b320829f85280d1cbd6f5beee12e7f608770f9cbf444fd75cefce0de84adcb63

Analysis

max time kernel
138s
max time network
166s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
03/12/2022, 04:12

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

b320829f85280d1cbd6f5beee12e7f608770f9cbf444fd75cefce0de84adcb63.exe
Size

247KB
MD5

3e1b481f46583e55fabf462bdb916994
SHA1

33f689aa06830774de2a1a40f1d75e52d14f108a
SHA256

b320829f85280d1cbd6f5beee12e7f608770f9cbf444fd75cefce0de84adcb63
SHA512

cf525c4a5f90931640bb7b0f06f9e898a34977e9bd64d12002943ce62b0a0e41a5c414eec4154bfc7d59a5f9a965e1b8e2b6db567730180366a32d8a2fac7781
SSDEEP

6144:BHeZy02lh5aa4F+Vwa8KcZhFGEIViqY9xtKKNU6I/Oeutl:Ea+lF+VwKcsiN9Ls2

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4328	inlE63F.tmp

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	inlE63F.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	b320829f85280d1cbd6f5beee12e7f608770f9cbf444fd75cefce0de84adcb63.exe

Loads dropped DLL 2 IoCs

pid	Process
5016	MsiExec.exe
5016	MsiExec.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File created	C:\Windows\Installer\e56eb30.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e56eb30.msi	msiexec.exe
File opened for modification	C:\Windows\LOGS\DPX\setupact.log	expand.exe
File opened for modification	C:\Windows\LOGS\DPX\setuperr.log	expand.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF2D1.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI763.tmp	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	b320829f85280d1cbd6f5beee12e7f608770f9cbf444fd75cefce0de84adcb63.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3880	b320829f85280d1cbd6f5beee12e7f608770f9cbf444fd75cefce0de84adcb63.exe
3880	b320829f85280d1cbd6f5beee12e7f608770f9cbf444fd75cefce0de84adcb63.exe

Suspicious use of AdjustPrivilegeToken 40 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3940	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3940	msiexec.exe
Token: SeSecurityPrivilege	4052	msiexec.exe
Token: SeCreateTokenPrivilege	3940	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3940	msiexec.exe
Token: SeLockMemoryPrivilege	3940	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3940	msiexec.exe
Token: SeMachineAccountPrivilege	3940	msiexec.exe
Token: SeTcbPrivilege	3940	msiexec.exe
Token: SeSecurityPrivilege	3940	msiexec.exe
Token: SeTakeOwnershipPrivilege	3940	msiexec.exe
Token: SeLoadDriverPrivilege	3940	msiexec.exe
Token: SeSystemProfilePrivilege	3940	msiexec.exe
Token: SeSystemtimePrivilege	3940	msiexec.exe
Token: SeProfSingleProcessPrivilege	3940	msiexec.exe
Token: SeIncBasePriorityPrivilege	3940	msiexec.exe
Token: SeCreatePagefilePrivilege	3940	msiexec.exe
Token: SeCreatePermanentPrivilege	3940	msiexec.exe
Token: SeBackupPrivilege	3940	msiexec.exe
Token: SeRestorePrivilege	3940	msiexec.exe
Token: SeShutdownPrivilege	3940	msiexec.exe
Token: SeDebugPrivilege	3940	msiexec.exe
Token: SeAuditPrivilege	3940	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3940	msiexec.exe
Token: SeChangeNotifyPrivilege	3940	msiexec.exe
Token: SeRemoteShutdownPrivilege	3940	msiexec.exe
Token: SeUndockPrivilege	3940	msiexec.exe
Token: SeSyncAgentPrivilege	3940	msiexec.exe
Token: SeEnableDelegationPrivilege	3940	msiexec.exe
Token: SeManageVolumePrivilege	3940	msiexec.exe
Token: SeImpersonatePrivilege	3940	msiexec.exe
Token: SeCreateGlobalPrivilege	3940	msiexec.exe
Token: SeIncBasePriorityPrivilege	3880	b320829f85280d1cbd6f5beee12e7f608770f9cbf444fd75cefce0de84adcb63.exe
Token: SeRestorePrivilege	4052	msiexec.exe
Token: SeTakeOwnershipPrivilege	4052	msiexec.exe
Token: SeRestorePrivilege	4052	msiexec.exe
Token: SeTakeOwnershipPrivilege	4052	msiexec.exe
Token: SeRestorePrivilege	4052	msiexec.exe
Token: SeTakeOwnershipPrivilege	4052	msiexec.exe
Token: SeIncBasePriorityPrivilege	4328	inlE63F.tmp

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 3880 wrote to memory of 3392	3880	b320829f85280d1cbd6f5beee12e7f608770f9cbf444fd75cefce0de84adcb63.exe	80
PID 3880 wrote to memory of 3392	3880	b320829f85280d1cbd6f5beee12e7f608770f9cbf444fd75cefce0de84adcb63.exe	80
PID 3880 wrote to memory of 3392	3880	b320829f85280d1cbd6f5beee12e7f608770f9cbf444fd75cefce0de84adcb63.exe	80
PID 3880 wrote to memory of 3940	3880	b320829f85280d1cbd6f5beee12e7f608770f9cbf444fd75cefce0de84adcb63.exe	82
PID 3880 wrote to memory of 3940	3880	b320829f85280d1cbd6f5beee12e7f608770f9cbf444fd75cefce0de84adcb63.exe	82
PID 3880 wrote to memory of 3940	3880	b320829f85280d1cbd6f5beee12e7f608770f9cbf444fd75cefce0de84adcb63.exe	82
PID 3880 wrote to memory of 2424	3880	b320829f85280d1cbd6f5beee12e7f608770f9cbf444fd75cefce0de84adcb63.exe	84
PID 3880 wrote to memory of 2424	3880	b320829f85280d1cbd6f5beee12e7f608770f9cbf444fd75cefce0de84adcb63.exe	84
PID 3880 wrote to memory of 2424	3880	b320829f85280d1cbd6f5beee12e7f608770f9cbf444fd75cefce0de84adcb63.exe	84
PID 3880 wrote to memory of 4560	3880	b320829f85280d1cbd6f5beee12e7f608770f9cbf444fd75cefce0de84adcb63.exe	86
PID 3880 wrote to memory of 4560	3880	b320829f85280d1cbd6f5beee12e7f608770f9cbf444fd75cefce0de84adcb63.exe	86
PID 3880 wrote to memory of 4560	3880	b320829f85280d1cbd6f5beee12e7f608770f9cbf444fd75cefce0de84adcb63.exe	86
PID 3880 wrote to memory of 4904	3880	b320829f85280d1cbd6f5beee12e7f608770f9cbf444fd75cefce0de84adcb63.exe	88
PID 3880 wrote to memory of 4904	3880	b320829f85280d1cbd6f5beee12e7f608770f9cbf444fd75cefce0de84adcb63.exe	88
PID 3880 wrote to memory of 4904	3880	b320829f85280d1cbd6f5beee12e7f608770f9cbf444fd75cefce0de84adcb63.exe	88
PID 4560 wrote to memory of 2120	4560	cmd.exe	90
PID 4560 wrote to memory of 2120	4560	cmd.exe	90
PID 4560 wrote to memory of 2120	4560	cmd.exe	90
PID 2424 wrote to memory of 4328	2424	cmd.exe	91
PID 2424 wrote to memory of 4328	2424	cmd.exe	91
PID 2424 wrote to memory of 4328	2424	cmd.exe	91
PID 4052 wrote to memory of 5016	4052	msiexec.exe	93
PID 4052 wrote to memory of 5016	4052	msiexec.exe	93
PID 4052 wrote to memory of 5016	4052	msiexec.exe	93
PID 4328 wrote to memory of 3544	4328	inlE63F.tmp	96
PID 4328 wrote to memory of 3544	4328	inlE63F.tmp	96
PID 4328 wrote to memory of 3544	4328	inlE63F.tmp	96

C:\Users\Admin\AppData\Local\Temp\b320829f85280d1cbd6f5beee12e7f608770f9cbf444fd75cefce0de84adcb63.exe
"C:\Users\Admin\AppData\Local\Temp\b320829f85280d1cbd6f5beee12e7f608770f9cbf444fd75cefce0de84adcb63.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3880
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\run_kl_file.bat" "
  2⤵
  PID:3392
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\insE0CF.tmp.msi" /quiet
  2⤵
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  PID:3940
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\run_dws_file.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2424
- - C:\Users\Admin\AppData\Local\Temp\inlE63F.tmp
    C:\Users\Admin\AppData\Local\Temp\inlE63F.tmp cdf1912.tmp
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4328
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\inlE63F.tmp > nul
      4⤵
      PID:3544
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp_ext_favurl_cab.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4560
- - C:\Windows\SysWOW64\expand.exe
    expand.exe "C:\Users\Admin\AppData\Local\Temp\favorites_url.cab" -F:*.* "C:\Users\Admin\Favorites"
    3⤵
    - Drops file in Windows directory
    PID:2120
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\B32082~1.EXE > nul
  2⤵
  PID:4904

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4052
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 4622C7EC251FB8A16B1B5D98A5B37AAC
  2⤵
  - Loads dropped DLL
  PID:5016

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\cdf1912.tmp

Filesize
768B

MD5
d20d9eda31a2d0300e4589df7f352370

SHA1
79b46d2dbb489914cfedafdbc90e62951471b48e

SHA256
d7a1d6a8cf5c3fbb85cd06147a599f5274630b86b1c89721f10a60c1bbe994d8

SHA512
d28c5b69325a9833776ea362445b77b231a0ec9b9b8b4a2ad37a434ee8b2b0c1903d6ade1e372f73ac8ada951e0a24076cf23d9307d27fed5927f4bf8b0d0a5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\inlE63F.tmp

Filesize
57.2MB

MD5
81b150597082d3cf91e0732afb32cb2f

SHA1
b9b8cee073ae3549b6057bae0452b5cb16cce454

SHA256
9b6e4ca5610c74a9735ea7d311c450c131315a83702c903a700075c050d723fd

SHA512
148ace1f526794c0520813af3567f5d1baad66e8f653eed7ec0ac11936fa6225a83fdb781e9d4fdbc3e06819c7f3b6cbb213d1f2a2fc834d2c9f564074edee16

Download Submit
C:\Users\Admin\AppData\Local\Temp\inlE63F.tmp

Filesize
57.2MB

MD5
81b150597082d3cf91e0732afb32cb2f

SHA1
b9b8cee073ae3549b6057bae0452b5cb16cce454

SHA256
9b6e4ca5610c74a9735ea7d311c450c131315a83702c903a700075c050d723fd

SHA512
148ace1f526794c0520813af3567f5d1baad66e8f653eed7ec0ac11936fa6225a83fdb781e9d4fdbc3e06819c7f3b6cbb213d1f2a2fc834d2c9f564074edee16

Download Submit
C:\Users\Admin\AppData\Local\Temp\insE0CF.tmp.msi

Filesize
57.5MB

MD5
edd308894f810bed3e324f6a041cca78

SHA1
0d54998632e74888376d7bc075493b397c167b01

SHA256
18b83686c6d6f51c27bce06267746e6a0c31642e3f89ed94e81089bc355cc779

SHA512
902666f7cda3b8f9a54c543832906fd8198605acc716a9912af2e2d7741fa0a01abf6b1570b45432b88011ff91029183de77a20d979e48c2a772fc355244469e

Download Submit
C:\Users\Admin\AppData\Local\Temp\run_dws_file.bat

Filesize
57B

MD5
6347159b51d3182d2aa52a215f895a64

SHA1
4389689d3f675b3f6af4f74a11edc904258d545b

SHA256
e519a4dd605cdd3189c0d50653e1aab217d68b75882ad1e44087496d3d4989c9

SHA512
93dfbd154da100d83e835c848925a7b1787e4b2f0824058258d6747d512f41bbbe89a53ff7eafe0554b94f7acfc399d803111db70844c60be1a6b1ded85348a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\run_kl_file.bat

Filesize
26B

MD5
49cb42ed4e90c1df7d7bd69348b4cac9

SHA1
0e06e4b6201177a24c304b02fb052d6f5393f314

SHA256
0fe404e349177b204405181c00c357c1ac82cbd04ca450e2faebeead2ef54b6d

SHA512
e42e038acbbf58c17a2fd0353b14f65d360ec886aafdade4e1d71ca45f9852d01a080a9d09676008aa15296a4ac87eb1ff6e29523d057f1d4452e21776cbc319

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp_ext_favurl_cab.bat

Filesize
98B

MD5
8663de6fce9208b795dc913d1a6a3f5b

SHA1
882193f208cf012eaf22eeaa4fef3b67e7c67c15

SHA256
2909ea8555f2fc19097c1070a1da8fcfd6dc6886aa1d99d7e0c05e53feeb5b61

SHA512
9381063e0f85e874be54ae22675393b82c6ab54b223090148e4acbeff6f22393c96c90b83d6538461b695528af01d1f1231cf5dc719f07d6168386974b490688

Download Submit
C:\Windows\Installer\MSI763.tmp

Filesize
48KB

MD5
9067aad412defc0d2888479609041392

SHA1
36cfffc3bafeb24f88ad5886ca5787ca008b6ba9

SHA256
99f4e00b6908057a2fe5067ff6c8b6e32b5c07558ab79139dc4b998f1da4b517

SHA512
e69f259d78b02e6c1a5d9c45898b59372329a5288fff655dd741353f112b2b8eed18b01caa2bf312a91f5e314e1c0b036321b37c8efbebdcf3650ba6b12dee6a

Download Submit
C:\Windows\Installer\MSI763.tmp

Filesize
48KB

MD5
9067aad412defc0d2888479609041392

SHA1
36cfffc3bafeb24f88ad5886ca5787ca008b6ba9

SHA256
99f4e00b6908057a2fe5067ff6c8b6e32b5c07558ab79139dc4b998f1da4b517

SHA512
e69f259d78b02e6c1a5d9c45898b59372329a5288fff655dd741353f112b2b8eed18b01caa2bf312a91f5e314e1c0b036321b37c8efbebdcf3650ba6b12dee6a

Download Submit
C:\Windows\Installer\MSIF2D1.tmp

Filesize
48KB

MD5
9067aad412defc0d2888479609041392

SHA1
36cfffc3bafeb24f88ad5886ca5787ca008b6ba9

SHA256
99f4e00b6908057a2fe5067ff6c8b6e32b5c07558ab79139dc4b998f1da4b517

SHA512
e69f259d78b02e6c1a5d9c45898b59372329a5288fff655dd741353f112b2b8eed18b01caa2bf312a91f5e314e1c0b036321b37c8efbebdcf3650ba6b12dee6a

Download Submit
C:\Windows\Installer\MSIF2D1.tmp

Filesize
48KB

MD5
9067aad412defc0d2888479609041392

SHA1
36cfffc3bafeb24f88ad5886ca5787ca008b6ba9

SHA256
99f4e00b6908057a2fe5067ff6c8b6e32b5c07558ab79139dc4b998f1da4b517

SHA512
e69f259d78b02e6c1a5d9c45898b59372329a5288fff655dd741353f112b2b8eed18b01caa2bf312a91f5e314e1c0b036321b37c8efbebdcf3650ba6b12dee6a

Download Submit
\??\c:\users\admin\appdata\local\temp\favorites_url.cab

Filesize
425B

MD5
da68bc3b7c3525670a04366bc55629f5

SHA1
15fda47ecfead7db8f7aee6ca7570138ba7f1b71

SHA256
73f3605192b676c92649034768378909a19d13883a7ea6f8ba1b096c78ffadb5

SHA512
6fee416affcb6a74621479697bca6f14f5429b00de3aa595abe3c60c6b2e094877b59f8783bbe7bdd567fa565d0630bb02def5603f8f0ea92fe8f2c3ac5383c0

Download Submit
memory/3880-142-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/3880-132-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/3880-133-0x0000000000030000-0x0000000000033000-memory.dmp

Filesize
12KB

Download