ae6f6f3d3ffd8d0008ca62f82b967c762453dd2dda29b4eee238aa9f37a5fee9

Analysis

max time kernel
144s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
27/11/2022, 01:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ae6f6f3d3ffd8d0008ca62f82b967c762453dd2dda29b4eee238aa9f37a5fee9.exe
Size

1.4MB
MD5

f8fc67ad1fed360cda5746c9de049573
SHA1

51e11aedf211d696260e288af6156ec01eebb8b3
SHA256

ae6f6f3d3ffd8d0008ca62f82b967c762453dd2dda29b4eee238aa9f37a5fee9
SHA512

dc2651873ca0724be07f83ad9c3322d76fcd59adfd4e60610e555b7d4d21097a4f286923ee047b7688a194f0472c3925cee2f58452a2205eda54114e7007c74a
SSDEEP

24576:r3Xzo/rlzewzj2Zfn8FkOjWr7DaaUOzKKXUGEaL67grMRqJy93OT+6s8LvwtW1p8:bXMBewzj2pOkO6r7DanuKKkVaL69bp/5

Score

8^/10

discovery

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 5 IoCs

pid	Process
2864	DCae6f6f3d3ffd8d0008ca62f82b967c762453dd2dda29b4eee238aa9f37a5fee9.exe
1844	DCae6f6f3d3ffd8d0008ca62f82b967c762453dd2dda29b4eee238aa9f37a5fee9.exe
1672	DCae6f6f3d3ffd8d0008ca62f82b967c762453dd2dda29b4eee238aa9f37a5fee9.exe
4140	DCae6f6f3d3ffd8d0008ca62f82b967c762453dd2dda29b4eee238aa9f37a5fee9.exe
3428	DCae6f6f3d3ffd8d0008ca62f82b967c762453dd2dda29b4eee238aa9f37a5fee9.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	DCae6f6f3d3ffd8d0008ca62f82b967c762453dd2dda29b4eee238aa9f37a5fee9.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	DCae6f6f3d3ffd8d0008ca62f82b967c762453dd2dda29b4eee238aa9f37a5fee9.exe

Loads dropped DLL 4 IoCs

pid	Process
4532	ae6f6f3d3ffd8d0008ca62f82b967c762453dd2dda29b4eee238aa9f37a5fee9.exe
4532	ae6f6f3d3ffd8d0008ca62f82b967c762453dd2dda29b4eee238aa9f37a5fee9.exe
4532	ae6f6f3d3ffd8d0008ca62f82b967c762453dd2dda29b4eee238aa9f37a5fee9.exe
2864	DCae6f6f3d3ffd8d0008ca62f82b967c762453dd2dda29b4eee238aa9f37a5fee9.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
2864	DCae6f6f3d3ffd8d0008ca62f82b967c762453dd2dda29b4eee238aa9f37a5fee9.exe
2864	DCae6f6f3d3ffd8d0008ca62f82b967c762453dd2dda29b4eee238aa9f37a5fee9.exe
2864	DCae6f6f3d3ffd8d0008ca62f82b967c762453dd2dda29b4eee238aa9f37a5fee9.exe
2864	DCae6f6f3d3ffd8d0008ca62f82b967c762453dd2dda29b4eee238aa9f37a5fee9.exe
2864	DCae6f6f3d3ffd8d0008ca62f82b967c762453dd2dda29b4eee238aa9f37a5fee9.exe
2864	DCae6f6f3d3ffd8d0008ca62f82b967c762453dd2dda29b4eee238aa9f37a5fee9.exe
2864	DCae6f6f3d3ffd8d0008ca62f82b967c762453dd2dda29b4eee238aa9f37a5fee9.exe
2864	DCae6f6f3d3ffd8d0008ca62f82b967c762453dd2dda29b4eee238aa9f37a5fee9.exe
2864	DCae6f6f3d3ffd8d0008ca62f82b967c762453dd2dda29b4eee238aa9f37a5fee9.exe
2864	DCae6f6f3d3ffd8d0008ca62f82b967c762453dd2dda29b4eee238aa9f37a5fee9.exe
2864	DCae6f6f3d3ffd8d0008ca62f82b967c762453dd2dda29b4eee238aa9f37a5fee9.exe
2864	DCae6f6f3d3ffd8d0008ca62f82b967c762453dd2dda29b4eee238aa9f37a5fee9.exe
2864	DCae6f6f3d3ffd8d0008ca62f82b967c762453dd2dda29b4eee238aa9f37a5fee9.exe
2864	DCae6f6f3d3ffd8d0008ca62f82b967c762453dd2dda29b4eee238aa9f37a5fee9.exe
2864	DCae6f6f3d3ffd8d0008ca62f82b967c762453dd2dda29b4eee238aa9f37a5fee9.exe
2864	DCae6f6f3d3ffd8d0008ca62f82b967c762453dd2dda29b4eee238aa9f37a5fee9.exe
2864	DCae6f6f3d3ffd8d0008ca62f82b967c762453dd2dda29b4eee238aa9f37a5fee9.exe
2864	DCae6f6f3d3ffd8d0008ca62f82b967c762453dd2dda29b4eee238aa9f37a5fee9.exe
2864	DCae6f6f3d3ffd8d0008ca62f82b967c762453dd2dda29b4eee238aa9f37a5fee9.exe
2864	DCae6f6f3d3ffd8d0008ca62f82b967c762453dd2dda29b4eee238aa9f37a5fee9.exe
2864	DCae6f6f3d3ffd8d0008ca62f82b967c762453dd2dda29b4eee238aa9f37a5fee9.exe
2864	DCae6f6f3d3ffd8d0008ca62f82b967c762453dd2dda29b4eee238aa9f37a5fee9.exe
2864	DCae6f6f3d3ffd8d0008ca62f82b967c762453dd2dda29b4eee238aa9f37a5fee9.exe
2864	DCae6f6f3d3ffd8d0008ca62f82b967c762453dd2dda29b4eee238aa9f37a5fee9.exe
2864	DCae6f6f3d3ffd8d0008ca62f82b967c762453dd2dda29b4eee238aa9f37a5fee9.exe
2864	DCae6f6f3d3ffd8d0008ca62f82b967c762453dd2dda29b4eee238aa9f37a5fee9.exe
2864	DCae6f6f3d3ffd8d0008ca62f82b967c762453dd2dda29b4eee238aa9f37a5fee9.exe
2864	DCae6f6f3d3ffd8d0008ca62f82b967c762453dd2dda29b4eee238aa9f37a5fee9.exe
2864	DCae6f6f3d3ffd8d0008ca62f82b967c762453dd2dda29b4eee238aa9f37a5fee9.exe
2864	DCae6f6f3d3ffd8d0008ca62f82b967c762453dd2dda29b4eee238aa9f37a5fee9.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1672	DCae6f6f3d3ffd8d0008ca62f82b967c762453dd2dda29b4eee238aa9f37a5fee9.exe
3428	DCae6f6f3d3ffd8d0008ca62f82b967c762453dd2dda29b4eee238aa9f37a5fee9.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4532 wrote to memory of 2864	4532	ae6f6f3d3ffd8d0008ca62f82b967c762453dd2dda29b4eee238aa9f37a5fee9.exe	80
PID 4532 wrote to memory of 2864	4532	ae6f6f3d3ffd8d0008ca62f82b967c762453dd2dda29b4eee238aa9f37a5fee9.exe	80
PID 4532 wrote to memory of 2864	4532	ae6f6f3d3ffd8d0008ca62f82b967c762453dd2dda29b4eee238aa9f37a5fee9.exe	80
PID 2864 wrote to memory of 1844	2864	DCae6f6f3d3ffd8d0008ca62f82b967c762453dd2dda29b4eee238aa9f37a5fee9.exe	83
PID 2864 wrote to memory of 1844	2864	DCae6f6f3d3ffd8d0008ca62f82b967c762453dd2dda29b4eee238aa9f37a5fee9.exe	83
PID 2864 wrote to memory of 1844	2864	DCae6f6f3d3ffd8d0008ca62f82b967c762453dd2dda29b4eee238aa9f37a5fee9.exe	83
PID 1844 wrote to memory of 1672	1844	DCae6f6f3d3ffd8d0008ca62f82b967c762453dd2dda29b4eee238aa9f37a5fee9.exe	84
PID 1844 wrote to memory of 1672	1844	DCae6f6f3d3ffd8d0008ca62f82b967c762453dd2dda29b4eee238aa9f37a5fee9.exe	84
PID 1844 wrote to memory of 1672	1844	DCae6f6f3d3ffd8d0008ca62f82b967c762453dd2dda29b4eee238aa9f37a5fee9.exe	84
PID 2864 wrote to memory of 4140	2864	DCae6f6f3d3ffd8d0008ca62f82b967c762453dd2dda29b4eee238aa9f37a5fee9.exe	85
PID 2864 wrote to memory of 4140	2864	DCae6f6f3d3ffd8d0008ca62f82b967c762453dd2dda29b4eee238aa9f37a5fee9.exe	85
PID 2864 wrote to memory of 4140	2864	DCae6f6f3d3ffd8d0008ca62f82b967c762453dd2dda29b4eee238aa9f37a5fee9.exe	85
PID 4140 wrote to memory of 3428	4140	DCae6f6f3d3ffd8d0008ca62f82b967c762453dd2dda29b4eee238aa9f37a5fee9.exe	87
PID 4140 wrote to memory of 3428	4140	DCae6f6f3d3ffd8d0008ca62f82b967c762453dd2dda29b4eee238aa9f37a5fee9.exe	87
PID 4140 wrote to memory of 3428	4140	DCae6f6f3d3ffd8d0008ca62f82b967c762453dd2dda29b4eee238aa9f37a5fee9.exe	87

C:\Users\Admin\AppData\Local\Temp\ae6f6f3d3ffd8d0008ca62f82b967c762453dd2dda29b4eee238aa9f37a5fee9.exe
"C:\Users\Admin\AppData\Local\Temp\ae6f6f3d3ffd8d0008ca62f82b967c762453dd2dda29b4eee238aa9f37a5fee9.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4532
- C:\Users\Admin\AppData\Local\Temp\nsuD364.tmp\DCae6f6f3d3ffd8d0008ca62f82b967c762453dd2dda29b4eee238aa9f37a5fee9.exe
  "C:\Users\Admin\AppData\Local\Temp\nsuD364.tmp\DCae6f6f3d3ffd8d0008ca62f82b967c762453dd2dda29b4eee238aa9f37a5fee9.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2864
- - C:\Users\Admin\AppData\Local\Temp\nsuD364.tmp\DCae6f6f3d3ffd8d0008ca62f82b967c762453dd2dda29b4eee238aa9f37a5fee9.exe
    C:\Users\Admin\AppData\Local\Temp\nsuD364.tmp\DCae6f6f3d3ffd8d0008ca62f82b967c762453dd2dda29b4eee238aa9f37a5fee9.exe /RUNPROCESS /fn=C:\Users\Admin\AppData\Local\Temp\nsuD364.tmp\DCae6f6f3d3ffd8d0008ca62f82b967c762453dd2dda29b4eee238aa9f37a5fee9.exe/arg= /RUNPROCESS /fn=C:\Users\Admin\AppData\Local\Temp\Install_3948\ins_geforce.exe /delay=2 /arg="/zdata=eyJkYXRhIjp7ImRhdGUiOiJGNVV6b2JyZGMxLDk5OTk5OTk5LTk5OTktNGIzYi1hNjJiLTQ3NmI4ZDA2MDE5YSwiLCJ1bnEiOiI5OTk5OTk5OS05OTk5LTRiM2ItYTYyYi00NzZiOGQwNjAxOWEifX0=" /timeout=0 /Mtx=Mtx19282
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1844
  - - C:\Users\Admin\AppData\Local\Temp\nsuD364.tmp\DCae6f6f3d3ffd8d0008ca62f82b967c762453dd2dda29b4eee238aa9f37a5fee9.exe
      C:\Users\Admin\AppData\Local\Temp\nsuD364.tmp\DCae6f6f3d3ffd8d0008ca62f82b967c762453dd2dda29b4eee238aa9f37a5fee9.exe /RUNPROCESS /fn=C:\Users\Admin\AppData\Local\Temp\Install_3948\ins_geforce.exe /delay=2 /arg="/zdata=eyJkYXRhIjp7ImRhdGUiOiJGNVV6b2JyZGMxLDk5OTk5OTk5LTk5OTktNGIzYi1hNjJiLTQ3NmI4ZDA2MDE5YSwiLCJ1bnEiOiI5OTk5OTk5OS05OTk5LTRiM2ItYTYyYi00NzZiOGQwNjAxOWEifX0=" /timeout=0 /Mtx=Mtx19282
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Suspicious use of SetWindowsHookEx
      PID:1672
- - C:\Users\Admin\AppData\Local\Temp\nsuD364.tmp\DCae6f6f3d3ffd8d0008ca62f82b967c762453dd2dda29b4eee238aa9f37a5fee9.exe
    C:\Users\Admin\AppData\Local\Temp\nsuD364.tmp\DCae6f6f3d3ffd8d0008ca62f82b967c762453dd2dda29b4eee238aa9f37a5fee9.exe /RUNPROCESS /fn=C:\Users\Admin\AppData\Local\Temp\nsuD364.tmp\DCae6f6f3d3ffd8d0008ca62f82b967c762453dd2dda29b4eee238aa9f37a5fee9.exe/arg= /RUNPROCESS /fn=C:\Users\Admin\AppData\Local\Temp\Install_3948\ins_sense.exe /delay=2 /arg="/zdata=eyJkYXRhIjp7ImRhdGUiOiJGNVV6b2JyZGMxLDk5OTk5OTk5LTk5OTktNGIzYi1hNjJiLTQ3NmI4ZDA2MDE5YSwiLCJ1bnEiOiI5OTk5OTk5OS05OTk5LTRiM2ItYTYyYi00NzZiOGQwNjAxOWEifX0=" /timeout=0 /Mtx=Mtx19282
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4140
  - - C:\Users\Admin\AppData\Local\Temp\nsuD364.tmp\DCae6f6f3d3ffd8d0008ca62f82b967c762453dd2dda29b4eee238aa9f37a5fee9.exe
      C:\Users\Admin\AppData\Local\Temp\nsuD364.tmp\DCae6f6f3d3ffd8d0008ca62f82b967c762453dd2dda29b4eee238aa9f37a5fee9.exe /RUNPROCESS /fn=C:\Users\Admin\AppData\Local\Temp\Install_3948\ins_sense.exe /delay=2 /arg="/zdata=eyJkYXRhIjp7ImRhdGUiOiJGNVV6b2JyZGMxLDk5OTk5OTk5LTk5OTktNGIzYi1hNjJiLTQ3NmI4ZDA2MDE5YSwiLCJ1bnEiOiI5OTk5OTk5OS05OTk5LTRiM2ItYTYyYi00NzZiOGQwNjAxOWEifX0=" /timeout=0 /Mtx=Mtx19282
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Suspicious use of SetWindowsHookEx
      PID:3428

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Install_3948\bxsdk32.dll

Filesize
920KB

MD5
05c47da12b0009bd98653f51287f7768

SHA1
7bc28dc52fd8a37fd74ad22b9072020535322bb5

SHA256
13807719fd3f4fde87b83bc1298a879cf7a5f49264b52c0a61735c2824e866bc

SHA512
9cc6ce9c2df8f6bb02187a25f91d53880c8041fe34acd943e3c536d8cd974150ae8acec7a2a472791bbeecb56bc019fb2800c75367011a38418036f00bbee894

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsuD364.tmp\D1989.dll

Filesize
14KB

MD5
904beebec2790ee2ca0c90fc448ac7e0

SHA1
40fabf1eb0a3b7168351c4514c5288216cb1566d

SHA256
f730d9385bf72eac5d579bcf1f7e4330f1d239ca1054d4ead48e9e363d9f4222

SHA512
8bdbbaaf73e396cf9fd9866b3e824b7e70c59a2bdefdb3236387e60d0e645d011265fe79fb193f6c0d6abe2e9c01260720c71cd8f068fcc4624760511c54efaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsuD364.tmp\D1989.dll

Filesize
14KB

MD5
904beebec2790ee2ca0c90fc448ac7e0

SHA1
40fabf1eb0a3b7168351c4514c5288216cb1566d

SHA256
f730d9385bf72eac5d579bcf1f7e4330f1d239ca1054d4ead48e9e363d9f4222

SHA512
8bdbbaaf73e396cf9fd9866b3e824b7e70c59a2bdefdb3236387e60d0e645d011265fe79fb193f6c0d6abe2e9c01260720c71cd8f068fcc4624760511c54efaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsuD364.tmp\DCae6f6f3d3ffd8d0008ca62f82b967c762453dd2dda29b4eee238aa9f37a5fee9.exe

Filesize
1.4MB

MD5
a8036aae3b67e920ee79ab59299ebc2a

SHA1
84d8e3202f9f250796a116d64568baec67999273

SHA256
3653a19e03f3742bb90039360b7f0baf3c91e2bbcd8f4ee91a58884cdf80eebb

SHA512
1b09eab739c7807644d51df6cdc60848f057fb2c63f217fa844a49bb740eddbbf63d86e434c5ef9a31793b1925965c521df303b3be0b278eeef51d1551454f86

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsuD364.tmp\DCae6f6f3d3ffd8d0008ca62f82b967c762453dd2dda29b4eee238aa9f37a5fee9.exe

Filesize
1.4MB

MD5
a8036aae3b67e920ee79ab59299ebc2a

SHA1
84d8e3202f9f250796a116d64568baec67999273

SHA256
3653a19e03f3742bb90039360b7f0baf3c91e2bbcd8f4ee91a58884cdf80eebb

SHA512
1b09eab739c7807644d51df6cdc60848f057fb2c63f217fa844a49bb740eddbbf63d86e434c5ef9a31793b1925965c521df303b3be0b278eeef51d1551454f86

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsuD364.tmp\DCae6f6f3d3ffd8d0008ca62f82b967c762453dd2dda29b4eee238aa9f37a5fee9.exe

Filesize
1.4MB

MD5
a8036aae3b67e920ee79ab59299ebc2a

SHA1
84d8e3202f9f250796a116d64568baec67999273

SHA256
3653a19e03f3742bb90039360b7f0baf3c91e2bbcd8f4ee91a58884cdf80eebb

SHA512
1b09eab739c7807644d51df6cdc60848f057fb2c63f217fa844a49bb740eddbbf63d86e434c5ef9a31793b1925965c521df303b3be0b278eeef51d1551454f86

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsuD364.tmp\DCae6f6f3d3ffd8d0008ca62f82b967c762453dd2dda29b4eee238aa9f37a5fee9.exe

Filesize
1.4MB

MD5
a8036aae3b67e920ee79ab59299ebc2a

SHA1
84d8e3202f9f250796a116d64568baec67999273

SHA256
3653a19e03f3742bb90039360b7f0baf3c91e2bbcd8f4ee91a58884cdf80eebb

SHA512
1b09eab739c7807644d51df6cdc60848f057fb2c63f217fa844a49bb740eddbbf63d86e434c5ef9a31793b1925965c521df303b3be0b278eeef51d1551454f86

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsuD364.tmp\DCae6f6f3d3ffd8d0008ca62f82b967c762453dd2dda29b4eee238aa9f37a5fee9.exe

Filesize
1.4MB

MD5
a8036aae3b67e920ee79ab59299ebc2a

SHA1
84d8e3202f9f250796a116d64568baec67999273

SHA256
3653a19e03f3742bb90039360b7f0baf3c91e2bbcd8f4ee91a58884cdf80eebb

SHA512
1b09eab739c7807644d51df6cdc60848f057fb2c63f217fa844a49bb740eddbbf63d86e434c5ef9a31793b1925965c521df303b3be0b278eeef51d1551454f86

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsuD364.tmp\DCae6f6f3d3ffd8d0008ca62f82b967c762453dd2dda29b4eee238aa9f37a5fee9.exe

Filesize
1.4MB

MD5
a8036aae3b67e920ee79ab59299ebc2a

SHA1
84d8e3202f9f250796a116d64568baec67999273

SHA256
3653a19e03f3742bb90039360b7f0baf3c91e2bbcd8f4ee91a58884cdf80eebb

SHA512
1b09eab739c7807644d51df6cdc60848f057fb2c63f217fa844a49bb740eddbbf63d86e434c5ef9a31793b1925965c521df303b3be0b278eeef51d1551454f86

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsuD364.tmp\System.dll

Filesize
11KB

MD5
a436db0c473a087eb61ff5c53c34ba27

SHA1
65ea67e424e75f5065132b539c8b2eda88aa0506

SHA256
75ed40311875312617d6711baed0be29fcaee71031ca27a8d308a72b15a51e49

SHA512
908f46a855480af6eacb2fb64de0e60b1e04bbb10b23992e2cf38a4cbebdcd7d3928c4c022d7ad9f7479265a8f426b93eef580afec95570e654c360d62f5e08d

Download Submit
memory/4532-135-0x0000000002391000-0x0000000002394000-memory.dmp

Filesize
12KB

Download