Analysis
max time kernel: 153s
max time network: 213s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03-12-2022 20:05
Static task: static1
Behavioral task: behavioral1
  Sample: ea32d88080efdc864bbe711bfab95ea93820463da53acdf0965eefbda13b0675.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: ea32d88080efdc864bbe711bfab95ea93820463da53acdf0965eefbda13b0675.exe
  Resource: win10v2004-20221111-en
General
Target: ea32d88080efdc864bbe711bfab95ea93820463da53acdf0965eefbda13b0675.exe
Size: 148KB
MD5: c5820d40fb2150b2a5d6c882a7837d24
SHA1: 77996ce5801aff8229a6df7a4e1a30b82a7925af
SHA256: ea32d88080efdc864bbe711bfab95ea93820463da53acdf0965eefbda13b0675
SHA512: 2b12b55f9a4567e185dde5d07e4d962e86303680524b2754603b7e5ee4a5fe662c005c19a44af1ad0aecafac12495eb9b6a86a9881df90578a18fe92d54ea7b1
SSDEEP: 3072:Xz4Y57AxLliwriYXbg3HqNwiQwqEJueXsjIWlrOxQCi0uXJObT:D4Y5kxxriUSKCCJuss0W8xQCi0aC
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe"
  process: ea32d88080efdc864bbe711bfab95ea93820463da53acdf0965eefbda13b0675.exe
Executes dropped EXE (1 IoC)
  pid: 2012
  process: qxaclyj.exe

YARA matches (rule: upx, 4 IoCs)
  resource | yara_rule
  behavioral2/files/0x0006000000022e20-137.dat | upx
  behavioral2/memory/2012-138-0x0000000000400000-0x0000000000418000-memory.dmp | upx
  behavioral2/files/0x0006000000022e20-139.dat | upx
  behavioral2/memory/2012-140-0x0000000000400000-0x0000000000418000-memory.dmp | upx
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation
  process: ea32d88080efdc864bbe711bfab95ea93820463da53acdf0965eefbda13b0675.exe
Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSConfig = "C:\\Users\\Admin\\qxaclyj.exe \\u"
  process: ea32d88080efdc864bbe711bfab95ea93820463da53acdf0965eefbda13b0675.exe
Drops file in System32 directory (3 IoCs)
  description | ioc | process
  File created | C:\Windows\SysWOW64\userdiff.sav | ea32d88080efdc864bbe711bfab95ea93820463da53acdf0965eefbda13b0675.exe
  File opened for modification | C:\Windows\SysWOW64\userdiff.sav | qxaclyj.exe
  File opened for modification | C:\Windows\SysWOW64\userdiff.sav | ea32d88080efdc864bbe711bfab95ea93820463da53acdf0965eefbda13b0675.exe
Suspicious use of SetThreadContext (2 IoCs)
  description | pid | process | procid_target
  PID 4724 set thread context of 3380 | 4724 | ea32d88080efdc864bbe711bfab95ea93820463da53acdf0965eefbda13b0675.exe | 80
  PID 2012 set thread context of 3628 | 2012 | qxaclyj.exe | 86
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Program crash (1 IoC)
  pid | pid_target | process | procid_target
  3608 | 3628 | WerFault.exe | 86
Suspicious use of WriteProcessMemory (64 IoCs)
The report lists 64 write events, all of which are repeats of the following three source/target pairs:
  description | pid | process | procid_target
  PID 4724 wrote to memory of 3380 | 4724 | ea32d88080efdc864bbe711bfab95ea93820463da53acdf0965eefbda13b0675.exe | 80
  PID 3380 wrote to memory of 2012 | 3380 | ea32d88080efdc864bbe711bfab95ea93820463da53acdf0965eefbda13b0675.exe | 83
  PID 2012 wrote to memory of 3628 | 2012 | qxaclyj.exe | 86
Processes
(tree depth in brackets; signature hits listed under each process)
[1] C:\Users\Admin\AppData\Local\Temp\ea32d88080efdc864bbe711bfab95ea93820463da53acdf0965eefbda13b0675.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\ea32d88080efdc864bbe711bfab95ea93820463da53acdf0965eefbda13b0675.exe"
    PID: 4724
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\ea32d88080efdc864bbe711bfab95ea93820463da53acdf0965eefbda13b0675.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\ea32d88080efdc864bbe711bfab95ea93820463da53acdf0965eefbda13b0675.exe"
        PID: 3380
        - Modifies WinLogon for persistence
        - Checks computer location settings
        - Adds Run key to start application
        - Drops file in System32 directory
        - Suspicious use of WriteProcessMemory
        [3] C:\Users\Admin\qxaclyj.exe
            command line: C:\Users\Admin\qxaclyj.exe \u
            PID: 2012
            - Executes dropped EXE
            - Drops file in System32 directory
            - Suspicious use of SetThreadContext
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\SysWOW64\svchost.exe
                command line: svchost.exe
                PID: 3628
                [5] C:\Windows\SysWOW64\WerFault.exe
                    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3628 -s 272
                    PID: 3608
                    - Program crash
        [3] C:\Windows\SysWOW64\cmd.exe
            command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5470.bat" "
            PID: 3092
[1] C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3380 -ip 3380
    PID: 4920
[1] C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3628 -ip 3628
    PID: 4320
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 135B
  MD5: f7e25f65dfa5c9f372729acbb03b036b
  SHA1: 5c0eb57b638a81c60a7624f76862b519b989843e
  SHA256: f1aeef1c07f9561615c99f57f188a8ae5964c5bb3b595e8cbda9b8c0ac558e3b
  SHA512: bec9d148076a3450ef010a455671e125e0ce882fb83869b94c1a62413e5d556e9923363d273e49e966bae5ca1afacb244424950e5e2ee0c1af8a9f663b42e779

Filesize: 33KB
  MD5: 7f18d543029468ba18b55e70fdf253c5
  SHA1: 9d9337e9b559a39367e9a0a6198b3499ed515628
  SHA256: 67be0257e5818ee64166bba1cc43109dc662790ad9807400020a61e625a3223f
  SHA512: 1608eee2148235acec1bdea4411d08a37980408d57cdc908103429843f2bb8319947eade92f7ad613b63f79ffdea4bcf9991fddd64aca818c07b4c3aaf5feacd

Filesize: 46KB
  MD5: 6e37fc0c339262aa757ea92ac1c79803
  SHA1: 045ffedabd78edcd547109783b05aa0d26c774bf
  SHA256: 1b9391ecbb9ae0d5301892eb3c0ea708e88c7aa19cad4eb4675d3eeb8907b6ec
  SHA512: d1d1237ef0edb7526ac72e7321ba1989f7283bc5d5cdc4638086acad137f96d080805a4c4bf82bbd21740a9e6418fdd7984a6df48731ac7809538b732f5a3c9a