0974af704b831f09b06aa551eb3e1306a3b68b9c14fee40fa3c7dc0b5d6cfd54

Analysis

max time kernel
184s
max time network
199s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
03/12/2022, 18:14

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0974af704b831f09b06aa551eb3e1306a3b68b9c14fee40fa3c7dc0b5d6cfd54.exe
Size

490KB
MD5

6730e7c6e485f78d49ea6d09f4e54284
SHA1

170648fd01ef4b8ba87bdeab049cde93b66232f2
SHA256

0974af704b831f09b06aa551eb3e1306a3b68b9c14fee40fa3c7dc0b5d6cfd54
SHA512

a477d3e15642b7bb72ca76f21fd771a9bb2f1df4d6276ea3aaa6e444669625145f2f2ccd2a5f67209f4ab919c7c76bfc12fef9f9b72903002de7c7fea1fa552a
SSDEEP

12288:NHXbLcPhdKPG0pdR3RKly3aqvVHjYQVnY+SOWcs0zZ:NHrWGGlMT9HMQy+SOWcs0z

Score

8^/10

persistence

Malware Config

Signatures

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\npf.sys	cmd.exe
File opened for modification	C:\Windows\SysWOW64\drivers\npf.sys	cmd.exe

Executes dropped EXE 4 IoCs

pid	Process
3040	real.exe
3140	qqËÄ¹ú¾üÆå2ÈËË¢v1.8.4.exe
3232	svch0st.exe
4640	tem.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	0974af704b831f09b06aa551eb3e1306a3b68b9c14fee40fa3c7dc0b5d6cfd54.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	real.exe

Loads dropped DLL 3 IoCs

pid	Process
4640	tem.exe
3232	svch0st.exe
3140	qqËÄ¹ú¾üÆå2ÈËË¢v1.8.4.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o"	rundll32.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\vook.sys	svch0st.exe
File created	C:\Windows\SysWOW64\vook.sys	svch0st.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\bwaw.dll	svch0st.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	runonce.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	runonce.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
640	Process not Found
640	Process not Found

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3140	qqËÄ¹ú¾üÆå2ÈËË¢v1.8.4.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
3140	qqËÄ¹ú¾üÆå2ÈËË¢v1.8.4.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3140	qqËÄ¹ú¾üÆå2ÈËË¢v1.8.4.exe
3140	qqËÄ¹ú¾üÆå2ÈËË¢v1.8.4.exe
3232	svch0st.exe
3140	qqËÄ¹ú¾üÆå2ÈËË¢v1.8.4.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 3136 wrote to memory of 3040	3136	0974af704b831f09b06aa551eb3e1306a3b68b9c14fee40fa3c7dc0b5d6cfd54.exe	82
PID 3136 wrote to memory of 3040	3136	0974af704b831f09b06aa551eb3e1306a3b68b9c14fee40fa3c7dc0b5d6cfd54.exe	82
PID 3136 wrote to memory of 3040	3136	0974af704b831f09b06aa551eb3e1306a3b68b9c14fee40fa3c7dc0b5d6cfd54.exe	82
PID 3136 wrote to memory of 3140	3136	0974af704b831f09b06aa551eb3e1306a3b68b9c14fee40fa3c7dc0b5d6cfd54.exe	83
PID 3136 wrote to memory of 3140	3136	0974af704b831f09b06aa551eb3e1306a3b68b9c14fee40fa3c7dc0b5d6cfd54.exe	83
PID 3136 wrote to memory of 3140	3136	0974af704b831f09b06aa551eb3e1306a3b68b9c14fee40fa3c7dc0b5d6cfd54.exe	83
PID 3040 wrote to memory of 3232	3040	real.exe	85
PID 3040 wrote to memory of 3232	3040	real.exe	85
PID 3040 wrote to memory of 3232	3040	real.exe	85
PID 3040 wrote to memory of 4640	3040	real.exe	84
PID 3040 wrote to memory of 4640	3040	real.exe	84
PID 3040 wrote to memory of 4640	3040	real.exe	84
PID 3232 wrote to memory of 8	3232	svch0st.exe	86
PID 3232 wrote to memory of 8	3232	svch0st.exe	86
PID 3232 wrote to memory of 8	3232	svch0st.exe	86
PID 8 wrote to memory of 3704	8	cmd.exe	88
PID 8 wrote to memory of 3704	8	cmd.exe	88
PID 8 wrote to memory of 3704	8	cmd.exe	88
PID 3704 wrote to memory of 832	3704	rundll32.exe	89
PID 3704 wrote to memory of 832	3704	rundll32.exe	89
PID 3704 wrote to memory of 832	3704	rundll32.exe	89
PID 832 wrote to memory of 5100	832	runonce.exe	91
PID 832 wrote to memory of 5100	832	runonce.exe	91
PID 832 wrote to memory of 5100	832	runonce.exe	91

C:\Users\Admin\AppData\Local\Temp\0974af704b831f09b06aa551eb3e1306a3b68b9c14fee40fa3c7dc0b5d6cfd54.exe
"C:\Users\Admin\AppData\Local\Temp\0974af704b831f09b06aa551eb3e1306a3b68b9c14fee40fa3c7dc0b5d6cfd54.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3136
- C:\Users\Admin\AppData\Local\Temp\real.exe
  "C:\Users\Admin\AppData\Local\Temp\real.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:3040
- - C:\Users\Admin\AppData\Local\Temp\tem.exe
    "C:\Users\Admin\AppData\Local\Temp\tem.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:4640
- - C:\Users\Admin\AppData\Local\Temp\svch0st.exe
    "C:\Users\Admin\AppData\Local\Temp\svch0st.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3232
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c _wpcap_.bat
      4⤵
      Drops file in Drivers directory
      Suspicious use of WriteProcessMemory
      PID:8
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe setupapi,InstallHinfSection DefaultInstall 128 C:\Users\Admin\AppData\Local\Temp\_wpcap_.inf
        5⤵
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:3704
      - C:\Windows\SysWOW64\runonce.exe
        
        "C:\Windows\system32\runonce.exe" -r
        6⤵
        Checks processor information in registry
        Suspicious use of WriteProcessMemory
        
        PID:832
        
        C:\Windows\SysWOW64\grpconv.exe
        
        "C:\Windows\System32\grpconv.exe" -o
        7⤵
        
        PID:5100
- C:\Users\Admin\AppData\Local\Temp\qqËÄ¹ú¾üÆå2ÈËË¢v1.8.4.exe
  "C:\Users\Admin\AppData\Local\Temp\qqËÄ¹ú¾üÆå2ÈËË¢v1.8.4.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:3140

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\UserTemp.dll

Filesize
56KB

MD5
e8a0472f5e9c72a63ef2413fb1d8f643

SHA1
3c3c04711ee2b422a9e210e5b741cc7d9c68d026

SHA256
9bdfd7507b5217818bc725853bafd887c7d09c1a1ba5b8659e918ad1c50119de

SHA512
23c34097328f534bbf57b361158b83e317b3f3126b62e76b01b870887436c6707a91c45671272f94d391a51a96f692c5da6b3b8990c4db1c5e53e24b28e57eff

Download Submit
C:\Users\Admin\AppData\Local\Temp\_wpcap_.bat

Filesize
159B

MD5
372f15133b73a0e987967b10e2831c99

SHA1
e316a79fb7710fd025a92b4a729eb5673dc76abe

SHA256
af40c90cae9231d22eb0aa8b65c1326c5e025bde495804356dc1786fb0252d2b

SHA512
1aedd6c4deddcfa28e091f55f03944da7f90a5252b1b535d2a446c4cdbe06117575c5e34326b2042b0c54ad045ebe01ed848e2509e0d8ec38a5429c233a6565a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_wpcap_.inf

Filesize
216B

MD5
f70ffd2ad84beff11224c979d680c39c

SHA1
ac253f1e7c600b837100b82ff27b7e3fb45b9ec6

SHA256
e1789abdf113497512319ae9ace50c4f7ebea905e7bfab302dc77351cf0ddc76

SHA512
3c627a1f04e2444acf78c2e763a589b0e10d058881e398dca50e57a6882f1c1a453283cf03c9e058ede6db4240658261a10a702af5e1a2ce13c3148ec5663477

Download Submit
C:\Users\Admin\AppData\Local\Temp\npf.sys

Filesize
31KB

MD5
d21fee8db254ba762656878168ac1db6

SHA1
a394b1bc33a3c678e4b6b3c55373468e6afa7b28

SHA256
3694aa2145af617c47a7b506bd3d22824659ca3bf1680d220892cac4bd0fc846

SHA512
c6e366be16e5614313c8ec394cbeda11df8cd57726fec2249db5d7d0f4266a38e2bc7873b9ea38e820bdf96e6e14619d9e6f2092dcbed4932389ec89bd0c2204

Download Submit
C:\Users\Admin\AppData\Local\Temp\qqËÄ¹ú¾üÆå2ÈËË¢v1.8.4.exe

Filesize
131KB

MD5
2635509cd067a0fd64669124ffd044bc

SHA1
256087ef39efac57959542d4ae75282b3def1879

SHA256
db09d660280c58b0353843e760b59d81a55870c3ab520626b683be56276595ee

SHA512
2938d6b5a96ab7f5ff7b7a180d268f57f7b07ebe4a1dd91e012be5b36aa443af94785b308b7537bc45bdb708cc16d9f73c9e61322ee912b958c430f266023c27

Download Submit
C:\Users\Admin\AppData\Local\Temp\qqËÄ¹ú¾üÆå2ÈËË¢v1.8.4.exe

Filesize
131KB

MD5
2635509cd067a0fd64669124ffd044bc

SHA1
256087ef39efac57959542d4ae75282b3def1879

SHA256
db09d660280c58b0353843e760b59d81a55870c3ab520626b683be56276595ee

SHA512
2938d6b5a96ab7f5ff7b7a180d268f57f7b07ebe4a1dd91e012be5b36aa443af94785b308b7537bc45bdb708cc16d9f73c9e61322ee912b958c430f266023c27

Download Submit
C:\Users\Admin\AppData\Local\Temp\rel5592.tmp

Filesize
273KB

MD5
ba40eaba3bf9aa79295506b7f1b2235e

SHA1
7cd2a220b88831034546fdbe0c9e2c1fe4cf0e9b

SHA256
3c5b37d57a3416e3c9af83d41eca2bf035399a36f5da9e4207083c2da84c2bba

SHA512
84b5b3bfeb07e00ed1c50ea32c6fc7eafb6f12ced4aa17919e17ec087a1f63a8ceb4f007e794b1920719927bc1a271a4e5d56a9c8c2137301144fcd5c6bd6bad

Download Submit
C:\Users\Admin\AppData\Local\Temp\svch0st.exe

Filesize
120KB

MD5
8dc50fbe6781238e5dfa16691bc13149

SHA1
525fc6ce388850c7ca8117cedc91c823e90573f4

SHA256
5b77c31dc0754feb083c6b2a99a9eb4ebe29d751209509a21113ce09d9f3c2fc

SHA512
cb993ece1b88e54e0ebba61ccd04bdec847958c2106dab5cd4c481915c3975f172690331ba8d5b668ddd9945a1a1929f2ff5ad356da280012cc8ea701403a3fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\svch0st.exe

Filesize
120KB

MD5
8dc50fbe6781238e5dfa16691bc13149

SHA1
525fc6ce388850c7ca8117cedc91c823e90573f4

SHA256
5b77c31dc0754feb083c6b2a99a9eb4ebe29d751209509a21113ce09d9f3c2fc

SHA512
cb993ece1b88e54e0ebba61ccd04bdec847958c2106dab5cd4c481915c3975f172690331ba8d5b668ddd9945a1a1929f2ff5ad356da280012cc8ea701403a3fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\tem.exe

Filesize
25KB

MD5
bbc43447dfb941aaf22201c21b5cfd18

SHA1
a96dcfded13ad03cd4f28dcf54b2c00a866df1e5

SHA256
cac2824745aef60cf3a998bb3317df9cb018fc9061ac19c762a774af3004b8c3

SHA512
df52813362f24fde43c4a7c5d18225cca601c5fbfee0c17801098abdca886b1864e3c38bd6f3ac28a4bed5bf69b4879b8f86fb418e1335eb39d3f5bf84489e3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tem.exe

Filesize
25KB

MD5
bbc43447dfb941aaf22201c21b5cfd18

SHA1
a96dcfded13ad03cd4f28dcf54b2c00a866df1e5

SHA256
cac2824745aef60cf3a998bb3317df9cb018fc9061ac19c762a774af3004b8c3

SHA512
df52813362f24fde43c4a7c5d18225cca601c5fbfee0c17801098abdca886b1864e3c38bd6f3ac28a4bed5bf69b4879b8f86fb418e1335eb39d3f5bf84489e3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\usertemp.dll

Filesize
56KB

MD5
e8a0472f5e9c72a63ef2413fb1d8f643

SHA1
3c3c04711ee2b422a9e210e5b741cc7d9c68d026

SHA256
9bdfd7507b5217818bc725853bafd887c7d09c1a1ba5b8659e918ad1c50119de

SHA512
23c34097328f534bbf57b361158b83e317b3f3126b62e76b01b870887436c6707a91c45671272f94d391a51a96f692c5da6b3b8990c4db1c5e53e24b28e57eff

Download Submit
C:\Windows\bwaw.dll

Filesize
36KB

MD5
3588fb3313d5d6ab7a055dc42790db0a

SHA1
1adbbca1521e72a6ab096ddfd31f4918139b9fa3

SHA256
08ed46ec794adce770e9783fc431c8322b3dda40d97158dc5d463b4591581d32

SHA512
332fdfdfcc6f3faf2746e72901d73c8302b60dc8d1bd5d794be82b72819c65c727e288442f2d40867ccf1f3c8aefcbd2bc2a8451fb8efcd4fda02b65fff4bda0

Download Submit
C:\Windows\bwaw.dll

Filesize
36KB

MD5
3588fb3313d5d6ab7a055dc42790db0a

SHA1
1adbbca1521e72a6ab096ddfd31f4918139b9fa3

SHA256
08ed46ec794adce770e9783fc431c8322b3dda40d97158dc5d463b4591581d32

SHA512
332fdfdfcc6f3faf2746e72901d73c8302b60dc8d1bd5d794be82b72819c65c727e288442f2d40867ccf1f3c8aefcbd2bc2a8451fb8efcd4fda02b65fff4bda0

Download Submit
C:\Windows\bwaw.dll

Filesize
36KB

MD5
3588fb3313d5d6ab7a055dc42790db0a

SHA1
1adbbca1521e72a6ab096ddfd31f4918139b9fa3

SHA256
08ed46ec794adce770e9783fc431c8322b3dda40d97158dc5d463b4591581d32

SHA512
332fdfdfcc6f3faf2746e72901d73c8302b60dc8d1bd5d794be82b72819c65c727e288442f2d40867ccf1f3c8aefcbd2bc2a8451fb8efcd4fda02b65fff4bda0

Download Submit
memory/3040-140-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/3040-146-0x00000000005D0000-0x00000000005DA000-memory.dmp

Filesize
40KB

Download
memory/3040-149-0x00000000005D0000-0x00000000005DA000-memory.dmp

Filesize
40KB

Download
memory/3040-157-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/3136-132-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/3136-155-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/3140-167-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/3140-168-0x0000000002550000-0x0000000002570000-memory.dmp

Filesize
128KB

Download
memory/3140-145-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/3140-174-0x0000000002550000-0x0000000002570000-memory.dmp

Filesize
128KB

Download
memory/3232-158-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/3232-148-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/3232-173-0x00000000005E0000-0x0000000000600000-memory.dmp

Filesize
128KB

Download
memory/3232-160-0x00000000005E0000-0x0000000000600000-memory.dmp

Filesize
128KB

Download
memory/3232-159-0x00000000005C0000-0x00000000005E0000-memory.dmp

Filesize
128KB

Download
memory/3232-172-0x00000000005C0000-0x00000000005E0000-memory.dmp

Filesize
128KB

Download
memory/4640-151-0x0000000000510000-0x0000000000530000-memory.dmp

Filesize
128KB

Download
memory/4640-153-0x0000000000510000-0x0000000000530000-memory.dmp

Filesize
128KB

Download
memory/4640-154-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4640-147-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads