8a3573d9cf375b51078e11bef65b5e055181967d86a70fad22d547517c4f1240

Analysis

max time kernel
191s
max time network
197s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
02-12-2022 23:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8a3573d9cf375b51078e11bef65b5e055181967d86a70fad22d547517c4f1240.exe
Size

374KB
MD5

1c7e50c876f6499f3c593278b8afd3e0
SHA1

60500b74863ffeed3c533b6c86487be05daccff1
SHA256

8a3573d9cf375b51078e11bef65b5e055181967d86a70fad22d547517c4f1240
SHA512

6b6703304ef1c940f0cb6d158cb34e0a4e661cc48d464c51ba81903c1d9a652c8e8e76ae0c16076f3671040392c61dc680836224c0821404bbd6b88c351bf9db
SSDEEP

6144:sz+92mhAMJ/cPl3ircKbEJCI94xuy4EMMG9XlIz2aG9DIY2dkKkK3DlP:sK2mhAMJ/cPllyEsI+x09VIS9IFNzlP

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4684	runme.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	8a3573d9cf375b51078e11bef65b5e055181967d86a70fad22d547517c4f1240.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1092	4684	WerFault.exe	88

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	cmd.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3736	msedge.exe
3736	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
4980	msedge.exe
4980	msedge.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4980	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3808 wrote to memory of 4088	3808	8a3573d9cf375b51078e11bef65b5e055181967d86a70fad22d547517c4f1240.exe	84
PID 3808 wrote to memory of 4088	3808	8a3573d9cf375b51078e11bef65b5e055181967d86a70fad22d547517c4f1240.exe	84
PID 3808 wrote to memory of 4088	3808	8a3573d9cf375b51078e11bef65b5e055181967d86a70fad22d547517c4f1240.exe	84
PID 4088 wrote to memory of 3396	4088	cmd.exe	87
PID 4088 wrote to memory of 3396	4088	cmd.exe	87
PID 4088 wrote to memory of 3396	4088	cmd.exe	87
PID 4088 wrote to memory of 4684	4088	cmd.exe	88
PID 4088 wrote to memory of 4684	4088	cmd.exe	88
PID 4088 wrote to memory of 4684	4088	cmd.exe	88
PID 4088 wrote to memory of 4980	4088	cmd.exe	91
PID 4088 wrote to memory of 4980	4088	cmd.exe	91
PID 4980 wrote to memory of 4036	4980	msedge.exe	92
PID 4980 wrote to memory of 4036	4980	msedge.exe	92
PID 4980 wrote to memory of 924	4980	msedge.exe	100
PID 4980 wrote to memory of 924	4980	msedge.exe	100
PID 4980 wrote to memory of 924	4980	msedge.exe	100
PID 4980 wrote to memory of 924	4980	msedge.exe	100
PID 4980 wrote to memory of 924	4980	msedge.exe	100
PID 4980 wrote to memory of 924	4980	msedge.exe	100
PID 4980 wrote to memory of 924	4980	msedge.exe	100
PID 4980 wrote to memory of 924	4980	msedge.exe	100
PID 4980 wrote to memory of 924	4980	msedge.exe	100
PID 4980 wrote to memory of 924	4980	msedge.exe	100
PID 4980 wrote to memory of 924	4980	msedge.exe	100
PID 4980 wrote to memory of 924	4980	msedge.exe	100
PID 4980 wrote to memory of 924	4980	msedge.exe	100
PID 4980 wrote to memory of 924	4980	msedge.exe	100
PID 4980 wrote to memory of 924	4980	msedge.exe	100
PID 4980 wrote to memory of 924	4980	msedge.exe	100
PID 4980 wrote to memory of 924	4980	msedge.exe	100
PID 4980 wrote to memory of 924	4980	msedge.exe	100
PID 4980 wrote to memory of 924	4980	msedge.exe	100
PID 4980 wrote to memory of 924	4980	msedge.exe	100
PID 4980 wrote to memory of 924	4980	msedge.exe	100
PID 4980 wrote to memory of 924	4980	msedge.exe	100
PID 4980 wrote to memory of 924	4980	msedge.exe	100
PID 4980 wrote to memory of 924	4980	msedge.exe	100
PID 4980 wrote to memory of 924	4980	msedge.exe	100
PID 4980 wrote to memory of 924	4980	msedge.exe	100
PID 4980 wrote to memory of 924	4980	msedge.exe	100
PID 4980 wrote to memory of 924	4980	msedge.exe	100
PID 4980 wrote to memory of 924	4980	msedge.exe	100
PID 4980 wrote to memory of 924	4980	msedge.exe	100
PID 4980 wrote to memory of 924	4980	msedge.exe	100
PID 4980 wrote to memory of 924	4980	msedge.exe	100
PID 4980 wrote to memory of 924	4980	msedge.exe	100
PID 4980 wrote to memory of 924	4980	msedge.exe	100
PID 4980 wrote to memory of 924	4980	msedge.exe	100
PID 4980 wrote to memory of 924	4980	msedge.exe	100
PID 4980 wrote to memory of 924	4980	msedge.exe	100
PID 4980 wrote to memory of 924	4980	msedge.exe	100
PID 4980 wrote to memory of 924	4980	msedge.exe	100
PID 4980 wrote to memory of 924	4980	msedge.exe	100
PID 4980 wrote to memory of 3736	4980	msedge.exe	101
PID 4980 wrote to memory of 3736	4980	msedge.exe	101
PID 4980 wrote to memory of 2772	4980	msedge.exe	102
PID 4980 wrote to memory of 2772	4980	msedge.exe	102
PID 4980 wrote to memory of 2772	4980	msedge.exe	102
PID 4980 wrote to memory of 2772	4980	msedge.exe	102
PID 4980 wrote to memory of 2772	4980	msedge.exe	102
PID 4980 wrote to memory of 2772	4980	msedge.exe	102
PID 4980 wrote to memory of 2772	4980	msedge.exe	102
PID 4980 wrote to memory of 2772	4980	msedge.exe	102
PID 4980 wrote to memory of 2772	4980	msedge.exe	102

C:\Users\Admin\AppData\Local\Temp\8a3573d9cf375b51078e11bef65b5e055181967d86a70fad22d547517c4f1240.exe
"C:\Users\Admin\AppData\Local\Temp\8a3573d9cf375b51078e11bef65b5e055181967d86a70fad22d547517c4f1240.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3808
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\exec.cmd" "
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4088
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\test.vbs"
    3⤵
    PID:3396
- - C:\Users\Admin\AppData\Local\Temp\runme.exe
    runme.exe
    3⤵
    - Executes dropped EXE
    PID:4684
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4684 -s 592
      4⤵
      Program crash
      PID:1092
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://get-files16.ru/file/kopatel-4it-na-crystal.php
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:4980
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8a74946f8,0x7ff8a7494708,0x7ff8a7494718
      4⤵
      PID:4036
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,18023340249506787225,1144795886862048214,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2116 /prefetch:2
      4⤵
      PID:924
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,18023340249506787225,1144795886862048214,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2436 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3736
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2112,18023340249506787225,1144795886862048214,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2672 /prefetch:8
      4⤵
      PID:2772
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,18023340249506787225,1144795886862048214,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3492 /prefetch:1
      4⤵
      PID:4704
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,18023340249506787225,1144795886862048214,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3500 /prefetch:1
      4⤵
      PID:2812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4684 -ip 4684
1⤵
PID:4712

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3356

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\exec.cmd

Filesize
109B

MD5
3d4305ab03b556cb897ab6f18587fdbc

SHA1
4c6559b39e63e98f67d7428d49894cd1c1bd0d53

SHA256
c93a14065af74b2f5d1908f8e82f7df4da88aa35ed4a3c366b89f21d3a9a1161

SHA512
1674eb21e32ca4d0a13a3f01a077a48ff05c1aa64c22a481c8dc64795f3cfe71faec73c4ce9576c873d03a4ac47ed6f090ebdec0e7d847641266e157e5724d49

Download Submit
C:\Users\Admin\AppData\Local\Temp\runme.exe

Filesize
216KB

MD5
e74720a1d0e57eeecc9eeb3325a09649

SHA1
7e92859df78a10a72e8c9243b67077da2043067b

SHA256
9e15900a90c6bdf6956206a8e6fba1c5405d0f2b3347f521df38294d6fbeb296

SHA512
0de87ebe65ec85f9af009f7470418ea73e7cdfdf706fa33ec5ecaddf8725214623f74d62a23652a175f41fbb2bde3c52ae91a9b4b15fc4c947601ccad86cf592

Download Submit
C:\Users\Admin\AppData\Local\Temp\runme.exe

Filesize
216KB

MD5
e74720a1d0e57eeecc9eeb3325a09649

SHA1
7e92859df78a10a72e8c9243b67077da2043067b

SHA256
9e15900a90c6bdf6956206a8e6fba1c5405d0f2b3347f521df38294d6fbeb296

SHA512
0de87ebe65ec85f9af009f7470418ea73e7cdfdf706fa33ec5ecaddf8725214623f74d62a23652a175f41fbb2bde3c52ae91a9b4b15fc4c947601ccad86cf592

Download Submit
C:\Users\Admin\AppData\Local\Temp\test.vbs

Filesize
54B

MD5
ca6a34e500adc4d1f913237613819c8b

SHA1
7a01911a83fd26acfb9ad237d91f81f5f0e2dab8

SHA256
79ac6e65261afa7231a061ac1b8a1642720792e22ebc83a0c5257c579f3f22c6

SHA512
6c733dde0e10b135f48e2f07c31a22dad9f80717e4a35249b06cc73ac800f1bd0adf27575c6466d84aeb0e03189a87cc38ac3b0e129489fb74d0d06ce2fc8e4e

Download Submit
memory/4684-142-0x00000000021C0000-0x000000000224D000-memory.dmp

Filesize
564KB

Download
memory/4684-141-0x00000000021C0000-0x000000000224D000-memory.dmp

Filesize
564KB

Download