a7aa1aec2367ef76b6b54e3e2e75932ce581830538082a29edb5197f7ca49c22

Analysis

max time kernel
427s
max time network
441s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
26-11-2022 09:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a7aa1aec2367ef76b6b54e3e2e75932ce581830538082a29edb5197f7ca49c22.exe
Size

2.9MB
MD5

7fc6aa097106475835371981ebc9bbe9
SHA1

a61bbe3807e76f47b3daf96d32f955b8a8d69583
SHA256

a7aa1aec2367ef76b6b54e3e2e75932ce581830538082a29edb5197f7ca49c22
SHA512

e54d58ffe8bc1662ca5cd5f003ee21b1c2fef553a87c47922d023f9684b017829993a364390402f70bd0d8325e005f3759eebce95008e129729d924357754aa9
SSDEEP

49152:H9BfDauF3rt3g7GNBamkmmCwLtLV3viyKXtLGNWImaIhBVrNm4Z:HfTxzG7CwdV3vidSWHaI3RNm4Z

Score

8^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 5 IoCs

Processes:

xvs32.exeeti32.exebot.exeeti32.exeirsetup.exe

pid process

4512 xvs32.exe
4892 eti32.exe
3372 bot.exe
4636 eti32.exe
2188 irsetup.exe

pid	process
4512	xvs32.exe
4892	eti32.exe
3372	bot.exe
4636	eti32.exe
2188	irsetup.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	upx
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	upx
behavioral2/memory/2188-179-0x0000000000400000-0x00000000007CB000-memory.dmp	upx

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

a7aa1aec2367ef76b6b54e3e2e75932ce581830538082a29edb5197f7ca49c22.exexvs32.exebot.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	a7aa1aec2367ef76b6b54e3e2e75932ce581830538082a29edb5197f7ca49c22.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	xvs32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	bot.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

eti32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows\CurrentVersion\Run	eti32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\eti32.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\eti32.exe"	eti32.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

eti32.exe

description pid process target process

PID 4892 set thread context of 4636 4892 eti32.exe eti32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

eti32.exebot.exe

pid process

4892 eti32.exe
3372 bot.exe

description	pid	process	target process
PID 4892 set thread context of 4636	4892	eti32.exe	eti32.exe

pid	process
4892	eti32.exe
3372	bot.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

a7aa1aec2367ef76b6b54e3e2e75932ce581830538082a29edb5197f7ca49c22.exexvs32.exeeti32.exebot.exe

description	pid	process	target process
PID 3936 wrote to memory of 4512	3936	a7aa1aec2367ef76b6b54e3e2e75932ce581830538082a29edb5197f7ca49c22.exe	xvs32.exe
PID 3936 wrote to memory of 4512	3936	a7aa1aec2367ef76b6b54e3e2e75932ce581830538082a29edb5197f7ca49c22.exe	xvs32.exe
PID 3936 wrote to memory of 4512	3936	a7aa1aec2367ef76b6b54e3e2e75932ce581830538082a29edb5197f7ca49c22.exe	xvs32.exe
PID 3936 wrote to memory of 3372	3936	a7aa1aec2367ef76b6b54e3e2e75932ce581830538082a29edb5197f7ca49c22.exe	bot.exe
PID 3936 wrote to memory of 3372	3936	a7aa1aec2367ef76b6b54e3e2e75932ce581830538082a29edb5197f7ca49c22.exe	bot.exe
PID 3936 wrote to memory of 3372	3936	a7aa1aec2367ef76b6b54e3e2e75932ce581830538082a29edb5197f7ca49c22.exe	bot.exe
PID 4512 wrote to memory of 4892	4512	xvs32.exe	eti32.exe
PID 4512 wrote to memory of 4892	4512	xvs32.exe	eti32.exe
PID 4512 wrote to memory of 4892	4512	xvs32.exe	eti32.exe
PID 4892 wrote to memory of 4636	4892	eti32.exe	eti32.exe
PID 4892 wrote to memory of 4636	4892	eti32.exe	eti32.exe
PID 4892 wrote to memory of 4636	4892	eti32.exe	eti32.exe
PID 4892 wrote to memory of 4636	4892	eti32.exe	eti32.exe
PID 4892 wrote to memory of 4636	4892	eti32.exe	eti32.exe
PID 4892 wrote to memory of 4636	4892	eti32.exe	eti32.exe
PID 4892 wrote to memory of 4636	4892	eti32.exe	eti32.exe
PID 4892 wrote to memory of 4636	4892	eti32.exe	eti32.exe
PID 4892 wrote to memory of 4636	4892	eti32.exe	eti32.exe
PID 4892 wrote to memory of 4636	4892	eti32.exe	eti32.exe
PID 4892 wrote to memory of 4636	4892	eti32.exe	eti32.exe
PID 4892 wrote to memory of 4636	4892	eti32.exe	eti32.exe
PID 4892 wrote to memory of 4636	4892	eti32.exe	eti32.exe
PID 4892 wrote to memory of 4636	4892	eti32.exe	eti32.exe
PID 3372 wrote to memory of 2188	3372	bot.exe	irsetup.exe
PID 3372 wrote to memory of 2188	3372	bot.exe	irsetup.exe
PID 3372 wrote to memory of 2188	3372	bot.exe	irsetup.exe

C:\Users\Admin\AppData\Local\Temp\a7aa1aec2367ef76b6b54e3e2e75932ce581830538082a29edb5197f7ca49c22.exe
"C:\Users\Admin\AppData\Local\Temp\a7aa1aec2367ef76b6b54e3e2e75932ce581830538082a29edb5197f7ca49c22.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3936

C:\Users\Admin\AppData\Local\Temp\xvs32.exe
"C:\Users\Admin\AppData\Local\Temp\xvs32.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4512

C:\Users\Admin\AppData\Local\Temp\eti32.exe
"C:\Users\Admin\AppData\Local\Temp\eti32.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4892

C:\Users\Admin\AppData\Local\Temp\eti32.exe
"C:\Users\Admin\AppData\Local\Temp\eti32.exe"
4⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4636

C:\Users\Admin\AppData\Local\Temp\bot.exe
"C:\Users\Admin\AppData\Local\Temp\bot.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3372

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
"C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1749498 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\bot.exe" "__IRCT:3" "__IRTSS:2621767" "__IRSID:S-1-5-21-2971393436-602173351-1645505021-1000"
3⤵
- Executes dropped EXE
PID:2188

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
Filesize
1.3MB

MD5
1437d30476f86879af27aa3c4f5cf2ef

SHA1
cea48b9a0103cb60738fe23c2927c02880d7d954

SHA256
9a7bb59efdca3a44db5227ed2a501681e976ec53dce37934990c36b58d51e783

SHA512
41c17395e32949f11214295a4237a3e1f80b29a6299f79f7764b5990bff73434d3c60084461d872361fb275dca943a8a7fb770fd9d8d542b2cd3091e4d533ac6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
Filesize
1.3MB

MD5
1437d30476f86879af27aa3c4f5cf2ef

SHA1
cea48b9a0103cb60738fe23c2927c02880d7d954

SHA256
9a7bb59efdca3a44db5227ed2a501681e976ec53dce37934990c36b58d51e783

SHA512
41c17395e32949f11214295a4237a3e1f80b29a6299f79f7764b5990bff73434d3c60084461d872361fb275dca943a8a7fb770fd9d8d542b2cd3091e4d533ac6

Download Submit
C:\Users\Admin\AppData\Local\Temp\bot.exe
Filesize
2.5MB

MD5
2464b4bf0871616c933bfe12f5b2ab71

SHA1
561f70e457cb22fcbe344e4605be3ee9f2ddd606

SHA256
65bf4a5ab8bd9e351c01a2a45eec3062e39717e6dc4694ed7c1f7b54f3d38f75

SHA512
3cdbd672c92c0808e11197577564a53db1560065b45aa57aabe2a4df0c2c2aa93357762359d575a0bafb2750239dda26689d82135656e12ae749e85ccc1e400b

Download Submit
C:\Users\Admin\AppData\Local\Temp\bot.exe
Filesize
2.5MB

MD5
2464b4bf0871616c933bfe12f5b2ab71

SHA1
561f70e457cb22fcbe344e4605be3ee9f2ddd606

SHA256
65bf4a5ab8bd9e351c01a2a45eec3062e39717e6dc4694ed7c1f7b54f3d38f75

SHA512
3cdbd672c92c0808e11197577564a53db1560065b45aa57aabe2a4df0c2c2aa93357762359d575a0bafb2750239dda26689d82135656e12ae749e85ccc1e400b

Download Submit
C:\Users\Admin\AppData\Local\Temp\eti32.exe
Filesize
1.2MB

MD5
001a13c896eca4dfcf833c0fff6aae9a

SHA1
30420158e8c94e509a1de60a6fed1baf3072527f

SHA256
439cd84f230de8c97f8c8d212d6d5bc391a3606f21dd5dcfd200e6a0e3fdfb41

SHA512
a79eee3ecf8588e2331bf8b606b8a1bd180d1c730ffdb2becc11a86b3dee14c1c447f56c41ed5455656404bea4a93b9867c5753ebd85b8d1dc5b4d87e3cf8c8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\eti32.exe
Filesize
1.2MB

MD5
001a13c896eca4dfcf833c0fff6aae9a

SHA1
30420158e8c94e509a1de60a6fed1baf3072527f

SHA256
439cd84f230de8c97f8c8d212d6d5bc391a3606f21dd5dcfd200e6a0e3fdfb41

SHA512
a79eee3ecf8588e2331bf8b606b8a1bd180d1c730ffdb2becc11a86b3dee14c1c447f56c41ed5455656404bea4a93b9867c5753ebd85b8d1dc5b4d87e3cf8c8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\eti32.exe
Filesize
1.2MB

MD5
001a13c896eca4dfcf833c0fff6aae9a

SHA1
30420158e8c94e509a1de60a6fed1baf3072527f

SHA256
439cd84f230de8c97f8c8d212d6d5bc391a3606f21dd5dcfd200e6a0e3fdfb41

SHA512
a79eee3ecf8588e2331bf8b606b8a1bd180d1c730ffdb2becc11a86b3dee14c1c447f56c41ed5455656404bea4a93b9867c5753ebd85b8d1dc5b4d87e3cf8c8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tbi73.dll
Filesize
24B

MD5
171e657f9bde957f4e1e7d0bb768841e

SHA1
360bc693f88b06652292664e3ecca6a901e9868e

SHA256
44e416b18fc755c8af0d957da9f22026c76890716fcdf1c626fed0fb98dd09c2

SHA512
570401f36fb604a39dda135c67a3cc03c3e367058b5925241762a8b903bb1fa96a600f20e48ab26487cfda117d451fa25a922a06f060cef40955398f77125768

Download Submit
C:\Users\Admin\AppData\Local\Temp\xvs32.exe
Filesize
566KB

MD5
0215b344b21e9da97911ef449849e488

SHA1
deef637d53a7c8d5dc852c125151dc0b2aecf688

SHA256
d66cfb5c09677a5d7ef781c7c09ef7d9cc35ae42db04f42d381bb1c895c52d0e

SHA512
a449057dae8af58465b21f3ec5bff03fecd14cc2a8c10d55fe265bae67ca56861e3ecd4159d870ff1f89852253db87e6aec7bb55d0e691dc570ea9a2589164bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\xvs32.exe
Filesize
566KB

MD5
0215b344b21e9da97911ef449849e488

SHA1
deef637d53a7c8d5dc852c125151dc0b2aecf688

SHA256
d66cfb5c09677a5d7ef781c7c09ef7d9cc35ae42db04f42d381bb1c895c52d0e

SHA512
a449057dae8af58465b21f3ec5bff03fecd14cc2a8c10d55fe265bae67ca56861e3ecd4159d870ff1f89852253db87e6aec7bb55d0e691dc570ea9a2589164bb

Download Submit
memory/2188-179-0x0000000000400000-0x00000000007CB000-memory.dmp

Filesize
3.8MB

Download
memory/2188-176-0x0000000000000000-mapping.dmp

Download
memory/3372-139-0x0000000000000000-mapping.dmp

Download
memory/4512-132-0x0000000000000000-mapping.dmp

Download
memory/4636-157-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/4636-165-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/4636-151-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/4636-152-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/4636-153-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/4636-154-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/4636-155-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/4636-158-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/4636-148-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/4636-159-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/4636-156-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/4636-160-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/4636-161-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/4636-163-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/4636-162-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/4636-150-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/4636-166-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/4636-167-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/4636-164-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/4636-168-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/4636-169-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/4636-170-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/4636-171-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/4636-172-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/4636-173-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/4636-174-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/4636-145-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/4636-147-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/4636-144-0x0000000000000000-mapping.dmp

Download
memory/4636-180-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/4892-135-0x0000000000000000-mapping.dmp

Download
memory/4892-143-0x00000000021E0000-0x00000000021E6000-memory.dmp

Filesize
24KB

Download