bc2e5b2588c48f724dc307c1fb5cbaaf6dbc61f88ee8c245aec930dda16c5ce7

Analysis

max time kernel
187s
max time network
192s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
04-12-2022 13:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bc2e5b2588c48f724dc307c1fb5cbaaf6dbc61f88ee8c245aec930dda16c5ce7.exe
Size

437KB
MD5

93f05b147e65e602c04c80997765a756
SHA1

503dd4e736d235d832e06d6e6375addb28b498f4
SHA256

bc2e5b2588c48f724dc307c1fb5cbaaf6dbc61f88ee8c245aec930dda16c5ce7
SHA512

70c433484eadca5228d230b524abc46a17c97bef7b1d1cfce6e8b3f264e6bdb7b149489284de50a15cb13e9b2229c41315772452b16916d54d99e9494a2da0ec
SSDEEP

6144:5ZunObR8sVImcyYC5JmY5XlCdraWDgfjrfhartBI+zlbKvCB2txqWwKQ3GdYuxPZ:WK+mznNE/Ds3fM20lHmYWwH3zuxP57r

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4816	loadwg.exe
1320	dxcyswg.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0003000000021b42-133.dat	upx
behavioral2/files/0x0003000000021b42-134.dat	upx
behavioral2/files/0x0002000000021b43-136.dat	upx
behavioral2/files/0x0002000000021b43-137.dat	upx
behavioral2/memory/4816-138-0x0000000000400000-0x00000000004AC000-memory.dmp	upx
behavioral2/memory/1320-139-0x0000000000400000-0x000000000040C000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	bc2e5b2588c48f724dc307c1fb5cbaaf6dbc61f88ee8c245aec930dda16c5ce7.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/4816-138-0x0000000000400000-0x00000000004AC000-memory.dmp	autoit_exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4320	1320	WerFault.exe	81

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4816	loadwg.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 376 wrote to memory of 4816	376	bc2e5b2588c48f724dc307c1fb5cbaaf6dbc61f88ee8c245aec930dda16c5ce7.exe	80
PID 376 wrote to memory of 4816	376	bc2e5b2588c48f724dc307c1fb5cbaaf6dbc61f88ee8c245aec930dda16c5ce7.exe	80
PID 376 wrote to memory of 4816	376	bc2e5b2588c48f724dc307c1fb5cbaaf6dbc61f88ee8c245aec930dda16c5ce7.exe	80
PID 4816 wrote to memory of 1320	4816	loadwg.exe	81
PID 4816 wrote to memory of 1320	4816	loadwg.exe	81
PID 4816 wrote to memory of 1320	4816	loadwg.exe	81

C:\Users\Admin\AppData\Local\Temp\bc2e5b2588c48f724dc307c1fb5cbaaf6dbc61f88ee8c245aec930dda16c5ce7.exe
"C:\Users\Admin\AppData\Local\Temp\bc2e5b2588c48f724dc307c1fb5cbaaf6dbc61f88ee8c245aec930dda16c5ce7.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:376
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\loadwg.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\loadwg.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  PID:4816
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\dxcyswg.exe
    dxcyswg.exe
    3⤵
    - Executes dropped EXE
    PID:1320
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1320 -s 312
      4⤵
      Program crash
      PID:4320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1320 -ip 1320
1⤵
PID:4784

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\dxcyswg.exe

Filesize
15KB

MD5
68d527ba86ff213a20a7fa7cf4bc344c

SHA1
c9f937f11a408f9dff8952df027d998230e220af

SHA256
e586862b8121058f207fc2fc30cce28dbba19814e09cb6a1cd1b99011c819468

SHA512
f1296a86101e8854cc3062f9b2dc402c2c2cd3af4c6ec54d3d2fbdbffe14260b6e748fc46c72b44b3c0d061daf33af197919c8949243c2ac128a937a1713845e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\dxcyswg.exe

Filesize
15KB

MD5
68d527ba86ff213a20a7fa7cf4bc344c

SHA1
c9f937f11a408f9dff8952df027d998230e220af

SHA256
e586862b8121058f207fc2fc30cce28dbba19814e09cb6a1cd1b99011c819468

SHA512
f1296a86101e8854cc3062f9b2dc402c2c2cd3af4c6ec54d3d2fbdbffe14260b6e748fc46c72b44b3c0d061daf33af197919c8949243c2ac128a937a1713845e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\loadwg.exe

Filesize
333KB

MD5
5a74f1a22e11a717cff8bd4f6f18913d

SHA1
459db43f79a38a9d67aeb248328039eb6c77ac43

SHA256
0e32d8dbe4d9861956539fa69bc3475bedcf1d02f42807b651d2d699928c1d6a

SHA512
bee37a8e334329e4e4fb27f4b9850924aeb2a363d93c770af0dc61ac3b5794b5bf1fecf2978c1cd4a2a0d29a645b49bab78d219480680241792062493249ddaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\loadwg.exe

Filesize
333KB

MD5
5a74f1a22e11a717cff8bd4f6f18913d

SHA1
459db43f79a38a9d67aeb248328039eb6c77ac43

SHA256
0e32d8dbe4d9861956539fa69bc3475bedcf1d02f42807b651d2d699928c1d6a

SHA512
bee37a8e334329e4e4fb27f4b9850924aeb2a363d93c770af0dc61ac3b5794b5bf1fecf2978c1cd4a2a0d29a645b49bab78d219480680241792062493249ddaa

Download Submit
memory/1320-135-0x0000000000000000-mapping.dmp

Download
memory/1320-139-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/4816-132-0x0000000000000000-mapping.dmp

Download
memory/4816-138-0x0000000000400000-0x00000000004AC000-memory.dmp

Filesize
688KB

Download