Analysis
- max time kernel: 206s
- max time network: 214s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 04-12-2022 17:52
Static task: static1
Behavioral task: behavioral1
- Sample: ed8a4cf3fec6e81a6b4501c2b22ec4274e0dec2e92d98413fdfb8ff85e6ef278.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: ed8a4cf3fec6e81a6b4501c2b22ec4274e0dec2e92d98413fdfb8ff85e6ef278.exe
- Resource: win10v2004-20221111-en
General
- Target: ed8a4cf3fec6e81a6b4501c2b22ec4274e0dec2e92d98413fdfb8ff85e6ef278.exe
- Size: 367KB
- MD5: bbf0bfc80cf742e1f19e7e053e78b2fb
- SHA1: 9010f6087f50555b16219a40a03943bca3002970
- SHA256: ed8a4cf3fec6e81a6b4501c2b22ec4274e0dec2e92d98413fdfb8ff85e6ef278
- SHA512: 2f2f7dde23733066c8e0050902f1eb544d47ddbac6dc033339ad37e7f0cd80d13d68df7a47e68746d24168905de8715a224a7db5438658eaa1d0ac27283f180c
- SSDEEP: 6144:JKVtzpAShNxvAg/j4oEDjmTyZC6dIffK6uINK6Fwgd8yf9C:JKVtp7vXj4oE2uZC6d6fKuAOxh
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  Processes:
    pid   process
    3456  vzqanggf.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    process: ed8a4cf3fec6e81a6b4501c2b22ec4274e0dec2e92d98413fdfb8ff85e6ef278.exe
    description: Key value queried
    ioc: \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation
- Loads dropped DLL (1 IoCs)
  Processes:
    pid   process
    3456  vzqanggf.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
    process: ed8a4cf3fec6e81a6b4501c2b22ec4274e0dec2e92d98413fdfb8ff85e6ef278.exe
    description: Key created
    ioc: \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (2 IoCs)
  Processes:
    pid   pid_target  process       target process
    3184  4164        WerFault.exe  ed8a4cf3fec6e81a6b4501c2b22ec4274e0dec2e92d98413fdfb8ff85e6ef278.exe
    1484  3456        WerFault.exe  vzqanggf.exe
- Kills process with taskkill (1 IoCs)
  Processes:
    pid   process
    4724  taskkill.exe
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
    description              pid   process
    Token: SeDebugPrivilege  4724  taskkill.exe
- Suspicious use of FindShellTrayWindow (4 IoCs)
  Processes:
    pid   process
    3456  vzqanggf.exe
    3456  vzqanggf.exe
    3456  vzqanggf.exe
    3456  vzqanggf.exe
- Suspicious use of SendNotifyMessage (4 IoCs)
  Processes:
    pid   process
    3456  vzqanggf.exe
    3456  vzqanggf.exe
    3456  vzqanggf.exe
    3456  vzqanggf.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
    description                       pid   process                                                                   target process
    PID 4164 wrote to memory of 5068  4164  ed8a4cf3fec6e81a6b4501c2b22ec4274e0dec2e92d98413fdfb8ff85e6ef278.exe  cmd.exe
    PID 4164 wrote to memory of 5068  4164  ed8a4cf3fec6e81a6b4501c2b22ec4274e0dec2e92d98413fdfb8ff85e6ef278.exe  cmd.exe
    PID 4164 wrote to memory of 5068  4164  ed8a4cf3fec6e81a6b4501c2b22ec4274e0dec2e92d98413fdfb8ff85e6ef278.exe  cmd.exe
    PID 5068 wrote to memory of 4724  5068  cmd.exe                                                                   taskkill.exe
    PID 5068 wrote to memory of 4724  5068  cmd.exe                                                                   taskkill.exe
    PID 5068 wrote to memory of 4724  5068  cmd.exe                                                                   taskkill.exe
    PID 5068 wrote to memory of 3944  5068  cmd.exe                                                                   PING.EXE
    PID 5068 wrote to memory of 3944  5068  cmd.exe                                                                   PING.EXE
    PID 5068 wrote to memory of 3944  5068  cmd.exe                                                                   PING.EXE
    PID 5068 wrote to memory of 3456  5068  cmd.exe                                                                   vzqanggf.exe
    PID 5068 wrote to memory of 3456  5068  cmd.exe                                                                   vzqanggf.exe
    PID 5068 wrote to memory of 3456  5068  cmd.exe                                                                   vzqanggf.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\ed8a4cf3fec6e81a6b4501c2b22ec4274e0dec2e92d98413fdfb8ff85e6ef278.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ed8a4cf3fec6e81a6b4501c2b22ec4274e0dec2e92d98413fdfb8ff85e6ef278.exe"
  Signatures: Checks computer location settings; Adds Run key to start application; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4164 -s 628
    Signatures: Program crash
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c taskkill /f /pid 4164 & ping -n 3 127.1 & del /f /q "C:\Users\Admin\AppData\Local\Temp\ed8a4cf3fec6e81a6b4501c2b22ec4274e0dec2e92d98413fdfb8ff85e6ef278.exe" & start C:\Users\Admin\AppData\Local\vzqanggf.exe -f
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /f /pid 4164
      Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping -n 3 127.1
      Signatures: Runs ping.exe
    - C:\Users\Admin\AppData\Local\vzqanggf.exe
      Command line: C:\Users\Admin\AppData\Local\vzqanggf.exe -f
      Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
      - C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3456 -s 640
        Signatures: Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4164 -ip 4164
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 372 -p 3456 -ip 3456
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\vzqanggf.exe
  Filesize: 367KB
  MD5: bbf0bfc80cf742e1f19e7e053e78b2fb
  SHA1: 9010f6087f50555b16219a40a03943bca3002970
  SHA256: ed8a4cf3fec6e81a6b4501c2b22ec4274e0dec2e92d98413fdfb8ff85e6ef278
  SHA512: 2f2f7dde23733066c8e0050902f1eb544d47ddbac6dc033339ad37e7f0cd80d13d68df7a47e68746d24168905de8715a224a7db5438658eaa1d0ac27283f180c
- memory/3456-138-0x0000000000000000-mapping.dmp
- memory/3944-137-0x0000000000000000-mapping.dmp
- memory/4164-132-0x0000000000D60000-0x0000000000D63000-memory.dmp
  Filesize: 12KB
- memory/4164-133-0x0000000001000000-0x00000000010A6000-memory.dmp
  Filesize: 664KB
- memory/4164-135-0x0000000001000000-0x00000000010A6000-memory.dmp
  Filesize: 664KB
- memory/4724-136-0x0000000000000000-mapping.dmp
- memory/5068-134-0x0000000000000000-mapping.dmp