9e882c660231e15bcc38e60f36944127133d829ff359f96d89fb79c64b74220d

Analysis

max time kernel
84s
max time network
88s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
02/12/2022, 23:38

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

9e882c660231e15bcc38e60f36944127133d829ff359f96d89fb79c64b74220d.exe
Size

316KB
MD5

b7e7dfda3555be47d5e135419d44438f
SHA1

b7dd034c716b825985b6745e82cf4b92fceeb4e0
SHA256

9e882c660231e15bcc38e60f36944127133d829ff359f96d89fb79c64b74220d
SHA512

0fbd65b6d85b3bd1e19135bcff363963866444d41532a42ce783c7bf5a28df73a10f3972868dc81531c8458510efb699b98fb47f708f162a62f241ba509ac897
SSDEEP

6144:5sehzRFJPC6ocu1YgWWko8efjmkO4vDx0OFMvP5nJPit0i2Mza:5rQ65q9b8ery0N0O0hhitz3a

Score

8^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
980	WR-1-2~1.EXE
1828	DOMPLA~1.EXE

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000a0000000139f7-55.dat	upx
behavioral1/files/0x000a0000000139f7-56.dat	upx
behavioral1/files/0x000a0000000139f7-58.dat	upx
behavioral1/files/0x000a0000000139f7-61.dat	upx
behavioral1/files/0x000a0000000139f7-60.dat	upx
behavioral1/files/0x000a0000000139f7-62.dat	upx
behavioral1/files/0x000a0000000139f7-63.dat	upx
behavioral1/memory/1488-64-0x0000000000180000-0x000000000019A000-memory.dmp	upx
behavioral1/memory/980-66-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral1/memory/980-71-0x0000000000400000-0x000000000041A000-memory.dmp	upx

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	WR-1-2~1.EXE

Loads dropped DLL 11 IoCs

pid	Process
1488	9e882c660231e15bcc38e60f36944127133d829ff359f96d89fb79c64b74220d.exe
1488	9e882c660231e15bcc38e60f36944127133d829ff359f96d89fb79c64b74220d.exe
980	WR-1-2~1.EXE
980	WR-1-2~1.EXE
980	WR-1-2~1.EXE
1488	9e882c660231e15bcc38e60f36944127133d829ff359f96d89fb79c64b74220d.exe
1828	DOMPLA~1.EXE
1828	DOMPLA~1.EXE
1828	DOMPLA~1.EXE
1828	DOMPLA~1.EXE
1828	DOMPLA~1.EXE

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	9e882c660231e15bcc38e60f36944127133d829ff359f96d89fb79c64b74220d.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	9e882c660231e15bcc38e60f36944127133d829ff359f96d89fb79c64b74220d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 10 IoCs

installer

resource	yara_rule
behavioral1/files/0x0006000000014142-72.dat	nsis_installer_1
behavioral1/files/0x0006000000014142-72.dat	nsis_installer_2
behavioral1/files/0x0006000000014142-74.dat	nsis_installer_1
behavioral1/files/0x0006000000014142-74.dat	nsis_installer_2
behavioral1/files/0x0006000000014142-77.dat	nsis_installer_1
behavioral1/files/0x0006000000014142-77.dat	nsis_installer_2
behavioral1/files/0x0006000000014142-78.dat	nsis_installer_1
behavioral1/files/0x0006000000014142-78.dat	nsis_installer_2
behavioral1/files/0x0006000000014142-76.dat	nsis_installer_1
behavioral1/files/0x0006000000014142-76.dat	nsis_installer_2

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	WR-1-2~1.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	WR-1-2~1.EXE

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosDate	WR-1-2~1.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1828	DOMPLA~1.EXE
1828	DOMPLA~1.EXE
1828	DOMPLA~1.EXE
1828	DOMPLA~1.EXE

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1488 wrote to memory of 980	1488	9e882c660231e15bcc38e60f36944127133d829ff359f96d89fb79c64b74220d.exe	27
PID 1488 wrote to memory of 980	1488	9e882c660231e15bcc38e60f36944127133d829ff359f96d89fb79c64b74220d.exe	27
PID 1488 wrote to memory of 980	1488	9e882c660231e15bcc38e60f36944127133d829ff359f96d89fb79c64b74220d.exe	27
PID 1488 wrote to memory of 980	1488	9e882c660231e15bcc38e60f36944127133d829ff359f96d89fb79c64b74220d.exe	27
PID 1488 wrote to memory of 980	1488	9e882c660231e15bcc38e60f36944127133d829ff359f96d89fb79c64b74220d.exe	27
PID 1488 wrote to memory of 980	1488	9e882c660231e15bcc38e60f36944127133d829ff359f96d89fb79c64b74220d.exe	27
PID 1488 wrote to memory of 980	1488	9e882c660231e15bcc38e60f36944127133d829ff359f96d89fb79c64b74220d.exe	27
PID 980 wrote to memory of 1196	980	WR-1-2~1.EXE	30
PID 980 wrote to memory of 1196	980	WR-1-2~1.EXE	30
PID 980 wrote to memory of 1196	980	WR-1-2~1.EXE	30
PID 980 wrote to memory of 1196	980	WR-1-2~1.EXE	30
PID 980 wrote to memory of 1196	980	WR-1-2~1.EXE	30
PID 980 wrote to memory of 1196	980	WR-1-2~1.EXE	30
PID 980 wrote to memory of 1196	980	WR-1-2~1.EXE	30
PID 1488 wrote to memory of 1828	1488	9e882c660231e15bcc38e60f36944127133d829ff359f96d89fb79c64b74220d.exe	32
PID 1488 wrote to memory of 1828	1488	9e882c660231e15bcc38e60f36944127133d829ff359f96d89fb79c64b74220d.exe	32
PID 1488 wrote to memory of 1828	1488	9e882c660231e15bcc38e60f36944127133d829ff359f96d89fb79c64b74220d.exe	32
PID 1488 wrote to memory of 1828	1488	9e882c660231e15bcc38e60f36944127133d829ff359f96d89fb79c64b74220d.exe	32
PID 1488 wrote to memory of 1828	1488	9e882c660231e15bcc38e60f36944127133d829ff359f96d89fb79c64b74220d.exe	32
PID 1488 wrote to memory of 1828	1488	9e882c660231e15bcc38e60f36944127133d829ff359f96d89fb79c64b74220d.exe	32
PID 1488 wrote to memory of 1828	1488	9e882c660231e15bcc38e60f36944127133d829ff359f96d89fb79c64b74220d.exe	32

C:\Users\Admin\AppData\Local\Temp\9e882c660231e15bcc38e60f36944127133d829ff359f96d89fb79c64b74220d.exe
"C:\Users\Admin\AppData\Local\Temp\9e882c660231e15bcc38e60f36944127133d829ff359f96d89fb79c64b74220d.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1488
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WR-1-2~1.EXE
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WR-1-2~1.EXE
  2⤵
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Loads dropped DLL
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of WriteProcessMemory
  PID:980
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\bat49EF.tmp.bat" "
    3⤵
    PID:1196
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DOMPLA~1.EXE
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DOMPLA~1.EXE
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:1828

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DOMPLA~1.EXE

Filesize
249KB

MD5
53a6425958690cf579f1097b79e9fb50

SHA1
8b40a04ed55e279795ba866cfda194619988ae9c

SHA256
6b154846907afd1022bf2fa47beccfe40038c7a9eb62ff84ea214fb542a9327d

SHA512
6a506615dead124fd128a757dc6addc258a586af0ec2dc2c8b38ffe69a746cb9219fb210510fe74258dcb0f6707605f85b058103945f2d2bcd7733d233ab14b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DOMPLA~1.EXE

Filesize
249KB

MD5
53a6425958690cf579f1097b79e9fb50

SHA1
8b40a04ed55e279795ba866cfda194619988ae9c

SHA256
6b154846907afd1022bf2fa47beccfe40038c7a9eb62ff84ea214fb542a9327d

SHA512
6a506615dead124fd128a757dc6addc258a586af0ec2dc2c8b38ffe69a746cb9219fb210510fe74258dcb0f6707605f85b058103945f2d2bcd7733d233ab14b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WR-1-2~1.EXE

Filesize
36KB

MD5
dab88d7963e15f39c7a0924769127050

SHA1
57a1d50a97e6099237cd83e3bdb3f3b433118c92

SHA256
f696b4900cf9d2d9d8bde9f86280e868461eb4cddd93bb28049c991f10b8f147

SHA512
56a4b561d2aa16d2b9d92e4d5f2197dbc8966acfbbe809a2ffcbd20f40bf37157054213695f9a6cc23dcc63a3f864a70afa01a999f1e237216153ef38a7fe003

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WR-1-2~1.EXE

Filesize
36KB

MD5
dab88d7963e15f39c7a0924769127050

SHA1
57a1d50a97e6099237cd83e3bdb3f3b433118c92

SHA256
f696b4900cf9d2d9d8bde9f86280e868461eb4cddd93bb28049c991f10b8f147

SHA512
56a4b561d2aa16d2b9d92e4d5f2197dbc8966acfbbe809a2ffcbd20f40bf37157054213695f9a6cc23dcc63a3f864a70afa01a999f1e237216153ef38a7fe003

Download Submit
C:\Users\Admin\AppData\Local\Temp\bat49EF.tmp.bat

Filesize
208B

MD5
f3488ba5fbd29aca2dbda7e00b7e81f0

SHA1
98d47476d33433ce0f6fd942b90f88c621b14586

SHA256
5e6ee5a5d6fc042329206ecf8e8817c1e4dadcd044e18ade2d133f8852a5f706

SHA512
cf031f51dbfdc47e539a773ca391c68d052283b6c450e38af38326ca79011d1f757c9635876c72ca2ef4e5a248e6fd0db94cd854acd14aef2700fd7637a3aeab

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\DOMPLA~1.EXE

Filesize
249KB

MD5
53a6425958690cf579f1097b79e9fb50

SHA1
8b40a04ed55e279795ba866cfda194619988ae9c

SHA256
6b154846907afd1022bf2fa47beccfe40038c7a9eb62ff84ea214fb542a9327d

SHA512
6a506615dead124fd128a757dc6addc258a586af0ec2dc2c8b38ffe69a746cb9219fb210510fe74258dcb0f6707605f85b058103945f2d2bcd7733d233ab14b4

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\DOMPLA~1.EXE

Filesize
249KB

MD5
53a6425958690cf579f1097b79e9fb50

SHA1
8b40a04ed55e279795ba866cfda194619988ae9c

SHA256
6b154846907afd1022bf2fa47beccfe40038c7a9eb62ff84ea214fb542a9327d

SHA512
6a506615dead124fd128a757dc6addc258a586af0ec2dc2c8b38ffe69a746cb9219fb210510fe74258dcb0f6707605f85b058103945f2d2bcd7733d233ab14b4

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\DOMPLA~1.EXE

Filesize
249KB

MD5
53a6425958690cf579f1097b79e9fb50

SHA1
8b40a04ed55e279795ba866cfda194619988ae9c

SHA256
6b154846907afd1022bf2fa47beccfe40038c7a9eb62ff84ea214fb542a9327d

SHA512
6a506615dead124fd128a757dc6addc258a586af0ec2dc2c8b38ffe69a746cb9219fb210510fe74258dcb0f6707605f85b058103945f2d2bcd7733d233ab14b4

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\WR-1-2~1.EXE

Filesize
36KB

MD5
dab88d7963e15f39c7a0924769127050

SHA1
57a1d50a97e6099237cd83e3bdb3f3b433118c92

SHA256
f696b4900cf9d2d9d8bde9f86280e868461eb4cddd93bb28049c991f10b8f147

SHA512
56a4b561d2aa16d2b9d92e4d5f2197dbc8966acfbbe809a2ffcbd20f40bf37157054213695f9a6cc23dcc63a3f864a70afa01a999f1e237216153ef38a7fe003

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\WR-1-2~1.EXE

Filesize
36KB

MD5
dab88d7963e15f39c7a0924769127050

SHA1
57a1d50a97e6099237cd83e3bdb3f3b433118c92

SHA256
f696b4900cf9d2d9d8bde9f86280e868461eb4cddd93bb28049c991f10b8f147

SHA512
56a4b561d2aa16d2b9d92e4d5f2197dbc8966acfbbe809a2ffcbd20f40bf37157054213695f9a6cc23dcc63a3f864a70afa01a999f1e237216153ef38a7fe003

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\WR-1-2~1.EXE

Filesize
36KB

MD5
dab88d7963e15f39c7a0924769127050

SHA1
57a1d50a97e6099237cd83e3bdb3f3b433118c92

SHA256
f696b4900cf9d2d9d8bde9f86280e868461eb4cddd93bb28049c991f10b8f147

SHA512
56a4b561d2aa16d2b9d92e4d5f2197dbc8966acfbbe809a2ffcbd20f40bf37157054213695f9a6cc23dcc63a3f864a70afa01a999f1e237216153ef38a7fe003

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\WR-1-2~1.EXE

Filesize
36KB

MD5
dab88d7963e15f39c7a0924769127050

SHA1
57a1d50a97e6099237cd83e3bdb3f3b433118c92

SHA256
f696b4900cf9d2d9d8bde9f86280e868461eb4cddd93bb28049c991f10b8f147

SHA512
56a4b561d2aa16d2b9d92e4d5f2197dbc8966acfbbe809a2ffcbd20f40bf37157054213695f9a6cc23dcc63a3f864a70afa01a999f1e237216153ef38a7fe003

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\WR-1-2~1.EXE

Filesize
36KB

MD5
dab88d7963e15f39c7a0924769127050

SHA1
57a1d50a97e6099237cd83e3bdb3f3b433118c92

SHA256
f696b4900cf9d2d9d8bde9f86280e868461eb4cddd93bb28049c991f10b8f147

SHA512
56a4b561d2aa16d2b9d92e4d5f2197dbc8966acfbbe809a2ffcbd20f40bf37157054213695f9a6cc23dcc63a3f864a70afa01a999f1e237216153ef38a7fe003

Download Submit
\Users\Admin\AppData\Local\Temp\nso4B84.tmp\InstallOptions.dll

Filesize
14KB

MD5
3809b1424d53ccb427c88cabab8b5f94

SHA1
bc74d911216f32a9ca05c0d9b61a2aecfc0d1c0e

SHA256
426efd56da4014f12ec8ee2e268f86b848bbca776333d55482cb3eb71c744088

SHA512
626a1c5edd86a71579e42bac8df479184515e6796fa21cb4fad6731bb775641d25f8eb8e86b939b9db9099453e85c572c9ea7897339a3879a1b672bc9226fcee

Download Submit
\Users\Admin\AppData\Local\Temp\nso4B84.tmp\nsProcess.dll

Filesize
4KB

MD5
14f98427ef8b8a08816bd82d4ef8d8fc

SHA1
f792d3fdb4beb85332f71f9efacc8d923d2f021b

SHA256
5c115f600421043aea4896b278f4292e15fc03e2bae320525b8af75dec6215c0

SHA512
c67e364c95ee28b8ee8924343b7a1b99350019e988e80dfd4469284b6db472d6cf3b4a2f1e1cc40c10276fc97dbe4e326aca72f783b9cb76159ccf5453aa5445

Download Submit
\Users\Admin\AppData\Local\Temp\nso4B84.tmp\nsProcess.dll

Filesize
4KB

MD5
14f98427ef8b8a08816bd82d4ef8d8fc

SHA1
f792d3fdb4beb85332f71f9efacc8d923d2f021b

SHA256
5c115f600421043aea4896b278f4292e15fc03e2bae320525b8af75dec6215c0

SHA512
c67e364c95ee28b8ee8924343b7a1b99350019e988e80dfd4469284b6db472d6cf3b4a2f1e1cc40c10276fc97dbe4e326aca72f783b9cb76159ccf5453aa5445

Download Submit
memory/980-67-0x0000000000020000-0x000000000003A000-memory.dmp

Filesize
104KB

Download
memory/980-71-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/980-66-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1488-69-0x0000000000180000-0x000000000019A000-memory.dmp

Filesize
104KB

Download
memory/1488-68-0x0000000000180000-0x000000000019A000-memory.dmp

Filesize
104KB

Download
memory/1488-54-0x0000000075B41000-0x0000000075B43000-memory.dmp

Filesize
8KB

Download
memory/1488-65-0x0000000000180000-0x000000000019A000-memory.dmp

Filesize
104KB

Download
memory/1488-64-0x0000000000180000-0x000000000019A000-memory.dmp

Filesize
104KB

Download