9a766281ff513c7fdb49bad61fa231b0df56e0cf619c96277aff89068ae14c59

Analysis

max time kernel
141s
max time network
165s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
04-12-2022 06:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9a766281ff513c7fdb49bad61fa231b0df56e0cf619c96277aff89068ae14c59.exe
Size

670KB
MD5

cc58c1a971be99b7b03cde435d377d56
SHA1

0f13bf927765ed9bbe4416a92f27d407e22082d3
SHA256

9a766281ff513c7fdb49bad61fa231b0df56e0cf619c96277aff89068ae14c59
SHA512

cf17af3fbdf4110c081af1146fd3126500f4cba8bed6cdf7eaf2de7a6f67c83b7535e87a9c2615062ec911eec11f142b8f16374866c983a3e375c05486de10ae
SSDEEP

12288:VUYjH5A2hCvNMDVWrruKETvEcju1klaGChlY4vZAXMYnrog:VUYjHn3p2EBS14HfXrr

Score

8^/10

aspackv2

Malware Config

Signatures

ASPack v2.12-2.42 2 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x000b000000022e0d-133.dat	aspack_v212_v242
behavioral2/files/0x000b000000022e0d-134.dat	aspack_v212_v242

Executes dropped EXE 1 IoCs

pid	Process
1556	dnfÅùö¨0511.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	9a766281ff513c7fdb49bad61fa231b0df56e0cf619c96277aff89068ae14c59.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4748	1556	WerFault.exe	80

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	9a766281ff513c7fdb49bad61fa231b0df56e0cf619c96277aff89068ae14c59.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4668 wrote to memory of 1556	4668	9a766281ff513c7fdb49bad61fa231b0df56e0cf619c96277aff89068ae14c59.exe	80
PID 4668 wrote to memory of 1556	4668	9a766281ff513c7fdb49bad61fa231b0df56e0cf619c96277aff89068ae14c59.exe	80
PID 4668 wrote to memory of 1556	4668	9a766281ff513c7fdb49bad61fa231b0df56e0cf619c96277aff89068ae14c59.exe	80
PID 4668 wrote to memory of 4328	4668	9a766281ff513c7fdb49bad61fa231b0df56e0cf619c96277aff89068ae14c59.exe	82
PID 4668 wrote to memory of 4328	4668	9a766281ff513c7fdb49bad61fa231b0df56e0cf619c96277aff89068ae14c59.exe	82
PID 4668 wrote to memory of 4328	4668	9a766281ff513c7fdb49bad61fa231b0df56e0cf619c96277aff89068ae14c59.exe	82

C:\Users\Admin\AppData\Local\Temp\9a766281ff513c7fdb49bad61fa231b0df56e0cf619c96277aff89068ae14c59.exe
"C:\Users\Admin\AppData\Local\Temp\9a766281ff513c7fdb49bad61fa231b0df56e0cf619c96277aff89068ae14c59.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4668
- C:\Users\Admin\AppData\Local\Temp\dnfÅùö¨0511.exe
  "C:\Users\Admin\AppData\Local\Temp\dnfÅùö¨0511.exe"
  2⤵
  - Executes dropped EXE
  PID:1556
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1556 -s 224
    3⤵
    - Program crash
    PID:4748
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dnf.vbs"
  2⤵
  - Checks computer location settings
  PID:4328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 1556 -ip 1556
1⤵
PID:4448

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dnf.vbs

Filesize
3KB

MD5
2e6fea48a5b6fa1bcbf5b84f5486db6d

SHA1
9ff234b31c1862ac7cabb929fc42bcd63c12791b

SHA256
23382c58adf779514f8e43d308cc70805130c02e0650aa46c9cd7f0595120bf5

SHA512
f68b585f131618b45140134620ebdcbddd94b4d69d6967f7797853174c411c114c8bf838a450ea1637f80c531258c7fbd9e8837b876812ac1e351184fc763f28

Download Submit
C:\Users\Admin\AppData\Local\Temp\dnfÅùö¨0511.exe

Filesize
700KB

MD5
8c8504f26205318c0499eb30c03e43b8

SHA1
bc32a8a6cac9f6091d41ff90d5ee1c22862e3c26

SHA256
33fc27d28881edb39f65f48bac9a87e77335647f34f581b20795e75d81984005

SHA512
8e471c05d6728610e008690c357eec82960b700f4396c41b90c76a94097535a1b720f400437284002be4a988cc14c40a0c682e2fa3295ba575fbb9b102a1685d

Download Submit
C:\Users\Admin\AppData\Local\Temp\dnfÅùö¨0511.exe

Filesize
700KB

MD5
8c8504f26205318c0499eb30c03e43b8

SHA1
bc32a8a6cac9f6091d41ff90d5ee1c22862e3c26

SHA256
33fc27d28881edb39f65f48bac9a87e77335647f34f581b20795e75d81984005

SHA512
8e471c05d6728610e008690c357eec82960b700f4396c41b90c76a94097535a1b720f400437284002be4a988cc14c40a0c682e2fa3295ba575fbb9b102a1685d

Download Submit
memory/1556-132-0x0000000000000000-mapping.dmp

Download
memory/1556-137-0x0000000000400000-0x000000000065F000-memory.dmp

Filesize
2.4MB

Download
memory/4328-135-0x0000000000000000-mapping.dmp

Download