6398d91815d64fb372c0125f7b53ac74788ae7c80ac704e1b6ab2e327042eac3

Analysis

max time kernel
123s
max time network
196s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
28-11-2022 13:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6398d91815d64fb372c0125f7b53ac74788ae7c80ac704e1b6ab2e327042eac3.exe
Size

525KB
MD5

1eb2572c36afe1832732413fcec49bbe
SHA1

cd9b8f19cc582920b6163bb2a58ed13a37e73b56
SHA256

6398d91815d64fb372c0125f7b53ac74788ae7c80ac704e1b6ab2e327042eac3
SHA512

72e4aa9a33982677662126f466093e190d4c6fd93793f406427669f245a532a8ae756ddc0a9f9931481a820dd206439fb3d6da8193d483eb5412b6c96de66de5
SSDEEP

6144:C9J623cdUmR7W6XKDla2nf9PzuDorEDGgrpO2gd2k4xsMiGAv5NIseImC:CJZMPQlakoBrEmBxed5NIse

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

ere.exe

pid process

5044 ere.exe

pid	process
5044	ere.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

6398d91815d64fb372c0125f7b53ac74788ae7c80ac704e1b6ab2e327042eac3.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	6398d91815d64fb372c0125f7b53ac74788ae7c80ac704e1b6ab2e327042eac3.exe

Drops file in Windows directory 1 IoCs

Processes:

dw20.exe

description ioc process

File created C:\Windows\AppCompat\Programs\Amcache.hve.tmp dw20.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\AppCompat\Programs\Amcache.hve.tmp	dw20.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

dw20.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

dw20.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

dw20.exe

description	pid	process
Token: SeRestorePrivilege	3972	dw20.exe
Token: SeBackupPrivilege	3972	dw20.exe
Token: SeBackupPrivilege	3972	dw20.exe
Token: SeBackupPrivilege	3972	dw20.exe
Token: SeBackupPrivilege	3972	dw20.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

6398d91815d64fb372c0125f7b53ac74788ae7c80ac704e1b6ab2e327042eac3.exeere.exe

description	pid	process	target process
PID 4612 wrote to memory of 5044	4612	6398d91815d64fb372c0125f7b53ac74788ae7c80ac704e1b6ab2e327042eac3.exe	ere.exe
PID 4612 wrote to memory of 5044	4612	6398d91815d64fb372c0125f7b53ac74788ae7c80ac704e1b6ab2e327042eac3.exe	ere.exe
PID 4612 wrote to memory of 5044	4612	6398d91815d64fb372c0125f7b53ac74788ae7c80ac704e1b6ab2e327042eac3.exe	ere.exe
PID 5044 wrote to memory of 3972	5044	ere.exe	dw20.exe
PID 5044 wrote to memory of 3972	5044	ere.exe	dw20.exe
PID 5044 wrote to memory of 3972	5044	ere.exe	dw20.exe

C:\Users\Admin\AppData\Local\Temp\6398d91815d64fb372c0125f7b53ac74788ae7c80ac704e1b6ab2e327042eac3.exe
"C:\Users\Admin\AppData\Local\Temp\6398d91815d64fb372c0125f7b53ac74788ae7c80ac704e1b6ab2e327042eac3.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4612

C:\Users\Admin\AppData\Local\Temp\ere.exe
"C:\Users\Admin\AppData\Local\Temp\ere.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5044

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:3972

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ere.exe
Filesize
485KB

MD5
a82944e62f537c142db0466278b41d60

SHA1
e9fc831042633e0865b8c3ee88ec0e114abe94f9

SHA256
7ae0c9441bcd1c1b6e313ac04d3ce923bae431670b6b98eff63f9dc5c2a13fb4

SHA512
d74e7745500ecabfc27f1f3eb4ac1ce1e1b8f745cb1179282f818c3b8a8f2f96c054f91fa8be059df0e41853243524eb734d2a4c8cb3a427a120e8936281aeaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\ere.exe
Filesize
485KB

MD5
a82944e62f537c142db0466278b41d60

SHA1
e9fc831042633e0865b8c3ee88ec0e114abe94f9

SHA256
7ae0c9441bcd1c1b6e313ac04d3ce923bae431670b6b98eff63f9dc5c2a13fb4

SHA512
d74e7745500ecabfc27f1f3eb4ac1ce1e1b8f745cb1179282f818c3b8a8f2f96c054f91fa8be059df0e41853243524eb734d2a4c8cb3a427a120e8936281aeaf

Download Submit
memory/3972-136-0x0000000000000000-mapping.dmp

Download
memory/5044-132-0x0000000000000000-mapping.dmp

Download
memory/5044-135-0x0000000074BE0000-0x0000000075191000-memory.dmp

Filesize
5.7MB

Download
memory/5044-137-0x0000000074BE0000-0x0000000075191000-memory.dmp

Filesize
5.7MB

Download
memory/5044-138-0x0000000074BE0000-0x0000000075191000-memory.dmp

Filesize
5.7MB

Download