daeef846c015cf82c40415ae410935cdb6f0f3e8f79aaa6d7ed8783a10614562

Analysis

max time kernel
152s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
04-12-2022 14:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

daeef846c015cf82c40415ae410935cdb6f0f3e8f79aaa6d7ed8783a10614562.exe
Size

304KB
MD5

f1e2d367c882743bebe8ded342cc96ef
SHA1

fc539c9ae3c551016972c076ac7e383eba19d39c
SHA256

daeef846c015cf82c40415ae410935cdb6f0f3e8f79aaa6d7ed8783a10614562
SHA512

a4b79212d2cac5ba77d1ed9399f19cd34cca702d4397430cdb26589ebe11fdaf1e82cb033849ba12103d6a806f6283d1037d1e98db649d122c2dc4748e02a889
SSDEEP

3072:AfUCvhQ/LMe3gBk3Ol9x4CuSqhAp08FkGRnNrdf45AjqKnoeaw:aUm6QeQHlvKhAp081nNVjqKoe

Score

8^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4380	atiradeonx86.bat
4088	atiradeonx86.bat

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4800-135-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/4800-137-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/4800-138-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/4800-141-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/4800-149-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/4088-159-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/4088-162-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/4800-163-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	daeef846c015cf82c40415ae410935cdb6f0f3e8f79aaa6d7ed8783a10614562.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\atiradeonx86.bat = "C:\\Users\\Admin\\AppData\\Roaming\\atiradeonx86.bat"	reg.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 4344 set thread context of 4800	4344	daeef846c015cf82c40415ae410935cdb6f0f3e8f79aaa6d7ed8783a10614562.exe	81
PID 4380 set thread context of 4088	4380	atiradeonx86.bat	87
PID 4380 set thread context of 4208	4380	atiradeonx86.bat	88

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	4088	atiradeonx86.bat
Token: SeDebugPrivilege	4088	atiradeonx86.bat
Token: SeDebugPrivilege	4088	atiradeonx86.bat
Token: SeDebugPrivilege	4088	atiradeonx86.bat
Token: SeDebugPrivilege	4088	atiradeonx86.bat
Token: SeDebugPrivilege	4088	atiradeonx86.bat
Token: SeDebugPrivilege	4088	atiradeonx86.bat
Token: SeDebugPrivilege	4088	atiradeonx86.bat
Token: SeDebugPrivilege	4088	atiradeonx86.bat
Token: SeDebugPrivilege	4088	atiradeonx86.bat
Token: SeDebugPrivilege	4088	atiradeonx86.bat
Token: SeDebugPrivilege	4088	atiradeonx86.bat
Token: SeDebugPrivilege	4088	atiradeonx86.bat

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4344	daeef846c015cf82c40415ae410935cdb6f0f3e8f79aaa6d7ed8783a10614562.exe
4800	daeef846c015cf82c40415ae410935cdb6f0f3e8f79aaa6d7ed8783a10614562.exe
4380	atiradeonx86.bat
4088	atiradeonx86.bat

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 4344 wrote to memory of 4800	4344	daeef846c015cf82c40415ae410935cdb6f0f3e8f79aaa6d7ed8783a10614562.exe	81
PID 4344 wrote to memory of 4800	4344	daeef846c015cf82c40415ae410935cdb6f0f3e8f79aaa6d7ed8783a10614562.exe	81
PID 4344 wrote to memory of 4800	4344	daeef846c015cf82c40415ae410935cdb6f0f3e8f79aaa6d7ed8783a10614562.exe	81
PID 4344 wrote to memory of 4800	4344	daeef846c015cf82c40415ae410935cdb6f0f3e8f79aaa6d7ed8783a10614562.exe	81
PID 4344 wrote to memory of 4800	4344	daeef846c015cf82c40415ae410935cdb6f0f3e8f79aaa6d7ed8783a10614562.exe	81
PID 4344 wrote to memory of 4800	4344	daeef846c015cf82c40415ae410935cdb6f0f3e8f79aaa6d7ed8783a10614562.exe	81
PID 4344 wrote to memory of 4800	4344	daeef846c015cf82c40415ae410935cdb6f0f3e8f79aaa6d7ed8783a10614562.exe	81
PID 4344 wrote to memory of 4800	4344	daeef846c015cf82c40415ae410935cdb6f0f3e8f79aaa6d7ed8783a10614562.exe	81
PID 4800 wrote to memory of 3136	4800	daeef846c015cf82c40415ae410935cdb6f0f3e8f79aaa6d7ed8783a10614562.exe	82
PID 4800 wrote to memory of 3136	4800	daeef846c015cf82c40415ae410935cdb6f0f3e8f79aaa6d7ed8783a10614562.exe	82
PID 4800 wrote to memory of 3136	4800	daeef846c015cf82c40415ae410935cdb6f0f3e8f79aaa6d7ed8783a10614562.exe	82
PID 3136 wrote to memory of 4884	3136	cmd.exe	85
PID 3136 wrote to memory of 4884	3136	cmd.exe	85
PID 3136 wrote to memory of 4884	3136	cmd.exe	85
PID 4800 wrote to memory of 4380	4800	daeef846c015cf82c40415ae410935cdb6f0f3e8f79aaa6d7ed8783a10614562.exe	86
PID 4800 wrote to memory of 4380	4800	daeef846c015cf82c40415ae410935cdb6f0f3e8f79aaa6d7ed8783a10614562.exe	86
PID 4800 wrote to memory of 4380	4800	daeef846c015cf82c40415ae410935cdb6f0f3e8f79aaa6d7ed8783a10614562.exe	86
PID 4380 wrote to memory of 4088	4380	atiradeonx86.bat	87
PID 4380 wrote to memory of 4088	4380	atiradeonx86.bat	87
PID 4380 wrote to memory of 4088	4380	atiradeonx86.bat	87
PID 4380 wrote to memory of 4088	4380	atiradeonx86.bat	87
PID 4380 wrote to memory of 4088	4380	atiradeonx86.bat	87
PID 4380 wrote to memory of 4088	4380	atiradeonx86.bat	87
PID 4380 wrote to memory of 4088	4380	atiradeonx86.bat	87
PID 4380 wrote to memory of 4088	4380	atiradeonx86.bat	87
PID 4380 wrote to memory of 4208	4380	atiradeonx86.bat	88
PID 4380 wrote to memory of 4208	4380	atiradeonx86.bat	88
PID 4380 wrote to memory of 4208	4380	atiradeonx86.bat	88
PID 4380 wrote to memory of 4208	4380	atiradeonx86.bat	88
PID 4380 wrote to memory of 4208	4380	atiradeonx86.bat	88
PID 4208 wrote to memory of 5100	4208	msedge.exe	89
PID 4208 wrote to memory of 5100	4208	msedge.exe	89

C:\Users\Admin\AppData\Local\Temp\daeef846c015cf82c40415ae410935cdb6f0f3e8f79aaa6d7ed8783a10614562.exe
"C:\Users\Admin\AppData\Local\Temp\daeef846c015cf82c40415ae410935cdb6f0f3e8f79aaa6d7ed8783a10614562.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4344
- C:\Users\Admin\AppData\Local\Temp\daeef846c015cf82c40415ae410935cdb6f0f3e8f79aaa6d7ed8783a10614562.exe
  "C:\Users\Admin\AppData\Local\Temp\daeef846c015cf82c40415ae410935cdb6f0f3e8f79aaa6d7ed8783a10614562.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4800
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HYPEO.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3136
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "atiradeonx86.bat" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\atiradeonx86.bat" /f
      4⤵
      Adds Run key to start application
      PID:4884
- - C:\Users\Admin\AppData\Roaming\atiradeonx86.bat
    "C:\Users\Admin\AppData\Roaming\atiradeonx86.bat"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4380
  - - C:\Users\Admin\AppData\Roaming\atiradeonx86.bat
      "C:\Users\Admin\AppData\Roaming\atiradeonx86.bat"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:4088
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4208
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ff817d946f8,0x7ff817d94708,0x7ff817d94718
        5⤵
        
        PID:5100

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\HYPEO.bat

Filesize
150B

MD5
7d2115acc388532cf3bee4380f172915

SHA1
31143e9730264b58c847e7c8c166fd8f8acf61cc

SHA256
fd6b7074ca8c462738ac51f70a0f5fde9638806230e06b6a609da201c84f9da1

SHA512
f135928e06b803fd8f96fa52366c8ab4dbe70803c9c6e2ac2bf93f61f0302e9eeaa1b1774916b106e6b2247e2088ed5ccbad029c3a48e52e39e9cd73413bff9a

Download Submit
C:\Users\Admin\AppData\Roaming\atiradeonx86.bat

Filesize
304KB

MD5
7fd508c8ce5b838edc3047b927d27bf2

SHA1
a11a969e5ec5737b10c59487b87ad0125586ce93

SHA256
136cf760b095729188cd6de1796e872fd8cc5700e95e5eabc2884ee75e768418

SHA512
ff186ccdf8ed18f108d3af95cc9065ac4e43264950ba502b69fb3fb72cd892ba035f7acd0692c435b37e92d13328c9b426628fac815317b0b6b8dc4e5024192d

Download Submit
C:\Users\Admin\AppData\Roaming\atiradeonx86.bat

Filesize
304KB

MD5
7fd508c8ce5b838edc3047b927d27bf2

SHA1
a11a969e5ec5737b10c59487b87ad0125586ce93

SHA256
136cf760b095729188cd6de1796e872fd8cc5700e95e5eabc2884ee75e768418

SHA512
ff186ccdf8ed18f108d3af95cc9065ac4e43264950ba502b69fb3fb72cd892ba035f7acd0692c435b37e92d13328c9b426628fac815317b0b6b8dc4e5024192d

Download Submit
C:\Users\Admin\AppData\Roaming\atiradeonx86.bat

Filesize
304KB

MD5
7fd508c8ce5b838edc3047b927d27bf2

SHA1
a11a969e5ec5737b10c59487b87ad0125586ce93

SHA256
136cf760b095729188cd6de1796e872fd8cc5700e95e5eabc2884ee75e768418

SHA512
ff186ccdf8ed18f108d3af95cc9065ac4e43264950ba502b69fb3fb72cd892ba035f7acd0692c435b37e92d13328c9b426628fac815317b0b6b8dc4e5024192d

Download Submit
memory/4088-162-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4088-159-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4208-161-0x0000000000400200-0x0000000000400400-memory.dmp

Filesize
512B

Download
memory/4800-149-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4800-137-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4800-135-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4800-138-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4800-141-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4800-163-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download