Analysis
max time kernel: 149s
max time network: 172s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29-11-2022 06:13
Behavioral task: behavioral1
Sample: e0207a9257e33ccd5fa9816be1c47628b69e61ce7d83880434005dbd9c257371.exe
Resource: win7-20220812-en
Behavioral task: behavioral2
Sample: e0207a9257e33ccd5fa9816be1c47628b69e61ce7d83880434005dbd9c257371.exe
Resource: win10v2004-20220812-en
General
Target: e0207a9257e33ccd5fa9816be1c47628b69e61ce7d83880434005dbd9c257371.exe
Size: 114KB
MD5: 01ee180c315d0f6fa41f20a1f3ed33f0
SHA1: b8fc4a4197a23703e0063ad4ad51b734687803d6
SHA256: e0207a9257e33ccd5fa9816be1c47628b69e61ce7d83880434005dbd9c257371
SHA512: 1180e29d757d683661617388507f044b94ca07838dc4e0d6d7caff75bf6ec655743383b12b87458fbe0ac85ef5132783c480f43bccc016db88cd89e064f1caa2
SSDEEP: 1536:P7L0gUavuPbzRUSdxRWs+LM2GjbQwTxrPwhwF9gukRuY5Q:TIg7vuzzQM1QwVPw4gukRua
Malware Config
Signatures
Processes (yara rule matches):
  resource behavioral2/memory/4040-132-0x0000000000400000-0x000000000041E000-memory.dmp: yara_rule upx
Processes (yara rule matches):
  resource C:\Program Files\Monday.ime: yara_rule vmprotect
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
  e0207a9257e33ccd5fa9816be1c47628b69e61ce7d83880434005dbd9c257371.exe: Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation
Loads dropped DLL (2 IoCs)
Processes:
  PID 4828 rundll32.exe (2 entries)
Modifies WinLogon (2 TTPs, 1 IoC)
Processes:
  rundll32.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197"
Drops file in System32 directory (3 IoCs)
Processes:
  e0207a9257e33ccd5fa9816be1c47628b69e61ce7d83880434005dbd9c257371.exe: File created C:\Windows\SysWOW64\systemp
  e0207a9257e33ccd5fa9816be1c47628b69e61ce7d83880434005dbd9c257371.exe: File created C:\Windows\SysWOW64\sfcos.dll
  e0207a9257e33ccd5fa9816be1c47628b69e61ce7d83880434005dbd9c257371.exe: File opened for modification C:\Windows\SysWOW64\sfcos.dll
Drops file in Program Files directory (6 IoCs)
Processes:
  e0207a9257e33ccd5fa9816be1c47628b69e61ce7d83880434005dbd9c257371.exe: File created C:\Program Files\Monday.ime
  e0207a9257e33ccd5fa9816be1c47628b69e61ce7d83880434005dbd9c257371.exe: File created C:\Program Files\Tuesday.ime
  e0207a9257e33ccd5fa9816be1c47628b69e61ce7d83880434005dbd9c257371.exe: File created C:\Program Files\Wednesday.ime
  e0207a9257e33ccd5fa9816be1c47628b69e61ce7d83880434005dbd9c257371.exe: File created C:\Program Files\Sunday.ime
  e0207a9257e33ccd5fa9816be1c47628b69e61ce7d83880434005dbd9c257371.exe: File created C:\Program Files\taskmgr.upx
  e0207a9257e33ccd5fa9816be1c47628b69e61ce7d83880434005dbd9c257371.exe: File opened for modification C:\Program Files\Saturday
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Program crash (1 IoC)
Processes:
  PID 392 WerFault.exe, target PID 4828 rundll32.exe
Suspicious behavior: EnumeratesProcesses (6 IoCs)
Processes:
  PID 4828 rundll32.exe (6 entries)
Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
  PID 4040 e0207a9257e33ccd5fa9816be1c47628b69e61ce7d83880434005dbd9c257371.exe wrote to memory of PID 4388 sfc.exe (3 entries)
  PID 4040 e0207a9257e33ccd5fa9816be1c47628b69e61ce7d83880434005dbd9c257371.exe wrote to memory of PID 4628 cmd.exe (3 entries)
  PID 4628 cmd.exe wrote to memory of PID 4828 rundll32.exe (3 entries)
Processes
C:\Users\Admin\AppData\Local\Temp\e0207a9257e33ccd5fa9816be1c47628b69e61ce7d83880434005dbd9c257371.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\e0207a9257e33ccd5fa9816be1c47628b69e61ce7d83880434005dbd9c257371.exe"
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\sfc.exe (depth 2)
    Command line: "C:\Windows\system32\sfc.exe" /REVERT
  C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: C:\Windows\system32\cmd.exe /c c:\del.bat
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe (depth 3)
      Command line: rundll32.exe "C:\Program Files\Monday.ime",Runed
      - Loads dropped DLL
      - Modifies WinLogon
      - Suspicious behavior: EnumeratesProcesses
      C:\Windows\SysWOW64\WerFault.exe (depth 4)
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4828 -s 672
        - Program crash
C:\Windows\SysWOW64\WerFault.exe (depth 1)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4828 -ip 4828
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Program Files\Monday.ime
  Filesize: 23KB
  MD5: 58040443232918af2ff04a8bd82cdac0
  SHA1: 30e6fc2f3ec0de36a8c67d943c6771034177617e
  SHA256: cce7e85cea31c7277d5dd5199db69a7be3754477a342500bb5e6b8c88f8b4cb7
  SHA512: acf3a69b0fef4724cac660e16206cd4056565b3ad901a63c639d22b72c15f5bd784af3bd629543d6f05a5de14b78cf95bb77d62671f0295d813061a6463059ca
C:\Windows\SysWOW64\sfcos.dll
  Filesize: 48KB
  MD5: 98c499fccb739ab23b75c0d8b98e0481
  SHA1: 0ef5c464823550d5f53dd485e91dabc5d5a1ba0a
  SHA256: d9d8ce1b86b3978889466ab1b9f46778942d276922bf7533327a493083913087
  SHA512: 9e64ac13e18ab0a518bb85b6612520645b5ab2c9a5359ced943813ba7344714999f25ba0e52240ad2d0c2fefc76552ff43173adc46334ff0b5dba171fb58e4e6
C:\Windows\SysWOW64\systemp
  Filesize: 4KB
  MD5: 390a723071ff83760f669d65bade0ad6
  SHA1: e9a07e9a91708634ea986ca31c6471b75402a3ae
  SHA256: 50ed8f234a125b1e1430923e2d29afb241e965eb4edf36f41cea56032c8009b0
  SHA512: a44d5e2f74b0692ec10209c675de0e1c82c147d9887011a848a80d123349b61db9df00b209a0323ee27d1c7ea6ae525cef1790b792a6fb9f46188b13ae8eca33
\??\c:\del.bat
  Filesize: 306B
  MD5: 32b9b10b9ffa6974224679a874b68d4c
  SHA1: 94a74f48607091435597b4a858128dcdd529f1c7
  SHA256: d6844f99a80f339e1a2f5aaf4a76a9f7f6918232c723c7573c21482cb48eb8f9
  SHA512: bfe076475ca5791ee99602b36b8d15cec8c20e5c6bf1cff8901894677a187046b11d80d128ad4df2d896eaf90c8514b045971535b5e6cf8dc3dd41020b56d24c
memory/4040-132-0x0000000000400000-0x000000000041E000-memory.dmp
  Filesize: 120KB
memory/4388-133-0x0000000000000000-mapping.dmp
memory/4628-134-0x0000000000000000-mapping.dmp
memory/4828-136-0x0000000000000000-mapping.dmp