Analysis
-
max time kernel
90s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
-
submitted
01/12/2022, 21:43
General
-
Target
4f7a8f8ba36daae5b7dba6e2be65cbdb8ffabe1d90e9e591113dbbb72da6a32d.exe
-
Size
16.0MB
-
MD5
9f28a7fe07984ae030bb70ef98e95159
-
SHA1
d28673144251de2d2a696b0981dc2838a2c00519
-
SHA256
4f7a8f8ba36daae5b7dba6e2be65cbdb8ffabe1d90e9e591113dbbb72da6a32d
-
SHA512
fd64dd4932dc29947d1e108b41914296d1adda687136eee6ad421cbaec3afe4f1918b3e81f46e4297c8a2ced142645b2601f62a155e75a3e68f660902ab63f9d
-
SSDEEP
393216:mPLSUM3wrzXiQOb7IS+cWDw5LeDzOmlPs6nYJfdaR8JVaa1R:KO3wHXir+JwNeDbK6nJiJVaar
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
-
UPX packed file 4 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\4f7a8f8ba36daae5b7dba6e2be65cbdb8ffabe1d90e9e591113dbbb72da6a32d.exe"C:\Users\Admin\AppData\Local\Temp\4f7a8f8ba36daae5b7dba6e2be65cbdb8ffabe1d90e9e591113dbbb72da6a32d.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe"C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1739634 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\4f7a8f8ba36daae5b7dba6e2be65cbdb8ffabe1d90e9e591113dbbb72da6a32d.exe" "__IRCT:1" "__IRTSS:0" "__IRSID:S-1-5-21-929662420-1054238289-2961194603-1000"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.3MB
MD553817a366d16165e18b0babc60239ff5
SHA105aec27173f52d698b91bce48a10c159e032f103
SHA25607365770631759420e679342ea3cc3b720286b5bfb5289f54396b432eea40580
SHA51250e67e3bfe6f3132153fcd20667a25b15c0b8f4e1e45b0ebe38d698e8524591e405d5407947ea5e0cef21a530f39944f9a7404429bba95771ccbffd9cf0ee3a1
-
Filesize
1.3MB
MD553817a366d16165e18b0babc60239ff5
SHA105aec27173f52d698b91bce48a10c159e032f103
SHA25607365770631759420e679342ea3cc3b720286b5bfb5289f54396b432eea40580
SHA51250e67e3bfe6f3132153fcd20667a25b15c0b8f4e1e45b0ebe38d698e8524591e405d5407947ea5e0cef21a530f39944f9a7404429bba95771ccbffd9cf0ee3a1
-
Filesize
318KB
MD556e2cb184a24aedb473880462197cac4
SHA191aa64464fa96fb5de4c45718ecff507a3ab3fb3
SHA2561dee56b3376f69bf440ab1ac363bdb5a1b7860620306b48a6632c2c3c9f59d59
SHA512d51579ce41f128b2fd76fd1a047d7a7824238845a6abe459b55da76b5dde085cdeb9d3ee6408d4eda5579b550db8af05b87644a55cda2f436beb6ef3486debc5
-
Filesize
318KB
MD556e2cb184a24aedb473880462197cac4
SHA191aa64464fa96fb5de4c45718ecff507a3ab3fb3
SHA2561dee56b3376f69bf440ab1ac363bdb5a1b7860620306b48a6632c2c3c9f59d59
SHA512d51579ce41f128b2fd76fd1a047d7a7824238845a6abe459b55da76b5dde085cdeb9d3ee6408d4eda5579b550db8af05b87644a55cda2f436beb6ef3486debc5
-
Filesize
3.8MB
-
Filesize
3.8MB