Analysis

  • max time kernel
    153s
  • max time network
    213s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    03-12-2022 20:05

General

  • Target

    ea32d88080efdc864bbe711bfab95ea93820463da53acdf0965eefbda13b0675.exe

  • Size

    148KB

  • MD5

    c5820d40fb2150b2a5d6c882a7837d24

  • SHA1

    77996ce5801aff8229a6df7a4e1a30b82a7925af

  • SHA256

    ea32d88080efdc864bbe711bfab95ea93820463da53acdf0965eefbda13b0675

  • SHA512

    2b12b55f9a4567e185dde5d07e4d962e86303680524b2754603b7e5ee4a5fe662c005c19a44af1ad0aecafac12495eb9b6a86a9881df90578a18fe92d54ea7b1

  • SSDEEP

    3072:Xz4Y57AxLliwriYXbg3HqNwiQwqEJueXsjIWlrOxQCi0uXJObT:D4Y5kxxriUSKCCJuss0W8xQCi0aC

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Executes dropped EXE 1 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops file in System32 directory 3 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ea32d88080efdc864bbe711bfab95ea93820463da53acdf0965eefbda13b0675.exe
    "C:\Users\Admin\AppData\Local\Temp\ea32d88080efdc864bbe711bfab95ea93820463da53acdf0965eefbda13b0675.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4724
    • C:\Users\Admin\AppData\Local\Temp\ea32d88080efdc864bbe711bfab95ea93820463da53acdf0965eefbda13b0675.exe
      "C:\Users\Admin\AppData\Local\Temp\ea32d88080efdc864bbe711bfab95ea93820463da53acdf0965eefbda13b0675.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Checks computer location settings
      • Adds Run key to start application
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:3380
      • C:\Users\Admin\qxaclyj.exe
        \u
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:2012
        • C:\Windows\SysWOW64\svchost.exe
          svchost.exe
          4⤵
            PID:3628
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 3628 -s 272
              5⤵
              • Program crash
              PID:3608
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5470.bat" "
          3⤵
            PID:3092
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3380 -ip 3380
        1⤵
          PID:4920
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3628 -ip 3628
          1⤵
            PID:4320

Network

MITRE ATT&CK Enterprise v6

Downloads

          • C:\Users\Admin\AppData\Local\Temp\5470.bat

            Filesize

            135B

            MD5

            f7e25f65dfa5c9f372729acbb03b036b

            SHA1

            5c0eb57b638a81c60a7624f76862b519b989843e

            SHA256

            f1aeef1c07f9561615c99f57f188a8ae5964c5bb3b595e8cbda9b8c0ac558e3b

            SHA512

            bec9d148076a3450ef010a455671e125e0ce882fb83869b94c1a62413e5d556e9923363d273e49e966bae5ca1afacb244424950e5e2ee0c1af8a9f663b42e779

          • C:\Users\Admin\qxaclyj.exe

            Filesize

            33KB

            MD5

            7f18d543029468ba18b55e70fdf253c5

            SHA1

            9d9337e9b559a39367e9a0a6198b3499ed515628

            SHA256

            67be0257e5818ee64166bba1cc43109dc662790ad9807400020a61e625a3223f

            SHA512

            1608eee2148235acec1bdea4411d08a37980408d57cdc908103429843f2bb8319947eade92f7ad613b63f79ffdea4bcf9991fddd64aca818c07b4c3aaf5feacd

          • C:\Windows\SysWOW64\userdiff.sav

            Filesize

            46KB

            MD5

            6e37fc0c339262aa757ea92ac1c79803

            SHA1

            045ffedabd78edcd547109783b05aa0d26c774bf

            SHA256

            1b9391ecbb9ae0d5301892eb3c0ea708e88c7aa19cad4eb4675d3eeb8907b6ec

            SHA512

            d1d1237ef0edb7526ac72e7321ba1989f7283bc5d5cdc4638086acad137f96d080805a4c4bf82bbd21740a9e6418fdd7984a6df48731ac7809538b732f5a3c9a

          • memory/2012-136-0x0000000000000000-mapping.dmp

          • memory/2012-138-0x0000000000400000-0x0000000000418000-memory.dmp

            Filesize

            96KB

          • memory/2012-140-0x0000000000400000-0x0000000000418000-memory.dmp

            Filesize

            96KB

          • memory/2012-141-0x0000000000400000-0x0000000000418000-memory.dmp

            Filesize

            96KB

          • memory/2012-148-0x0000000000400000-0x0000000000418000-memory.dmp

            Filesize

            96KB

          • memory/3092-151-0x0000000000000000-mapping.dmp

          • memory/3380-135-0x0000000000400000-0x0000000000419000-memory.dmp

            Filesize

            100KB

          • memory/3380-132-0x0000000000000000-mapping.dmp

          • memory/3380-152-0x0000000000400000-0x0000000000419000-memory.dmp

            Filesize

            100KB

          • memory/3380-133-0x0000000000400000-0x0000000000419000-memory.dmp

            Filesize

            100KB

          • memory/3628-143-0x0000000000000000-mapping.dmp

          • memory/3628-144-0x0000000009900000-0x000000000990E000-memory.dmp

            Filesize

            56KB