Analysis
-
max time kernel: 170s
max time network: 188s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
-
submitted: 26-11-2022 04:12
Static task: static1
Behavioral task: behavioral1
  Sample: 5c4de4d2ed17cb40c67702d9a066cacfbf094361ab66910c4601d95840806224.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 5c4de4d2ed17cb40c67702d9a066cacfbf094361ab66910c4601d95840806224.exe
  Resource: win10v2004-20220812-en
General
-
Target: 5c4de4d2ed17cb40c67702d9a066cacfbf094361ab66910c4601d95840806224.exe
Size: 1.5MB
MD5: 453afe4eca786c6d47d03b54f07db3e5
SHA1: dca6c30a1e197d396832629910df2a21e04d3c93
SHA256: 5c4de4d2ed17cb40c67702d9a066cacfbf094361ab66910c4601d95840806224
SHA512: c29ee0ca4633a6cd1f8c66a89f9bf985d968ccbfe42aef442e38b225b5484f7ace462fffcf91d6abf65a0810f00636a4cd837161cfe3317f30c18057eb61005a
SSDEEP: 24576:7hvedoghZOpAx6i/XSoxQX9NgTq3WaplDjAhnyY78EJ3jtk5WbQRizm5Enao1N:lezZOKxj6LX823WWlDUd5k5Wb6izuEnb
Malware Config
Signatures
-
Drops file in Drivers directory 2 IoCs
Processes: dnfDS.exe, WinHelp32.exe
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\drivers\PCIDump.sys | dnfDS.exe
File opened for modification | C:\Windows\SysWOW64\drivers\PCIDump.sys | WinHelp32.exe
-
Executes dropped EXE 4 IoCs
Processes: dnfZS.EXE, dnfA002.exe, dnfDS.exe, WinHelp32.exe
pid | process
5020 | dnfZS.EXE
3876 | dnfA002.exe
4272 | dnfDS.exe
4300 | WinHelp32.exe
-
UPX packed file (yara rule upx) 5 IoCs
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\dnfDS.exe | upx
C:\Users\Admin\AppData\Local\Temp\dnfDS.exe | upx
C:\Windows\SysWOW64\WinHelp32.exe | upx
behavioral2/memory/4272-146-0x0000000000400000-0x000000000040E000-memory.dmp | upx
C:\Windows\SysWOW64\WinHelp32.exe | upx
The memory.dmp hit is the in-memory image of dnfDS.exe (pid 4272) at its 0x400000 base; the on-disk file and the image dump both still match the packer rule.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: 5c4de4d2ed17cb40c67702d9a066cacfbf094361ab66910c4601d95840806224.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | 5c4de4d2ed17cb40c67702d9a066cacfbf094361ab66910c4601d95840806224.exe
-
Drops file in System32 directory 3 IoCs
Processes: dnfDS.exe, WinHelp32.exe
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\WinHelp32.exe | dnfDS.exe
File created | C:\Windows\SysWOW64\WinHelp32.exe | WinHelp32.exe
File created | C:\Windows\SysWOW64\WinHelp32.exe | dnfDS.exe
dnfDS.exe and WinHelp32.exe carry identical hashes (see Downloads), so this is the dropped component copying itself into SysWOW64 under a system-looking name, not a second payload.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox labels this as likely ransomware behaviour, but that is a generic heuristic: no other signature in this report shows file encryption, a ransom note, or bulk file writes, so treat this label as weak evidence on its own.
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes: dnfDS.exe, WinHelp32.exe
description | pid | process
Token: SeIncBasePriorityPrivilege | 4272 | dnfDS.exe
Token: SeIncBasePriorityPrivilege | 4300 | WinHelp32.exe
SeIncBasePriorityPrivilege only permits raising scheduling priority; it is not an elevation or debug privilege, so this is low-signal by itself and mainly useful for correlation with the other IoCs.
-
Suspicious use of WriteProcessMemory 18 IoCs
Processes: 5c4de4d2ed17cb40c67702d9a066cacfbf094361ab66910c4601d95840806224.exe, dnfDS.exe, WinHelp32.exe
source pid | source process | target pid | target process | writes
4440 | 5c4de4d2ed17cb40c67702d9a066cacfbf094361ab66910c4601d95840806224.exe | 5020 | dnfZS.EXE | 3
4440 | 5c4de4d2ed17cb40c67702d9a066cacfbf094361ab66910c4601d95840806224.exe | 3876 | dnfA002.exe | 3
4440 | 5c4de4d2ed17cb40c67702d9a066cacfbf094361ab66910c4601d95840806224.exe | 4272 | dnfDS.exe | 3
4272 | dnfDS.exe | 4300 | WinHelp32.exe | 3
4272 | dnfDS.exe | 5024 | cmd.exe | 3
4300 | WinHelp32.exe | 5068 | cmd.exe | 3
Every target here is a child the source had just created, including the two cmd.exe instances; the table records no write into a pre-existing process, so it documents the process tree rather than injection into another process.
Processes
-
[1] C:\Users\Admin\AppData\Local\Temp\5c4de4d2ed17cb40c67702d9a066cacfbf094361ab66910c4601d95840806224.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\5c4de4d2ed17cb40c67702d9a066cacfbf094361ab66910c4601d95840806224.exe"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\dnfZS.EXE
        Command line: "C:\Users\Admin\AppData\Local\Temp\dnfZS.EXE"
        - Executes dropped EXE
    [2] C:\Users\Admin\AppData\Local\Temp\dnfA002.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\dnfA002.exe"
        - Executes dropped EXE
    [2] C:\Users\Admin\AppData\Local\Temp\dnfDS.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\dnfDS.exe"
        - Drops file in Drivers directory
        - Executes dropped EXE
        - Drops file in System32 directory
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\WinHelp32.exe
            Command line: "C:\Windows\system32\WinHelp32.exe"
            - Drops file in Drivers directory
            - Executes dropped EXE
            - Drops file in System32 directory
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\SysWOW64\cmd.exe
                Command line: C:\Windows\system32\cmd.exe /C del C:\Windows\SysWOW64\WINHEL~1.EXE > nul
        [3] C:\Windows\SysWOW64\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /C del C:\Users\Admin\AppData\Local\Temp\dnfDS.exe > nul
Bracketed numbers are the depth in the tree. Two points matter when hunting for this on real hosts. First, the sample is 32-bit (resource tag arch:x86), so its command lines name C:\Windows\system32\... while the images actually launched and the files actually written resolve to C:\Windows\SysWOW64\... through WoW64 file system redirection; search for both spellings. Second, each cmd.exe child is told to delete its parent's own image (WINHEL~1.EXE is consistent with the 8.3 short name of WinHelp32.exe in that directory), a self-cleanup attempt. The parent is still running when cmd.exe starts, so whether the delete succeeds depends on the parent exiting first; the report does not record the outcome, and both files are still present in the Downloads section.
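The following script is an added example, not part of the sandbox report or the sample. It turns the report's artefacts into something a responder can run: the dropped-file SHA-256 values and drop paths are copied from the Downloads and Signatures sections; the process events are constructed to mirror the process tree above (same PIDs, images and command lines, plus one benign control), and the 8.3 short-name matching is a heuristic of my own, since real short names can only be resolved on the file system.

```python
"""Hunt for this report's artefacts: dropped-file hashes and paths, and the
'cmd.exe /C del <parent image>' self-cleanup spawned by dnfDS.exe/WinHelp32.exe.
Process events below are constructed for offline testing; hashes are the report's.
"""
import hashlib
import ntpath
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# SHA-256 values from the report's Downloads section.
DROPPED_SHA256: Dict[str, str] = {
    "5c4de4d2ed17cb40c67702d9a066cacfbf094361ab66910c4601d95840806224": "initial dropper",
    "df42f73857e3aae967f986a501ea01cec7009863785aaa08df0d2e12c30237e1": "dnfZS.EXE",
    "7b48b3f44be9089772b1f8588c2df05c5a5caf249ed6e77d90172a8b780313b5": "dnfA002.exe",
    "a3bec589212b01e9d2fe6a369cc8266748179b68df7530b409880e3cf4a8bd54": "dnfDS.exe / WinHelp32.exe (identical bytes)",
    "a0cd51ff93d087654b5ceccc279df8eb5e9783a530a3bca83a06c7f82025885d": "drivers\\PCIDump.sys",
}

# Drop locations from the report, in the SysWOW64 spelling they resolve to.
DROPPED_PATHS = {
    r"c:\windows\syswow64\winhelp32.exe",
    r"c:\windows\syswow64\drivers\pcidump.sys",
}

DEL_RE = re.compile(r'/c\s+del\s+(?P<target>"[^"]+"|\S+)', re.IGNORECASE)
# 8.3 short-name shape: up to six stem characters, '~', a counter, optional extension.
SHORT_RE = re.compile(r"^([a-z0-9_\-]{1,6})~\d+(\.[a-z0-9]{0,3})?$", re.IGNORECASE)


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str     # image path as the sandbox/EDR resolved it
    cmdline: str   # command line as launched


def norm(path: str) -> str:
    return path.strip().strip('"').lower()


def match_path(path: str) -> bool:
    r"""True if path is one of the report's drop locations.  The sample is 32-bit,
    so a write to C:\Windows\system32\... lands in SysWOW64 via WoW64 redirection;
    the system32 spelling is folded onto SysWOW64 before comparing (for a 64-bit
    writer the two directories would really be distinct)."""
    return norm(path).replace("\\system32\\", "\\syswow64\\") in DROPPED_PATHS


def label_for_digest(sha256_hex: str) -> Optional[str]:
    return DROPPED_SHA256.get(sha256_hex.lower())


def match_bytes(data: bytes) -> Optional[str]:
    """Hash file contents and look the digest up in the report's IoC set."""
    return label_for_digest(hashlib.sha256(data).hexdigest())


def same_image(target: str, parent_image: str) -> bool:
    """Does 'del <target>' point at the parent's own executable?  Exact match, or
    same directory plus an 8.3 short name whose stem prefixes the parent's file
    name (WINHEL~1.EXE vs WinHelp32.exe).  Heuristic: true short names can only
    be read from the file system."""
    t, p = norm(target), norm(parent_image)
    if t == p:
        return True
    tdir, tname = ntpath.split(t)
    pdir, pname = ntpath.split(p)
    if tdir != pdir:
        return False
    m = SHORT_RE.match(tname)
    if not m:
        return False
    stem, ext = ntpath.splitext(pname)
    return stem.startswith(m.group(1)) and ext[:4] == (m.group(2) or "")


def find_self_deletes(events: List[ProcEvent]) -> List[Tuple[int, str, str]]:
    """(cmd pid, parent image, delete target) for each cmd.exe /C del whose
    target is the parent's own image."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if ntpath.basename(norm(e.image)) != "cmd.exe":
            continue
        m = DEL_RE.search(e.cmdline)
        parent = by_pid.get(e.ppid)
        if m and parent and same_image(m.group("target"), parent.image):
            hits.append((e.pid, parent.image, m.group("target").strip('"')))
    return hits


# Constructed process events; PIDs, images and command lines follow the report.
TMP = r"C:\Users\Admin\AppData\Local\Temp"
DROPPER = "5c4de4d2ed17cb40c67702d9a066cacfbf094361ab66910c4601d95840806224.exe"
SAMPLE_EVENTS = [
    ProcEvent(1000, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(4440, 1000, TMP + "\\" + DROPPER, f'"{TMP}\\{DROPPER}"'),
    ProcEvent(5020, 4440, TMP + r"\dnfZS.EXE", f'"{TMP}\\dnfZS.EXE"'),
    ProcEvent(3876, 4440, TMP + r"\dnfA002.exe", f'"{TMP}\\dnfA002.exe"'),
    ProcEvent(4272, 4440, TMP + r"\dnfDS.exe", f'"{TMP}\\dnfDS.exe"'),
    ProcEvent(4300, 4272, r"C:\Windows\SysWOW64\WinHelp32.exe", r'"C:\Windows\system32\WinHelp32.exe"'),
    ProcEvent(5068, 4300, r"C:\Windows\SysWOW64\cmd.exe",
              r"C:\Windows\system32\cmd.exe /C del C:\Windows\SysWOW64\WINHEL~1.EXE > nul"),
    ProcEvent(5024, 4272, r"C:\Windows\SysWOW64\cmd.exe",
              rf"C:\Windows\system32\cmd.exe /C del {TMP}\dnfDS.exe > nul"),
    # Benign control: a cmd.exe deleting an unrelated file must not fire.
    ProcEvent(6000, 1000, r"C:\Windows\System32\cmd.exe", rf"cmd.exe /C del {TMP}\install.log > nul"),
]

if __name__ == "__main__":
    for pid, parent, target in find_self_deletes(SAMPLE_EVENTS):
        print(f"self-delete: cmd pid {pid} (parent {parent}) -> {target}")
```

On a live host, feed `find_self_deletes` with Sysmon event 1 or EDR process-creation records (pid, parent pid, image, command line) and run `match_bytes` over the contents of anything found under SysWOW64 or the drivers directory; the path check deliberately accepts both the system32 and SysWOW64 spellings because this sample's own command lines use the former while its files land in the latter.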
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\dnfA002.exe
Filesize 104KB
MD5 d8cb66ac7938e593a4387ef7957a7536
SHA1 4b36e5d8884cee1e9cb7d3c0aa742fac9781a365
SHA256 7b48b3f44be9089772b1f8588c2df05c5a5caf249ed6e77d90172a8b780313b5
SHA512 8d45f9808deeb47d5534de88f3be2e22171a6d8dd0a49105d5dcf2065aff4a31a505fbf2d9d1b4d94b9575397e0f3436d1b69603d6b5ffacbbc7b177cde02823
-
C:\Users\Admin\AppData\Local\Temp\dnfDS.exe
Filesize 17KB
MD5 b7027825eac239fe4425461d9977cdf1
SHA1 d5791093a67b1ae47ffd0fd885a3d53d3f87bede
SHA256 a3bec589212b01e9d2fe6a369cc8266748179b68df7530b409880e3cf4a8bd54
SHA512 01bf11d6ff97458d88d1f44b692fab3eec968afcd5b42419c54c6a7ab6d84c0494199b33045c46786a8083420736a88106e7ce416d3d49c52a75c9389d61d0d5
-
C:\Users\Admin\AppData\Local\Temp\dnfZS.EXE
Filesize 1.3MB
MD5 4e6fa6153efdbb03d5b112a9f3c94331
SHA1 3ae461f627d1e1d4e308bc9e4d0598cb622584a4
SHA256 df42f73857e3aae967f986a501ea01cec7009863785aaa08df0d2e12c30237e1
SHA512 d4e0ad754c2639a38d0e19a0abd1221fb8b3b7ae7d63d8528eda8b3ad6e183b0132ec8e40397baca2ee019fe000a5dafd6d1121c651b081a855bdf9e247493bd
-
C:\Windows\SysWOW64\WinHelp32.exe (same hashes as dnfDS.exe)
Filesize 17KB
MD5 b7027825eac239fe4425461d9977cdf1
SHA1 d5791093a67b1ae47ffd0fd885a3d53d3f87bede
SHA256 a3bec589212b01e9d2fe6a369cc8266748179b68df7530b409880e3cf4a8bd54
SHA512 01bf11d6ff97458d88d1f44b692fab3eec968afcd5b42419c54c6a7ab6d84c0494199b33045c46786a8083420736a88106e7ce416d3d49c52a75c9389d61d0d5
-
C:\Windows\SysWOW64\drivers\PCIDump.sys
Filesize 4KB
MD5 d058dd1757e857d2cf1afcadce95a521
SHA1 3d5563ce8e7a11110d238b25711a176a63bfb703
SHA256 a0cd51ff93d087654b5ceccc279df8eb5e9783a530a3bca83a06c7f82025885d
SHA512 748937d6ae01ddbe97470754b73563c04e492d7980a8e0bbb9ed7838e85c8cff912d087204325664c3051aeba15606d23b9b507b211a6369e7ecc7bda175da44
-
memory/3876-135-0x0000000000000000-mapping.dmp
-
memory/4272-138-0x0000000000000000-mapping.dmp
-
memory/4272-146-0x0000000000400000-0x000000000040E000-memory.dmp
Filesize 56KB
-
memory/4300-141-0x0000000000000000-mapping.dmp
-
memory/5020-132-0x0000000000000000-mapping.dmp
-
memory/5024-144-0x0000000000000000-mapping.dmp
-
memory/5068-147-0x0000000000000000-mapping.dmp