daa8802270996f3d7b4835fd9fba42da054ad1a58403854c0f86b0666c631ac1

Analysis

max time kernel
291s
max time network
350s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
26-11-2022 11:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

114.exe
Size

928KB
MD5

1a3e186988e76f505a858eb30d77fa72
SHA1

c9a8f4429f588f2332b2e61bbdd67bbe7b9128c3
SHA256

d40a88423f47facdc46b66e7250866c8280b53733c1e366a077e8925aaa71953
SHA512

7fe896b8f7a1e5f091ed5f19a559adb5a29b4bc703cfa161adafe73cd71bdf18cf438c0c46bc96187288727dbc45e337fa8b14d1b80b7deef9a964df82d85ce3
SSDEEP

12288:x5OEfJo1mJxRHHE6mRsc9gC8NLhPtD6IA1x2eU8iacTSUvpvEIF8BQa7zPPm6TW4:xIEfJYOWQb8uTSURpF2NYIkBqzzKuN7v

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3252	yiCrfu.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral28/memory/3028-139-0x0000000000400000-0x00000000004CB000-memory.dmp	upx
behavioral28/memory/3028-141-0x0000000000400000-0x00000000004CB000-memory.dmp	upx
behavioral28/memory/3028-142-0x0000000000400000-0x00000000004CB000-memory.dmp	upx
behavioral28/memory/3028-145-0x0000000000400000-0x00000000004CB000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	114.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3252 set thread context of 3028	3252	yiCrfu.exe	84

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3252	yiCrfu.exe
3252	yiCrfu.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3028	svchost.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 3280 wrote to memory of 3252	3280	114.exe	82
PID 3280 wrote to memory of 3252	3280	114.exe	82
PID 3280 wrote to memory of 3252	3280	114.exe	82
PID 3252 wrote to memory of 3028	3252	yiCrfu.exe	84
PID 3252 wrote to memory of 3028	3252	yiCrfu.exe	84
PID 3252 wrote to memory of 3028	3252	yiCrfu.exe	84
PID 3252 wrote to memory of 3028	3252	yiCrfu.exe	84
PID 3252 wrote to memory of 3028	3252	yiCrfu.exe	84
PID 3252 wrote to memory of 3028	3252	yiCrfu.exe	84
PID 3252 wrote to memory of 3028	3252	yiCrfu.exe	84
PID 3252 wrote to memory of 3028	3252	yiCrfu.exe	84

C:\Users\Admin\AppData\Local\Temp\114.exe
"C:\Users\Admin\AppData\Local\Temp\114.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3280
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\yiCrfu.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\yiCrfu.exe" "mQtXRR"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3252
- - C:\Windows\SysWOW64\svchost.exe
    "C:\Windows\System32\svchost.exe"
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:3028

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\axMDDO.txt

Filesize
624KB

MD5
2b0448e32c7c95d988621668c12f9e96

SHA1
290109364637c40ddd59b6a2081bbbaff1550d90

SHA256
be8b0fd414c1f598d4d29f56eaf0e8728935886b39309409510c77379549951d

SHA512
062975a3ab0aff30fe97ca0d977ae27192edae70c5bbf4af1e0965cc2fc9eabb443b4531d0a6f93032c85de37c35a204fa9a2a8e0534d404b5703e8e90d1f960

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\mQtXRR

Filesize
5KB

MD5
cff1b9c7ffd3ba5e74f28138c0645ce8

SHA1
c9521d677e6b3a89d2e16ef1603c76c9111a7a33

SHA256
cf0cac28051e5fc7c45e1a1512abb2ea757bc3b0a16be033de2ddd66f05d7d64

SHA512
06adcfa4671c1a7a49c556d999f0b70be02f19cb01d87cc73ebceda2c3d749268e7b9533e655d73b623043476409ef814435002e44981adb1be92cd6d5e474d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\nfeiok.exe

Filesize
102KB

MD5
2acbda61d4267a5765695f12d090adfc

SHA1
c8f3388972ce8f759bb5e1102bf5ecf55a257b0c

SHA256
c54604d59b9ac39c092c282871ad3e3693b188208e379eabc5919902982800ce

SHA512
ea4067bc8fa1ff5ce6e5e2363217626bddfc8072fa0563ca2d679a4ca78c0c7509fa53c611604935976bfb2bfc44ff0b0370fb195364d622e494311fa03da160

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\yiCrfu.exe

Filesize
510KB

MD5
bae1ae33faf5a78f92d36c5beff333aa

SHA1
224ec26c41642f65e8fa9041de4cb8be97f019eb

SHA256
1c4a358205ba1dc9a65d347dca77197dba2b571a522ed62f9eadd026f7ff51b1

SHA512
476a063043bb0020cf05c374ddfce6e96d3a63ac5ebd25218b315b8803bafb9a4317bfa1aa0c400c8d339a66efc3ba6729ece1b685a25cef8fa7018f9e8f1ec8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\yiCrfu.exe

Filesize
510KB

MD5
bae1ae33faf5a78f92d36c5beff333aa

SHA1
224ec26c41642f65e8fa9041de4cb8be97f019eb

SHA256
1c4a358205ba1dc9a65d347dca77197dba2b571a522ed62f9eadd026f7ff51b1

SHA512
476a063043bb0020cf05c374ddfce6e96d3a63ac5ebd25218b315b8803bafb9a4317bfa1aa0c400c8d339a66efc3ba6729ece1b685a25cef8fa7018f9e8f1ec8

Download Submit
memory/3028-139-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/3028-141-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/3028-142-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/3028-145-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download