a5bfeac3c17057fad8f565e7c0f1d4b46bf00e85c3f7282f57b243b800dd9f90

Analysis

max time kernel
90s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
03/12/2022, 00:33

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a5bfeac3c17057fad8f565e7c0f1d4b46bf00e85c3f7282f57b243b800dd9f90.exe
Size

439KB
MD5

ca04af4195cc5ac0be022c1ec62deb36
SHA1

4050042b5b3aaeb9715e62b917162d895577ec85
SHA256

a5bfeac3c17057fad8f565e7c0f1d4b46bf00e85c3f7282f57b243b800dd9f90
SHA512

ae49435465b0d7db1058d854cc8f4d1d415ed52908c5943880bca9e388b11b368ad47446eeb6c295b14dc5c79f12fb84598d5e1e63bf04f1d9c3207c94f2108d
SSDEEP

6144:5ZunObR8sVImcyYC5J7Y5XlCdraWDgfjrfhartBI+zlbKvCB2txqWwKQ3GdYuxPt:WK+mzwNE/Ds3fM20lHmYWwH3zuxPnt

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2128	loadwg.exe
5036	jrwg.exe
2576	GTH67399.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0003000000022df2-133.dat	upx
behavioral2/files/0x0003000000022df2-134.dat	upx
behavioral2/files/0x0002000000022df3-137.dat	upx
behavioral2/files/0x0002000000022df3-136.dat	upx
behavioral2/memory/2128-145-0x0000000000400000-0x00000000004AC000-memory.dmp	upx
behavioral2/memory/5036-141-0x0000000000400000-0x0000000000449000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	a5bfeac3c17057fad8f565e7c0f1d4b46bf00e85c3f7282f57b243b800dd9f90.exe

Loads dropped DLL 2 IoCs

pid	Process
5036	jrwg.exe
2576	GTH67399.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/2128-145-0x0000000000400000-0x00000000004AC000-memory.dmp	autoit_exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\uhfdd.dll	jrwg.exe
File opened for modification	C:\Windows\SysWOW64\uhfdd.dll	jrwg.exe
File created	C:\Windows\SysWOW64\comres.dll	jrwg.exe
File created	C:\Windows\SysWOW64\GTH67399.exe	jrwg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\fOnTs\comres1.ttf	jrwg.exe
File created	C:\Windows\fOnTs\GTH67399.ttf	jrwg.exe
File created	C:\Windows\fOnTs\GTH67399.fon	jrwg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
5036	jrwg.exe
5036	jrwg.exe
2576	GTH67399.exe
2576	GTH67399.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2128	loadwg.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2576	GTH67399.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2200 wrote to memory of 2128	2200	a5bfeac3c17057fad8f565e7c0f1d4b46bf00e85c3f7282f57b243b800dd9f90.exe	81
PID 2200 wrote to memory of 2128	2200	a5bfeac3c17057fad8f565e7c0f1d4b46bf00e85c3f7282f57b243b800dd9f90.exe	81
PID 2200 wrote to memory of 2128	2200	a5bfeac3c17057fad8f565e7c0f1d4b46bf00e85c3f7282f57b243b800dd9f90.exe	81
PID 2128 wrote to memory of 5036	2128	loadwg.exe	82
PID 2128 wrote to memory of 5036	2128	loadwg.exe	82
PID 2128 wrote to memory of 5036	2128	loadwg.exe	82
PID 5036 wrote to memory of 2576	5036	jrwg.exe	83
PID 5036 wrote to memory of 2576	5036	jrwg.exe	83
PID 5036 wrote to memory of 2576	5036	jrwg.exe	83

C:\Users\Admin\AppData\Local\Temp\a5bfeac3c17057fad8f565e7c0f1d4b46bf00e85c3f7282f57b243b800dd9f90.exe
"C:\Users\Admin\AppData\Local\Temp\a5bfeac3c17057fad8f565e7c0f1d4b46bf00e85c3f7282f57b243b800dd9f90.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2200
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\loadwg.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\loadwg.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  PID:2128
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\jrwg.exe
    jrwg.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:5036
  - - C:\Windows\SysWOW64\GTH67399.exe
      C:\Windows\system32\GTH67399.exe C:\Windows\fOnTs\comres1.ttf dns C:\Users\Admin\AppData\Local\Temp\RarSFX0\jrwg.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:2576

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\jrwg.exe

Filesize
14KB

MD5
bb6aa709f345898ab216465e7d66a8c2

SHA1
86e549ed15873b9ddec5e5fb63016c7dbabf2382

SHA256
b9886033631894f550405f4f3620d24810821d2b77001595a125130851a67c79

SHA512
afc1bb687c3f5caa44d4a7b9aaac93f827340bd052e232bff7543935430f28a1d597f8cc575ceeebe0390b11f760a60eedc911833e0a61f50ceb59df390488a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\jrwg.exe

Filesize
14KB

MD5
bb6aa709f345898ab216465e7d66a8c2

SHA1
86e549ed15873b9ddec5e5fb63016c7dbabf2382

SHA256
b9886033631894f550405f4f3620d24810821d2b77001595a125130851a67c79

SHA512
afc1bb687c3f5caa44d4a7b9aaac93f827340bd052e232bff7543935430f28a1d597f8cc575ceeebe0390b11f760a60eedc911833e0a61f50ceb59df390488a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\loadwg.exe

Filesize
333KB

MD5
5a74f1a22e11a717cff8bd4f6f18913d

SHA1
459db43f79a38a9d67aeb248328039eb6c77ac43

SHA256
0e32d8dbe4d9861956539fa69bc3475bedcf1d02f42807b651d2d699928c1d6a

SHA512
bee37a8e334329e4e4fb27f4b9850924aeb2a363d93c770af0dc61ac3b5794b5bf1fecf2978c1cd4a2a0d29a645b49bab78d219480680241792062493249ddaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\loadwg.exe

Filesize
333KB

MD5
5a74f1a22e11a717cff8bd4f6f18913d

SHA1
459db43f79a38a9d67aeb248328039eb6c77ac43

SHA256
0e32d8dbe4d9861956539fa69bc3475bedcf1d02f42807b651d2d699928c1d6a

SHA512
bee37a8e334329e4e4fb27f4b9850924aeb2a363d93c770af0dc61ac3b5794b5bf1fecf2978c1cd4a2a0d29a645b49bab78d219480680241792062493249ddaa

Download Submit
C:\Windows\Fonts\comres1.ttf

Filesize
162KB

MD5
68a2fd2a8e318cfdaa5aa84eb1a1c9dd

SHA1
8c97dd28abec8803819cb7f7f07891f63566c908

SHA256
65a9dfeaf389eaf89c7c2d5ef2e8db4dbcc229a440294f25452849961bd4e65b

SHA512
70be165305727e9aa4ed1448cfffa81a084a411ac445776ec450408d4b8722d6821999bc262912ab2e0ba302701c9d2ce363f2a8bb8ffbd6354abd883f31215a

Download Submit
C:\Windows\SysWOW64\GTH67399.exe

Filesize
60KB

MD5
889b99c52a60dd49227c5e485a016679

SHA1
8fa889e456aa646a4d0a4349977430ce5fa5e2d7

SHA256
6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910

SHA512
08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641

Download Submit
C:\Windows\SysWOW64\GTH67399.exe

Filesize
60KB

MD5
889b99c52a60dd49227c5e485a016679

SHA1
8fa889e456aa646a4d0a4349977430ce5fa5e2d7

SHA256
6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910

SHA512
08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641

Download Submit
C:\Windows\SysWOW64\uhfdd.dll

Filesize
48KB

MD5
98c499fccb739ab23b75c0d8b98e0481

SHA1
0ef5c464823550d5f53dd485e91dabc5d5a1ba0a

SHA256
d9d8ce1b86b3978889466ab1b9f46778942d276922bf7533327a493083913087

SHA512
9e64ac13e18ab0a518bb85b6612520645b5ab2c9a5359ced943813ba7344714999f25ba0e52240ad2d0c2fefc76552ff43173adc46334ff0b5dba171fb58e4e6

Download Submit
C:\Windows\fOnTs\comres1.ttf

Filesize
162KB

MD5
68a2fd2a8e318cfdaa5aa84eb1a1c9dd

SHA1
8c97dd28abec8803819cb7f7f07891f63566c908

SHA256
65a9dfeaf389eaf89c7c2d5ef2e8db4dbcc229a440294f25452849961bd4e65b

SHA512
70be165305727e9aa4ed1448cfffa81a084a411ac445776ec450408d4b8722d6821999bc262912ab2e0ba302701c9d2ce363f2a8bb8ffbd6354abd883f31215a

Download Submit
memory/2128-145-0x0000000000400000-0x00000000004AC000-memory.dmp

Filesize
688KB

Download
memory/5036-141-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download