f15e64c4d435eca5545d65d7e0f6db367c1c669b845000a23a6c4ce6ed938cfe

Analysis

max time kernel
133s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
03-12-2022 20:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f15e64c4d435eca5545d65d7e0f6db367c1c669b845000a23a6c4ce6ed938cfe.exe
Size

862KB
MD5

cd7e9b5111458499d41e826570063934
SHA1

af0abe3a529372e19bf9b885b6d78ad570adb6ad
SHA256

f15e64c4d435eca5545d65d7e0f6db367c1c669b845000a23a6c4ce6ed938cfe
SHA512

103a33b54cadf3ae2cfd79da51ae1b06d941533b3f00da88d116906b6de30b7cdfa7911bcda9db927e9f589c85c4c813a6a82c6b973cc162c1f04eb912bbb702
SSDEEP

12288:M1UKTfrUxJcYNsYNmErJEVLQDuPZDmCHn74hIQJiykExPKfhzJmnb8cxdaz6T:M1bfrssimBVL7PZ5Hn7JbykExP80DxdR

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
792	pzp9A60.tmp
4764	pzp9ABE.tmp
1368	temp.exe
1044	É±¶¾×é¼þ.com

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	pzp9ABE.tmp

Loads dropped DLL 4 IoCs

pid	Process
1044	É±¶¾×é¼þ.com
1044	É±¶¾×é¼þ.com
1044	É±¶¾×é¼þ.com
1044	É±¶¾×é¼þ.com

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\XRHLQR.DAT	temp.exe
File created	C:\Windows\MDOCQT.DAT	temp.exe
File created	C:\Windows\É±¶¾×é¼þ.com	temp.exe
File opened for modification	C:\Windows\É±¶¾×é¼þ.com	temp.exe
File created	C:\Windows\uninstal.bat	temp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4732	f15e64c4d435eca5545d65d7e0f6db367c1c669b845000a23a6c4ce6ed938cfe.exe
4732	f15e64c4d435eca5545d65d7e0f6db367c1c669b845000a23a6c4ce6ed938cfe.exe
792	pzp9A60.tmp
792	pzp9A60.tmp
4732	f15e64c4d435eca5545d65d7e0f6db367c1c669b845000a23a6c4ce6ed938cfe.exe
4732	f15e64c4d435eca5545d65d7e0f6db367c1c669b845000a23a6c4ce6ed938cfe.exe
792	pzp9A60.tmp
792	pzp9A60.tmp
792	pzp9A60.tmp
4732	f15e64c4d435eca5545d65d7e0f6db367c1c669b845000a23a6c4ce6ed938cfe.exe
792	pzp9A60.tmp
4732	f15e64c4d435eca5545d65d7e0f6db367c1c669b845000a23a6c4ce6ed938cfe.exe
792	pzp9A60.tmp
4732	f15e64c4d435eca5545d65d7e0f6db367c1c669b845000a23a6c4ce6ed938cfe.exe
792	pzp9A60.tmp
4732	f15e64c4d435eca5545d65d7e0f6db367c1c669b845000a23a6c4ce6ed938cfe.exe
792	pzp9A60.tmp
792	pzp9A60.tmp
4732	f15e64c4d435eca5545d65d7e0f6db367c1c669b845000a23a6c4ce6ed938cfe.exe
4732	f15e64c4d435eca5545d65d7e0f6db367c1c669b845000a23a6c4ce6ed938cfe.exe
792	pzp9A60.tmp
4732	f15e64c4d435eca5545d65d7e0f6db367c1c669b845000a23a6c4ce6ed938cfe.exe
792	pzp9A60.tmp
4732	f15e64c4d435eca5545d65d7e0f6db367c1c669b845000a23a6c4ce6ed938cfe.exe
4732	f15e64c4d435eca5545d65d7e0f6db367c1c669b845000a23a6c4ce6ed938cfe.exe
792	pzp9A60.tmp
4732	f15e64c4d435eca5545d65d7e0f6db367c1c669b845000a23a6c4ce6ed938cfe.exe
792	pzp9A60.tmp
792	pzp9A60.tmp
4732	f15e64c4d435eca5545d65d7e0f6db367c1c669b845000a23a6c4ce6ed938cfe.exe
4732	f15e64c4d435eca5545d65d7e0f6db367c1c669b845000a23a6c4ce6ed938cfe.exe
792	pzp9A60.tmp
4732	f15e64c4d435eca5545d65d7e0f6db367c1c669b845000a23a6c4ce6ed938cfe.exe
4732	f15e64c4d435eca5545d65d7e0f6db367c1c669b845000a23a6c4ce6ed938cfe.exe
792	pzp9A60.tmp
792	pzp9A60.tmp
4732	f15e64c4d435eca5545d65d7e0f6db367c1c669b845000a23a6c4ce6ed938cfe.exe
792	pzp9A60.tmp
792	pzp9A60.tmp
4732	f15e64c4d435eca5545d65d7e0f6db367c1c669b845000a23a6c4ce6ed938cfe.exe
792	pzp9A60.tmp
4732	f15e64c4d435eca5545d65d7e0f6db367c1c669b845000a23a6c4ce6ed938cfe.exe
4732	f15e64c4d435eca5545d65d7e0f6db367c1c669b845000a23a6c4ce6ed938cfe.exe
792	pzp9A60.tmp
4732	f15e64c4d435eca5545d65d7e0f6db367c1c669b845000a23a6c4ce6ed938cfe.exe
792	pzp9A60.tmp
4732	f15e64c4d435eca5545d65d7e0f6db367c1c669b845000a23a6c4ce6ed938cfe.exe
792	pzp9A60.tmp
4732	f15e64c4d435eca5545d65d7e0f6db367c1c669b845000a23a6c4ce6ed938cfe.exe
792	pzp9A60.tmp
4732	f15e64c4d435eca5545d65d7e0f6db367c1c669b845000a23a6c4ce6ed938cfe.exe
792	pzp9A60.tmp
4732	f15e64c4d435eca5545d65d7e0f6db367c1c669b845000a23a6c4ce6ed938cfe.exe
792	pzp9A60.tmp
4732	f15e64c4d435eca5545d65d7e0f6db367c1c669b845000a23a6c4ce6ed938cfe.exe
792	pzp9A60.tmp
4732	f15e64c4d435eca5545d65d7e0f6db367c1c669b845000a23a6c4ce6ed938cfe.exe
792	pzp9A60.tmp
4732	f15e64c4d435eca5545d65d7e0f6db367c1c669b845000a23a6c4ce6ed938cfe.exe
792	pzp9A60.tmp
792	pzp9A60.tmp
4732	f15e64c4d435eca5545d65d7e0f6db367c1c669b845000a23a6c4ce6ed938cfe.exe
792	pzp9A60.tmp
4732	f15e64c4d435eca5545d65d7e0f6db367c1c669b845000a23a6c4ce6ed938cfe.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1368	temp.exe
Token: SeDebugPrivilege	1044	É±¶¾×é¼þ.com

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1044	É±¶¾×é¼þ.com

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1044	É±¶¾×é¼þ.com
1044	É±¶¾×é¼þ.com
1044	É±¶¾×é¼þ.com

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 4732 wrote to memory of 792	4732	f15e64c4d435eca5545d65d7e0f6db367c1c669b845000a23a6c4ce6ed938cfe.exe	81
PID 4732 wrote to memory of 792	4732	f15e64c4d435eca5545d65d7e0f6db367c1c669b845000a23a6c4ce6ed938cfe.exe	81
PID 4732 wrote to memory of 792	4732	f15e64c4d435eca5545d65d7e0f6db367c1c669b845000a23a6c4ce6ed938cfe.exe	81
PID 792 wrote to memory of 4764	792	pzp9A60.tmp	82
PID 792 wrote to memory of 4764	792	pzp9A60.tmp	82
PID 792 wrote to memory of 4764	792	pzp9A60.tmp	82
PID 4764 wrote to memory of 1368	4764	pzp9ABE.tmp	84
PID 4764 wrote to memory of 1368	4764	pzp9ABE.tmp	84
PID 4764 wrote to memory of 1368	4764	pzp9ABE.tmp	84
PID 1044 wrote to memory of 2188	1044	É±¶¾×é¼þ.com	86
PID 1044 wrote to memory of 2188	1044	É±¶¾×é¼þ.com	86
PID 1368 wrote to memory of 3532	1368	temp.exe	87
PID 1368 wrote to memory of 3532	1368	temp.exe	87
PID 1368 wrote to memory of 3532	1368	temp.exe	87

C:\Users\Admin\AppData\Local\Temp\f15e64c4d435eca5545d65d7e0f6db367c1c669b845000a23a6c4ce6ed938cfe.exe
"C:\Users\Admin\AppData\Local\Temp\f15e64c4d435eca5545d65d7e0f6db367c1c669b845000a23a6c4ce6ed938cfe.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4732
- C:\Users\Admin\AppData\Local\Temp\pzp9A60.tmp
  "C:\Users\Admin\AppData\Local\Temp\pzp9A60.tmp"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:792
- - C:\Users\Admin\AppData\Local\Temp\pzp9ABE.tmp
    "C:\Users\Admin\AppData\Local\Temp\pzp9ABE.tmp"
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:4764
  - - C:\Users\Admin\AppData\Local\Temp\temp.exe
      "C:\Users\Admin\AppData\Local\Temp\temp.exe"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1368
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\uninstal.bat
        5⤵
        
        PID:3532

C:\Windows\É±¶¾×é¼þ.com
C:\Windows\É±¶¾×é¼þ.com
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1044
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:2188

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\pzp9A60.tmp

Filesize
842KB

MD5
0641e8453a7174dfb89e716c29d646b6

SHA1
a73cde1359d9862a0c23c9fca8eefe511821486c

SHA256
f1d5c32d26e8a93933bc2a73d67dd748e0d7d7be04847c23ad3827bc0ea2500e

SHA512
d54bcd4505f98becb231f7f9d769866d1e29ac908e4c7006285b3e0a3434e487dbac97f3fd841d9dd6eb6714fd8d843a66aaac093f9c55af9e5077fa760e2e85

Download Submit
C:\Users\Admin\AppData\Local\Temp\pzp9A60.tmp

Filesize
842KB

MD5
0641e8453a7174dfb89e716c29d646b6

SHA1
a73cde1359d9862a0c23c9fca8eefe511821486c

SHA256
f1d5c32d26e8a93933bc2a73d67dd748e0d7d7be04847c23ad3827bc0ea2500e

SHA512
d54bcd4505f98becb231f7f9d769866d1e29ac908e4c7006285b3e0a3434e487dbac97f3fd841d9dd6eb6714fd8d843a66aaac093f9c55af9e5077fa760e2e85

Download Submit
C:\Users\Admin\AppData\Local\Temp\pzp9ABE.tmp

Filesize
814KB

MD5
a6d933478192b45fa1310962796f8c3b

SHA1
c995de52f4509048ee60b2f9a38fb5288046d630

SHA256
64e900b9c8768d600dc25845d52742a9523be7b9d844c506dd6b5736776b3058

SHA512
bbcd8e0e7f8962d9c9efbcdedfb60ab8d74f5108e87f025c13ef43b8fc43d5419ec8ebf610996eb928ed9a9958aaa09fc967fe8cf043254afc1f9e96d4960bc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\pzp9ABE.tmp

Filesize
814KB

MD5
a6d933478192b45fa1310962796f8c3b

SHA1
c995de52f4509048ee60b2f9a38fb5288046d630

SHA256
64e900b9c8768d600dc25845d52742a9523be7b9d844c506dd6b5736776b3058

SHA512
bbcd8e0e7f8962d9c9efbcdedfb60ab8d74f5108e87f025c13ef43b8fc43d5419ec8ebf610996eb928ed9a9958aaa09fc967fe8cf043254afc1f9e96d4960bc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.exe

Filesize
298KB

MD5
93aa9bb57b9edb1f965feefa6091e9ab

SHA1
ffaef35b1876ce4cdcda93bdf80ae4c993cadf3a

SHA256
53c9712e71b0ee5261d996fbfcb48b842b7df730228e404ec5b31a5fdb949c3b

SHA512
bfdbab1a7fa35cdb3d7123ad6f2d1d805c5d0e3f475ffbe0742d2da3620d2dd43b4881c5b9662d46d96a1158af0a5e95e306e559c017d001e2568bc8e3bcdb1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.exe

Filesize
298KB

MD5
93aa9bb57b9edb1f965feefa6091e9ab

SHA1
ffaef35b1876ce4cdcda93bdf80ae4c993cadf3a

SHA256
53c9712e71b0ee5261d996fbfcb48b842b7df730228e404ec5b31a5fdb949c3b

SHA512
bfdbab1a7fa35cdb3d7123ad6f2d1d805c5d0e3f475ffbe0742d2da3620d2dd43b4881c5b9662d46d96a1158af0a5e95e306e559c017d001e2568bc8e3bcdb1f

Download Submit
C:\Windows\MDOCQT.DAT

Filesize
55KB

MD5
6853cba3ccc11699c2d840f41c10393f

SHA1
80a430dcc2cb34b05d433f0f63b8ef8a6a09bbe3

SHA256
0bcf3f4ff7862cd885003b8ecc4d424a2fd418fd64412ffe95a9c4221cc3de59

SHA512
a02fef8b7c721459fa6f081a1208bf8dd84d957663b4d711b9f6f1731deedf977e5a391ec7481797da7a594c3dd133e84865133855dcdbe6da2128887270114c

Download Submit
C:\Windows\MDOCQT.DAT

Filesize
55KB

MD5
6853cba3ccc11699c2d840f41c10393f

SHA1
80a430dcc2cb34b05d433f0f63b8ef8a6a09bbe3

SHA256
0bcf3f4ff7862cd885003b8ecc4d424a2fd418fd64412ffe95a9c4221cc3de59

SHA512
a02fef8b7c721459fa6f081a1208bf8dd84d957663b4d711b9f6f1731deedf977e5a391ec7481797da7a594c3dd133e84865133855dcdbe6da2128887270114c

Download Submit
C:\Windows\MDOCQT.DAT

Filesize
55KB

MD5
6853cba3ccc11699c2d840f41c10393f

SHA1
80a430dcc2cb34b05d433f0f63b8ef8a6a09bbe3

SHA256
0bcf3f4ff7862cd885003b8ecc4d424a2fd418fd64412ffe95a9c4221cc3de59

SHA512
a02fef8b7c721459fa6f081a1208bf8dd84d957663b4d711b9f6f1731deedf977e5a391ec7481797da7a594c3dd133e84865133855dcdbe6da2128887270114c

Download Submit
C:\Windows\XRHLQR.DAT

Filesize
51KB

MD5
d58f992c53515c9f1fb9394a46f4cb48

SHA1
1f9909d227b93be10328e0abc64052da984657ba

SHA256
50c6b8848b0a9cf6a6b579928dc6e5c75cf7564c19bb7b40d86ba9d360ebb040

SHA512
3a87c279fbbbaff2bfe791c523716ad092c41099b8914ba369565014502d408084259d4efe6896d785c024935b181ca34cf49e3b79f3f1a89ee1c9d775635d94

Download Submit
C:\Windows\XRHLQR.DAT

Filesize
51KB

MD5
d58f992c53515c9f1fb9394a46f4cb48

SHA1
1f9909d227b93be10328e0abc64052da984657ba

SHA256
50c6b8848b0a9cf6a6b579928dc6e5c75cf7564c19bb7b40d86ba9d360ebb040

SHA512
3a87c279fbbbaff2bfe791c523716ad092c41099b8914ba369565014502d408084259d4efe6896d785c024935b181ca34cf49e3b79f3f1a89ee1c9d775635d94

Download Submit
C:\Windows\XRHLQR.DAT

Filesize
51KB

MD5
d58f992c53515c9f1fb9394a46f4cb48

SHA1
1f9909d227b93be10328e0abc64052da984657ba

SHA256
50c6b8848b0a9cf6a6b579928dc6e5c75cf7564c19bb7b40d86ba9d360ebb040

SHA512
3a87c279fbbbaff2bfe791c523716ad092c41099b8914ba369565014502d408084259d4efe6896d785c024935b181ca34cf49e3b79f3f1a89ee1c9d775635d94

Download Submit
C:\Windows\uninstal.bat

Filesize
134B

MD5
d844dfb0f997e4d32cdb6dafa4d7717a

SHA1
eaa7b33e52129f946e1aca0ce3cf45a7ce36b5ec

SHA256
0f38f96239893411209b61471bb7c2412a8637ce0e5cbf9cc3c23e14ee44759a

SHA512
fdeeeda586bf1d748ab962bd579ab3ef69a59ab9306bd3b29663dd496bba31e0a20b62e6076c08bfef44ad821e9dd69e88a29a56d427cbba532947cf91947be5

Download Submit
C:\Windows\É±¶¾×é¼þ.com

Filesize
298KB

MD5
93aa9bb57b9edb1f965feefa6091e9ab

SHA1
ffaef35b1876ce4cdcda93bdf80ae4c993cadf3a

SHA256
53c9712e71b0ee5261d996fbfcb48b842b7df730228e404ec5b31a5fdb949c3b

SHA512
bfdbab1a7fa35cdb3d7123ad6f2d1d805c5d0e3f475ffbe0742d2da3620d2dd43b4881c5b9662d46d96a1158af0a5e95e306e559c017d001e2568bc8e3bcdb1f

Download Submit
C:\Windows\É±¶¾×é¼þ.com

Filesize
298KB

MD5
93aa9bb57b9edb1f965feefa6091e9ab

SHA1
ffaef35b1876ce4cdcda93bdf80ae4c993cadf3a

SHA256
53c9712e71b0ee5261d996fbfcb48b842b7df730228e404ec5b31a5fdb949c3b

SHA512
bfdbab1a7fa35cdb3d7123ad6f2d1d805c5d0e3f475ffbe0742d2da3620d2dd43b4881c5b9662d46d96a1158af0a5e95e306e559c017d001e2568bc8e3bcdb1f

Download Submit
memory/1044-155-0x00000000017F0000-0x0000000001802000-memory.dmp

Filesize
72KB

Download
memory/1044-151-0x00000000016C0000-0x00000000016D3000-memory.dmp

Filesize
76KB

Download
memory/4764-138-0x0000000010000000-0x00000000100C1000-memory.dmp

Filesize
772KB

Download
memory/4764-145-0x00000000005B0000-0x0000000000604000-memory.dmp

Filesize
336KB

Download
memory/4764-144-0x0000000010000000-0x00000000100C1000-memory.dmp

Filesize
772KB

Download
memory/4764-140-0x0000000003230000-0x0000000003234000-memory.dmp

Filesize
16KB

Download
memory/4764-139-0x00000000005B0000-0x0000000000604000-memory.dmp

Filesize
336KB

Download