e886ecca51b2419578347dd45c2073ee84514b685aced5855cb6c0d732dace94

Analysis

max time kernel
132s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
04/12/2022, 11:03

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

e886ecca51b2419578347dd45c2073ee84514b685aced5855cb6c0d732dace94.exe
Size

144KB
MD5

2deac6df42de274bde60b5123b2afec8
SHA1

3b6f16aa239bb3513fc75804b09d74d084c1d36e
SHA256

e886ecca51b2419578347dd45c2073ee84514b685aced5855cb6c0d732dace94
SHA512

0183a0151252d0c2c101bef0ada785d905470bb65aedcfe6535d0aad4c96688eb02cfac1a3958f3a868d21058c987f202d1a98278d74fd67fa8f065844a6e15a
SSDEEP

3072:2YIbWLzK+2k7E3Kp1zoutmjN4pPrJLCsV45n4pkHOCEipbM17rQuYVkQ:Bvfn7E3KpVoSqqrQsV4pajipQ1An

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
4896	u101.exe
4508	install.exe
4532	u4576.exe
3052	u13769.exe
872	u7241.exe
5072	u36942.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2820-132-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral2/files/0x0006000000022e3a-137.dat	upx
behavioral2/files/0x0006000000022e3a-138.dat	upx
behavioral2/memory/4508-139-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral2/memory/2820-140-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral2/memory/4508-141-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral2/files/0x0006000000022e3f-150.dat	upx
behavioral2/files/0x0006000000022e3f-149.dat	upx
behavioral2/memory/872-156-0x0000000000400000-0x0000000000411000-memory.dmp	upx
behavioral2/memory/4508-158-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral2/memory/872-159-0x0000000000400000-0x0000000000411000-memory.dmp	upx
behavioral2/memory/872-160-0x0000000000400000-0x0000000000411000-memory.dmp	upx

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	u36942.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	e886ecca51b2419578347dd45c2073ee84514b685aced5855cb6c0d732dace94.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	install.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 3 IoCs

pid	pid_target	Process	procid_target
4740	4532	WerFault.exe	80
4912	3052	WerFault.exe	82
2812	5072	WerFault.exe	86

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
872	u7241.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2820 wrote to memory of 4896	2820	e886ecca51b2419578347dd45c2073ee84514b685aced5855cb6c0d732dace94.exe	78
PID 2820 wrote to memory of 4896	2820	e886ecca51b2419578347dd45c2073ee84514b685aced5855cb6c0d732dace94.exe	78
PID 2820 wrote to memory of 4896	2820	e886ecca51b2419578347dd45c2073ee84514b685aced5855cb6c0d732dace94.exe	78
PID 2820 wrote to memory of 4508	2820	e886ecca51b2419578347dd45c2073ee84514b685aced5855cb6c0d732dace94.exe	79
PID 2820 wrote to memory of 4508	2820	e886ecca51b2419578347dd45c2073ee84514b685aced5855cb6c0d732dace94.exe	79
PID 2820 wrote to memory of 4508	2820	e886ecca51b2419578347dd45c2073ee84514b685aced5855cb6c0d732dace94.exe	79
PID 4508 wrote to memory of 4532	4508	install.exe	80
PID 4508 wrote to memory of 4532	4508	install.exe	80
PID 4508 wrote to memory of 4532	4508	install.exe	80
PID 4508 wrote to memory of 3052	4508	install.exe	82
PID 4508 wrote to memory of 3052	4508	install.exe	82
PID 4508 wrote to memory of 3052	4508	install.exe	82
PID 4508 wrote to memory of 872	4508	install.exe	85
PID 4508 wrote to memory of 872	4508	install.exe	85
PID 4508 wrote to memory of 872	4508	install.exe	85
PID 4508 wrote to memory of 5072	4508	install.exe	86
PID 4508 wrote to memory of 5072	4508	install.exe	86
PID 4508 wrote to memory of 5072	4508	install.exe	86
PID 5072 wrote to memory of 4928	5072	u36942.exe	89
PID 5072 wrote to memory of 4928	5072	u36942.exe	89
PID 5072 wrote to memory of 4928	5072	u36942.exe	89

C:\Users\Admin\AppData\Local\Temp\e886ecca51b2419578347dd45c2073ee84514b685aced5855cb6c0d732dace94.exe
"C:\Users\Admin\AppData\Local\Temp\e886ecca51b2419578347dd45c2073ee84514b685aced5855cb6c0d732dace94.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2820
- C:\Users\Admin\AppData\Local\Temp\u101.exe
  "C:\Users\Admin\AppData\Local\Temp\u101.exe"
  2⤵
  - Executes dropped EXE
  PID:4896
- C:\Users\Admin\AppData\Local\Temp\install.exe
  "C:\Users\Admin\AppData\Local\Temp\install.exe" i
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:4508
- - C:\Users\Admin\AppData\Local\Temp\u4576.exe
    "C:\Users\Admin\AppData\Local\Temp\u4576.exe"
    3⤵
    - Executes dropped EXE
    PID:4532
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4532 -s 360
      4⤵
      Program crash
      PID:4740
- - C:\Users\Admin\AppData\Local\Temp\u13769.exe
    "C:\Users\Admin\AppData\Local\Temp\u13769.exe"
    3⤵
    - Executes dropped EXE
    PID:3052
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3052 -s 260
      4⤵
      Program crash
      PID:4912
- - C:\Users\Admin\AppData\Local\Temp\u7241.exe
    "C:\Users\Admin\AppData\Local\Temp\u7241.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:872
- - C:\Users\Admin\AppData\Local\Temp\u36942.exe
    "C:\Users\Admin\AppData\Local\Temp\u36942.exe"
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:5072
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\u36942.exe > nul
      4⤵
      PID:4928
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5072 -s 1340
      4⤵
      Program crash
      PID:2812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4532 -ip 4532
1⤵
PID:1968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3052 -ip 3052
1⤵
PID:4776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 5072 -ip 5072
1⤵
PID:548

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\install.exe

Filesize
144KB

MD5
2deac6df42de274bde60b5123b2afec8

SHA1
3b6f16aa239bb3513fc75804b09d74d084c1d36e

SHA256
e886ecca51b2419578347dd45c2073ee84514b685aced5855cb6c0d732dace94

SHA512
0183a0151252d0c2c101bef0ada785d905470bb65aedcfe6535d0aad4c96688eb02cfac1a3958f3a868d21058c987f202d1a98278d74fd67fa8f065844a6e15a

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.exe

Filesize
144KB

MD5
2deac6df42de274bde60b5123b2afec8

SHA1
3b6f16aa239bb3513fc75804b09d74d084c1d36e

SHA256
e886ecca51b2419578347dd45c2073ee84514b685aced5855cb6c0d732dace94

SHA512
0183a0151252d0c2c101bef0ada785d905470bb65aedcfe6535d0aad4c96688eb02cfac1a3958f3a868d21058c987f202d1a98278d74fd67fa8f065844a6e15a

Download Submit
C:\Users\Admin\AppData\Local\Temp\u101.exe

Filesize
28KB

MD5
4544a95ffeb8a8e799f733544959dbb1

SHA1
ddd332e665c3e3d5bd63c64b5f04a712dc539047

SHA256
f4bb60833674d9302a799cab7ddbbc010bbc126dcd58c0ca08eb0579b292d03d

SHA512
6cc81fae2a7f33fb650d2011aadf03ec41bbbfc644e26d9a951e9a742bdb3bfb46f33e80a9e67f415151b02f504ed73fc881741b9383d32b1185138521b83d13

Download Submit
C:\Users\Admin\AppData\Local\Temp\u101.exe

Filesize
28KB

MD5
4544a95ffeb8a8e799f733544959dbb1

SHA1
ddd332e665c3e3d5bd63c64b5f04a712dc539047

SHA256
f4bb60833674d9302a799cab7ddbbc010bbc126dcd58c0ca08eb0579b292d03d

SHA512
6cc81fae2a7f33fb650d2011aadf03ec41bbbfc644e26d9a951e9a742bdb3bfb46f33e80a9e67f415151b02f504ed73fc881741b9383d32b1185138521b83d13

Download Submit
C:\Users\Admin\AppData\Local\Temp\u13769.exe

Filesize
5KB

MD5
3c950a3f25abac15b25e29091a4aca2a

SHA1
e0a392c71e0e3482a531fd53569d91451e2ed4e1

SHA256
a43fe8099890d4bd5533659f5533fc1f81ab4da29960a0830f62d33a4e295ab6

SHA512
c7a6512185aca8ac3b56bf81dbcb9aea51aded197ee8dc6e9ba0e39092b80837017d583b75a0854760b61cc6abc4f23b3041f5c1726f71007024a743d10ca932

Download Submit
C:\Users\Admin\AppData\Local\Temp\u13769.exe

Filesize
5KB

MD5
3c950a3f25abac15b25e29091a4aca2a

SHA1
e0a392c71e0e3482a531fd53569d91451e2ed4e1

SHA256
a43fe8099890d4bd5533659f5533fc1f81ab4da29960a0830f62d33a4e295ab6

SHA512
c7a6512185aca8ac3b56bf81dbcb9aea51aded197ee8dc6e9ba0e39092b80837017d583b75a0854760b61cc6abc4f23b3041f5c1726f71007024a743d10ca932

Download Submit
C:\Users\Admin\AppData\Local\Temp\u36942.exe

Filesize
7KB

MD5
014ce9aaa9948acdb22453be50f4d665

SHA1
a79e1555e204df2efcec7471c5e9bbfb2213061d

SHA256
1f31152faecd96ce02d17a0e2653629db440fa6604440dcaaac1c668f16023d9

SHA512
fd767b9367aeaa2149d574780e7df05f7c91245b4d063dcfd14b7b38cdd11fc1c753865cea2c478822e89c55a0a4dde43608d7bb5b68dcd0301c6213747d0b16

Download Submit
C:\Users\Admin\AppData\Local\Temp\u36942.exe

Filesize
7KB

MD5
014ce9aaa9948acdb22453be50f4d665

SHA1
a79e1555e204df2efcec7471c5e9bbfb2213061d

SHA256
1f31152faecd96ce02d17a0e2653629db440fa6604440dcaaac1c668f16023d9

SHA512
fd767b9367aeaa2149d574780e7df05f7c91245b4d063dcfd14b7b38cdd11fc1c753865cea2c478822e89c55a0a4dde43608d7bb5b68dcd0301c6213747d0b16

Download Submit
C:\Users\Admin\AppData\Local\Temp\u4576.exe

Filesize
55KB

MD5
f02a2767754712df75f6778a6fac0cd3

SHA1
ef0cf5148aefabe7273329d3d98ed8c958543640

SHA256
374659cca60cbc229d09158441523d9f35271c2537ec0306a94110702061ba27

SHA512
3a5ac733b5101576bd4fc022f7fcc63d1c53bd3bc971c5117c112b119dbd0b55d2028960f4ee821353fd11d0b96fb2ff473b25de61f57b815f457bac447c1215

Download Submit
C:\Users\Admin\AppData\Local\Temp\u4576.exe

Filesize
55KB

MD5
f02a2767754712df75f6778a6fac0cd3

SHA1
ef0cf5148aefabe7273329d3d98ed8c958543640

SHA256
374659cca60cbc229d09158441523d9f35271c2537ec0306a94110702061ba27

SHA512
3a5ac733b5101576bd4fc022f7fcc63d1c53bd3bc971c5117c112b119dbd0b55d2028960f4ee821353fd11d0b96fb2ff473b25de61f57b815f457bac447c1215

Download Submit
C:\Users\Admin\AppData\Local\Temp\u7241.exe

Filesize
8KB

MD5
22617ff32670274c2fcddbfc58591eca

SHA1
1df70fa936ce36e4288d1a2f74de62607f672cac

SHA256
261bfd6bc257e42897d748c42d1058d007d3a57d6e955b8d6cabcdd230906b4b

SHA512
5fea967df1aeb21ebc8796b6379b26a9bfabbed8eed117e5a5c023625afa11ea27218b2c493d02f466355bb8ce1dc778348536c5676dea10c3c4e48bc0ecc141

Download Submit
C:\Users\Admin\AppData\Local\Temp\u7241.exe

Filesize
8KB

MD5
22617ff32670274c2fcddbfc58591eca

SHA1
1df70fa936ce36e4288d1a2f74de62607f672cac

SHA256
261bfd6bc257e42897d748c42d1058d007d3a57d6e955b8d6cabcdd230906b4b

SHA512
5fea967df1aeb21ebc8796b6379b26a9bfabbed8eed117e5a5c023625afa11ea27218b2c493d02f466355bb8ce1dc778348536c5676dea10c3c4e48bc0ecc141

Download Submit
memory/872-160-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/872-159-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/872-156-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2820-140-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2820-132-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4508-139-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4508-158-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4508-141-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4532-155-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/5072-157-0x0000000000400000-0x0000000000405200-memory.dmp

Filesize
20KB

Download