e7b70df76925ff1c7559bb526bf7f51ff2dc1c9219a3d169a64f51abac0d048c

Analysis

max time kernel
141s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
27/11/2022, 11:29

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

e7b70df76925ff1c7559bb526bf7f51ff2dc1c9219a3d169a64f51abac0d048c.exe
Size

1.0MB
MD5

a04f93978a3f28e28fcfb19fbf2dac5a
SHA1

15c804e499f8ab46a377e50674c0e0df31282ce6
SHA256

e7b70df76925ff1c7559bb526bf7f51ff2dc1c9219a3d169a64f51abac0d048c
SHA512

0330ad98907293a668cfed90c9f52df67b30c53bbe97dea0abd2d1e01e3baf98553e96c7794ef3bceeb42e285f78a15c2aa5d6d8b322f44ba12ab791b60a053b
SSDEEP

12288:j5ORcHoQppTTq1T/gS4IAQsCV6HW/2gmz3Kg4Di5LoUv1UpsSRwKIg:jIJkqt/gDkV6HJfzag4DiloU9UpsEwU

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1364	pRKjGE.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4176-139-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral2/memory/4176-141-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral2/memory/4176-142-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral2/memory/4176-145-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral2/memory/4792-150-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/4792-149-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/4792-147-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/4792-151-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/4176-154-0x0000000000400000-0x0000000000460000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	e7b70df76925ff1c7559bb526bf7f51ff2dc1c9219a3d169a64f51abac0d048c.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1364 set thread context of 4176	1364	pRKjGE.exe	82
PID 4176 set thread context of 4792	4176	svchost.exe	83
PID 4176 set thread context of 4692	4176	svchost.exe	84

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1852	4692	WerFault.exe	84

Suspicious behavior: EnumeratesProcesses 52 IoCs

pid	Process
1364	pRKjGE.exe
1364	pRKjGE.exe
4176	svchost.exe
4176	svchost.exe
4176	svchost.exe
4176	svchost.exe
4176	svchost.exe
4176	svchost.exe
4176	svchost.exe
4176	svchost.exe
4176	svchost.exe
4176	svchost.exe
4176	svchost.exe
4176	svchost.exe
4176	svchost.exe
4176	svchost.exe
4176	svchost.exe
4176	svchost.exe
4176	svchost.exe
4176	svchost.exe
4176	svchost.exe
4176	svchost.exe
4176	svchost.exe
4176	svchost.exe
4176	svchost.exe
4176	svchost.exe
4176	svchost.exe
4176	svchost.exe
4176	svchost.exe
4176	svchost.exe
4176	svchost.exe
4176	svchost.exe
4176	svchost.exe
4176	svchost.exe
4176	svchost.exe
4176	svchost.exe
4176	svchost.exe
4176	svchost.exe
4176	svchost.exe
4176	svchost.exe
4176	svchost.exe
4176	svchost.exe
4176	svchost.exe
4176	svchost.exe
4176	svchost.exe
4176	svchost.exe
4176	svchost.exe
4176	svchost.exe
4176	svchost.exe
4176	svchost.exe
4176	svchost.exe
4176	svchost.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4792	svchost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4176	svchost.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 2088 wrote to memory of 1364	2088	e7b70df76925ff1c7559bb526bf7f51ff2dc1c9219a3d169a64f51abac0d048c.exe	81
PID 2088 wrote to memory of 1364	2088	e7b70df76925ff1c7559bb526bf7f51ff2dc1c9219a3d169a64f51abac0d048c.exe	81
PID 2088 wrote to memory of 1364	2088	e7b70df76925ff1c7559bb526bf7f51ff2dc1c9219a3d169a64f51abac0d048c.exe	81
PID 1364 wrote to memory of 4176	1364	pRKjGE.exe	82
PID 1364 wrote to memory of 4176	1364	pRKjGE.exe	82
PID 1364 wrote to memory of 4176	1364	pRKjGE.exe	82
PID 1364 wrote to memory of 4176	1364	pRKjGE.exe	82
PID 1364 wrote to memory of 4176	1364	pRKjGE.exe	82
PID 1364 wrote to memory of 4176	1364	pRKjGE.exe	82
PID 1364 wrote to memory of 4176	1364	pRKjGE.exe	82
PID 1364 wrote to memory of 4176	1364	pRKjGE.exe	82
PID 4176 wrote to memory of 4792	4176	svchost.exe	83
PID 4176 wrote to memory of 4792	4176	svchost.exe	83
PID 4176 wrote to memory of 4792	4176	svchost.exe	83
PID 4176 wrote to memory of 4792	4176	svchost.exe	83
PID 4176 wrote to memory of 4792	4176	svchost.exe	83
PID 4176 wrote to memory of 4792	4176	svchost.exe	83
PID 4176 wrote to memory of 4792	4176	svchost.exe	83
PID 4176 wrote to memory of 4792	4176	svchost.exe	83
PID 4176 wrote to memory of 4692	4176	svchost.exe	84
PID 4176 wrote to memory of 4692	4176	svchost.exe	84
PID 4176 wrote to memory of 4692	4176	svchost.exe	84
PID 4176 wrote to memory of 4692	4176	svchost.exe	84

C:\Users\Admin\AppData\Local\Temp\e7b70df76925ff1c7559bb526bf7f51ff2dc1c9219a3d169a64f51abac0d048c.exe
"C:\Users\Admin\AppData\Local\Temp\e7b70df76925ff1c7559bb526bf7f51ff2dc1c9219a3d169a64f51abac0d048c.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2088
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\pRKjGE.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\pRKjGE.exe" "DycPrB"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1364
- - C:\Windows\SysWOW64\svchost.exe
    "C:\Windows\System32\svchost.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4176
  - - C:\Windows\SysWOW64\svchost.exe
      "C:\Windows\SysWOW64\svchost.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4792
  - - C:\Windows\SysWOW64\svchost.exe
      "C:\Windows\SysWOW64\svchost.exe"
      4⤵
      PID:4692
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4692 -s 84
        5⤵
        Program crash
        
        PID:1852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4692 -ip 4692
1⤵
PID:4120

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\DycPrB

Filesize
5KB

MD5
91087de4aeacfe4036d445aae61b1394

SHA1
96538cf12ca5b06b4111b36fd4bf767f31cc960c

SHA256
513a456feab6f4da16014c7cfa698cae798b9879b0ceedcc60c63f4edf7c3d09

SHA512
d02c30db3f102d649da60ff94078e1ec68c721b8dfd74b5803feea98a2b8c94356a5bc5faa9877abeaab23776cd296d148b57e70d06adc5fcd05f9f8174fee12

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\fDwLmn.txt

Filesize
297KB

MD5
cfeae746f3979dcca90b9e287f18b80d

SHA1
c0823adeb638ad345602246c3496228e4085907a

SHA256
a30c582192ce2d81c27420ee169fd9f7d56feeca8ca19ee6ad6e36d2b32854a2

SHA512
17dd7807cf5b407c30b1dcf971bde8061e1d17f0a199cf16e24ba96f991bfabe4cee2531fc58f8bbf83a4dab6224962163c8d152fea4e9c1d1027c2845b82817

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\pRKjGE.exe

Filesize
912KB

MD5
6a93a4071cc7c22628af40a4d872f49b

SHA1
ba916e686aa0cae19ab907bdab94924ada92b5f4

SHA256
8465f3fcbccce3ea12495edbb0bd09c3b066e3df891613ce3180f9bb38b37b01

SHA512
5a26af395a03397aadab13a53cac320f1d8bbe77046a61ae12e1f72f93df7afb360f52ef52f979f7b946a814365a298c3a3a536add6cdd7165896fb82abc4afd

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\pRKjGE.exe

Filesize
912KB

MD5
6a93a4071cc7c22628af40a4d872f49b

SHA1
ba916e686aa0cae19ab907bdab94924ada92b5f4

SHA256
8465f3fcbccce3ea12495edbb0bd09c3b066e3df891613ce3180f9bb38b37b01

SHA512
5a26af395a03397aadab13a53cac320f1d8bbe77046a61ae12e1f72f93df7afb360f52ef52f979f7b946a814365a298c3a3a536add6cdd7165896fb82abc4afd

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\skPqYk.exe

Filesize
102KB

MD5
6b921948413e532e0cde806f4e9a5449

SHA1
6085ad2ab8324da09400e75081a2ba98de0b2a4f

SHA256
d0b0b68cbff33af198b7b7199202eb6f52d5f2b75d5070a4fcd7ad20b358e351

SHA512
263a24e0ab14718f5babfd1cf21522ee0edadda1822dddfc19f93933ff861cee6f033ca086e3594690cb4c2d89c9605c3ce43b4ed5769cee19d0c6dd8e860a79

Download Submit
memory/4176-141-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/4176-139-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/4176-142-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/4176-145-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/4176-154-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/4792-150-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4792-149-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4792-147-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4792-151-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download