4e7e087eeaf40810a29ce802f81c17f694909f01648e4920af1ec5c21bb6f445

Analysis

max time kernel
160s
max time network
176s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
29/11/2022, 12:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4e7e087eeaf40810a29ce802f81c17f694909f01648e4920af1ec5c21bb6f445.exe
Size

549KB
MD5

71ff0c6c929470b6524cb1dd1b5bcd96
SHA1

a8eb31ad46434d49cd73218f7c533b1ec1987976
SHA256

4e7e087eeaf40810a29ce802f81c17f694909f01648e4920af1ec5c21bb6f445
SHA512

819dd65899b807dcd6bee93e55d2491d59eaa5bd98c5757d8c273d68785d5c5b6554818af537ea91cbdfe195f3e9ab170aedf6d83e63fa68c8b24c537b03f89d
SSDEEP

12288:Y3nZMhJ+ubNdP+Oe/xnfx5knxpVQT7Ced2uceTyAkRiOGjP8:Y3nZqfbzPwxn5ixpVU5o4WIbP8

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1532	Deploy.exe
4784	explore32.exe
4984	taseron.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	Deploy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	explore32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	4e7e087eeaf40810a29ce802f81c17f694909f01648e4920af1ec5c21bb6f445.exe

Loads dropped DLL 4 IoCs

pid	Process
4784	explore32.exe
4784	explore32.exe
4784	explore32.exe
4784	explore32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explore32 = "\"C:\\Users\\Admin\\Documents\\win32\\explore32.exe\""	explore32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4784	explore32.exe
4784	explore32.exe
4784	explore32.exe
4984	taseron.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4784	explore32.exe
Token: SeDebugPrivilege	4984	taseron.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4360 wrote to memory of 1532	4360	4e7e087eeaf40810a29ce802f81c17f694909f01648e4920af1ec5c21bb6f445.exe	77
PID 4360 wrote to memory of 1532	4360	4e7e087eeaf40810a29ce802f81c17f694909f01648e4920af1ec5c21bb6f445.exe	77
PID 4360 wrote to memory of 1532	4360	4e7e087eeaf40810a29ce802f81c17f694909f01648e4920af1ec5c21bb6f445.exe	77
PID 1532 wrote to memory of 4784	1532	Deploy.exe	83
PID 1532 wrote to memory of 4784	1532	Deploy.exe	83
PID 1532 wrote to memory of 4784	1532	Deploy.exe	83
PID 4784 wrote to memory of 4984	4784	explore32.exe	84
PID 4784 wrote to memory of 4984	4784	explore32.exe	84
PID 4784 wrote to memory of 4984	4784	explore32.exe	84

C:\Users\Admin\AppData\Local\Temp\4e7e087eeaf40810a29ce802f81c17f694909f01648e4920af1ec5c21bb6f445.exe
"C:\Users\Admin\AppData\Local\Temp\4e7e087eeaf40810a29ce802f81c17f694909f01648e4920af1ec5c21bb6f445.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4360
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\Deploy.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Deploy.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:1532
- - C:\Users\Admin\Documents\win32\explore32.exe
    "C:\Users\Admin\Documents\win32\explore32.exe" 0
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4784
  - - C:\Users\Admin\Documents\win32\taseron.exe
      "C:\Users\Admin\Documents\win32\taseron.exe" 0
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4984

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Deploy.exe

Filesize
49KB

MD5
594982cd13485013adb86171a71dc1fc

SHA1
f4de4e46d78a095a62eb130fad0da5d4202d3aa3

SHA256
cbc08dc7b988d5d35ea2bf174884601563d50d01d71357246f7848e714fef7d3

SHA512
fdb2481217dd9cac276e82f35fd7d74a81f274fc230b89179a50e170773a4bebe2d7fd2512bafc048cf2bd9059d575998634abf33be44504952b73c964b39014

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Deploy.exe

Filesize
49KB

MD5
594982cd13485013adb86171a71dc1fc

SHA1
f4de4e46d78a095a62eb130fad0da5d4202d3aa3

SHA256
cbc08dc7b988d5d35ea2bf174884601563d50d01d71357246f7848e714fef7d3

SHA512
fdb2481217dd9cac276e82f35fd7d74a81f274fc230b89179a50e170773a4bebe2d7fd2512bafc048cf2bd9059d575998634abf33be44504952b73c964b39014

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\DirectShowLib.dll

Filesize
252KB

MD5
b74b3c86fc536cf81647c56fa2e69524

SHA1
a4c7e49e5da2af1effa7cda1be447e2e3907299c

SHA256
0e458d28e0a11b0f792814af65758fd44b3ccace712d4d6d8077746191d5015f

SHA512
a157e0a51f34d76adf37d9103e943b02eed65c5a8bc6f30ad93b816ca821a7d643e64fcd361a8b43fe4943b91485d63f2f5e471abc49e737ac4949f2b8d4d029

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Interop.SpeechLib.dll

Filesize
172KB

MD5
dc9a9db283ba0bbab53b808df083a974

SHA1
f29c05ca66e5946c5f139424c0ed610d84540f7f

SHA256
83afec1fca80bd3b3bee6e06a2e8c8af2ac8b81d9fbb760e3ddf6a6d7a92a66b

SHA512
3f68fbab411455b0ccf80f3653b84aa118b807c14080ec7eac459fb5e24e31460a4e2a796c2507cc256f17209ee0d19fe56f34ddb700f70a7782528e3acde8fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\explore32.exe

Filesize
297KB

MD5
cf154f2bdd7c2b79fe09ff7b8e1eec35

SHA1
f33e8388a3f71da1da3d3677ca9ce58165df9631

SHA256
e090a1aa80706631cb9a4d010d4307de2ec7ab016fef18384ec3760e6b5ee520

SHA512
a325bd470294c577b7071aa6c08a9f9d094608c5052cf295358c0f04fe8c88731f74dc2d68dedc4b7338785044ac704fab27366293e2168e3d27a52304c2177b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\fsysx.dll

Filesize
7B

MD5
7b3ff33f66a175b61808b06de7f7e5eb

SHA1
8a89d4c510078a2b98c2c27b978a7455dc2c0f74

SHA256
859e10f7a47a5d6b6a07a3a4f3908dc3938d558f98e49675ec8f3ff431dfb7c2

SHA512
2b96f308809b81b40b223221a5c5445f56a60e1005f016631ffb791fc62b47ab02eed11e6e0b1327d7d9d18c42a9c35eeae2932e75d644623f5aca1adf97de09

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\hesap.txt

Filesize
28B

MD5
f1b484a012fa2edfb80dc63e8a73729a

SHA1
dcf13ca220171c186f82cda60ddecfea2e6e2969

SHA256
4c4e181db7800125caa5b78f4b5db47f2a064030b8223331f2818dc86f9a5365

SHA512
69f6ab9951f32e7083adb30604562b5b16ee0f49cd2cb23b61926781ab6008cd7af08d3ef08bfcfe859e74a8afd23fff7a64a2b4581f538ef882c2373c38f018

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\taseron.exe

Filesize
149KB

MD5
6a0e67e178071f547c9bb9818b4a1bf0

SHA1
d91fbffbea4987739dfbd8104adb4a7de9a07afd

SHA256
ee26a6ec6b6a97f62dd8bc9aa8390df13a619adb5b67d05a5ed68fe28fb7c80a

SHA512
992a9bccacfc1581a7cd17fb56793e623e6c1656c0c6524505dae8f4b01e99c7d485cba3ab7d18cb05263de93708dc819448d981b3f44b9da761a6396f70cf5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\yeni.jpg

Filesize
119KB

MD5
50e9b437579d9b41ba5023ce6e74aacb

SHA1
c39853560fb25ee0ac125d42a136b51570866a70

SHA256
72338c88e795dc462ca6803f9908603af12382451f6b727372fcba52afcd491d

SHA512
3f89c01c9a5968b44093ad5fc6fd4d7488ac11c50b5a0a35c53083bb34ffec18e273c641b30be83fe555631c61722cb1e16df609f943658526e34967f320a263

Download Submit
C:\Users\Admin\Documents\win32\Interop.SpeechLib.dll

Filesize
172KB

MD5
dc9a9db283ba0bbab53b808df083a974

SHA1
f29c05ca66e5946c5f139424c0ed610d84540f7f

SHA256
83afec1fca80bd3b3bee6e06a2e8c8af2ac8b81d9fbb760e3ddf6a6d7a92a66b

SHA512
3f68fbab411455b0ccf80f3653b84aa118b807c14080ec7eac459fb5e24e31460a4e2a796c2507cc256f17209ee0d19fe56f34ddb700f70a7782528e3acde8fe

Download Submit
C:\Users\Admin\Documents\win32\Interop.SpeechLib.dll

Filesize
172KB

MD5
dc9a9db283ba0bbab53b808df083a974

SHA1
f29c05ca66e5946c5f139424c0ed610d84540f7f

SHA256
83afec1fca80bd3b3bee6e06a2e8c8af2ac8b81d9fbb760e3ddf6a6d7a92a66b

SHA512
3f68fbab411455b0ccf80f3653b84aa118b807c14080ec7eac459fb5e24e31460a4e2a796c2507cc256f17209ee0d19fe56f34ddb700f70a7782528e3acde8fe

Download Submit
C:\Users\Admin\Documents\win32\Interop.SpeechLib.dll

Filesize
172KB

MD5
dc9a9db283ba0bbab53b808df083a974

SHA1
f29c05ca66e5946c5f139424c0ed610d84540f7f

SHA256
83afec1fca80bd3b3bee6e06a2e8c8af2ac8b81d9fbb760e3ddf6a6d7a92a66b

SHA512
3f68fbab411455b0ccf80f3653b84aa118b807c14080ec7eac459fb5e24e31460a4e2a796c2507cc256f17209ee0d19fe56f34ddb700f70a7782528e3acde8fe

Download Submit
C:\Users\Admin\Documents\win32\Interop.SpeechLib.dll

Filesize
172KB

MD5
dc9a9db283ba0bbab53b808df083a974

SHA1
f29c05ca66e5946c5f139424c0ed610d84540f7f

SHA256
83afec1fca80bd3b3bee6e06a2e8c8af2ac8b81d9fbb760e3ddf6a6d7a92a66b

SHA512
3f68fbab411455b0ccf80f3653b84aa118b807c14080ec7eac459fb5e24e31460a4e2a796c2507cc256f17209ee0d19fe56f34ddb700f70a7782528e3acde8fe

Download Submit
C:\Users\Admin\Documents\win32\Interop.SpeechLib.dll

Filesize
172KB

MD5
dc9a9db283ba0bbab53b808df083a974

SHA1
f29c05ca66e5946c5f139424c0ed610d84540f7f

SHA256
83afec1fca80bd3b3bee6e06a2e8c8af2ac8b81d9fbb760e3ddf6a6d7a92a66b

SHA512
3f68fbab411455b0ccf80f3653b84aa118b807c14080ec7eac459fb5e24e31460a4e2a796c2507cc256f17209ee0d19fe56f34ddb700f70a7782528e3acde8fe

Download Submit
C:\Users\Admin\Documents\win32\explore32.exe

Filesize
297KB

MD5
cf154f2bdd7c2b79fe09ff7b8e1eec35

SHA1
f33e8388a3f71da1da3d3677ca9ce58165df9631

SHA256
e090a1aa80706631cb9a4d010d4307de2ec7ab016fef18384ec3760e6b5ee520

SHA512
a325bd470294c577b7071aa6c08a9f9d094608c5052cf295358c0f04fe8c88731f74dc2d68dedc4b7338785044ac704fab27366293e2168e3d27a52304c2177b

Download Submit
C:\Users\Admin\Documents\win32\explore32.exe

Filesize
297KB

MD5
cf154f2bdd7c2b79fe09ff7b8e1eec35

SHA1
f33e8388a3f71da1da3d3677ca9ce58165df9631

SHA256
e090a1aa80706631cb9a4d010d4307de2ec7ab016fef18384ec3760e6b5ee520

SHA512
a325bd470294c577b7071aa6c08a9f9d094608c5052cf295358c0f04fe8c88731f74dc2d68dedc4b7338785044ac704fab27366293e2168e3d27a52304c2177b

Download Submit
C:\Users\Admin\Documents\win32\fsysx.dll

Filesize
7B

MD5
7b3ff33f66a175b61808b06de7f7e5eb

SHA1
8a89d4c510078a2b98c2c27b978a7455dc2c0f74

SHA256
859e10f7a47a5d6b6a07a3a4f3908dc3938d558f98e49675ec8f3ff431dfb7c2

SHA512
2b96f308809b81b40b223221a5c5445f56a60e1005f016631ffb791fc62b47ab02eed11e6e0b1327d7d9d18c42a9c35eeae2932e75d644623f5aca1adf97de09

Download Submit
C:\Users\Admin\Documents\win32\hesap.txt

Filesize
28B

MD5
f1b484a012fa2edfb80dc63e8a73729a

SHA1
dcf13ca220171c186f82cda60ddecfea2e6e2969

SHA256
4c4e181db7800125caa5b78f4b5db47f2a064030b8223331f2818dc86f9a5365

SHA512
69f6ab9951f32e7083adb30604562b5b16ee0f49cd2cb23b61926781ab6008cd7af08d3ef08bfcfe859e74a8afd23fff7a64a2b4581f538ef882c2373c38f018

Download Submit
C:\Users\Admin\Documents\win32\taseron.exe

Filesize
149KB

MD5
6a0e67e178071f547c9bb9818b4a1bf0

SHA1
d91fbffbea4987739dfbd8104adb4a7de9a07afd

SHA256
ee26a6ec6b6a97f62dd8bc9aa8390df13a619adb5b67d05a5ed68fe28fb7c80a

SHA512
992a9bccacfc1581a7cd17fb56793e623e6c1656c0c6524505dae8f4b01e99c7d485cba3ab7d18cb05263de93708dc819448d981b3f44b9da761a6396f70cf5f

Download Submit
C:\Users\Admin\Documents\win32\taseron.exe

Filesize
149KB

MD5
6a0e67e178071f547c9bb9818b4a1bf0

SHA1
d91fbffbea4987739dfbd8104adb4a7de9a07afd

SHA256
ee26a6ec6b6a97f62dd8bc9aa8390df13a619adb5b67d05a5ed68fe28fb7c80a

SHA512
992a9bccacfc1581a7cd17fb56793e623e6c1656c0c6524505dae8f4b01e99c7d485cba3ab7d18cb05263de93708dc819448d981b3f44b9da761a6396f70cf5f

Download Submit
memory/1532-136-0x0000000072D00000-0x00000000732B1000-memory.dmp

Filesize
5.7MB

Download
memory/1532-154-0x0000000072D00000-0x00000000732B1000-memory.dmp

Filesize
5.7MB

Download
memory/1532-135-0x0000000072D00000-0x00000000732B1000-memory.dmp

Filesize
5.7MB

Download
memory/4784-153-0x0000000072D00000-0x00000000732B1000-memory.dmp

Filesize
5.7MB

Download
memory/4784-152-0x0000000072D00000-0x00000000732B1000-memory.dmp

Filesize
5.7MB

Download
memory/4984-160-0x0000000072D00000-0x00000000732B1000-memory.dmp

Filesize
5.7MB

Download
memory/4984-161-0x0000000072D00000-0x00000000732B1000-memory.dmp

Filesize
5.7MB

Download