de464519d92957e77998135284148e32b4097f51e980084d587ec8fdcacf6ccc

General

Target

de464519d92957e77998135284148e32b4097f51e980084d587ec8fdcacf6ccc.exe
Size

535KB
MD5

180f21c876bcf411fc6be43f1871072d
SHA1

25767211bcf64f387ecdc74f512ff2a99a6f0cc8
SHA256

de464519d92957e77998135284148e32b4097f51e980084d587ec8fdcacf6ccc
SHA512

8d449a14076268905a87f3a9b1edc99e55af550bc6e8874532fb6e9b6804d1de3c27f218d6e1eb006b9ff66c5172f46794567b3f266cd2dd75ff046a0c046785
SSDEEP

12288:8Blq9I8/ZdkB7qeGvRHHVlXqgGzP+4WvX5nxzpsBc8gdlLGc/:83qi8ANGZH6RT+L9xaBc8gac/

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4224	Revo.Uninstaller.Pro.2.x.x.Generic.Patch-JW.exe
2160	sof.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0003000000022de4-133.dat	upx
behavioral2/files/0x0003000000022de4-134.dat	upx
behavioral2/memory/4224-140-0x0000000000400000-0x000000000043D000-memory.dmp	upx
behavioral2/memory/4224-141-0x0000000000400000-0x000000000043D000-memory.dmp	upx

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	de464519d92957e77998135284148e32b4097f51e980084d587ec8fdcacf6ccc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	sof.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3780	2160	WerFault.exe	82

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command-Line Interface

T1059

pid	Process
528	ipconfig.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2160	sof.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4828 wrote to memory of 4224	4828	de464519d92957e77998135284148e32b4097f51e980084d587ec8fdcacf6ccc.exe	81
PID 4828 wrote to memory of 4224	4828	de464519d92957e77998135284148e32b4097f51e980084d587ec8fdcacf6ccc.exe	81
PID 4828 wrote to memory of 4224	4828	de464519d92957e77998135284148e32b4097f51e980084d587ec8fdcacf6ccc.exe	81
PID 4828 wrote to memory of 2160	4828	de464519d92957e77998135284148e32b4097f51e980084d587ec8fdcacf6ccc.exe	82
PID 4828 wrote to memory of 2160	4828	de464519d92957e77998135284148e32b4097f51e980084d587ec8fdcacf6ccc.exe	82
PID 4828 wrote to memory of 2160	4828	de464519d92957e77998135284148e32b4097f51e980084d587ec8fdcacf6ccc.exe	82
PID 2160 wrote to memory of 528	2160	sof.exe	89
PID 2160 wrote to memory of 528	2160	sof.exe	89
PID 2160 wrote to memory of 528	2160	sof.exe	89

C:\Users\Admin\AppData\Local\Temp\de464519d92957e77998135284148e32b4097f51e980084d587ec8fdcacf6ccc.exe
"C:\Users\Admin\AppData\Local\Temp\de464519d92957e77998135284148e32b4097f51e980084d587ec8fdcacf6ccc.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4828
- C:\Users\Admin\AppData\Local\Temp\Revo.Uninstaller.Pro.2.x.x.Generic.Patch-JW.exe
  "C:\Users\Admin\AppData\Local\Temp\Revo.Uninstaller.Pro.2.x.x.Generic.Patch-JW.exe"
  2⤵
  - Executes dropped EXE
  PID:4224
- C:\Users\Admin\AppData\Local\Temp\sof.exe
  "C:\Users\Admin\AppData\Local\Temp\sof.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2160
- - C:\Windows\SysWOW64\ipconfig.exe
    "C:\Windows\System32\ipconfig.exe" /release
    3⤵
    - Gathers network information
    PID:528
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2160 -s 688
    3⤵
    - Program crash
    PID:3780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2160 -ip 2160
1⤵
PID:4812

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Revo.Uninstaller.Pro.2.x.x.Generic.Patch-JW.exe

Filesize
59KB

MD5
2a0063bb4d8669ddc603064c36bb290b

SHA1
49aefdf9e9f9d7c2f2af35c7f46dac6dc349618f

SHA256
5e84b6a41d3df263a83f67989f1401bd02cf9e13582d124cd44260e7ef9cac08

SHA512
9e1bce5c1c85aa4850ff7cc956147eb1bf231d8142f39152fe1b94f98be97b4f8c4853e9f5523e8b6d1c0aef60e86b02121623ba0b88583905eb69f7b14a8393

Download Submit
C:\Users\Admin\AppData\Local\Temp\Revo.Uninstaller.Pro.2.x.x.Generic.Patch-JW.exe

Filesize
59KB

MD5
2a0063bb4d8669ddc603064c36bb290b

SHA1
49aefdf9e9f9d7c2f2af35c7f46dac6dc349618f

SHA256
5e84b6a41d3df263a83f67989f1401bd02cf9e13582d124cd44260e7ef9cac08

SHA512
9e1bce5c1c85aa4850ff7cc956147eb1bf231d8142f39152fe1b94f98be97b4f8c4853e9f5523e8b6d1c0aef60e86b02121623ba0b88583905eb69f7b14a8393

Download Submit
C:\Users\Admin\AppData\Local\Temp\sof.exe

Filesize
512KB

MD5
323bf98564cf2c451da969c3112b08d7

SHA1
6009b0820241cd0443569447138d3337dd921628

SHA256
17849a3ccfab5fe04b16c21bc366e8a1e677e3d7fa7385846da514314cdef667

SHA512
7ec4131978b901b8fd94a29e2491edca820f0754669d11398070dcc03855c4aea6ec8c1c98846c303ebb44a6ab52fc55bb8fefe53ffa35c25757b91a6ec5a4a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\sof.exe

Filesize
512KB

MD5
323bf98564cf2c451da969c3112b08d7

SHA1
6009b0820241cd0443569447138d3337dd921628

SHA256
17849a3ccfab5fe04b16c21bc366e8a1e677e3d7fa7385846da514314cdef667

SHA512
7ec4131978b901b8fd94a29e2491edca820f0754669d11398070dcc03855c4aea6ec8c1c98846c303ebb44a6ab52fc55bb8fefe53ffa35c25757b91a6ec5a4a4

Download Submit
memory/4224-140-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4224-141-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads