861b129ee262305212a02a67f1a040615e54466f30161be8f9b6572b5c6c858d

Analysis

max time kernel
203s
max time network
203s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
03/12/2022, 01:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

861b129ee262305212a02a67f1a040615e54466f30161be8f9b6572b5c6c858d.exe
Size

3.7MB
MD5

f3b7c340b037e4dd587433f88f0a935d
SHA1

f190469979fbc12f9a68be3057cf23371669c06c
SHA256

861b129ee262305212a02a67f1a040615e54466f30161be8f9b6572b5c6c858d
SHA512

497fe341db208033c9d60a7991ccd61503886fcbabfa10b3bbf40e615243f1bc05de9c15735c275063eb66a40fbdd5c56ff8348fd5a4b71c54217f15716f4d60
SSDEEP

98304:Co0x08Z6EUhulnlc9R3UfHOjTv8ZEO4Tg7y35k1K7FtBh2ag:CRxjJUQlneMfHOjTvkeY+lLg

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
5020	rinst.exe
2780	InstantDemoSetup.exe
1376	sg.exe
4720	EXE7976.tmp

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	861b129ee262305212a02a67f1a040615e54466f30161be8f9b6572b5c6c858d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	rinst.exe

Loads dropped DLL 4 IoCs

pid	Process
1376	sg.exe
2780	InstantDemoSetup.exe
936	861b129ee262305212a02a67f1a040615e54466f30161be8f9b6572b5c6c858d.exe
4720	EXE7976.tmp

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	sg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sg = "C:\\Windows\\SysWOW64\\sg.exe"	sg.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\rinst.exe	rinst.exe
File opened for modification	C:\Windows\SysWOW64\pk.bin	sg.exe
File created	C:\Windows\SysWOW64\pk.bin	rinst.exe
File created	C:\Windows\SysWOW64\sg.exe	rinst.exe
File created	C:\Windows\SysWOW64\sghk.dll	rinst.exe
File created	C:\Windows\SysWOW64\inst.dat	rinst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5020	rinst.exe
5020	rinst.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1376	sg.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1376	sg.exe
1376	sg.exe
1376	sg.exe
1376	sg.exe
1376	sg.exe
1376	sg.exe
1376	sg.exe
1376	sg.exe
1376	sg.exe
1376	sg.exe
1376	sg.exe
1376	sg.exe
1376	sg.exe
1376	sg.exe
1376	sg.exe
1376	sg.exe
1376	sg.exe
1376	sg.exe
1376	sg.exe
1376	sg.exe
1376	sg.exe
1376	sg.exe
1376	sg.exe
1376	sg.exe
1376	sg.exe
1376	sg.exe
1376	sg.exe
1376	sg.exe
1376	sg.exe
1376	sg.exe
1376	sg.exe
1376	sg.exe
1376	sg.exe
1376	sg.exe
1376	sg.exe
1376	sg.exe
1376	sg.exe
1376	sg.exe
1376	sg.exe
1376	sg.exe
1376	sg.exe
1376	sg.exe
1376	sg.exe
1376	sg.exe
1376	sg.exe
1376	sg.exe
1376	sg.exe
1376	sg.exe
1376	sg.exe
1376	sg.exe
1376	sg.exe
1376	sg.exe
1376	sg.exe
1376	sg.exe
1376	sg.exe
1376	sg.exe
1376	sg.exe
1376	sg.exe
1376	sg.exe
1376	sg.exe
1376	sg.exe
1376	sg.exe
1376	sg.exe
1376	sg.exe

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
1376	sg.exe
1376	sg.exe
1376	sg.exe
1376	sg.exe
1376	sg.exe
1376	sg.exe
1376	sg.exe
4720	EXE7976.tmp
4720	EXE7976.tmp
1376	sg.exe
1376	sg.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 936 wrote to memory of 5020	936	861b129ee262305212a02a67f1a040615e54466f30161be8f9b6572b5c6c858d.exe	82
PID 936 wrote to memory of 5020	936	861b129ee262305212a02a67f1a040615e54466f30161be8f9b6572b5c6c858d.exe	82
PID 936 wrote to memory of 5020	936	861b129ee262305212a02a67f1a040615e54466f30161be8f9b6572b5c6c858d.exe	82
PID 5020 wrote to memory of 2780	5020	rinst.exe	83
PID 5020 wrote to memory of 2780	5020	rinst.exe	83
PID 5020 wrote to memory of 2780	5020	rinst.exe	83
PID 5020 wrote to memory of 1376	5020	rinst.exe	84
PID 5020 wrote to memory of 1376	5020	rinst.exe	84
PID 5020 wrote to memory of 1376	5020	rinst.exe	84
PID 2780 wrote to memory of 4720	2780	InstantDemoSetup.exe	85
PID 2780 wrote to memory of 4720	2780	InstantDemoSetup.exe	85
PID 2780 wrote to memory of 4720	2780	InstantDemoSetup.exe	85

C:\Users\Admin\AppData\Local\Temp\861b129ee262305212a02a67f1a040615e54466f30161be8f9b6572b5c6c858d.exe
"C:\Users\Admin\AppData\Local\Temp\861b129ee262305212a02a67f1a040615e54466f30161be8f9b6572b5c6c858d.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:936
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:5020
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\InstantDemoSetup.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\InstantDemoSetup.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2780
  - - C:\Users\Admin\AppData\Local\Temp\EXE7976.tmp
      C:\Users\Admin\AppData\Local\Temp\EXE7976.tmp C:\Users\Admin\AppData\Local\Temp\RarSFX0\InstantDemoSetup.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      PID:4720
- - C:\Windows\SysWOW64\sg.exe
    C:\Windows\system32\sg.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:1376

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\EXE7976.tmp

Filesize
4.9MB

MD5
51f93d3060459b351c48fcc0a5f01eb1

SHA1
f6a70b8cbd566df0049bfcd3f2e4f6e3a7209767

SHA256
9b53b51fd3cc8cff2c3c23e3dbbe792bf791a7b4ccf2b7b0f4104d7a84387a32

SHA512
47ad46bbf5636d0d65217d8d7091fc4b4b91cc1962143f3f53dbeee552faf48817c7416e40ef5be6a71ee62a508761519fdbd056507ab8a95923c74cf19c458c

Download Submit
C:\Users\Admin\AppData\Local\Temp\EXE7976.tmp

Filesize
4.9MB

MD5
51f93d3060459b351c48fcc0a5f01eb1

SHA1
f6a70b8cbd566df0049bfcd3f2e4f6e3a7209767

SHA256
9b53b51fd3cc8cff2c3c23e3dbbe792bf791a7b4ccf2b7b0f4104d7a84387a32

SHA512
47ad46bbf5636d0d65217d8d7091fc4b4b91cc1962143f3f53dbeee552faf48817c7416e40ef5be6a71ee62a508761519fdbd056507ab8a95923c74cf19c458c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\InstantDemoSetup.exe

Filesize
3.4MB

MD5
1508454e16dceb6aa202bee1bdf45cb5

SHA1
7be5558b9073c233e03d2b72caa80e9981a3d918

SHA256
ee22fd57fa9734cbaf6290e7bceb8cd7d54a54ffe5c79755099726221efe8557

SHA512
ff97e0923f05552caef84d4d7629597fcb48a465dd78f870fa8f90dbe7115c653544910d0df3587931f15bd389d41084516dd363e7118146e9c90fe7492057c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\InstantDemoSetup.exe

Filesize
3.4MB

MD5
1508454e16dceb6aa202bee1bdf45cb5

SHA1
7be5558b9073c233e03d2b72caa80e9981a3d918

SHA256
ee22fd57fa9734cbaf6290e7bceb8cd7d54a54ffe5c79755099726221efe8557

SHA512
ff97e0923f05552caef84d4d7629597fcb48a465dd78f870fa8f90dbe7115c653544910d0df3587931f15bd389d41084516dd363e7118146e9c90fe7492057c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\inst.dat

Filesize
1KB

MD5
6bd00f7876b1ff501961a6d039e083bb

SHA1
c7d0abed6b489e735ff27f12324e0c2a60bccd65

SHA256
e1b63e9a8ad37c5586530c046df9ef934b168909302c87f02a1e7263546175ff

SHA512
0c2189a36d2f99dd49c8091f0d3668348292648c99ea3b913900931f628c61702f4ce050cbda8270a77f3a38c30354da7302d33327945bd662c9edb311010b33

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\pk.bin

Filesize
7KB

MD5
946141efdfd0f27483a2ab9762bdc6b3

SHA1
b3dbcbf5fc42ac2b4631e00b8c8659a408695400

SHA256
b0f8fd6ce7f606d67f03d7e44e6540b9656d163efa30301f285e0d04fd03da62

SHA512
9893065cc5220dd8655c7e0fff5fa1b81678d8ea991d403f727f797a3685a8beb8341d022be0fab9fbe3eb615a4cff36d8e334ee413f04218e95e2676a09b69c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe

Filesize
22KB

MD5
9a00d512f9e1464ad793702cf2b1eda0

SHA1
39a47a90cd3dd132dbab9f5052dda38dbd7c63f6

SHA256
98d257f639ee9df968f77b1f66c78230d07d86e58a7ddf0d306a24af3873dc5b

SHA512
18604f20351db1d418f48f2eb023be07588754b428b5d6abb0a7c40d6bf174ce7dcab2ae6e06f22585e12f1bfdb6e408b17bf20e2a7ba137620002ac04b8b4ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe

Filesize
22KB

MD5
9a00d512f9e1464ad793702cf2b1eda0

SHA1
39a47a90cd3dd132dbab9f5052dda38dbd7c63f6

SHA256
98d257f639ee9df968f77b1f66c78230d07d86e58a7ddf0d306a24af3873dc5b

SHA512
18604f20351db1d418f48f2eb023be07588754b428b5d6abb0a7c40d6bf174ce7dcab2ae6e06f22585e12f1bfdb6e408b17bf20e2a7ba137620002ac04b8b4ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\sg.exe

Filesize
408KB

MD5
48edfb7e461533358ea3994f7348b95c

SHA1
43f44347294afdfe85a6440af22e165b14fe1cfb

SHA256
136e0c4915fd7af5d95e05ff8d30d82f31d0b7ad3a40cef08d56a9b9924c3615

SHA512
0aed5813b2800bdaecc3c6b47a580aaa3575a86733ad50ac8734d6e93fa85874da0404a8b6cc16ee30f179b1a2e31e011571aad736ab752c3fa58080db39aff4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\sghk.dll

Filesize
21KB

MD5
90154bf867408c8859cc3046c683e99d

SHA1
b29c7af7ebdb34c33e6c12e3e1dd87a527ca5e95

SHA256
e20750f97f545cacbdf6f849f700a4f299a0bccef632174d58389bfdfeee37b2

SHA512
1379e2213a21d96c65a0ab75ff1a504d8f4592a449af1963245b23d692249d914a30bc34c288e5911274fe7c053dcf4ea57e938190bf98a28a588823ae059c58

Download Submit
C:\Windows\SysWOW64\inst.dat

Filesize
1KB

MD5
6bd00f7876b1ff501961a6d039e083bb

SHA1
c7d0abed6b489e735ff27f12324e0c2a60bccd65

SHA256
e1b63e9a8ad37c5586530c046df9ef934b168909302c87f02a1e7263546175ff

SHA512
0c2189a36d2f99dd49c8091f0d3668348292648c99ea3b913900931f628c61702f4ce050cbda8270a77f3a38c30354da7302d33327945bd662c9edb311010b33

Download Submit
C:\Windows\SysWOW64\pk.bin

Filesize
7KB

MD5
a98d8bc3e63bb8d9a02fb0ee68038a74

SHA1
a5c06e97b544e0ed049ae9041676960e2b0c65e8

SHA256
d9b5dce8e3b500c629827269f2752f5e9c82f91caab3c2492fa67892fdc338a4

SHA512
32d6c558db2b6e47298ed30db0e5c0a754afecdf3dbc5e57ec1b756bfaf32d810ba4420272337a2717e0f9990207d3ece6c7e50f2b80c6b4c7eb3a11bee2f0f9

Download Submit
C:\Windows\SysWOW64\rinst.exe

Filesize
22KB

MD5
9a00d512f9e1464ad793702cf2b1eda0

SHA1
39a47a90cd3dd132dbab9f5052dda38dbd7c63f6

SHA256
98d257f639ee9df968f77b1f66c78230d07d86e58a7ddf0d306a24af3873dc5b

SHA512
18604f20351db1d418f48f2eb023be07588754b428b5d6abb0a7c40d6bf174ce7dcab2ae6e06f22585e12f1bfdb6e408b17bf20e2a7ba137620002ac04b8b4ba

Download Submit
C:\Windows\SysWOW64\sg.exe

Filesize
408KB

MD5
a635bc1492e4c39ef47ed617d3dfe491

SHA1
353ae5d543aee4bd2084798308a82361336b34fb

SHA256
cd06f57e2e2956c634f851eb92666e9e24557fffbfcd098686e3d7fe03d8ffed

SHA512
e152eaaebc4a6a48d32ed2382e048f171d35200d1654cfb241f57612b655e921b8645e700f011d3638fda4bbc7f50e90ebdc24398664a9e553540b15a006b226

Download Submit
C:\Windows\SysWOW64\sg.exe

Filesize
408KB

MD5
a635bc1492e4c39ef47ed617d3dfe491

SHA1
353ae5d543aee4bd2084798308a82361336b34fb

SHA256
cd06f57e2e2956c634f851eb92666e9e24557fffbfcd098686e3d7fe03d8ffed

SHA512
e152eaaebc4a6a48d32ed2382e048f171d35200d1654cfb241f57612b655e921b8645e700f011d3638fda4bbc7f50e90ebdc24398664a9e553540b15a006b226

Download Submit
C:\Windows\SysWOW64\sghk.dll

Filesize
21KB

MD5
a11068817ba83d7b8c61a5c53c5a72ab

SHA1
cf4685ae095d5b1e92062c9d299cf9d250b6bab2

SHA256
0ee6154256e55de7d451e729c590f5bbf65479503099c3dfeaa10deac6fe4901

SHA512
a5ef2ec37eaf688c1fa926349227d25de1c5568c5630e56f8e5e3104ae6ee45275de8599d33d164cd2fc7c5b5dd853433e4228ff553d83228ae3f925446e9bae

Download Submit
C:\Windows\SysWOW64\sghk.dll

Filesize
21KB

MD5
a11068817ba83d7b8c61a5c53c5a72ab

SHA1
cf4685ae095d5b1e92062c9d299cf9d250b6bab2

SHA256
0ee6154256e55de7d451e729c590f5bbf65479503099c3dfeaa10deac6fe4901

SHA512
a5ef2ec37eaf688c1fa926349227d25de1c5568c5630e56f8e5e3104ae6ee45275de8599d33d164cd2fc7c5b5dd853433e4228ff553d83228ae3f925446e9bae

Download Submit
C:\Windows\SysWOW64\sghk.dll

Filesize
21KB

MD5
a11068817ba83d7b8c61a5c53c5a72ab

SHA1
cf4685ae095d5b1e92062c9d299cf9d250b6bab2

SHA256
0ee6154256e55de7d451e729c590f5bbf65479503099c3dfeaa10deac6fe4901

SHA512
a5ef2ec37eaf688c1fa926349227d25de1c5568c5630e56f8e5e3104ae6ee45275de8599d33d164cd2fc7c5b5dd853433e4228ff553d83228ae3f925446e9bae

Download Submit
C:\Windows\SysWOW64\sghk.dll

Filesize
21KB

MD5
a11068817ba83d7b8c61a5c53c5a72ab

SHA1
cf4685ae095d5b1e92062c9d299cf9d250b6bab2

SHA256
0ee6154256e55de7d451e729c590f5bbf65479503099c3dfeaa10deac6fe4901

SHA512
a5ef2ec37eaf688c1fa926349227d25de1c5568c5630e56f8e5e3104ae6ee45275de8599d33d164cd2fc7c5b5dd853433e4228ff553d83228ae3f925446e9bae

Download Submit
C:\Windows\SysWOW64\sghk.dll

Filesize
21KB

MD5
a11068817ba83d7b8c61a5c53c5a72ab

SHA1
cf4685ae095d5b1e92062c9d299cf9d250b6bab2

SHA256
0ee6154256e55de7d451e729c590f5bbf65479503099c3dfeaa10deac6fe4901

SHA512
a5ef2ec37eaf688c1fa926349227d25de1c5568c5630e56f8e5e3104ae6ee45275de8599d33d164cd2fc7c5b5dd853433e4228ff553d83228ae3f925446e9bae

Download Submit