iptablex.exe
3464	iptablex.exe
5052	iptables.exe
5052	iptables.exe
4792	iptablex.exe
5008	iptables.exe
5008	iptables.exe
4792	iptablex.exe
4072	iptables.exe
4072	iptables.exe
4092	iptablex.exe
4092	iptablex.exe
2316	iptables.exe
2316	iptables.exe
1412	iptables.exe
1412	iptables.exe
4316	iptablex.exe
4316	iptablex.exe
1580	iptablex.exe
1580	iptablex.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 440 wrote to memory of 4056	440	c22a9814d1dfe7bd2cf75c3e15c3c8c555ed94a2db99966a39f9701301a34cb8.exe	79
PID 440 wrote to memory of 4056	440	c22a9814d1dfe7bd2cf75c3e15c3c8c555ed94a2db99966a39f9701301a34cb8.exe	79
PID 440 wrote to memory of 4056	440	c22a9814d1dfe7bd2cf75c3e15c3c8c555ed94a2db99966a39f9701301a34cb8.exe	79
PID 5052 wrote to memory of 5008	5052	iptables.exe	83
PID 5052 wrote to memory of 5008	5052	iptables.exe	83
PID 5052 wrote to memory of 5008	5052	iptables.exe	83
PID 3464 wrote to memory of 4792	3464	iptablex.exe	84
PID 3464 wrote to memory of 4792	3464	iptablex.exe	84
PID 3464 wrote to memory of 4792	3464	iptablex.exe	84
PID 4072 wrote to memory of 2316	4072	iptables.exe	87
PID 4072 wrote to memory of 2316	4072	iptables.exe	87
PID 4072 wrote to memory of 2316	4072	iptables.exe	87
PID 440 wrote to memory of 1412	440	c22a9814d1dfe7bd2cf75c3e15c3c8c555ed94a2db99966a39f9701301a34cb8.exe	88
PID 440 wrote to memory of 1412	440	c22a9814d1dfe7bd2cf75c3e15c3c8c555ed94a2db99966a39f9701301a34cb8.exe	88
PID 440 wrote to memory of 1412	440	c22a9814d1dfe7bd2cf75c3e15c3c8c555ed94a2db99966a39f9701301a34cb8.exe	88
PID 4092 wrote to memory of 4316	4092	iptablex.exe	89
PID 4092 wrote to memory of 4316	4092	iptablex.exe	89
PID 4092 wrote to memory of 4316	4092	iptablex.exe	89
PID 4056 wrote to memory of 1580	4056	c22a9814d1dfe7bd2cf75c3e15c3c8c555ed94a2db99966a39f9701301a34cb8.exeBCfWrED.exe	90
PID 4056 wrote to memory of 1580	4056	c22a9814d1dfe7bd2cf75c3e15c3c8c555ed94a2db99966a39f9701301a34cb8.exeBCfWrED.exe	90
PID 4056 wrote to memory of 1580	4056	c22a9814d1dfe7bd2cf75c3e15c3c8c555ed94a2db99966a39f9701301a34cb8.exeBCfWrED.exe	90

C:\Users\Admin\AppData\Local\Temp\c22a9814d1dfe7bd2cf75c3e15c3c8c555ed94a2db99966a39f9701301a34cb8.exe
"C:\Users\Admin\AppData\Local\Temp\c22a9814d1dfe7bd2cf75c3e15c3c8c555ed94a2db99966a39f9701301a34cb8.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:440
- C:\Users\Admin\AppData\Local\Temp\c22a9814d1dfe7bd2cf75c3e15c3c8c555ed94a2db99966a39f9701301a34cb8.exeBCfWrED.exe
  "C:\Users\Admin\AppData\Local\Temp\c22a9814d1dfe7bd2cf75c3e15c3c8c555ed94a2db99966a39f9701301a34cb8.exeBCfWrED.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4056
- - C:\windows\SysWOW64\iptablex.exe
    "C:\windows\system32\iptablex.exe" rcdelc:\users\admin\appdata\local\temp\c22a9814d1dfe7bd2cf75c3e15c3c8c555ed94a2db99966a39f9701301a34cb8.exebcfwred.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1580
- C:\windows\SysWOW64\iptables.exe
  "C:\windows\system32\iptables.exe" rcdelc:\users\admin\appdata\local\temp\c22a9814d1dfe7bd2cf75c3e15c3c8c555ed94a2db99966a39f9701301a34cb8.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1412

\??\c:\windows\SysWOW64\iptables.exe
c:\windows\SysWOW64\iptables.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5052
- C:\windows\SysWOW64\iptables.exe
  "C:\windows\system32\iptables.exe" rcdelc:\windows\syswow64\iptables.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:5008

\??\c:\windows\SysWOW64\iptablex.exe
c:\windows\SysWOW64\iptablex.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3464
- C:\windows\SysWOW64\iptablex.exe
  "C:\windows\system32\iptablex.exe" rcdelc:\windows\syswow64\iptablex.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4792

\??\c:\windows\SysWOW64\iptablex.exe
c:\windows\SysWOW64\iptablex.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4092
- C:\windows\SysWOW64\iptablex.exe
  "C:\windows\system32\iptablex.exe" rcdelc:\windows\syswow64\iptablex.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4316

\??\c:\windows\SysWOW64\iptables.exe
c:\windows\SysWOW64\iptables.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4072
- C:\windows\SysWOW64\iptables.exe
  "C:\windows\system32\iptables.exe" rcdelc:\windows\syswow64\iptables.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2316

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\c22a9814d1dfe7bd2cf75c3e15c3c8c555ed94a2db99966a39f9701301a34cb8.exeBCfWrED.exe

Filesize
72KB

MD5
0e8df52f72d37da560281baba82a727c

SHA1
2e99381d6458c75aaf0cf2ae64fcdcc55614be49

SHA256
8df33db58ea2c9ac0dcb255b582bd293782cdf908f86f3084f108cff545b4331

SHA512
449f722f39a461330c05babbca8670ff553e782af9ec52ee92d23336c23d495b40306f8ba16492f564868ee2be5114456b2bf19a978b9209c481f87f9974a801

Download Submit
C:\Users\Admin\AppData\Local\Temp\c22a9814d1dfe7bd2cf75c3e15c3c8c555ed94a2db99966a39f9701301a34cb8.exeBCfWrED.exe

Filesize
72KB

MD5
0e8df52f72d37da560281baba82a727c

SHA1
2e99381d6458c75aaf0cf2ae64fcdcc55614be49

SHA256
8df33db58ea2c9ac0dcb255b582bd293782cdf908f86f3084f108cff545b4331

SHA512
449f722f39a461330c05babbca8670ff553e782af9ec52ee92d23336c23d495b40306f8ba16492f564868ee2be5114456b2bf19a978b9209c481f87f9974a801

Download Submit
C:\Windows\SysWOW64\iptables.exe

Filesize
116KB

MD5
5d5267d68e5210c35cd6fd82cba6ab22

SHA1
b27b5b222bd9dcb471ecfdde387b995de1e1fb5b

SHA256
c22a9814d1dfe7bd2cf75c3e15c3c8c555ed94a2db99966a39f9701301a34cb8

SHA512
468be95b63fb1bbe8725a63fc0380aa54dfc6f7e56c9e30b809547f61dafba7dad035eff4e1d31ee95b3500fcecfe327fc7ffe4204036604cbaf64d944cbaa34

Download Submit
C:\Windows\SysWOW64\iptables.exe

Filesize
116KB

MD5
5d5267d68e5210c35cd6fd82cba6ab22

SHA1
b27b5b222bd9dcb471ecfdde387b995de1e1fb5b

SHA256
c22a9814d1dfe7bd2cf75c3e15c3c8c555ed94a2db99966a39f9701301a34cb8

SHA512
468be95b63fb1bbe8725a63fc0380aa54dfc6f7e56c9e30b809547f61dafba7dad035eff4e1d31ee95b3500fcecfe327fc7ffe4204036604cbaf64d944cbaa34

Download Submit
C:\Windows\SysWOW64\iptables.exe

Filesize
116KB

MD5
5d5267d68e5210c35cd6fd82cba6ab22

SHA1
b27b5b222bd9dcb471ecfdde387b995de1e1fb5b

SHA256
c22a9814d1dfe7bd2cf75c3e15c3c8c555ed94a2db99966a39f9701301a34cb8

SHA512
468be95b63fb1bbe8725a63fc0380aa54dfc6f7e56c9e30b809547f61dafba7dad035eff4e1d31ee95b3500fcecfe327fc7ffe4204036604cbaf64d944cbaa34

Download Submit
C:\Windows\SysWOW64\iptables.exe

Filesize
116KB

MD5
5d5267d68e5210c35cd6fd82cba6ab22

SHA1
b27b5b222bd9dcb471ecfdde387b995de1e1fb5b

SHA256
c22a9814d1dfe7bd2cf75c3e15c3c8c555ed94a2db99966a39f9701301a34cb8

SHA512
468be95b63fb1bbe8725a63fc0380aa54dfc6f7e56c9e30b809547f61dafba7dad035eff4e1d31ee95b3500fcecfe327fc7ffe4204036604cbaf64d944cbaa34

Download Submit
C:\Windows\SysWOW64\iptables.exe

Filesize
116KB

MD5
5d5267d68e5210c35cd6fd82cba6ab22

SHA1
b27b5b222bd9dcb471ecfdde387b995de1e1fb5b

SHA256
c22a9814d1dfe7bd2cf75c3e15c3c8c555ed94a2db99966a39f9701301a34cb8

SHA512
468be95b63fb1bbe8725a63fc0380aa54dfc6f7e56c9e30b809547f61dafba7dad035eff4e1d31ee95b3500fcecfe327fc7ffe4204036604cbaf64d944cbaa34

Download Submit
C:\Windows\SysWOW64\iptablex.exe

Filesize
72KB

MD5
0e8df52f72d37da560281baba82a727c

SHA1
2e99381d6458c75aaf0cf2ae64fcdcc55614be49

SHA256
8df33db58ea2c9ac0dcb255b582bd293782cdf908f86f3084f108cff545b4331

SHA512
449f722f39a461330c05babbca8670ff553e782af9ec52ee92d23336c23d495b40306f8ba16492f564868ee2be5114456b2bf19a978b9209c481f87f9974a801

Download Submit
C:\Windows\SysWOW64\iptablex.exe

Filesize
72KB

MD5
0e8df52f72d37da560281baba82a727c

SHA1
2e99381d6458c75aaf0cf2ae64fcdcc55614be49

SHA256
8df33db58ea2c9ac0dcb255b582bd293782cdf908f86f3084f108cff545b4331

SHA512
449f722f39a461330c05babbca8670ff553e782af9ec52ee92d23336c23d495b40306f8ba16492f564868ee2be5114456b2bf19a978b9209c481f87f9974a801

Download Submit
C:\Windows\SysWOW64\iptablex.exe

Filesize
72KB

MD5
0e8df52f72d37da560281baba82a727c

SHA1
2e99381d6458c75aaf0cf2ae64fcdcc55614be49

SHA256
8df33db58ea2c9ac0dcb255b582bd293782cdf908f86f3084f108cff545b4331

SHA512
449f722f39a461330c05babbca8670ff553e782af9ec52ee92d23336c23d495b40306f8ba16492f564868ee2be5114456b2bf19a978b9209c481f87f9974a801

Download Submit
C:\Windows\SysWOW64\iptablex.exe

Filesize
72KB

MD5
0e8df52f72d37da560281baba82a727c

SHA1
2e99381d6458c75aaf0cf2ae64fcdcc55614be49

SHA256
8df33db58ea2c9ac0dcb255b582bd293782cdf908f86f3084f108cff545b4331

SHA512
449f722f39a461330c05babbca8670ff553e782af9ec52ee92d23336c23d495b40306f8ba16492f564868ee2be5114456b2bf19a978b9209c481f87f9974a801

Download Submit
C:\Windows\SysWOW64\iptablex.exe

Filesize
72KB

MD5
0e8df52f72d37da560281baba82a727c

SHA1
2e99381d6458c75aaf0cf2ae64fcdcc55614be49

SHA256
8df33db58ea2c9ac0dcb255b582bd293782cdf908f86f3084f108cff545b4331

SHA512
449f722f39a461330c05babbca8670ff553e782af9ec52ee92d23336c23d495b40306f8ba16492f564868ee2be5114456b2bf19a978b9209c481f87f9974a801

Download Submit
\??\c:\windows\SysWOW64\iptables.exe

Filesize
116KB

MD5
5d5267d68e5210c35cd6fd82cba6ab22

SHA1
b27b5b222bd9dcb471ecfdde387b995de1e1fb5b

SHA256
c22a9814d1dfe7bd2cf75c3e15c3c8c555ed94a2db99966a39f9701301a34cb8

SHA512
468be95b63fb1bbe8725a63fc0380aa54dfc6f7e56c9e30b809547f61dafba7dad035eff4e1d31ee95b3500fcecfe327fc7ffe4204036604cbaf64d944cbaa34

Download Submit
\??\c:\windows\SysWOW64\iptablex.exe

Filesize
72KB

MD5
0e8df52f72d37da560281baba82a727c

SHA1
2e99381d6458c75aaf0cf2ae64fcdcc55614be49

SHA256
8df33db58ea2c9ac0dcb255b582bd293782cdf908f86f3084f108cff545b4331

SHA512
449f722f39a461330c05babbca8670ff553e782af9ec52ee92d23336c23d495b40306f8ba16492f564868ee2be5114456b2bf19a978b9209c481f87f9974a801

Download Submit