54f4115c188c20b15718b0f9cacaf5569b26cc91d088eec672da1a2ba502d241

Analysis

max time kernel
148s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
25-11-2022 15:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

54f4115c188c20b15718b0f9cacaf5569b26cc91d088eec672da1a2ba502d241.exe
Size

411KB
MD5

99531c75262ac625760046aeee2e74c0
SHA1

a08137520da666f982b2d47626f7485eafb15b8b
SHA256

54f4115c188c20b15718b0f9cacaf5569b26cc91d088eec672da1a2ba502d241
SHA512

f857e4dac8594aaf02b63b564954657900e83533aa6c897bb41f989cdb081bc5514fc595067122dccb6075a4425b3519c607e874dcee4e24cb8b220cca993283
SSDEEP

6144:XwXihP1dml/gzaOuMIUbb4WhiU2YOKS9VhCTLtk4iazR:IihP1dmv5WshYM9Vhapk4VN

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

54f4115c188c20b15718b0f9cacaf5569b26cc91d088eec672da1a2ba502d241.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FolderName\\file.exe"	54f4115c188c20b15718b0f9cacaf5569b26cc91d088eec672da1a2ba502d241.exe

Executes dropped EXE 2 IoCs

Processes:

tmp.exenotepad .exe

pid process

2024 tmp.exe
2008 notepad .exe

pid	process
2024	tmp.exe
2008	notepad .exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

54f4115c188c20b15718b0f9cacaf5569b26cc91d088eec672da1a2ba502d241.exewscript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	54f4115c188c20b15718b0f9cacaf5569b26cc91d088eec672da1a2ba502d241.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	wscript.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

54f4115c188c20b15718b0f9cacaf5569b26cc91d088eec672da1a2ba502d241.exe

description	pid	process	target process
PID 3916 set thread context of 2008	3916	54f4115c188c20b15718b0f9cacaf5569b26cc91d088eec672da1a2ba502d241.exe	notepad .exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1300 2008 WerFault.exe notepad .exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2488 timeout.exe

pid	pid_target	process	target process
1300	2008	WerFault.exe	notepad .exe

pid	process
2488	timeout.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

54f4115c188c20b15718b0f9cacaf5569b26cc91d088eec672da1a2ba502d241.exe

pid	process
3916	54f4115c188c20b15718b0f9cacaf5569b26cc91d088eec672da1a2ba502d241.exe
3916	54f4115c188c20b15718b0f9cacaf5569b26cc91d088eec672da1a2ba502d241.exe
3916	54f4115c188c20b15718b0f9cacaf5569b26cc91d088eec672da1a2ba502d241.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

54f4115c188c20b15718b0f9cacaf5569b26cc91d088eec672da1a2ba502d241.exe

description	pid	process
Token: SeDebugPrivilege	3916	54f4115c188c20b15718b0f9cacaf5569b26cc91d088eec672da1a2ba502d241.exe
Token: 33	3916	54f4115c188c20b15718b0f9cacaf5569b26cc91d088eec672da1a2ba502d241.exe
Token: SeIncBasePriorityPrivilege	3916	54f4115c188c20b15718b0f9cacaf5569b26cc91d088eec672da1a2ba502d241.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

54f4115c188c20b15718b0f9cacaf5569b26cc91d088eec672da1a2ba502d241.execmd.exewscript.execmd.exe

description	pid	process	target process
PID 3916 wrote to memory of 2448	3916	54f4115c188c20b15718b0f9cacaf5569b26cc91d088eec672da1a2ba502d241.exe	cmd.exe
PID 3916 wrote to memory of 2448	3916	54f4115c188c20b15718b0f9cacaf5569b26cc91d088eec672da1a2ba502d241.exe	cmd.exe
PID 3916 wrote to memory of 2448	3916	54f4115c188c20b15718b0f9cacaf5569b26cc91d088eec672da1a2ba502d241.exe	cmd.exe
PID 2448 wrote to memory of 1132	2448	cmd.exe	wscript.exe
PID 2448 wrote to memory of 1132	2448	cmd.exe	wscript.exe
PID 2448 wrote to memory of 1132	2448	cmd.exe	wscript.exe
PID 1132 wrote to memory of 4928	1132	wscript.exe	cmd.exe
PID 1132 wrote to memory of 4928	1132	wscript.exe	cmd.exe
PID 1132 wrote to memory of 4928	1132	wscript.exe	cmd.exe
PID 3916 wrote to memory of 2024	3916	54f4115c188c20b15718b0f9cacaf5569b26cc91d088eec672da1a2ba502d241.exe	tmp.exe
PID 3916 wrote to memory of 2024	3916	54f4115c188c20b15718b0f9cacaf5569b26cc91d088eec672da1a2ba502d241.exe	tmp.exe
PID 3916 wrote to memory of 2024	3916	54f4115c188c20b15718b0f9cacaf5569b26cc91d088eec672da1a2ba502d241.exe	tmp.exe
PID 3916 wrote to memory of 2008	3916	54f4115c188c20b15718b0f9cacaf5569b26cc91d088eec672da1a2ba502d241.exe	notepad .exe
PID 3916 wrote to memory of 2008	3916	54f4115c188c20b15718b0f9cacaf5569b26cc91d088eec672da1a2ba502d241.exe	notepad .exe
PID 3916 wrote to memory of 2008	3916	54f4115c188c20b15718b0f9cacaf5569b26cc91d088eec672da1a2ba502d241.exe	notepad .exe
PID 3916 wrote to memory of 2008	3916	54f4115c188c20b15718b0f9cacaf5569b26cc91d088eec672da1a2ba502d241.exe	notepad .exe
PID 3916 wrote to memory of 2008	3916	54f4115c188c20b15718b0f9cacaf5569b26cc91d088eec672da1a2ba502d241.exe	notepad .exe
PID 3916 wrote to memory of 2008	3916	54f4115c188c20b15718b0f9cacaf5569b26cc91d088eec672da1a2ba502d241.exe	notepad .exe
PID 3916 wrote to memory of 2008	3916	54f4115c188c20b15718b0f9cacaf5569b26cc91d088eec672da1a2ba502d241.exe	notepad .exe
PID 3916 wrote to memory of 2008	3916	54f4115c188c20b15718b0f9cacaf5569b26cc91d088eec672da1a2ba502d241.exe	notepad .exe
PID 3916 wrote to memory of 2008	3916	54f4115c188c20b15718b0f9cacaf5569b26cc91d088eec672da1a2ba502d241.exe	notepad .exe
PID 3916 wrote to memory of 1748	3916	54f4115c188c20b15718b0f9cacaf5569b26cc91d088eec672da1a2ba502d241.exe	cmd.exe
PID 3916 wrote to memory of 1748	3916	54f4115c188c20b15718b0f9cacaf5569b26cc91d088eec672da1a2ba502d241.exe	cmd.exe
PID 3916 wrote to memory of 1748	3916	54f4115c188c20b15718b0f9cacaf5569b26cc91d088eec672da1a2ba502d241.exe	cmd.exe
PID 1748 wrote to memory of 2488	1748	cmd.exe	timeout.exe
PID 1748 wrote to memory of 2488	1748	cmd.exe	timeout.exe
PID 1748 wrote to memory of 2488	1748	cmd.exe	timeout.exe
PID 3916 wrote to memory of 1712	3916	54f4115c188c20b15718b0f9cacaf5569b26cc91d088eec672da1a2ba502d241.exe	cmd.exe
PID 3916 wrote to memory of 1712	3916	54f4115c188c20b15718b0f9cacaf5569b26cc91d088eec672da1a2ba502d241.exe	cmd.exe
PID 3916 wrote to memory of 1712	3916	54f4115c188c20b15718b0f9cacaf5569b26cc91d088eec672da1a2ba502d241.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\54f4115c188c20b15718b0f9cacaf5569b26cc91d088eec672da1a2ba502d241.exe
"C:\Users\Admin\AppData\Local\Temp\54f4115c188c20b15718b0f9cacaf5569b26cc91d088eec672da1a2ba502d241.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3916

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\FolderName\mata.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:2448

C:\Windows\SysWOW64\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\FolderName\invs.vbs" "C:\Users\Admin\AppData\Local\Temp\FolderName\mata2.bat
3⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1132

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FolderName\mata2.bat" "
4⤵
PID:4928

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
2⤵
- Executes dropped EXE
PID:2024

C:\Users\Admin\AppData\Local\Temp\notepad .exe
"C:\Users\Admin\AppData\Local\Temp\notepad .exe"
2⤵
- Executes dropped EXE
PID:2008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2008 -s 348
3⤵
- Program crash
PID:1300

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FolderName\stres.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:1748

C:\Windows\SysWOW64\timeout.exe
timeout /t 300
3⤵
- Delays execution with timeout.exe
PID:2488

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\FolderName\melt.bat
2⤵
PID:1712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2008 -ip 2008
1⤵
PID:4320

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\FolderName\file.exe
Filesize
411KB

MD5
99531c75262ac625760046aeee2e74c0

SHA1
a08137520da666f982b2d47626f7485eafb15b8b

SHA256
54f4115c188c20b15718b0f9cacaf5569b26cc91d088eec672da1a2ba502d241

SHA512
f857e4dac8594aaf02b63b564954657900e83533aa6c897bb41f989cdb081bc5514fc595067122dccb6075a4425b3519c607e874dcee4e24cb8b220cca993283

Download Submit
C:\Users\Admin\AppData\Local\Temp\FolderName\invs.vbs
Filesize
78B

MD5
c578d9653b22800c3eb6b6a51219bbb8

SHA1
a97aa251901bbe179a48dbc7a0c1872e163b1f2d

SHA256
20a98a7e6e137bb1b9bd5ef6911a479cb8eac925b80d6db4e70b19f62a40cce2

SHA512
3ae6dc8f02d1a78e1235a0782b632972da5a74ab32287cc41aa672d4fa4a9d34bb5fc50eba07b6915f2e61c402927cd5f6feeb7f7602afa2f64e91efb3b7fc4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\FolderName\mata.bat
Filesize
69B

MD5
c96a3b31fc4a115c977ce5d8a3256f4f

SHA1
8c71b0d75099af30ac1fe33266e3970b47ba716d

SHA256
a5b672a4863abcf46556d2e606b2833e8897a3206e554ad93043a82a792df49e

SHA512
f4337e85ca0b3c0242c35a09f1ff7154c9e37ea3c7de3c2337385fb4b57e25a8550877ce2f37d023c94a3fa69b2b4e003207790297879d29a5bbe4856d0a0f48

Download Submit
C:\Users\Admin\AppData\Local\Temp\FolderName\mata2.bat
Filesize
71B

MD5
068b098f8c807465a86da0256d8e22c7

SHA1
71f4205e5c884f829fc3f500cc4adf3828404a58

SHA256
1724823b6967f9d2931c3b55f09ee095a69ad8e13ae7b338ee22a5c56eeaf05d

SHA512
e9432cdebd7dff6f96aad870ea8e9713f618cadcfa720c0a10cd4d62b3f8d129d5efb1e170e6712afc23157d45f5e8c8f3bce80310a27d1e994e6e1af5314626

Download Submit
C:\Users\Admin\AppData\Local\Temp\FolderName\rundll11-.txt
Filesize
411KB

MD5
99531c75262ac625760046aeee2e74c0

SHA1
a08137520da666f982b2d47626f7485eafb15b8b

SHA256
54f4115c188c20b15718b0f9cacaf5569b26cc91d088eec672da1a2ba502d241

SHA512
f857e4dac8594aaf02b63b564954657900e83533aa6c897bb41f989cdb081bc5514fc595067122dccb6075a4425b3519c607e874dcee4e24cb8b220cca993283

Download Submit
C:\Users\Admin\AppData\Local\Temp\FolderName\stres.bat
Filesize
211B

MD5
fcea7e008224fa9f82bba83e3562baf0

SHA1
f8ccd10830a0e5e979099a022fb07019e2ac479e

SHA256
0d9caf1dc4c3317085c4fd81a56df506c99dacb883c341a2250d8ef9beffbdba

SHA512
5083a7b3500841b05c879151cde2dda997cf70fbe0dbec5b218dc5efe37084af976fcb67511c92fff21f6b0b5dafdc01f03b448b731db56e7f1f851017467304

Download Submit
C:\Users\Admin\AppData\Local\Temp\notepad .exe
Filesize
52KB

MD5
a64daca3cfbcd039df3ec29d3eddd001

SHA1
eee8b2573f71e8d5c3ee7e53af3e6772e090d0f3

SHA256
403752009f29381d5e4036b8be94589c89188f9ce8ef5f86959eaaada019ed36

SHA512
b6fe2d0ae3fcd4442579ecf10d498d61e0f042813c8fc4be8019da77d849cfcf0b168507139a1b5697227c272de9091788f8e03cf1ce13d5b5077568cfa6a479

Download Submit
C:\Users\Admin\AppData\Local\Temp\notepad .exe
Filesize
52KB

MD5
a64daca3cfbcd039df3ec29d3eddd001

SHA1
eee8b2573f71e8d5c3ee7e53af3e6772e090d0f3

SHA256
403752009f29381d5e4036b8be94589c89188f9ce8ef5f86959eaaada019ed36

SHA512
b6fe2d0ae3fcd4442579ecf10d498d61e0f042813c8fc4be8019da77d849cfcf0b168507139a1b5697227c272de9091788f8e03cf1ce13d5b5077568cfa6a479

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp.exe
Filesize
68KB

MD5
6c4334315749e1de84fe9b0c0bd000c4

SHA1
2aecee71b5f1fe41435bb54af4e79a8207842c53

SHA256
336b5de87a7ab7ff1f91084929babf7f339dcf53ba53ec5d441f50cceefeebb8

SHA512
1dacff99af8ec42519034ae5a293bb75740ef51829fee31ebb7391d917951f3ef7804b3d0d20015e9312dfa5d3c06b898fb149466e86a9baa0d74f90e506185e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp.exe
Filesize
68KB

MD5
6c4334315749e1de84fe9b0c0bd000c4

SHA1
2aecee71b5f1fe41435bb54af4e79a8207842c53

SHA256
336b5de87a7ab7ff1f91084929babf7f339dcf53ba53ec5d441f50cceefeebb8

SHA512
1dacff99af8ec42519034ae5a293bb75740ef51829fee31ebb7391d917951f3ef7804b3d0d20015e9312dfa5d3c06b898fb149466e86a9baa0d74f90e506185e

Download Submit
memory/1132-135-0x0000000000000000-mapping.dmp

Download
memory/1712-155-0x0000000000000000-mapping.dmp

Download
memory/1748-151-0x0000000000000000-mapping.dmp

Download
memory/2008-145-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2008-143-0x0000000000000000-mapping.dmp

Download
memory/2008-149-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2024-139-0x0000000000000000-mapping.dmp

Download
memory/2448-133-0x0000000000000000-mapping.dmp

Download
memory/2488-153-0x0000000000000000-mapping.dmp

Download
memory/3916-144-0x00000000749B0000-0x0000000074F61000-memory.dmp

Filesize
5.7MB

Download
memory/3916-132-0x00000000749B0000-0x0000000074F61000-memory.dmp

Filesize
5.7MB

Download
memory/3916-156-0x00000000749B0000-0x0000000074F61000-memory.dmp

Filesize
5.7MB

Download
memory/4928-138-0x0000000000000000-mapping.dmp

Download