Analysis
- max time kernel: 190s
- max time network: 194s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25-11-2022 19:35
- Static task: static1
- Behavioral task: behavioral1
  Sample: e710a43d937a561ea012d4572d5e9f79eaa4da702646f78b29615acba8203be2.exe
  Resource: win7-20220812-en
- Behavioral task: behavioral2
  Sample: e710a43d937a561ea012d4572d5e9f79eaa4da702646f78b29615acba8203be2.exe
  Resource: win10v2004-20220812-en
General
- Target: e710a43d937a561ea012d4572d5e9f79eaa4da702646f78b29615acba8203be2.exe
- Size: 159KB
- MD5: cbe583b8f1e2623f3d84ca051ad9a285
- SHA1: 623d7c79cb1f3cea1740f2e556f546c99f0705b9
- SHA256: e710a43d937a561ea012d4572d5e9f79eaa4da702646f78b29615acba8203be2
- SHA512: b29bace87f535f6ffbe8c44ddaed22d51b511dcc09b4fb2b34b799e1e74b1d51d57050c23e0ce3a98aef46deda59714e0111f39c32dc890adfe98be0e9fd9f88
- SSDEEP: 3072:XK/kz6bycvuLIBs69/EeEDhpnM8nQ4aXRTM2WrVJzh/kPdeZbJIw87OAM:QiLIBvLCtJQvl7Gg+tIw87OAM
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
    PID 2272: zepvew.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    e710a43d937a561ea012d4572d5e9f79eaa4da702646f78b29615acba8203be2.exe: key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
    e710a43d937a561ea012d4572d5e9f79eaa4da702646f78b29615acba8203be2.exe: key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
    e710a43d937a561ea012d4572d5e9f79eaa4da702646f78b29615acba8203be2.exe: set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Windows\\system32\\zepvew.exe"
- Drops file in System32 directory (2 IoCs)
  Processes:
    e710a43d937a561ea012d4572d5e9f79eaa4da702646f78b29615acba8203be2.exe: file opened for modification C:\Windows\SysWOW64\zepvew.exe
    e710a43d937a561ea012d4572d5e9f79eaa4da702646f78b29615acba8203be2.exe: file created C:\Windows\SysWOW64\zepvew.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies registry class (1 IoC)
  Processes:
    e710a43d937a561ea012d4572d5e9f79eaa4da702646f78b29615acba8203be2.exe: key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes (source PID -> target PID, source process -> target process):
    PID 1532 wrote to memory of 4844: e710a43d937a561ea012d4572d5e9f79eaa4da702646f78b29615acba8203be2.exe -> WScript.exe
    PID 1532 wrote to memory of 4844: e710a43d937a561ea012d4572d5e9f79eaa4da702646f78b29615acba8203be2.exe -> WScript.exe
    PID 1532 wrote to memory of 4844: e710a43d937a561ea012d4572d5e9f79eaa4da702646f78b29615acba8203be2.exe -> WScript.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\e710a43d937a561ea012d4572d5e9f79eaa4da702646f78b29615acba8203be2.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e710a43d937a561ea012d4572d5e9f79eaa4da702646f78b29615acba8203be2.exe"
  PID: 1532
  Signatures:
  - Checks computer location settings
  - Adds Run key to start application
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  Child process:
  - C:\Windows\SysWOW64\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\8030.vbs"
    PID: 4844
- C:\Windows\SysWOW64\zepvew.exe
  Command line: C:\Windows\SysWOW64\zepvew.exe
  PID: 2272
  Signatures:
  - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\8030.vbs
  Filesize: 500B
  MD5: 1ae26ecbd232cbc67c60fc00ee38aa83
  SHA1: 5c545c2c9c3ad78bc85999c8d03c00a99f8f797c
  SHA256: 3bd5aa4e03d7ed2c9ec364730b1dc29f5ef9e49f4d55314051e0c941f9b1fa81
  SHA512: 02c3ca3f315c6cc8c0618001474487fc1a4aa969861bfee64c6f9200c416cd653cbfdd90dd3ff82d8cbc3443f8ef7b1d2c2bad4164f71c985eaacb4083fe9974
- C:\Windows\SysWOW64\zepvew.exe
  Filesize: 159KB
  MD5: cbe583b8f1e2623f3d84ca051ad9a285
  SHA1: 623d7c79cb1f3cea1740f2e556f546c99f0705b9
  SHA256: e710a43d937a561ea012d4572d5e9f79eaa4da702646f78b29615acba8203be2
  SHA512: b29bace87f535f6ffbe8c44ddaed22d51b511dcc09b4fb2b34b799e1e74b1d51d57050c23e0ce3a98aef46deda59714e0111f39c32dc890adfe98be0e9fd9f88
- memory/1532-133-0x0000000000400000-0x0000000000433000-memory.dmp
  Filesize: 204KB
- memory/1532-137-0x0000000000400000-0x0000000000433000-memory.dmp
  Filesize: 204KB
- memory/2272-136-0x0000000000400000-0x0000000000433000-memory.dmp
  Filesize: 204KB
- memory/4844-138-0x0000000000000000-mapping.dmp