d786cc6dcb8bd51cb9dac17408e7ccb5cadba535653278dfa0cc2e84b9b1b12e

Analysis

max time kernel
122s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
03/12/2022, 23:11

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

d786cc6dcb8bd51cb9dac17408e7ccb5cadba535653278dfa0cc2e84b9b1b12e.exe
Size

915KB
MD5

57570b2942a58b3dd43234b93864f627
SHA1

df31c2e4c5c967cb0f5f423d0d3f9776083d6f74
SHA256

d786cc6dcb8bd51cb9dac17408e7ccb5cadba535653278dfa0cc2e84b9b1b12e
SHA512

8d4791b67a43180b2ad4b3868bea8b196e3ee2cbe2e9018e7282cdad726ebf4baeefb0810398cbe6ab7eea59a14919d785e6428103d6c99fa7059accdc9e2440
SSDEEP

24576:OJZZLfupjDElKQERSV40O8t6tTMgeAvgmZ7H2u:OJZZLfaQlKQ0SV4jLZrhZ7H2u

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
4712	fbja.exe
3452	svchost.exe
4824	svchost.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3912-132-0x0000000000400000-0x0000000002920000-memory.dmp	upx
behavioral2/files/0x0001000000022e19-135.dat	upx
behavioral2/memory/3912-144-0x0000000000400000-0x0000000002920000-memory.dmp	upx
behavioral2/files/0x0001000000022e19-146.dat	upx
behavioral2/files/0x0001000000022e19-147.dat	upx
behavioral2/memory/3912-153-0x0000000000400000-0x0000000002920000-memory.dmp	upx
behavioral2/memory/4712-156-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral2/memory/4712-161-0x0000000000400000-0x0000000000410000-memory.dmp	upx

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	d786cc6dcb8bd51cb9dac17408e7ccb5cadba535653278dfa0cc2e84b9b1b12e.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	fbja.exe

Loads dropped DLL 3 IoCs

pid	Process
4824	svchost.exe
3452	svchost.exe
3452	svchost.exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\user\Scripts\Shutdown	attrib.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\user\Scripts	attrib.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\user	attrib.exe
File created	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	cmd.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\user\Scripts	xcopy.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\user\Scripts\Startup	attrib.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	cmd.exe
File created	C:\Windows\SysWOW64\GroupPolicy\user\Scripts\script.ini	xcopy.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\user\Scripts\script.ini	xcopy.exe

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Progra~1\winrar\rar\fbja.exe	cmd.exe
File opened for modification	C:\Progra~1\winrar\rar\svchost.exe	cmd.exe
File opened for modification	C:\Progra~1\winrar\rar\fbja\svchost.dll	cmd.exe
File opened for modification	C:\Progra~1\winrar\rar\fbja\svchost.ini	svchost.exe
File created	C:\Program Files\Common Files\System\Ole DB\msadotb.htm	svchost.exe
File created	C:\Progra~1\temp.dat	cmd.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\ime\update.dat	cmd.exe
File created	C:\Windows\ime\svchost.exe	cmd.exe
File opened for modification	C:\Windows\ime\svchost.exe	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\IESettingSync	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	svchost.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4824	svchost.exe
4824	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3452	svchost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	3452	svchost.exe
Token: SeIncBasePriorityPrivilege	3452	svchost.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3452	svchost.exe
3452	svchost.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 3912 wrote to memory of 4452	3912	d786cc6dcb8bd51cb9dac17408e7ccb5cadba535653278dfa0cc2e84b9b1b12e.exe	81
PID 3912 wrote to memory of 4452	3912	d786cc6dcb8bd51cb9dac17408e7ccb5cadba535653278dfa0cc2e84b9b1b12e.exe	81
PID 3912 wrote to memory of 4452	3912	d786cc6dcb8bd51cb9dac17408e7ccb5cadba535653278dfa0cc2e84b9b1b12e.exe	81
PID 4452 wrote to memory of 2508	4452	cmd.exe	84
PID 4452 wrote to memory of 2508	4452	cmd.exe	84
PID 4452 wrote to memory of 2508	4452	cmd.exe	84
PID 4452 wrote to memory of 3192	4452	cmd.exe	85
PID 4452 wrote to memory of 3192	4452	cmd.exe	85
PID 4452 wrote to memory of 3192	4452	cmd.exe	85
PID 4452 wrote to memory of 384	4452	cmd.exe	86
PID 4452 wrote to memory of 384	4452	cmd.exe	86
PID 4452 wrote to memory of 384	4452	cmd.exe	86
PID 4452 wrote to memory of 4712	4452	cmd.exe	87
PID 4452 wrote to memory of 4712	4452	cmd.exe	87
PID 4452 wrote to memory of 4712	4452	cmd.exe	87
PID 4712 wrote to memory of 1048	4712	fbja.exe	88
PID 4712 wrote to memory of 1048	4712	fbja.exe	88
PID 4712 wrote to memory of 1048	4712	fbja.exe	88
PID 1048 wrote to memory of 3452	1048	cmd.exe	90
PID 1048 wrote to memory of 3452	1048	cmd.exe	90
PID 1048 wrote to memory of 3452	1048	cmd.exe	90
PID 1048 wrote to memory of 4824	1048	cmd.exe	91
PID 1048 wrote to memory of 4824	1048	cmd.exe	91
PID 1048 wrote to memory of 4824	1048	cmd.exe	91

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
2508	attrib.exe

C:\Users\Admin\AppData\Local\Temp\d786cc6dcb8bd51cb9dac17408e7ccb5cadba535653278dfa0cc2e84b9b1b12e.exe
"C:\Users\Admin\AppData\Local\Temp\d786cc6dcb8bd51cb9dac17408e7ccb5cadba535653278dfa0cc2e84b9b1b12e.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3912
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\E17B.tmp\sso.bat" "
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:4452
- - C:\Windows\SysWOW64\attrib.exe
    attrib C:\Windows\system32\GroupPolicy\*.* -r -s -h /s /d
    3⤵
    - Drops file in System32 directory
    - Views/modifies file attributes
    PID:2508
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /y script.ini C:\Windows\System32\GroupPolicy\user\Scripts\
    3⤵
    - Drops file in System32 directory
    - Enumerates system info in registry
    PID:3192
- - C:\Windows\SysWOW64\gpupdate.exe
    gpupdate /force
    3⤵
    PID:384
- - C:\Progra~1\winrar\rar\fbja.exe
    C:\Progra~1\winrar\rar\fbja.exe
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:4712
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\19A2.tmp\ss1.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1048
    - - C:\Progra~1\winrar\rar\svchost.exe
        
        C:\Progra~1\winrar\rar\svchost.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Modifies Internet Explorer settings
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:3452
    - - C:\Windows\ime\svchost.exe
        
        C:\Windows\ime\svchost.exe C:\Windows\ime\update.dat,Launch
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:4824

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\winrar\rar\fbja.exe

Filesize
6.2MB

MD5
889081eb0d5404e38be721003228fe9d

SHA1
e6e7ca9a520bfcf61d96d859a62d8edee00d9b81

SHA256
ac1d6c4c77a339fe45203221dcf57aafb90bf58a075ef1fe534f869976023ca0

SHA512
0495c57bc2335c4e9a3a66aa2f20a9839f71560d87ad5d3847ab3adcf1ec19372493e8fa6b5b6c63e29f37b0d72d1f0f1f9f3381fc8eff3748bc2281dbefe10e

Download Submit
C:\Program Files\winrar\rar\fbja\svchost.dll

Filesize
10.1MB

MD5
435f5ed813b7e739a854fe2281459063

SHA1
fa0de73191267a3acd377b9f862472cc6806d6ef

SHA256
94b3b69def9de26c8170dd191bcd628c1bb34330c8787b9d3d59fa73510f26bc

SHA512
34f60fc24d71e2d0914c0a6694892d4033b964e7cd449ac643ea7f2b35ca323fb0aab68042b9be6a75618f7104393f601a69aff7c6315f0eda76dd34844ad7b9

Download Submit
C:\Program Files\winrar\rar\fbja\svchost.dll

Filesize
10.1MB

MD5
435f5ed813b7e739a854fe2281459063

SHA1
fa0de73191267a3acd377b9f862472cc6806d6ef

SHA256
94b3b69def9de26c8170dd191bcd628c1bb34330c8787b9d3d59fa73510f26bc

SHA512
34f60fc24d71e2d0914c0a6694892d4033b964e7cd449ac643ea7f2b35ca323fb0aab68042b9be6a75618f7104393f601a69aff7c6315f0eda76dd34844ad7b9

Download Submit
C:\Program Files\winrar\rar\svchost.exe

Filesize
9.6MB

MD5
00b9669eadd5477c475d49eb364dc925

SHA1
c56e47ea645419165d9d4a00d1bf8ea465cba298

SHA256
b73aa406698049c5cb8be321960b3fe02b3abd2e0336cb001cab98f6b2399b3f

SHA512
b52b56865b946fef8150ce3b5f57c83297f304e8348116fb11ed814003be11716188e92ef60af391b32c16f95803f9f2558754be9d9a42db9843e1a454a8befd

Download Submit
C:\Progra~1\winrar\rar\fbja.exe

Filesize
6.2MB

MD5
889081eb0d5404e38be721003228fe9d

SHA1
e6e7ca9a520bfcf61d96d859a62d8edee00d9b81

SHA256
ac1d6c4c77a339fe45203221dcf57aafb90bf58a075ef1fe534f869976023ca0

SHA512
0495c57bc2335c4e9a3a66aa2f20a9839f71560d87ad5d3847ab3adcf1ec19372493e8fa6b5b6c63e29f37b0d72d1f0f1f9f3381fc8eff3748bc2281dbefe10e

Download Submit
C:\Progra~1\winrar\rar\fbja\svchost.dll

Filesize
10.1MB

MD5
435f5ed813b7e739a854fe2281459063

SHA1
fa0de73191267a3acd377b9f862472cc6806d6ef

SHA256
94b3b69def9de26c8170dd191bcd628c1bb34330c8787b9d3d59fa73510f26bc

SHA512
34f60fc24d71e2d0914c0a6694892d4033b964e7cd449ac643ea7f2b35ca323fb0aab68042b9be6a75618f7104393f601a69aff7c6315f0eda76dd34844ad7b9

Download Submit
C:\Progra~1\winrar\rar\svchost.exe

Filesize
9.6MB

MD5
00b9669eadd5477c475d49eb364dc925

SHA1
c56e47ea645419165d9d4a00d1bf8ea465cba298

SHA256
b73aa406698049c5cb8be321960b3fe02b3abd2e0336cb001cab98f6b2399b3f

SHA512
b52b56865b946fef8150ce3b5f57c83297f304e8348116fb11ed814003be11716188e92ef60af391b32c16f95803f9f2558754be9d9a42db9843e1a454a8befd

Download Submit
C:\Users\Admin\AppData\Local\Temp\19A2.tmp\ss1.bat

Filesize
103B

MD5
09efc00b239d2a92a065f4f94820500c

SHA1
7d66f781174a77da465d066f003e149c2e61a7d3

SHA256
ecc7bc8655292d1397246d87cafd25953ffb1a0e53dc17a8a1ca9d6ba0a76062

SHA512
efff235bc25e293d34c4b5e975310a4801edd2168af36089553319d5733e39f5d845214b347685acfa708196e24bcc825885a5ea6fc73655c28869add7ff988b

Download Submit
C:\Users\Admin\AppData\Local\Temp\E17B.tmp\script.ini

Filesize
205B

MD5
4195ba71f08dd804cc7b649c5b18dad3

SHA1
4247cf266c707ce1685132f75a29fa7c23eb9923

SHA256
10a6d1bb60fda3d5e99ed4ffdc8c86f54454c48175ad12cf299afab6191199c7

SHA512
69e22d21e963c0badbb13dfd09174fe27c971e22a8fd9813c0fe32e41a50e9951c152f4b72a392ed5dfe93ce4bc8361a4ed2e3b9e6042617b8f09c46b9cc551b

Download Submit
C:\Users\Admin\AppData\Local\Temp\E17B.tmp\ss1.exe

Filesize
6.2MB

MD5
889081eb0d5404e38be721003228fe9d

SHA1
e6e7ca9a520bfcf61d96d859a62d8edee00d9b81

SHA256
ac1d6c4c77a339fe45203221dcf57aafb90bf58a075ef1fe534f869976023ca0

SHA512
0495c57bc2335c4e9a3a66aa2f20a9839f71560d87ad5d3847ab3adcf1ec19372493e8fa6b5b6c63e29f37b0d72d1f0f1f9f3381fc8eff3748bc2281dbefe10e

Download Submit
C:\Users\Admin\AppData\Local\Temp\E17B.tmp\ss2.exe

Filesize
9.6MB

MD5
00b9669eadd5477c475d49eb364dc925

SHA1
c56e47ea645419165d9d4a00d1bf8ea465cba298

SHA256
b73aa406698049c5cb8be321960b3fe02b3abd2e0336cb001cab98f6b2399b3f

SHA512
b52b56865b946fef8150ce3b5f57c83297f304e8348116fb11ed814003be11716188e92ef60af391b32c16f95803f9f2558754be9d9a42db9843e1a454a8befd

Download Submit
C:\Users\Admin\AppData\Local\Temp\E17B.tmp\ss3.dll

Filesize
10.1MB

MD5
435f5ed813b7e739a854fe2281459063

SHA1
fa0de73191267a3acd377b9f862472cc6806d6ef

SHA256
94b3b69def9de26c8170dd191bcd628c1bb34330c8787b9d3d59fa73510f26bc

SHA512
34f60fc24d71e2d0914c0a6694892d4033b964e7cd449ac643ea7f2b35ca323fb0aab68042b9be6a75618f7104393f601a69aff7c6315f0eda76dd34844ad7b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\E17B.tmp\sso.bat

Filesize
1KB

MD5
1d245ea97d0db5b3b4404f2d01470bf6

SHA1
2915edb8365a05ec97ec6c54eb4db076248a926d

SHA256
9cb513ebfa42cdbbe078a4576246e56e28762c684fb74ac58344cd812811d528

SHA512
91a285b15788b84ce2ee2ce8e7ca8c3d2d166aa7d66569c72fffd57bd0c54e6be2009df8c2c25f89c1d1ee6bc8278cf55aeb5eac21318b778070735d084fa3e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\E17B.tmp\woti.dat

Filesize
11.1MB

MD5
64187fa7c8adad91e877b8b98459c222

SHA1
64c2c7e0c10865e359eba83f95a4614da5ed357b

SHA256
f2f150da782426472ed62a68d92d4e70229ce50cfb8b4c938b364dcaeeb3268c

SHA512
93e4933145d04206d1d18bde496a14e5f087bd842e61f77e5473b6a485537a0ea09219b31b05291b51b51f37993bf2bb622507371cd7a3b8b5cc621b15af6722

Download Submit
C:\Windows\IME\svchost.exe

Filesize
60KB

MD5
889b99c52a60dd49227c5e485a016679

SHA1
8fa889e456aa646a4d0a4349977430ce5fa5e2d7

SHA256
6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910

SHA512
08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641

Download Submit
C:\Windows\IME\update.dat

Filesize
11.1MB

MD5
64187fa7c8adad91e877b8b98459c222

SHA1
64c2c7e0c10865e359eba83f95a4614da5ed357b

SHA256
f2f150da782426472ed62a68d92d4e70229ce50cfb8b4c938b364dcaeeb3268c

SHA512
93e4933145d04206d1d18bde496a14e5f087bd842e61f77e5473b6a485537a0ea09219b31b05291b51b51f37993bf2bb622507371cd7a3b8b5cc621b15af6722

Download Submit
C:\Windows\SysWOW64\GroupPolicy\user\Scripts\script.ini

Filesize
205B

MD5
4195ba71f08dd804cc7b649c5b18dad3

SHA1
4247cf266c707ce1685132f75a29fa7c23eb9923

SHA256
10a6d1bb60fda3d5e99ed4ffdc8c86f54454c48175ad12cf299afab6191199c7

SHA512
69e22d21e963c0badbb13dfd09174fe27c971e22a8fd9813c0fe32e41a50e9951c152f4b72a392ed5dfe93ce4bc8361a4ed2e3b9e6042617b8f09c46b9cc551b

Download Submit
C:\Windows\ime\svchost.exe

Filesize
60KB

MD5
889b99c52a60dd49227c5e485a016679

SHA1
8fa889e456aa646a4d0a4349977430ce5fa5e2d7

SHA256
6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910

SHA512
08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641

Download Submit
C:\Windows\ime\update.dat

Filesize
11.1MB

MD5
64187fa7c8adad91e877b8b98459c222

SHA1
64c2c7e0c10865e359eba83f95a4614da5ed357b

SHA256
f2f150da782426472ed62a68d92d4e70229ce50cfb8b4c938b364dcaeeb3268c

SHA512
93e4933145d04206d1d18bde496a14e5f087bd842e61f77e5473b6a485537a0ea09219b31b05291b51b51f37993bf2bb622507371cd7a3b8b5cc621b15af6722

Download Submit
memory/3452-164-0x0000000002B40000-0x0000000002C60000-memory.dmp

Filesize
1.1MB

Download
memory/3912-132-0x0000000000400000-0x0000000002920000-memory.dmp

Filesize
37.1MB

Download
memory/3912-144-0x0000000000400000-0x0000000002920000-memory.dmp

Filesize
37.1MB

Download
memory/3912-153-0x0000000000400000-0x0000000002920000-memory.dmp

Filesize
37.1MB

Download
memory/4712-156-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4712-161-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4824-165-0x0000000073B50000-0x0000000073C69000-memory.dmp

Filesize
1.1MB

Download
memory/4824-166-0x0000000073B50000-0x0000000073C69000-memory.dmp

Filesize
1.1MB

Download