Analysis
max time kernel: 150s
max time network: 173s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03/12/2022, 18:43
Static task: static1
Behavioral task: behavioral1
Sample: 83f1167877e2dd5e3e110acadde1109518926a5db622f2bc5e7192126abe9838.exe
Resource: win7-20221111-en
Behavioral task: behavioral2
Sample: 83f1167877e2dd5e3e110acadde1109518926a5db622f2bc5e7192126abe9838.exe
Resource: win10v2004-20220812-en
General
Target: 83f1167877e2dd5e3e110acadde1109518926a5db622f2bc5e7192126abe9838.exe
Size: 2.6MB
MD5: 8f30495351188a6fdd3da179691e6a97
SHA1: dfbfb496f2f7662eea3c9d88e398995864449c0f
SHA256: 83f1167877e2dd5e3e110acadde1109518926a5db622f2bc5e7192126abe9838
SHA512: 68fce63f11ca17872944732fa1ef19ab056b87fd018affb4902477d3cc0f873dc0a28a22f5b693779a425b118bf581fa60e78bfbc879f7814d2164cd5afdd9cb
SSDEEP: 49152:puiDR7ztcKayMNSe6jgzcbQb1Yj4qtEhxDEC/POVpa9L/ZXk9Dea7c6qmub:pR5payMNSXA76Jqx//2K9L0yaQTmub
Malware Config
Signatures

Executes dropped EXE (3 IoCs)
  pid   Process
  4900  MediaXCodec.exe
  4852  RegSupreme Pro 1.7.0.416.exe
  2064  is-2E9S0.tmp

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  description         ioc                                                                                              Process
  Key value queried   \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation   83f1167877e2dd5e3e110acadde1109518926a5db622f2bc5e7192126abe9838.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  description       ioc                                                                                                          Process
  Key created       \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run     MediaXCodec.exe
  Set value (str)   \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Player.exe"   MediaXCodec.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of WriteProcessMemory (9 IoCs)
  description                        pid   Process                                                                  procid_target
  PID 3088 wrote to memory of 4900   3088  83f1167877e2dd5e3e110acadde1109518926a5db622f2bc5e7192126abe9838.exe   81
  PID 3088 wrote to memory of 4900   3088  83f1167877e2dd5e3e110acadde1109518926a5db622f2bc5e7192126abe9838.exe   81
  PID 3088 wrote to memory of 4900   3088  83f1167877e2dd5e3e110acadde1109518926a5db622f2bc5e7192126abe9838.exe   81
  PID 3088 wrote to memory of 4852   3088  83f1167877e2dd5e3e110acadde1109518926a5db622f2bc5e7192126abe9838.exe   82
  PID 3088 wrote to memory of 4852   3088  83f1167877e2dd5e3e110acadde1109518926a5db622f2bc5e7192126abe9838.exe   82
  PID 3088 wrote to memory of 4852   3088  83f1167877e2dd5e3e110acadde1109518926a5db622f2bc5e7192126abe9838.exe   82
  PID 4852 wrote to memory of 2064   4852  RegSupreme Pro 1.7.0.416.exe                                             85
  PID 4852 wrote to memory of 2064   4852  RegSupreme Pro 1.7.0.416.exe                                             85
  PID 4852 wrote to memory of 2064   4852  RegSupreme Pro 1.7.0.416.exe                                             85
Processes

1. C:\Users\Admin\AppData\Local\Temp\83f1167877e2dd5e3e110acadde1109518926a5db622f2bc5e7192126abe9838.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\83f1167877e2dd5e3e110acadde1109518926a5db622f2bc5e7192126abe9838.exe"
   PID: 3088
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\MediaXCodec.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\MediaXCodec.exe"
      PID: 4900
      - Executes dropped EXE
      - Adds Run key to start application

   2. C:\Users\Admin\AppData\Local\Temp\RegSupreme Pro 1.7.0.416.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\RegSupreme Pro 1.7.0.416.exe"
      PID: 4852
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Local\Temp\is-6PS3T.tmp\is-2E9S0.tmp
         Command line: "C:\Users\Admin\AppData\Local\Temp\is-6PS3T.tmp\is-2E9S0.tmp" /SL4 $D003E "C:\Users\Admin\AppData\Local\Temp\RegSupreme Pro 1.7.0.416.exe" 2429367 52736
         PID: 2064
         - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 14KB
MD5: 84c0684dccac225bbc8b037505430c31
SHA1: bdd4bb7017ad13fcf67e7202e0609a759a4ab8ec
SHA256: 8e5267bd511031dab351d16fd73e0a15006e35d3162f3ece7476d90ab5f0aba4
SHA512: a86de1633e1fff20b4c369fe990f002351adcd9598a8de8f859cef447bf8d9afb264eaaa4e277bdbbb35a5ee5e4d57b4dfeb3224c1db0206668a9054c07dded4
Filesize: 2.5MB
MD5: 7cd42a624a678a23204baeb903d94a47
SHA1: 9d58ee33932fa0d13c41f98fd01b41538e60ffef
SHA256: d03c204f98c74dc9e38e8f17d926c31d600ae4fe2f596dfd2e499145b07622f7
SHA512: 83bb3df2dab8cc8fb1ee66fa9226a2eda26d45478740471858f36e217f887961cd617adad1448e12ad859f708ad1169df58d270bbc9cfc14d4cfa0a6e62ae9e6
Filesize: 658KB
MD5: f627721a34c13a5307779a498e8f6519
SHA1: 9e54ec07e780eb1ccbbd61bb1a24238e46c01e18
SHA256: 13c6a795a259a9731d5c00f35e6eeeeae840423d3e1783fd6c75509a3b7cb348
SHA512: c2dc88b441539b8827f0ef2a4c6b404cebaa5452d884d0174a2447347a462552f47a9d6521ecfa660cd9f0e0771fc192438865dcda305ab373c6f9a0c694aecc