f186f635a43305c610cad7abc0b55d7287fb3a9c5e6b9a55004c2bc2d1201598

General

Target

f186f635a43305c610cad7abc0b55d7287fb3a9c5e6b9a55004c2bc2d1201598.exe
Size

4.7MB
MD5

70174833a54bd0748a476c3877b1e91c
SHA1

4bbe522c0f5f8348049c93ab946c635cfd1365b0
SHA256

f186f635a43305c610cad7abc0b55d7287fb3a9c5e6b9a55004c2bc2d1201598
SHA512

540b38a51aafa263f3f538e065919c686952e762980d8d31d332962ff30fa4bdc72c4f0bfd9fd527831fbf56f751903768d55e0e89044f141ce5572334022b38
SSDEEP

98304:Ayh2A9KPK/5/o4IFIqRi97IThdHFNP6Fh8MIWEpUeB6tFDWjF8hEWJ9cNb:v2vwA4IrS72dlNP6FFpMUeBcg8hrJ9ib

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
4832	start8-setup.exe
4888	sof.exe
3504	irsetup.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0006000000022f75-141.dat	upx
behavioral2/files/0x0006000000022f75-142.dat	upx
behavioral2/memory/3504-145-0x0000000000400000-0x00000000007CB000-memory.dmp	upx
behavioral2/memory/3504-146-0x0000000000400000-0x00000000007CB000-memory.dmp	upx

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	sof.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	f186f635a43305c610cad7abc0b55d7287fb3a9c5e6b9a55004c2bc2d1201598.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	start8-setup.exe

Loads dropped DLL 1 IoCs

pid	Process
3504	irsetup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4168	4888	WerFault.exe	81

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command-Line Interface

T1059

pid	Process
112	ipconfig.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
4888	sof.exe
3504	irsetup.exe
3504	irsetup.exe
3504	irsetup.exe
3504	irsetup.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3712 wrote to memory of 4832	3712	f186f635a43305c610cad7abc0b55d7287fb3a9c5e6b9a55004c2bc2d1201598.exe	80
PID 3712 wrote to memory of 4832	3712	f186f635a43305c610cad7abc0b55d7287fb3a9c5e6b9a55004c2bc2d1201598.exe	80
PID 3712 wrote to memory of 4832	3712	f186f635a43305c610cad7abc0b55d7287fb3a9c5e6b9a55004c2bc2d1201598.exe	80
PID 3712 wrote to memory of 4888	3712	f186f635a43305c610cad7abc0b55d7287fb3a9c5e6b9a55004c2bc2d1201598.exe	81
PID 3712 wrote to memory of 4888	3712	f186f635a43305c610cad7abc0b55d7287fb3a9c5e6b9a55004c2bc2d1201598.exe	81
PID 3712 wrote to memory of 4888	3712	f186f635a43305c610cad7abc0b55d7287fb3a9c5e6b9a55004c2bc2d1201598.exe	81
PID 4832 wrote to memory of 3504	4832	start8-setup.exe	82
PID 4832 wrote to memory of 3504	4832	start8-setup.exe	82
PID 4832 wrote to memory of 3504	4832	start8-setup.exe	82
PID 4888 wrote to memory of 112	4888	sof.exe	86
PID 4888 wrote to memory of 112	4888	sof.exe	86
PID 4888 wrote to memory of 112	4888	sof.exe	86

C:\Users\Admin\AppData\Local\Temp\f186f635a43305c610cad7abc0b55d7287fb3a9c5e6b9a55004c2bc2d1201598.exe
"C:\Users\Admin\AppData\Local\Temp\f186f635a43305c610cad7abc0b55d7287fb3a9c5e6b9a55004c2bc2d1201598.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3712
- C:\Users\Admin\AppData\Local\Temp\start8-setup.exe
  "C:\Users\Admin\AppData\Local\Temp\start8-setup.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:4832
- - C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
    "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:2096170 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\start8-setup.exe" "__IRCT:3" "__IRTSS:4709125" "__IRSID:S-1-5-21-2891029575-1462575-1165213807-1000"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:3504
- C:\Users\Admin\AppData\Local\Temp\sof.exe
  "C:\Users\Admin\AppData\Local\Temp\sof.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4888
- - C:\Windows\SysWOW64\ipconfig.exe
    "C:\Windows\System32\ipconfig.exe" /release
    3⤵
    - Gathers network information
    PID:112
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4888 -s 1164
    3⤵
    - Program crash
    PID:4168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4888 -ip 4888
1⤵
PID:4144

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
4b2bf55c9737e5e11f508d862d8ff74b

SHA1
a96ba213a2600720cb6076f9854cbe10a7772296

SHA256
6d8a34d1fe577a7c0f7fa7f1f066205de9c54a737c02c95603dd69ce369242e7

SHA512
90575bdb478c0e46bd7f8af53fcd2e4facef6f5c74dcefbd65e25f916b0f6a3f3d314b5810fba5a97e88d6eb5d0ecb4271d811cc2f4fcde687e1a0b915b09fe7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
4b2bf55c9737e5e11f508d862d8ff74b

SHA1
a96ba213a2600720cb6076f9854cbe10a7772296

SHA256
6d8a34d1fe577a7c0f7fa7f1f066205de9c54a737c02c95603dd69ce369242e7

SHA512
90575bdb478c0e46bd7f8af53fcd2e4facef6f5c74dcefbd65e25f916b0f6a3f3d314b5810fba5a97e88d6eb5d0ecb4271d811cc2f4fcde687e1a0b915b09fe7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll

Filesize
318KB

MD5
98bf508c6c2087d0c53374c3af38e7a7

SHA1
59c60529a739c337843b351c8058082afb3edc54

SHA256
9d7ce814a91b8659ab6266cfacd6316828d41538bf8fba9667f9e068d020af6d

SHA512
9d156fd2d7c06a8e88cbb78a7d249f8964f3e05c2818b80f236b6d3188cb8e42f269c34d36efbd50d6b5e50eaf97eaab360b90aeef4c64860f42a86ba0eec32b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll

Filesize
318KB

MD5
98bf508c6c2087d0c53374c3af38e7a7

SHA1
59c60529a739c337843b351c8058082afb3edc54

SHA256
9d7ce814a91b8659ab6266cfacd6316828d41538bf8fba9667f9e068d020af6d

SHA512
9d156fd2d7c06a8e88cbb78a7d249f8964f3e05c2818b80f236b6d3188cb8e42f269c34d36efbd50d6b5e50eaf97eaab360b90aeef4c64860f42a86ba0eec32b

Download Submit
C:\Users\Admin\AppData\Local\Temp\sof.exe

Filesize
512KB

MD5
323bf98564cf2c451da969c3112b08d7

SHA1
6009b0820241cd0443569447138d3337dd921628

SHA256
17849a3ccfab5fe04b16c21bc366e8a1e677e3d7fa7385846da514314cdef667

SHA512
7ec4131978b901b8fd94a29e2491edca820f0754669d11398070dcc03855c4aea6ec8c1c98846c303ebb44a6ab52fc55bb8fefe53ffa35c25757b91a6ec5a4a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\sof.exe

Filesize
512KB

MD5
323bf98564cf2c451da969c3112b08d7

SHA1
6009b0820241cd0443569447138d3337dd921628

SHA256
17849a3ccfab5fe04b16c21bc366e8a1e677e3d7fa7385846da514314cdef667

SHA512
7ec4131978b901b8fd94a29e2491edca820f0754669d11398070dcc03855c4aea6ec8c1c98846c303ebb44a6ab52fc55bb8fefe53ffa35c25757b91a6ec5a4a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\start8-setup.exe

Filesize
4.5MB

MD5
baa0be4f179139077917365dda3ce39f

SHA1
dc09de16d78cba055ab1c3dfd470b092cd7a0811

SHA256
799d1adc082eb7eceee3c4024c117f59ee5f371eaa811087c61f0d4514d0efff

SHA512
d7f33e46b4a164946b58b64e3c059d277d059299464a35a46728242853ffbfa2f367af9a4f48299b4d158ba37e717f13ca6934d89d23a4add1202a57b6c12373

Download Submit
C:\Users\Admin\AppData\Local\Temp\start8-setup.exe

Filesize
4.5MB

MD5
baa0be4f179139077917365dda3ce39f

SHA1
dc09de16d78cba055ab1c3dfd470b092cd7a0811

SHA256
799d1adc082eb7eceee3c4024c117f59ee5f371eaa811087c61f0d4514d0efff

SHA512
d7f33e46b4a164946b58b64e3c059d277d059299464a35a46728242853ffbfa2f367af9a4f48299b4d158ba37e717f13ca6934d89d23a4add1202a57b6c12373

Download Submit
memory/3504-145-0x0000000000400000-0x00000000007CB000-memory.dmp

Filesize
3.8MB

Download
memory/3504-146-0x0000000000400000-0x00000000007CB000-memory.dmp

Filesize
3.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads