d1f602dc95f7c1277165d7d4c3103c5d74c188120fa85794bbde8da8850f65cf

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
30-11-2022 09:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d1f602dc95f7c1277165d7d4c3103c5d74c188120fa85794bbde8da8850f65cf.exe
Size

1.5MB
MD5

a2d2674fe920910365ec490c2271837d
SHA1

24281340c82dcfa81f0a56c667ea93048869aeef
SHA256

d1f602dc95f7c1277165d7d4c3103c5d74c188120fa85794bbde8da8850f65cf
SHA512

e97bf4d096f1f4887d7e54c6af407ede8c3b56c0d905200a6017d2c98a360c14730050e34842fa14ecf57bdc73764f3e5d42c229ffa36d366847626b4eebc65a
SSDEEP

24576:Qutr5OUX+0HSNRdylALXlfBwUiRQs3utW65Lu31xneixByVP26L1TC71+jc6onPx:QuX1+jNClCwDus+1tfixByz541+doRXf

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

avc2011.exe

pid process

2304 avc2011.exe

pid	process
2304	avc2011.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/2304-136-0x00000000022D0000-0x00000000024AC000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

d1f602dc95f7c1277165d7d4c3103c5d74c188120fa85794bbde8da8850f65cf.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	d1f602dc95f7c1277165d7d4c3103c5d74c188120fa85794bbde8da8850f65cf.exe

Drops file in Program Files directory 8 IoCs

Processes:

d1f602dc95f7c1277165d7d4c3103c5d74c188120fa85794bbde8da8850f65cf.exe

description	ioc	process
File created	C:\Program Files\Antivirus Clean 2011\__tmp_rar_sfx_access_check_240546390	d1f602dc95f7c1277165d7d4c3103c5d74c188120fa85794bbde8da8850f65cf.exe
File created	C:\Program Files\Antivirus Clean 2011\avc2011.exe	d1f602dc95f7c1277165d7d4c3103c5d74c188120fa85794bbde8da8850f65cf.exe
File opened for modification	C:\Program Files\Antivirus Clean 2011\avc2011.exe	d1f602dc95f7c1277165d7d4c3103c5d74c188120fa85794bbde8da8850f65cf.exe
File created	C:\Program Files\Antivirus Clean 2011\avservice.exe	d1f602dc95f7c1277165d7d4c3103c5d74c188120fa85794bbde8da8850f65cf.exe
File opened for modification	C:\Program Files\Antivirus Clean 2011\avservice.exe	d1f602dc95f7c1277165d7d4c3103c5d74c188120fa85794bbde8da8850f65cf.exe
File created	C:\Program Files\Antivirus Clean 2011\avsetup.exe	d1f602dc95f7c1277165d7d4c3103c5d74c188120fa85794bbde8da8850f65cf.exe
File opened for modification	C:\Program Files\Antivirus Clean 2011\avsetup.exe	d1f602dc95f7c1277165d7d4c3103c5d74c188120fa85794bbde8da8850f65cf.exe
File opened for modification	C:\Program Files\Antivirus Clean 2011	d1f602dc95f7c1277165d7d4c3103c5d74c188120fa85794bbde8da8850f65cf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3412 2304 WerFault.exe avc2011.exe

pid	pid_target	process	target process
3412	2304	WerFault.exe	avc2011.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

d1f602dc95f7c1277165d7d4c3103c5d74c188120fa85794bbde8da8850f65cf.exe

description	pid	process	target process
PID 920 wrote to memory of 2304	920	d1f602dc95f7c1277165d7d4c3103c5d74c188120fa85794bbde8da8850f65cf.exe	avc2011.exe
PID 920 wrote to memory of 2304	920	d1f602dc95f7c1277165d7d4c3103c5d74c188120fa85794bbde8da8850f65cf.exe	avc2011.exe
PID 920 wrote to memory of 2304	920	d1f602dc95f7c1277165d7d4c3103c5d74c188120fa85794bbde8da8850f65cf.exe	avc2011.exe

C:\Users\Admin\AppData\Local\Temp\d1f602dc95f7c1277165d7d4c3103c5d74c188120fa85794bbde8da8850f65cf.exe
"C:\Users\Admin\AppData\Local\Temp\d1f602dc95f7c1277165d7d4c3103c5d74c188120fa85794bbde8da8850f65cf.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:920

C:\Program Files\Antivirus Clean 2011\avc2011.exe
"C:\Program Files\Antivirus Clean 2011\avc2011.exe"
2⤵
- Executes dropped EXE
PID:2304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2304 -s 584
3⤵
- Program crash
PID:3412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2304 -ip 2304
1⤵
PID:4616

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Antivirus Clean 2011\avc2011.exe
Filesize
1.0MB

MD5
374f9b3e7878ba44bdb4fa6e7245203d

SHA1
c69a62efc8d68346c4fc5e31f8f5eb3258a07dc5

SHA256
1d82472c93c84ce59eabfc9ddc33b97f54ca47a78311e627df33cea14af872ca

SHA512
8769190790e4afd5686c92ca2c6c89a2ca90cfeb3a7f0a2fa223f3739a199c608c477207d7ce0fc5ba0d21e5a97f3dc230a7c67d3d4688433fa7b1c9dc996768

Download Submit
C:\Program Files\Antivirus Clean 2011\avc2011.exe
Filesize
1.0MB

MD5
374f9b3e7878ba44bdb4fa6e7245203d

SHA1
c69a62efc8d68346c4fc5e31f8f5eb3258a07dc5

SHA256
1d82472c93c84ce59eabfc9ddc33b97f54ca47a78311e627df33cea14af872ca

SHA512
8769190790e4afd5686c92ca2c6c89a2ca90cfeb3a7f0a2fa223f3739a199c608c477207d7ce0fc5ba0d21e5a97f3dc230a7c67d3d4688433fa7b1c9dc996768

Download Submit
memory/2304-132-0x0000000000000000-mapping.dmp

Download
memory/2304-135-0x00000000006E0000-0x00000000008BF000-memory.dmp

Filesize
1.9MB

Download
memory/2304-136-0x00000000022D0000-0x00000000024AC000-memory.dmp

Filesize
1.9MB

Download