53f2afd2af894c2dd547fcbeaea38e86ff5bf047201b4fb32e1219a93904740c

Analysis

max time kernel
357s
max time network
409s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
29/11/2022, 04:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

53f2afd2af894c2dd547fcbeaea38e86ff5bf047201b4fb32e1219a93904740c.exe
Size

7.5MB
MD5

479d45353be85fd73e7184b3248bdae9
SHA1

ef56904eb622481612b00d3988483ce8b41f9308
SHA256

53f2afd2af894c2dd547fcbeaea38e86ff5bf047201b4fb32e1219a93904740c
SHA512

85d317246ccf517eac3d5a2281e3755aeeac470f9336431e8d2ee90eaa7c28b6a3ad6d6f924c71e4a24b19570abd4eed61745b0a6430212f1977d54b0d3b1776
SSDEEP

12288:bdPUPFdPZdPhPFdPZdPmPFdPZdP/PFdPZdPvOP7dP0PFdPZdPRPFdPZdPaPFdPZg:Jm5ZEbNWDyTFtj

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
4596	notpad.exe
2320	tmp240867687.exe
3216	tmp240867781.exe
640	notpad.exe
4736	tmp240870187.exe
1776	tmp240871171.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0008000000022e1d-133.dat	upx
behavioral2/files/0x0008000000022e1d-134.dat	upx
behavioral2/memory/4596-142-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0008000000022e12-139.dat	upx
behavioral2/files/0x0006000000022e24-144.dat	upx
behavioral2/files/0x0006000000022e24-145.dat	upx
behavioral2/memory/640-146-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x000a000000022e1d-154.dat	upx
behavioral2/memory/640-155-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x000a000000022e1d-153.dat	upx
behavioral2/files/0x0008000000022e12-151.dat	upx
behavioral2/memory/1776-156-0x0000000000400000-0x000000000041F000-memory.dmp	upx

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	53f2afd2af894c2dd547fcbeaea38e86ff5bf047201b4fb32e1219a93904740c.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	tmp240867687.exe

Drops file in System32 directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	53f2afd2af894c2dd547fcbeaea38e86ff5bf047201b4fb32e1219a93904740c.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240867687.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240867687.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240870187.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240870187.exe
File created	C:\Windows\SysWOW64\fsb.tmp	53f2afd2af894c2dd547fcbeaea38e86ff5bf047201b4fb32e1219a93904740c.exe
File created	C:\Windows\SysWOW64\notpad.exe	53f2afd2af894c2dd547fcbeaea38e86ff5bf047201b4fb32e1219a93904740c.exe
File created	C:\Windows\SysWOW64\notpad.exe-	53f2afd2af894c2dd547fcbeaea38e86ff5bf047201b4fb32e1219a93904740c.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240867687.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240870187.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 3 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	53f2afd2af894c2dd547fcbeaea38e86ff5bf047201b4fb32e1219a93904740c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240867687.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240870187.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1608 wrote to memory of 4596	1608	53f2afd2af894c2dd547fcbeaea38e86ff5bf047201b4fb32e1219a93904740c.exe	81
PID 1608 wrote to memory of 4596	1608	53f2afd2af894c2dd547fcbeaea38e86ff5bf047201b4fb32e1219a93904740c.exe	81
PID 1608 wrote to memory of 4596	1608	53f2afd2af894c2dd547fcbeaea38e86ff5bf047201b4fb32e1219a93904740c.exe	81
PID 4596 wrote to memory of 2320	4596	notpad.exe	82
PID 4596 wrote to memory of 2320	4596	notpad.exe	82
PID 4596 wrote to memory of 2320	4596	notpad.exe	82
PID 4596 wrote to memory of 3216	4596	notpad.exe	83
PID 4596 wrote to memory of 3216	4596	notpad.exe	83
PID 4596 wrote to memory of 3216	4596	notpad.exe	83
PID 2320 wrote to memory of 640	2320	tmp240867687.exe	84
PID 2320 wrote to memory of 640	2320	tmp240867687.exe	84
PID 2320 wrote to memory of 640	2320	tmp240867687.exe	84
PID 640 wrote to memory of 4736	640	notpad.exe	85
PID 640 wrote to memory of 4736	640	notpad.exe	85
PID 640 wrote to memory of 4736	640	notpad.exe	85
PID 640 wrote to memory of 1776	640	notpad.exe	86
PID 640 wrote to memory of 1776	640	notpad.exe	86
PID 640 wrote to memory of 1776	640	notpad.exe	86

C:\Users\Admin\AppData\Local\Temp\53f2afd2af894c2dd547fcbeaea38e86ff5bf047201b4fb32e1219a93904740c.exe
"C:\Users\Admin\AppData\Local\Temp\53f2afd2af894c2dd547fcbeaea38e86ff5bf047201b4fb32e1219a93904740c.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1608
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4596
- - C:\Users\Admin\AppData\Local\Temp\tmp240867687.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240867687.exe
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2320
  - - C:\Windows\SysWOW64\notpad.exe
      "C:\Windows\system32\notpad.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:640
    - - C:\Users\Admin\AppData\Local\Temp\tmp240870187.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240870187.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4736
    - - C:\Users\Admin\AppData\Local\Temp\tmp240871171.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240871171.exe
        5⤵
        Executes dropped EXE
        
        PID:1776
- - C:\Users\Admin\AppData\Local\Temp\tmp240867781.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240867781.exe
    3⤵
    - Executes dropped EXE
    PID:3216

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp240867687.exe

Filesize
7.5MB

MD5
479d45353be85fd73e7184b3248bdae9

SHA1
ef56904eb622481612b00d3988483ce8b41f9308

SHA256
53f2afd2af894c2dd547fcbeaea38e86ff5bf047201b4fb32e1219a93904740c

SHA512
85d317246ccf517eac3d5a2281e3755aeeac470f9336431e8d2ee90eaa7c28b6a3ad6d6f924c71e4a24b19570abd4eed61745b0a6430212f1977d54b0d3b1776

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240867687.exe

Filesize
7.5MB

MD5
479d45353be85fd73e7184b3248bdae9

SHA1
ef56904eb622481612b00d3988483ce8b41f9308

SHA256
53f2afd2af894c2dd547fcbeaea38e86ff5bf047201b4fb32e1219a93904740c

SHA512
85d317246ccf517eac3d5a2281e3755aeeac470f9336431e8d2ee90eaa7c28b6a3ad6d6f924c71e4a24b19570abd4eed61745b0a6430212f1977d54b0d3b1776

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240867781.exe

Filesize
162KB

MD5
e92d3a824a0578a50d2dd81b5060145f

SHA1
50ef7c645fd5cbb95d50fbaddf6213800f9296ec

SHA256
87f53bc444c05230ce439dbb127c03f2e374067d6fb08e91c834371fd9ecf661

SHA512
40d0ac6fa5a424b099923fcdb465e9a2f44569af1c75cf05323315a8720517316a7e8627be248cff3a83382fb6db1cf026161f627a39bc1908e63f67a34c0fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240870187.exe

Filesize
7.5MB

MD5
479d45353be85fd73e7184b3248bdae9

SHA1
ef56904eb622481612b00d3988483ce8b41f9308

SHA256
53f2afd2af894c2dd547fcbeaea38e86ff5bf047201b4fb32e1219a93904740c

SHA512
85d317246ccf517eac3d5a2281e3755aeeac470f9336431e8d2ee90eaa7c28b6a3ad6d6f924c71e4a24b19570abd4eed61745b0a6430212f1977d54b0d3b1776

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240870187.exe

Filesize
7.5MB

MD5
479d45353be85fd73e7184b3248bdae9

SHA1
ef56904eb622481612b00d3988483ce8b41f9308

SHA256
53f2afd2af894c2dd547fcbeaea38e86ff5bf047201b4fb32e1219a93904740c

SHA512
85d317246ccf517eac3d5a2281e3755aeeac470f9336431e8d2ee90eaa7c28b6a3ad6d6f924c71e4a24b19570abd4eed61745b0a6430212f1977d54b0d3b1776

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240871171.exe

Filesize
7.7MB

MD5
9c3a1e6b7bd177736d4aa4a388cccf37

SHA1
fdb8cb58b26cf7ca381f69252cc4a2abc3a128f2

SHA256
dd33ec991389ce38b6e8953435ab9415c89c5600add32d505c8e58bf68c296e2

SHA512
b6590217a21e8011c7c82c9b7da5bea71f218255bece96e3673c30bf372a37a83516db236e57161892580b84b69bfd2e98a1d9460e805a545642b3344aec8ff1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240871171.exe

Filesize
7.7MB

MD5
9c3a1e6b7bd177736d4aa4a388cccf37

SHA1
fdb8cb58b26cf7ca381f69252cc4a2abc3a128f2

SHA256
dd33ec991389ce38b6e8953435ab9415c89c5600add32d505c8e58bf68c296e2

SHA512
b6590217a21e8011c7c82c9b7da5bea71f218255bece96e3673c30bf372a37a83516db236e57161892580b84b69bfd2e98a1d9460e805a545642b3344aec8ff1

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
7.5MB

MD5
479d45353be85fd73e7184b3248bdae9

SHA1
ef56904eb622481612b00d3988483ce8b41f9308

SHA256
53f2afd2af894c2dd547fcbeaea38e86ff5bf047201b4fb32e1219a93904740c

SHA512
85d317246ccf517eac3d5a2281e3755aeeac470f9336431e8d2ee90eaa7c28b6a3ad6d6f924c71e4a24b19570abd4eed61745b0a6430212f1977d54b0d3b1776

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
7.5MB

MD5
479d45353be85fd73e7184b3248bdae9

SHA1
ef56904eb622481612b00d3988483ce8b41f9308

SHA256
53f2afd2af894c2dd547fcbeaea38e86ff5bf047201b4fb32e1219a93904740c

SHA512
85d317246ccf517eac3d5a2281e3755aeeac470f9336431e8d2ee90eaa7c28b6a3ad6d6f924c71e4a24b19570abd4eed61745b0a6430212f1977d54b0d3b1776

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
15.2MB

MD5
0e12d68776d10eaf0fa8800a468c7f27

SHA1
067db22d60f58e9b51dfeaa398dd50ad012198d5

SHA256
c52f637c11da223c9ac6ac4b2617006110348eaf147b91f69d7c902eb076310e

SHA512
3bb974138188ef029355815ce0d478d0e277404159f2d45c2e4bdbfe54cbf8303d266031c7aa085a0b6db5f8590b3c44f4e97a9a30e9134f8d09b9bfd66c06b9

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
15.2MB

MD5
0e12d68776d10eaf0fa8800a468c7f27

SHA1
067db22d60f58e9b51dfeaa398dd50ad012198d5

SHA256
c52f637c11da223c9ac6ac4b2617006110348eaf147b91f69d7c902eb076310e

SHA512
3bb974138188ef029355815ce0d478d0e277404159f2d45c2e4bdbfe54cbf8303d266031c7aa085a0b6db5f8590b3c44f4e97a9a30e9134f8d09b9bfd66c06b9

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
7.7MB

MD5
9c3a1e6b7bd177736d4aa4a388cccf37

SHA1
fdb8cb58b26cf7ca381f69252cc4a2abc3a128f2

SHA256
dd33ec991389ce38b6e8953435ab9415c89c5600add32d505c8e58bf68c296e2

SHA512
b6590217a21e8011c7c82c9b7da5bea71f218255bece96e3673c30bf372a37a83516db236e57161892580b84b69bfd2e98a1d9460e805a545642b3344aec8ff1

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
7.7MB

MD5
9c3a1e6b7bd177736d4aa4a388cccf37

SHA1
fdb8cb58b26cf7ca381f69252cc4a2abc3a128f2

SHA256
dd33ec991389ce38b6e8953435ab9415c89c5600add32d505c8e58bf68c296e2

SHA512
b6590217a21e8011c7c82c9b7da5bea71f218255bece96e3673c30bf372a37a83516db236e57161892580b84b69bfd2e98a1d9460e805a545642b3344aec8ff1

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
memory/640-155-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/640-146-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1776-156-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4596-142-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download