Analysis

max time kernel: 93s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05/12/2022, 17:03
Static task: static1

Behavioral task: behavioral1
  Sample: f325dea4205398399ffacecd3a6708aedcab0ff6288b3efa6c477b8dfb4fa22e.exe
  Resource: win7-20221111-en

Behavioral task: behavioral2
  Sample: f325dea4205398399ffacecd3a6708aedcab0ff6288b3efa6c477b8dfb4fa22e.exe
  Resource: win10v2004-20220901-en
General

Target: f325dea4205398399ffacecd3a6708aedcab0ff6288b3efa6c477b8dfb4fa22e.exe
Size: 191KB
MD5: 5affdf5e22daf43369a8c57745e71958
SHA1: 5b037e3e6299c9e8399bc547a438b824c61998aa
SHA256: f325dea4205398399ffacecd3a6708aedcab0ff6288b3efa6c477b8dfb4fa22e
SHA512: 63b2b394062f07269362806a6340e3352be697a802f59467918d1cfdaf152737e9684c168d8e948d9134fdd95d88209b4c3520190ee5a2f5cc02e431833e26dd
SSDEEP: 3072:lzNWMKKRZYc1ObK91C8sV6Xmoo4MEpYeptCGF81fc:lZuaObR8sVImPyYepAGr
Malware Config
Signatures

Executes dropped EXE (2 IoCs)
  PID 4860  1.exe
  PID 4976  seuwok.exe

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence check.
  Key value queried: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation  (process: f325dea4205398399ffacecd3a6708aedcab0ff6288b3efa6c477b8dfb4fa22e.exe)

Drops file in System32 directory (2 IoCs)
  File created: C:\Windows\SysWOW64\seuwok.exe  (process: 1.exe)
  File opened for modification: C:\Windows\SysWOW64\seuwok.exe  (process: 1.exe)

Suspicious use of SetThreadContext (1 IoC)
  PID 4976 (seuwok.exe) set thread context of PID 3884  (procid_target 83)

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (1 IoC)
  PID 2012 (WerFault.exe) reported a crash of PID 3884  (procid_target 83)

Suspicious use of SetWindowsHookEx (4 IoCs)
  PID 4860  1.exe  (2 calls)
  PID 4976  seuwok.exe  (2 calls)

Suspicious use of UnmapMainImage (1 IoC)
  PID 3884  svchost.exe

Suspicious use of WriteProcessMemory (8 IoCs)
  PID 1652 (f325dea4205398399ffacecd3a6708aedcab0ff6288b3efa6c477b8dfb4fa22e.exe) wrote to memory of PID 4860  (procid_target 81, 3 calls)
  PID 4976 (seuwok.exe) wrote to memory of PID 3884  (procid_target 83, 5 calls)
Processes

C:\Users\Admin\AppData\Local\Temp\f325dea4205398399ffacecd3a6708aedcab0ff6288b3efa6c477b8dfb4fa22e.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\f325dea4205398399ffacecd3a6708aedcab0ff6288b3efa6c477b8dfb4fa22e.exe"
  PID: 1652
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  └─ C:\Users\Admin\AppData\Local\Temp\1.exe
       command line: "C:\Users\Admin\AppData\Local\Temp\1.exe"
       PID: 4860
       - Executes dropped EXE
       - Drops file in System32 directory
       - Suspicious use of SetWindowsHookEx

C:\Windows\SysWOW64\seuwok.exe
  command line: C:\Windows\SysWOW64\seuwok.exe
  PID: 4976
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  └─ C:\Windows\SysWOW64\svchost.exe
       command line: svchost.exe
       PID: 3884
       - Suspicious use of UnmapMainImage
       └─ C:\Windows\SysWOW64\WerFault.exe
            command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3884 -s 12
            PID: 2012
            - Program crash

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3884 -ip 3884
  PID: 1424
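The Signatures and Processes sections together describe the classic process-hollowing sequence: seuwok.exe (PID 4976) spawns a bare svchost.exe (PID 3884) that is not a child of services.exe, the child's main image is unmapped, seuwok.exe writes into it five times and then calls SetThreadContext to redirect execution, after which the host crashes and WerFault is invoked. The script below is an added example, not part of the sandbox report or its vendor's tooling, showing how a detection engineer would correlate those per-call rows into a single verdict. The event tuples and the process row are constructed from the PIDs, image names and command lines in the report; the function names, the verdict labels and the "svchost.exe is normally started by services.exe with -k" heuristic are assumptions of this example.

```python
"""Correlate sandbox API events into a process-injection verdict.

Added example, not from the sandbox report or its vendor. Event tuples are
constructed from the Signatures/Processes sections above; the helper names,
verdict labels and the services.exe parent heuristic are assumed.
"""
from dataclasses import dataclass

SAMPLE = "f325dea4205398399ffacecd3a6708aedcab0ff6288b3efa6c477b8dfb4fa22e.exe"

# (api, source_pid, source_image, target_pid, target_image), constructed from
# the report's WriteProcessMemory / SetThreadContext / UnmapMainImage rows.
EVENTS = (
    [("WriteProcessMemory", 1652, SAMPLE, 4860, "1.exe")] * 3
    + [("WriteProcessMemory", 4976, "seuwok.exe", 3884, "svchost.exe")] * 5
    + [
        ("SetThreadContext", 4976, "seuwok.exe", 3884, "svchost.exe"),
        ("UnmapMainImage", 3884, "svchost.exe", 3884, "svchost.exe"),
    ]
)

# (pid, image, parent_image, command_line), constructed from the process tree.
PROCESSES = [
    (3884, "svchost.exe", "seuwok.exe", "svchost.exe"),
]


@dataclass
class Injection:
    source_pid: int
    source_image: str
    target_pid: int
    target_image: str
    writes: int = 0
    set_thread_context: bool = False
    target_unmapped: bool = False

    def verdict(self) -> str:
        # Hollowing needs all three: the target's own image is unmapped, new
        # code is written in, and execution is redirected via SetThreadContext.
        if self.writes and self.set_thread_context and self.target_unmapped:
            return "process hollowing"
        if self.writes and self.set_thread_context:
            return "thread hijack"
        if self.writes:
            # A parent writing into a child it just spawned is weak evidence
            # on its own (seen here for the dropper -> 1.exe pair).
            return "remote write only"
        return "none"


def correlate(events):
    """Group cross-process events by (source, target) pair and attach the
    per-target UnmapMainImage observation to each pair."""
    unmapped = {tpid for api, _, _, tpid, _ in events if api == "UnmapMainImage"}
    pairs = {}
    for api, spid, simg, tpid, timg in events:
        if spid == tpid:  # self-directed calls are folded in via `unmapped`
            continue
        inj = pairs.setdefault((spid, tpid), Injection(spid, simg, tpid, timg))
        if api == "WriteProcessMemory":
            inj.writes += 1
        elif api == "SetThreadContext":
            inj.set_thread_context = True
        inj.target_unmapped = tpid in unmapped
    return list(pairs.values())


def suspicious_svchost(image, parent_image, command_line):
    """svchost.exe is normally launched by services.exe with a '-k <group>'
    argument; a bare svchost.exe under an unrelated parent is a likely
    hollowing host. The expected-parent rule is an assumption here."""
    if image.lower() != "svchost.exe":
        return False
    return parent_image.lower() != "services.exe" or "-k" not in command_line.split()


def report(events=EVENTS, processes=PROCESSES):
    """Return {description: verdict} for every injection pair and svchost host."""
    findings = {
        f"{i.source_image}({i.source_pid}) -> {i.target_image}({i.target_pid})": i.verdict()
        for i in correlate(events)
    }
    for pid, img, parent, cmdline in processes:
        findings[f"svchost parent check pid {pid}"] = suspicious_svchost(img, parent, cmdline)
    return findings


if __name__ == "__main__":
    for desc, verdict in report().items():
        print(f"{desc}: {verdict}")
```

The grouping is the point: a single WriteProcessMemory row is noise in most telemetry (parents write into children they create), so the verdict is only raised when the same source/target pair also shows SetThreadContext and the target has unmapped its own image. The same correlation applies to Sysmon event IDs 8 and 10 or ETW API traces; only the tuple shape changes.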
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 95.7MB
MD5: 4e9b1773769dce4effa5635075f04084
SHA1: d30ba9240fc6d713c366b8ffaf1b7ebb1f5b864f
SHA256: 105d786c36bad3a872de6f1f49c3c8ffe2dfcef3bb4a40dd020357752317a74e
SHA512: 20847028c1a7afa2150f4580340fd389d50c3b37d2de35386bc6b31962c951fa465f6771e60f451eab1b8f9e6039b6fef7a37fb16ed74b85a7da577061ec4bdc