Analysis
max time kernel: 149s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30-11-2022 09:57
Static task: static1
Behavioral task: behavioral1
  Sample: d1f602dc95f7c1277165d7d4c3103c5d74c188120fa85794bbde8da8850f65cf.exe
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: d1f602dc95f7c1277165d7d4c3103c5d74c188120fa85794bbde8da8850f65cf.exe
  Resource: win10v2004-20220812-en
General
Target: d1f602dc95f7c1277165d7d4c3103c5d74c188120fa85794bbde8da8850f65cf.exe
Size: 1.5MB
MD5: a2d2674fe920910365ec490c2271837d
SHA1: 24281340c82dcfa81f0a56c667ea93048869aeef
SHA256: d1f602dc95f7c1277165d7d4c3103c5d74c188120fa85794bbde8da8850f65cf
SHA512: e97bf4d096f1f4887d7e54c6af407ede8c3b56c0d905200a6017d2c98a360c14730050e34842fa14ecf57bdc73764f3e5d42c229ffa36d366847626b4eebc65a
SSDEEP: 24576:Qutr5OUX+0HSNRdylALXlfBwUiRQs3utW65Lu31xneixByVP26L1TC71+jc6onPx:QuX1+jNClCwDus+1tfixByz541+doRXf
Malware Config
Signatures
Executes dropped EXE (1 IoCs)
Processes (pid, process):
  2304  avc2011.exe
YARA rule matches (resource, yara_rule):
  behavioral2/memory/2304-136-0x00000000022D0000-0x00000000024AC000-memory.dmp  upx
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes (description, ioc, process):
  Key value queried  \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation  d1f602dc95f7c1277165d7d4c3103c5d74c188120fa85794bbde8da8850f65cf.exe
Drops file in Program Files directory (8 IoCs)
Processes (description, ioc, process):
  File created                C:\Program Files\Antivirus Clean 2011\__tmp_rar_sfx_access_check_240546390  d1f602dc95f7c1277165d7d4c3103c5d74c188120fa85794bbde8da8850f65cf.exe
  File created                C:\Program Files\Antivirus Clean 2011\avc2011.exe    d1f602dc95f7c1277165d7d4c3103c5d74c188120fa85794bbde8da8850f65cf.exe
  File opened for modification  C:\Program Files\Antivirus Clean 2011\avc2011.exe    d1f602dc95f7c1277165d7d4c3103c5d74c188120fa85794bbde8da8850f65cf.exe
  File created                C:\Program Files\Antivirus Clean 2011\avservice.exe  d1f602dc95f7c1277165d7d4c3103c5d74c188120fa85794bbde8da8850f65cf.exe
  File opened for modification  C:\Program Files\Antivirus Clean 2011\avservice.exe  d1f602dc95f7c1277165d7d4c3103c5d74c188120fa85794bbde8da8850f65cf.exe
  File created                C:\Program Files\Antivirus Clean 2011\avsetup.exe    d1f602dc95f7c1277165d7d4c3103c5d74c188120fa85794bbde8da8850f65cf.exe
  File opened for modification  C:\Program Files\Antivirus Clean 2011\avsetup.exe    d1f602dc95f7c1277165d7d4c3103c5d74c188120fa85794bbde8da8850f65cf.exe
  File opened for modification  C:\Program Files\Antivirus Clean 2011                d1f602dc95f7c1277165d7d4c3103c5d74c188120fa85794bbde8da8850f65cf.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Program crash (1 IoCs)
Processes (pid, pid_target, process, target process):
  3412  2304  WerFault.exe  avc2011.exe
Suspicious use of WriteProcessMemory (3 IoCs)
Processes (description, pid, process, target process):
  PID 920 wrote to memory of 2304  920  d1f602dc95f7c1277165d7d4c3103c5d74c188120fa85794bbde8da8850f65cf.exe  avc2011.exe
  PID 920 wrote to memory of 2304  920  d1f602dc95f7c1277165d7d4c3103c5d74c188120fa85794bbde8da8850f65cf.exe  avc2011.exe
  PID 920 wrote to memory of 2304  920  d1f602dc95f7c1277165d7d4c3103c5d74c188120fa85794bbde8da8850f65cf.exe  avc2011.exe
Processes (process tree; depth shown by indentation)
C:\Users\Admin\AppData\Local\Temp\d1f602dc95f7c1277165d7d4c3103c5d74c188120fa85794bbde8da8850f65cf.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\d1f602dc95f7c1277165d7d4c3103c5d74c188120fa85794bbde8da8850f65cf.exe"
  - Checks computer location settings
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
    C:\Program Files\Antivirus Clean 2011\avc2011.exe
      command line: "C:\Program Files\Antivirus Clean 2011\avc2011.exe"
      - Executes dropped EXE
        C:\Windows\SysWOW64\WerFault.exe
          command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2304 -s 584
          - Program crash
C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2304 -ip 2304
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Program Files\Antivirus Clean 2011\avc2011.exe
  Filesize: 1.0MB
  MD5: 374f9b3e7878ba44bdb4fa6e7245203d
  SHA1: c69a62efc8d68346c4fc5e31f8f5eb3258a07dc5
  SHA256: 1d82472c93c84ce59eabfc9ddc33b97f54ca47a78311e627df33cea14af872ca
  SHA512: 8769190790e4afd5686c92ca2c6c89a2ca90cfeb3a7f0a2fa223f3739a199c608c477207d7ce0fc5ba0d21e5a97f3dc230a7c67d3d4688433fa7b1c9dc996768
memory/2304-132-0x0000000000000000-mapping.dmp
memory/2304-135-0x00000000006E0000-0x00000000008BF000-memory.dmp
  Filesize: 1.9MB
memory/2304-136-0x00000000022D0000-0x00000000024AC000-memory.dmp
  Filesize: 1.9MB