Analysis
- max time kernel: 236s
- max time network: 244s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 04-12-2022 17:52
Static task: static1
Behavioral task: behavioral1
- Sample: d7c752f5cafc59b3a182256267d60097f7711b5a80e77b34471fb2c810c3c1c7.exe
- Resource: win7-20221111-en
Behavioral task: behavioral2
- Sample: d7c752f5cafc59b3a182256267d60097f7711b5a80e77b34471fb2c810c3c1c7.exe
- Resource: win10v2004-20221111-en
General
- Target: d7c752f5cafc59b3a182256267d60097f7711b5a80e77b34471fb2c810c3c1c7.exe
- Size: 366KB
- MD5: b8db5c8ec77ed7c230b370c7d13cf9c9
- SHA1: d1aaabc0da38a38f8489672435946fdaa94756b3
- SHA256: d7c752f5cafc59b3a182256267d60097f7711b5a80e77b34471fb2c810c3c1c7
- SHA512: f9d32d35335623a5482eb41627313ddae9cddef233976661902cdf7f04b5a63ae071107dbd5f4526761bb49f69eb62df382483e35e772efdc8d4c09711afe9b2
- SSDEEP: 6144:ushDi0yVamQKqcnfsuSLY/CkHkh3t8E8vxsKlskH:usEVVanZceCeh3tmTH
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes (pid | process):
    4060 | plbupaagzu.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes (description | ioc | process):
    Key value queried | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation | d7c752f5cafc59b3a182256267d60097f7711b5a80e77b34471fb2c810c3c1c7.exe
- Loads dropped DLL (1 IoC)
  Processes (pid | process):
    4060 | plbupaagzu.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description | ioc | process):
    Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce | d7c752f5cafc59b3a182256267d60097f7711b5a80e77b34471fb2c810c3c1c7.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (2 IoCs)
  Processes (pid | pid_target | process | target process):
    3380 | 4248 | WerFault.exe | d7c752f5cafc59b3a182256267d60097f7711b5a80e77b34471fb2c810c3c1c7.exe
    3472 | 4060 | WerFault.exe | plbupaagzu.exe
- Kills process with taskkill (1 IoC)
  Processes (pid | process):
    2452 | taskkill.exe
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description | pid | process):
    Token: SeDebugPrivilege | 2452 | taskkill.exe
- Suspicious use of FindShellTrayWindow (4 IoCs)
  Processes (pid | process):
    4060 | plbupaagzu.exe
    4060 | plbupaagzu.exe
    4060 | plbupaagzu.exe
    4060 | plbupaagzu.exe
- Suspicious use of SendNotifyMessage (4 IoCs)
  Processes (pid | process):
    4060 | plbupaagzu.exe
    4060 | plbupaagzu.exe
    4060 | plbupaagzu.exe
    4060 | plbupaagzu.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description | pid | process | target process):
    PID 4248 wrote to memory of 3480 | 4248 | d7c752f5cafc59b3a182256267d60097f7711b5a80e77b34471fb2c810c3c1c7.exe | cmd.exe
    PID 4248 wrote to memory of 3480 | 4248 | d7c752f5cafc59b3a182256267d60097f7711b5a80e77b34471fb2c810c3c1c7.exe | cmd.exe
    PID 4248 wrote to memory of 3480 | 4248 | d7c752f5cafc59b3a182256267d60097f7711b5a80e77b34471fb2c810c3c1c7.exe | cmd.exe
    PID 3480 wrote to memory of 2452 | 3480 | cmd.exe | taskkill.exe
    PID 3480 wrote to memory of 2452 | 3480 | cmd.exe | taskkill.exe
    PID 3480 wrote to memory of 2452 | 3480 | cmd.exe | taskkill.exe
    PID 3480 wrote to memory of 4640 | 3480 | cmd.exe | PING.EXE
    PID 3480 wrote to memory of 4640 | 3480 | cmd.exe | PING.EXE
    PID 3480 wrote to memory of 4640 | 3480 | cmd.exe | PING.EXE
    PID 3480 wrote to memory of 4060 | 3480 | cmd.exe | plbupaagzu.exe
    PID 3480 wrote to memory of 4060 | 3480 | cmd.exe | plbupaagzu.exe
    PID 3480 wrote to memory of 4060 | 3480 | cmd.exe | plbupaagzu.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\d7c752f5cafc59b3a182256267d60097f7711b5a80e77b34471fb2c810c3c1c7.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d7c752f5cafc59b3a182256267d60097f7711b5a80e77b34471fb2c810c3c1c7.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4248 -s 628
    - Program crash
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c taskkill /f /pid 4248 & ping -n 3 127.1 & del /f /q "C:\Users\Admin\AppData\Local\Temp\d7c752f5cafc59b3a182256267d60097f7711b5a80e77b34471fb2c810c3c1c7.exe" & start C:\Users\Admin\AppData\Local\PLBUPA~1.EXE -f
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /f /pid 4248
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping -n 3 127.1
      - Runs ping.exe
    - C:\Users\Admin\AppData\Local\plbupaagzu.exe
      Command line: C:\Users\Admin\AppData\Local\PLBUPA~1.EXE -f
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4060 -s 640
        - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4248 -ip 4248
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4060 -ip 4060
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\plbupaagzu.exe
  Filesize: 366KB
  MD5: b8db5c8ec77ed7c230b370c7d13cf9c9
  SHA1: d1aaabc0da38a38f8489672435946fdaa94756b3
  SHA256: d7c752f5cafc59b3a182256267d60097f7711b5a80e77b34471fb2c810c3c1c7
  SHA512: f9d32d35335623a5482eb41627313ddae9cddef233976661902cdf7f04b5a63ae071107dbd5f4526761bb49f69eb62df382483e35e772efdc8d4c09711afe9b2
- memory/2452-136-0x0000000000000000-mapping.dmp
- memory/3480-134-0x0000000000000000-mapping.dmp
- memory/4060-138-0x0000000000000000-mapping.dmp
- memory/4060-141-0x0000000001000000-0x00000000010A6000-memory.dmp (Filesize: 664KB)
- memory/4248-132-0x0000000000C30000-0x0000000000C33000-memory.dmp (Filesize: 12KB)
- memory/4248-133-0x0000000001000000-0x00000000010A6000-memory.dmp (Filesize: 664KB)
- memory/4248-135-0x0000000001000000-0x00000000010A6000-memory.dmp (Filesize: 664KB)
- memory/4640-137-0x0000000000000000-mapping.dmp