830573b04db1bac3f5c890a7dad7e2d1e5dce8ea3210a814391318a1521fcdbf

Analysis

max time kernel
153s
max time network
174s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
01/12/2022, 02:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

830573b04db1bac3f5c890a7dad7e2d1e5dce8ea3210a814391318a1521fcdbf.exe
Size

312KB
MD5

8a07e324c39401883d4f3e928ed38b3d
SHA1

4cb51deef671271cc5a69d4530800705d7dcda43
SHA256

830573b04db1bac3f5c890a7dad7e2d1e5dce8ea3210a814391318a1521fcdbf
SHA512

3d147d1899608645a81fcc012076dc31bc7b782d76b13ea790e895984119cf816937953d5337bc6096a3a61b092904229446d600f3983b9f5dee65126211f3e6
SSDEEP

3072:1RYfhn6IxI4BXzk6K6Tr5DOZeCzZPj8o3:rE5dXzkmMesL3

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
664	winlogon.exe
5084	winlogon.exe
2708	winlogon.exe
4072	winlogon.exe

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3836-132-0x0000000000400000-0x0000000000437000-memory.dmp	upx
behavioral2/memory/3836-136-0x0000000000400000-0x0000000000437000-memory.dmp	upx
behavioral2/memory/2132-135-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/2132-138-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/2132-139-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/2132-142-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/files/0x0006000000022e39-145.dat	upx
behavioral2/files/0x0006000000022e39-144.dat	upx
behavioral2/memory/2132-146-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/664-151-0x0000000000400000-0x0000000000437000-memory.dmp	upx
behavioral2/files/0x0006000000022e39-150.dat	upx
behavioral2/memory/5084-157-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/files/0x0006000000022e39-160.dat	upx
behavioral2/files/0x0006000000022e39-163.dat	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	830573b04db1bac3f5c890a7dad7e2d1e5dce8ea3210a814391318a1521fcdbf.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 3836 set thread context of 2132	3836	830573b04db1bac3f5c890a7dad7e2d1e5dce8ea3210a814391318a1521fcdbf.exe	80
PID 664 set thread context of 5084	664	winlogon.exe	84
PID 5084 set thread context of 2708	5084	winlogon.exe	87
PID 5084 set thread context of 4072	5084	winlogon.exe	97

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4108	2708	WerFault.exe	87
628	4072	WerFault.exe	97

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2132	830573b04db1bac3f5c890a7dad7e2d1e5dce8ea3210a814391318a1521fcdbf.exe
5084	winlogon.exe

Suspicious use of WriteProcessMemory 41 IoCs

description	pid	Process	procid_target
PID 3836 wrote to memory of 2252	3836	830573b04db1bac3f5c890a7dad7e2d1e5dce8ea3210a814391318a1521fcdbf.exe	79
PID 3836 wrote to memory of 2252	3836	830573b04db1bac3f5c890a7dad7e2d1e5dce8ea3210a814391318a1521fcdbf.exe	79
PID 3836 wrote to memory of 2252	3836	830573b04db1bac3f5c890a7dad7e2d1e5dce8ea3210a814391318a1521fcdbf.exe	79
PID 3836 wrote to memory of 2132	3836	830573b04db1bac3f5c890a7dad7e2d1e5dce8ea3210a814391318a1521fcdbf.exe	80
PID 3836 wrote to memory of 2132	3836	830573b04db1bac3f5c890a7dad7e2d1e5dce8ea3210a814391318a1521fcdbf.exe	80
PID 3836 wrote to memory of 2132	3836	830573b04db1bac3f5c890a7dad7e2d1e5dce8ea3210a814391318a1521fcdbf.exe	80
PID 3836 wrote to memory of 2132	3836	830573b04db1bac3f5c890a7dad7e2d1e5dce8ea3210a814391318a1521fcdbf.exe	80
PID 3836 wrote to memory of 2132	3836	830573b04db1bac3f5c890a7dad7e2d1e5dce8ea3210a814391318a1521fcdbf.exe	80
PID 3836 wrote to memory of 2132	3836	830573b04db1bac3f5c890a7dad7e2d1e5dce8ea3210a814391318a1521fcdbf.exe	80
PID 3836 wrote to memory of 2132	3836	830573b04db1bac3f5c890a7dad7e2d1e5dce8ea3210a814391318a1521fcdbf.exe	80
PID 3836 wrote to memory of 2132	3836	830573b04db1bac3f5c890a7dad7e2d1e5dce8ea3210a814391318a1521fcdbf.exe	80
PID 2132 wrote to memory of 664	2132	830573b04db1bac3f5c890a7dad7e2d1e5dce8ea3210a814391318a1521fcdbf.exe	82
PID 2132 wrote to memory of 664	2132	830573b04db1bac3f5c890a7dad7e2d1e5dce8ea3210a814391318a1521fcdbf.exe	82
PID 2132 wrote to memory of 664	2132	830573b04db1bac3f5c890a7dad7e2d1e5dce8ea3210a814391318a1521fcdbf.exe	82
PID 664 wrote to memory of 3328	664	winlogon.exe	83
PID 664 wrote to memory of 3328	664	winlogon.exe	83
PID 664 wrote to memory of 3328	664	winlogon.exe	83
PID 664 wrote to memory of 5084	664	winlogon.exe	84
PID 664 wrote to memory of 5084	664	winlogon.exe	84
PID 664 wrote to memory of 5084	664	winlogon.exe	84
PID 664 wrote to memory of 5084	664	winlogon.exe	84
PID 664 wrote to memory of 5084	664	winlogon.exe	84
PID 664 wrote to memory of 5084	664	winlogon.exe	84
PID 664 wrote to memory of 5084	664	winlogon.exe	84
PID 664 wrote to memory of 5084	664	winlogon.exe	84
PID 5084 wrote to memory of 2708	5084	winlogon.exe	87
PID 5084 wrote to memory of 2708	5084	winlogon.exe	87
PID 5084 wrote to memory of 2708	5084	winlogon.exe	87
PID 5084 wrote to memory of 2708	5084	winlogon.exe	87
PID 5084 wrote to memory of 2708	5084	winlogon.exe	87
PID 5084 wrote to memory of 2708	5084	winlogon.exe	87
PID 5084 wrote to memory of 2708	5084	winlogon.exe	87
PID 5084 wrote to memory of 2708	5084	winlogon.exe	87
PID 5084 wrote to memory of 4072	5084	winlogon.exe	97
PID 5084 wrote to memory of 4072	5084	winlogon.exe	97
PID 5084 wrote to memory of 4072	5084	winlogon.exe	97
PID 5084 wrote to memory of 4072	5084	winlogon.exe	97
PID 5084 wrote to memory of 4072	5084	winlogon.exe	97
PID 5084 wrote to memory of 4072	5084	winlogon.exe	97
PID 5084 wrote to memory of 4072	5084	winlogon.exe	97
PID 5084 wrote to memory of 4072	5084	winlogon.exe	97

C:\Users\Admin\AppData\Local\Temp\830573b04db1bac3f5c890a7dad7e2d1e5dce8ea3210a814391318a1521fcdbf.exe
"C:\Users\Admin\AppData\Local\Temp\830573b04db1bac3f5c890a7dad7e2d1e5dce8ea3210a814391318a1521fcdbf.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3836
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\system32\\svchost.exe
  2⤵
  PID:2252
- C:\Users\Admin\AppData\Local\Temp\830573b04db1bac3f5c890a7dad7e2d1e5dce8ea3210a814391318a1521fcdbf.exe
  2⤵
  - Checks computer location settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2132
- - C:\Users\Admin\E696D64614\winlogon.exe
    "C:\Users\Admin\E696D64614\winlogon.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:664
  - - C:\Windows\SysWOW64\svchost.exe
      C:\Windows\system32\\svchost.exe
      4⤵
      PID:3328
  - - C:\Users\Admin\E696D64614\winlogon.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:5084
    - - C:\Users\Admin\E696D64614\winlogon.exe
        
        "C:\Users\Admin\E696D64614\winlogon.exe"
        5⤵
        Executes dropped EXE
        
        PID:2708
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2708 -s 12
        6⤵
        Program crash
        
        PID:4108
    - - C:\Users\Admin\E696D64614\winlogon.exe
        
        "C:\Users\Admin\E696D64614\winlogon.exe"
        5⤵
        Executes dropped EXE
        
        PID:4072
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4072 -s 12
        6⤵
        Program crash
        
        PID:628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2708 -ip 2708
1⤵
PID:5064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4072 -ip 4072
1⤵
PID:4012

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\E696D64614\winlogon.exe

Filesize
312KB

MD5
8a07e324c39401883d4f3e928ed38b3d

SHA1
4cb51deef671271cc5a69d4530800705d7dcda43

SHA256
830573b04db1bac3f5c890a7dad7e2d1e5dce8ea3210a814391318a1521fcdbf

SHA512
3d147d1899608645a81fcc012076dc31bc7b782d76b13ea790e895984119cf816937953d5337bc6096a3a61b092904229446d600f3983b9f5dee65126211f3e6

Download Submit
C:\Users\Admin\E696D64614\winlogon.exe

Filesize
312KB

MD5
8a07e324c39401883d4f3e928ed38b3d

SHA1
4cb51deef671271cc5a69d4530800705d7dcda43

SHA256
830573b04db1bac3f5c890a7dad7e2d1e5dce8ea3210a814391318a1521fcdbf

SHA512
3d147d1899608645a81fcc012076dc31bc7b782d76b13ea790e895984119cf816937953d5337bc6096a3a61b092904229446d600f3983b9f5dee65126211f3e6

Download Submit
C:\Users\Admin\E696D64614\winlogon.exe

Filesize
312KB

MD5
8a07e324c39401883d4f3e928ed38b3d

SHA1
4cb51deef671271cc5a69d4530800705d7dcda43

SHA256
830573b04db1bac3f5c890a7dad7e2d1e5dce8ea3210a814391318a1521fcdbf

SHA512
3d147d1899608645a81fcc012076dc31bc7b782d76b13ea790e895984119cf816937953d5337bc6096a3a61b092904229446d600f3983b9f5dee65126211f3e6

Download Submit
C:\Users\Admin\E696D64614\winlogon.exe

Filesize
312KB

MD5
8a07e324c39401883d4f3e928ed38b3d

SHA1
4cb51deef671271cc5a69d4530800705d7dcda43

SHA256
830573b04db1bac3f5c890a7dad7e2d1e5dce8ea3210a814391318a1521fcdbf

SHA512
3d147d1899608645a81fcc012076dc31bc7b782d76b13ea790e895984119cf816937953d5337bc6096a3a61b092904229446d600f3983b9f5dee65126211f3e6

Download Submit
C:\Users\Admin\E696D64614\winlogon.exe

Filesize
312KB

MD5
8a07e324c39401883d4f3e928ed38b3d

SHA1
4cb51deef671271cc5a69d4530800705d7dcda43

SHA256
830573b04db1bac3f5c890a7dad7e2d1e5dce8ea3210a814391318a1521fcdbf

SHA512
3d147d1899608645a81fcc012076dc31bc7b782d76b13ea790e895984119cf816937953d5337bc6096a3a61b092904229446d600f3983b9f5dee65126211f3e6

Download Submit
memory/664-151-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2132-142-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2132-138-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2132-135-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2132-146-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2132-139-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3836-136-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3836-132-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/5084-157-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download