Analysis

max time kernel: 165s
max time network: 17s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-11-2022 19:34

Static task: static1

Behavioral task: behavioral1
Sample: e421782098917c59e29746d2a423e7ed177eda28f79d8d40859ba96de9f657f7.exe
Resource: win7-20221111-en

Behavioral task: behavioral2
Sample: e421782098917c59e29746d2a423e7ed177eda28f79d8d40859ba96de9f657f7.exe
Resource: win10v2004-20220812-en

The signatures, process tree and memory dumps below come from behavioral2 (the win10v2004 run); the memory dump names are prefixed behavioral2/ accordingly.
General

Target: e421782098917c59e29746d2a423e7ed177eda28f79d8d40859ba96de9f657f7.exe
Size: 3.3MB
MD5: 4027e91cbc005b26ad9b0e16531b4d81
SHA1: 8418fa6d9b1ed71cc89e1d251c0107fa8ddfa637
SHA256: e421782098917c59e29746d2a423e7ed177eda28f79d8d40859ba96de9f657f7
SHA512: 0e267960c23f3ef5eae4a75b698dc21395e11831a08a82defe43926588edb899d840b9e5f1a5c824f412cc666bd62ccc894338e55231023568191c1f96bdcccf
SSDEEP: 49152:E9BfDauF3rt3g7GNBamkmmCwLtLV3viyKXtLGNWImgPIsxmHCpswILEtLv:EfTxzG7CwdV3vidSWHFCmLwv
Malware Config
Signatures

Executes dropped EXE (5 IoCs)

PID   Process
4944  reg64.exe
3900  bot.exe
4340  tmm32.exe
4440  irsetup.exe
4120  tmm32.exe

Yara rule matches: upx

Resource                                                                       Rule
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe                    upx
behavioral2/memory/4440-146-0x0000000000400000-0x00000000007CB000-memory.dmp   upx
behavioral2/memory/4440-157-0x0000000000400000-0x00000000007CB000-memory.dmp   upx
Checks computer location settings (2 TTPs, 3 IoCs)
Looks up the country code configured in the registry, likely a geofence check.

Key value queried: \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation
- by e421782098917c59e29746d2a423e7ed177eda28f79d8d40859ba96de9f657f7.exe (PID 2064)
- by reg64.exe (PID 4944)
- by bot.exe (PID 3900)

Loads dropped DLL (1 IoC)

PID   Process
4440  irsetup.exe

Adds Run key to start application (2 TTPs, 2 IoCs)

Description      IoC                                                                                                                                                   Process
Key created      \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run                                              tmm32.exe (PID 4120)
Set value (str)  \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tmm32.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmm32.exe"   tmm32.exe (PID 4120)
Suspicious use of SetThreadContext (1 IoC)

Source PID  Source process  Target PID  Target process
4340        tmm32.exe       4120        tmm32.exe

tmm32.exe (PID 4340) spawns a second copy of its own image (PID 4120), writes into it 14 times (see WriteProcessMemory below) and then replaces a thread context in it. That is the process-hollowing / self-injection sequence, typically used to run an unpacked payload inside a fresh copy of the same process. The child (4120) is the instance that goes on to add the Run key and enumerate processes, so it, not the 4340 parent, is the one running the payload.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s); the sandbox's generic description for this signature calls it likely ransomware behaviour. Nothing else in this report (no mass file writes, no ransom note, no encryption activity) corroborates ransomware, so on its own this is a weak indicator.
Suspicious behavior: EnumeratesProcesses (64 IoCs)

PID   Process    Occurrences
4120  tmm32.exe  64

Suspicious use of SetWindowsHookEx (6 IoCs)

PID   Process      Occurrences
3900  bot.exe      1
4340  tmm32.exe    1
4440  irsetup.exe  4

Suspicious use of WriteProcessMemory (26 IoCs)

Source PID  Source process                                                          Target PID  Target process  Calls
2064        e421782098917c59e29746d2a423e7ed177eda28f79d8d40859ba96de9f657f7.exe  4944        reg64.exe       3
2064        e421782098917c59e29746d2a423e7ed177eda28f79d8d40859ba96de9f657f7.exe  3900        bot.exe         3
4944        reg64.exe                                                               4340        tmm32.exe       3
3900        bot.exe                                                                 4440        irsetup.exe     3
4340        tmm32.exe                                                               4120        tmm32.exe       14

Three writes per spawn is the baseline every parent shows in this run; the 14 writes from 4340 into 4120, paired with the SetThreadContext call above, are the injection.
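Detection logic over the events this report describes, as an added example that is not part of the sandbox's report or its signature set. The event list is constructed by hand from the report's own process tree, WriteProcessMemory and SetThreadContext records, Run-key write and Geo\Nation lookups; the record schema and the `ev`, `spawn`, `find_*` and `render_tree` helpers are assumptions for the example, not any sandbox's schema or API. The injection check is written for the general case (any parent that creates a process and then resets a thread context in it), with the same-image condition reported as evidence rather than required, because hollowing into a different binary such as a system executable is just as common.

```python
"""Detection pass over a flat list of sandbox events (added example).

EVENTS is constructed by hand to mirror this report. The record schema
("kind", "pid", "ppid", "image", "target", "key", "name", "data") is an
assumption for the example, not a vendor log format.
"""
from collections import Counter

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
HKU = r"\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000"
RUN_KEY = HKU + r"\Software\Microsoft\Windows\CurrentVersion\Run"
GEO_KEY = HKU + r"\Control Panel\International\Geo\Nation"
SAMPLE = "e421782098917c59e29746d2a423e7ed177eda28f79d8d40859ba96de9f657f7.exe"


def tmp(name):
    return TEMP + "\\" + name


def ev(kind, pid, **fields):
    return {"kind": kind, "pid": pid, **fields}


def spawn(ppid, pid, image, writes):
    """A create event followed by `writes` WriteProcessMemory calls from parent
    to child; the sandbox logged three per ordinary spawn in this run."""
    return [ev("process_create", pid, ppid=ppid, image=image)] + [
        ev("write_memory", ppid, target=pid) for _ in range(writes)]


EVENTS = (
    [ev("process_create", 2064, ppid=None, image=tmp(SAMPLE)),
     ev("reg_query", 2064, key=GEO_KEY)]
    + spawn(2064, 4944, tmp("reg64.exe"), 3)
    + [ev("reg_query", 4944, key=GEO_KEY)]
    + spawn(2064, 3900, tmp("bot.exe"), 3)
    + [ev("reg_query", 3900, key=GEO_KEY)]
    + spawn(4944, 4340, tmp("tmm32.exe"), 3)
    + spawn(3900, 4440, tmp("_ir_sf_temp_0\\irsetup.exe"), 3)
    + spawn(4340, 4120, tmp("tmm32.exe"), 14)
    + [ev("set_thread_context", 4340, target=4120),
       ev("reg_set", 4120, key=RUN_KEY, name="tmm32.exe", data=tmp("tmm32.exe"))]
)


def _creates(events):
    return {e["pid"]: e for e in events if e["kind"] == "process_create"}


def find_thread_context_injection(events):
    """A parent that creates a child and then replaces one of its thread
    contexts has almost always written code into it first (hollowing). The
    write count and same-image flag are supporting evidence, not conditions."""
    creates = _creates(events)
    writes = Counter((e["pid"], e["target"]) for e in events if e["kind"] == "write_memory")
    hits = []
    for e in events:
        if e["kind"] != "set_thread_context":
            continue
        child, parent = creates.get(e["target"]), creates.get(e["pid"])
        if child is None or child["ppid"] != e["pid"]:
            continue  # context change in a process it did not create: different pattern
        hits.append({"parent": e["pid"], "child": e["target"], "image": child["image"],
                     "writes": writes[(e["pid"], e["target"])],
                     "same_image": parent is not None
                     and parent["image"].lower() == child["image"].lower()})
    return hits


def find_run_key_persistence(events):
    """Run-key values are common and legitimate; one pointing into %TEMP% is not."""
    return [{"pid": e["pid"], "name": e["name"], "data": e["data"],
             "in_temp": "\\appdata\\local\\temp\\" in e["data"].lower()}
            for e in events
            if e["kind"] == "reg_set" and e["key"].lower().endswith("\\currentversion\\run")]


def find_geofence_lookups(events):
    """PIDs that read Control Panel\\International\\Geo\\Nation."""
    return sorted({e["pid"] for e in events
                   if e["kind"] == "reg_query" and e["key"].lower().endswith("\\geo\\nation")})


def render_tree(events):
    """Indented process tree, the view the report's Processes section gives."""
    creates = _creates(events)
    children = {}
    for pid, e in creates.items():
        children.setdefault(e["ppid"], []).append(pid)
    lines = []

    def walk(pid, depth):
        name = creates[pid]["image"].rsplit("\\", 1)[-1]
        lines.append("  " * depth + f"{name} (PID {pid})")
        for c in children.get(pid, []):
            walk(c, depth + 1)

    for root in children.get(None, []):
        walk(root, 0)
    return lines


if __name__ == "__main__":
    print("\n".join(render_tree(EVENTS)))
    for hit in find_thread_context_injection(EVENTS):
        print("thread-context injection:", hit)
    for hit in find_run_key_persistence(EVENTS):
        print("run-key persistence:", hit)
    print("geofence lookups by PIDs:", find_geofence_lookups(EVENTS))
```

Run stand-alone it prints the same six-process tree as the Processes section, one injection hit (4340 into 4120, 14 writes, same image), one Run-key hit whose data sits under %TEMP%, and the three PIDs that read Geo\Nation. The 3-writes-per-spawn baseline is why the write count is reported rather than thresholded: the number that separates a normal CreateProcess from an injection varies by sandbox and by OS build.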
Processes

C:\Users\Admin\AppData\Local\Temp\e421782098917c59e29746d2a423e7ed177eda28f79d8d40859ba96de9f657f7.exe (PID 2064)
Command line: "C:\Users\Admin\AppData\Local\Temp\e421782098917c59e29746d2a423e7ed177eda28f79d8d40859ba96de9f657f7.exe"
- Checks computer location settings
- Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\reg64.exe (PID 4944, parent 2064)
    Command line: "C:\Users\Admin\AppData\Local\Temp\reg64.exe"
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\tmm32.exe (PID 4340, parent 4944)
        Command line: "C:\Users\Admin\AppData\Local\Temp\tmm32.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

            C:\Users\Admin\AppData\Local\Temp\tmm32.exe (PID 4120, parent 4340)
            Command line: "C:\Users\Admin\AppData\Local\Temp\tmm32.exe"
            - Executes dropped EXE
            - Adds Run key to start application
            - Suspicious behavior: EnumeratesProcesses

    C:\Users\Admin\AppData\Local\Temp\bot.exe (PID 3900, parent 2064)
    Command line: "C:\Users\Admin\AppData\Local\Temp\bot.exe"
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe (PID 4440, parent 3900)
        Command line: "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1749498 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\bot.exe" "__IRCT:3" "__IRTSS:2621767" "__IRSID:S-1-5-21-2891029575-1462575-1165213807-1000"
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of SetWindowsHookEx

The sample therefore drops two independent branches: reg64.exe, which runs tmm32.exe, which hollows a copy of itself and persists via the Run key; and bot.exe, which unpacks a runtime into _ir_sf_temp_0 and runs it. The _ir_sf_temp_0 directory, the irsetup.exe runtime alongside lua5.1.dll, and the __IRAOFF/__IRAFN arguments (archive offset and archive file name, pointing back at bot.exe) are the layout of an Indigo Rose Setup Factory installer, so bot.exe is a Setup Factory package whose Lua-scripted installer runs as PID 4440.
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
Filesize: 1.3MB
MD5: 1437d30476f86879af27aa3c4f5cf2ef
SHA1: cea48b9a0103cb60738fe23c2927c02880d7d954
SHA256: 9a7bb59efdca3a44db5227ed2a501681e976ec53dce37934990c36b58d51e783
SHA512: 41c17395e32949f11214295a4237a3e1f80b29a6299f79f7764b5990bff73434d3c60084461d872361fb275dca943a8a7fb770fd9d8d542b2cd3091e4d533ac6

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll
Filesize: 318KB
MD5: b5fc476c1bf08d5161346cc7dd4cb0ba
SHA1: 280fac9cf711d93c95f6b80ac97d89cf5853c096
SHA256: 12cb9b8f59c00ef40ea8f28bfc59a29f12dc28332bf44b1a5d8d6a8823365650
SHA512: 17fa97f399287b941e958d2d42fe6adb62700b01d9dbe0c824604e8e06d903b330f9d7d8ffb109bfb7f6742f46e7e9cedad6981f0d94d629b8402d0a0174f697

C:\Users\Admin\AppData\Local\Temp\bot.exe
Filesize: 2.5MB
MD5: 2464b4bf0871616c933bfe12f5b2ab71
SHA1: 561f70e457cb22fcbe344e4605be3ee9f2ddd606
SHA256: 65bf4a5ab8bd9e351c01a2a45eec3062e39717e6dc4694ed7c1f7b54f3d38f75
SHA512: 3cdbd672c92c0808e11197577564a53db1560065b45aa57aabe2a4df0c2c2aa93357762359d575a0bafb2750239dda26689d82135656e12ae749e85ccc1e400b

C:\Users\Admin\AppData\Local\Temp\reg64.exe
Filesize: 525KB
MD5: 513d7b7802c59b1da771eaf8603dee9d
SHA1: 8b6dc913f4fc7d20f68cd9dc123f74e5eb3a138a
SHA256: 2e666dc99f813f62d2f6caf7dc0b152863be2997852ab3e48cc24afe7e1c921f
SHA512: dd0b2f591892741ae7b09d02a58d72021ad446af07274ff167db088622fa409d9ad7eba50807f33f15707d98bfb643f2953a2646819078ebdd985eb6bf34577c

C:\Users\Admin\AppData\Local\Temp\tbi74.dll
Filesize: 24B
MD5: 708c2b4003fe7087c097b310c12682b5
SHA1: fbb0d028cfb82c271f6114e165219fd9a8e9319a
SHA256: eb5221bd93e012a2da8d8e63fd5efd04afd8114f1fd9c0842cde3220b4c49cdb
SHA512: 061b36583352fb72bf6a777f646f5d59671cdecb8cdf421011890c59dbc5976773288c6114b644ec36572db9f4ce4f19b668cc240ba52c14a9d50800e5e858f8
At 24 bytes this cannot be a PE image (the DOS header alone is 64 bytes); despite the .dll name it is a small data or marker file, and no process in the tree is recorded loading it.

C:\Users\Admin\AppData\Local\Temp\tmm32.exe
Filesize: 620KB
MD5: dcb0eecb3bce6375ccc4be7a020aa625
SHA1: 7190ddeeb09857e19badf8a2d077fdbaad3a918b
SHA256: 74ede674fc2f9dec1aa9111e99f9b05317750c98a696bc0c816630deef05ec68
SHA512: e37bb8d5f9a0f57bb1ea61e888c3dcafaf2849158f8e0645bb61b1f2fc1b22c66410da36ea49c51bb001970c08312a6a0bf5882863b3b076c376d8f50a5c7fed
Memory dumps (behavioral2)

Dump                                                               Filesize
memory/3900-135-0x0000000000000000-mapping.dmp                     -
memory/4120-149-0x0000000000000000-mapping.dmp                     -
memory/4120-150-0x0000000000400000-0x0000000000486000-memory.dmp   536KB
memory/4120-153-0x0000000000400000-0x0000000000486000-memory.dmp   536KB
memory/4120-154-0x0000000000400000-0x0000000000486000-memory.dmp   536KB
memory/4120-155-0x0000000000400000-0x0000000000486000-memory.dmp   536KB
memory/4120-158-0x0000000000400000-0x0000000000486000-memory.dmp   536KB
memory/4340-138-0x0000000000000000-mapping.dmp                     -
memory/4340-152-0x0000000002160000-0x0000000002166000-memory.dmp   24KB
memory/4440-141-0x0000000000000000-mapping.dmp                     -
memory/4440-146-0x0000000000400000-0x00000000007CB000-memory.dmp   3.8MB
memory/4440-157-0x0000000000400000-0x00000000007CB000-memory.dmp   3.8MB
memory/4944-132-0x0000000000000000-mapping.dmp                     -

The repeated 0x400000-0x486000 dumps of PID 4120 are successive captures of the main-module image of the hollowed tmm32.exe child (0x400000 is the default 32-bit image base), which is where the injected code lands; the two 0x400000-0x7CB000 dumps of PID 4440 are the irsetup.exe image region that matched the upx rule. The small 0x2160000-0x2166000 region in PID 4340 is a heap or private allocation in the injecting parent.
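How a `upx` match like the one reported for irsetup.exe and the PID 4440 dumps can be reproduced from the PE section table, as an added example; this is not the sandbox's own yara rule, whose text the report does not show. `section_headers`, `upx_indicators` and `make_pe` are assumed names, and the two header-only PE images are constructed stand-ins, the first laid out like a UPX binary and sized to end at 0x3CB000 like the report's 0x400000-0x7CB000 dumps of PID 4440, not the actual irsetup.exe.

```python
"""Minimal PE section-table parser with a UPX layout heuristic (added example).

The two images below are constructed in memory; they carry valid headers and a
section table only and are not loadable.
"""
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def section_headers(data):
    """DOS header -> e_lfanew -> "PE\\0\\0" -> COFF header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    nsect = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size  # 4-byte signature + 20-byte COFF header + optional header
    sections = []
    for i in range(nsect):
        off = table + 40 * i
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", data, off)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": vsize, "virtual_address": vaddr,
                         "raw_size": rawsize, "raw_pointer": rawptr,
                         "characteristics": chars})
    return sections


def upx_indicators(data):
    """Reasons to suspect UPX. The section name is the cheap, easily renamed
    tell; the empty-raw / large-virtual first section and the writable+executable
    stub survive renaming, and all three are still visible in the mapped image
    a sandbox dumps from memory."""
    secs = section_headers(data)
    reasons = []
    if any(s["name"].startswith("UPX") for s in secs):
        reasons.append("UPX-named section")
    if secs and secs[0]["raw_size"] == 0 and secs[0]["virtual_size"] >= 0x10000:
        reasons.append("first section has no raw data but a large virtual size (unpack destination)")
    if any(s["characteristics"] & IMAGE_SCN_MEM_WRITE and s["characteristics"] & IMAGE_SCN_MEM_EXECUTE
           for s in secs):
        reasons.append("writable+executable section (self-modifying unpack stub)")
    return reasons


def make_pe(sections):
    """Constructed header-only PE32+ image: DOS header, PE signature, COFF header,
    an all-zero optional header and the section table."""
    opt_size = 0xF0
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew at 0x3C points to 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, opt_size, 0x22)
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", n.encode().ljust(8, b"\0"), vs, va, rs, rp, 0, 0, 0, 0, ch)
        for n, vs, va, rs, rp, ch in sections)
    return dos + b"PE\0\0" + coff + b"\0" * opt_size + table


# (name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, Characteristics)
UPX_LIKE = make_pe([
    ("UPX0", 0x2C9000, 0x1000, 0, 0x400, 0xE0000080),        # RWX, uninitialised, no raw bytes
    ("UPX1", 0x100000, 0x2CA000, 0xFF000, 0x400, 0xE0000040),  # RWX, compressed body + stub
    (".rsrc", 0x1000, 0x3CA000, 0x800, 0xFF400, 0xC0000040),   # ends at 0x3CB000
])
PLAIN = make_pe([
    (".text", 0x5000, 0x1000, 0x5000, 0x400, 0x60000020),   # R+X code
    (".data", 0x1000, 0x6000, 0x200, 0x5400, 0xC0000040),   # R+W data
    (".rsrc", 0x800, 0x7000, 0x800, 0x5600, 0x40000040),    # R only
])

if __name__ == "__main__":
    for label, image in (("upx-like", UPX_LIKE), ("plain", PLAIN)):
        print(label, [s["name"] for s in section_headers(image)], upx_indicators(image))
```

On a real file, pass the bytes read from disk (or a dumped 0x400000-based image) to `upx_indicators`; the name check alone reproduces the common `upx` yara signatures, while the other two conditions are what to keep when a packer has renamed its sections.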