c2c99c2df6471aa5b6811075d46ab69b295d9f8553e0ec1a11a082a45aa7535a

Analysis

max time kernel
201s
max time network
194s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
05/12/2022, 19:06

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

c2c99c2df6471aa5b6811075d46ab69b295d9f8553e0ec1a11a082a45aa7535a.exe
Size

439KB
MD5

173c4e0856d28568d883e9d1b15d0f10
SHA1

389e34da8337a12065f0a4a2f1017277ac725df2
SHA256

c2c99c2df6471aa5b6811075d46ab69b295d9f8553e0ec1a11a082a45aa7535a
SHA512

5aec6ff1108f0368f73af36a89b5627066a09fe985c1d532b1c54541020ebfd55b51b6796066923a796b5b3ec70f0264546f7f2d376e8a7197072b16e48efd10
SSDEEP

12288:uzpgZzidAJEVgCx36pOwjR4ss1wa9lGBt:uVgYCMMOwm17sBt

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1204	rassen.exe
3488	xsfxdel~.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	c2c99c2df6471aa5b6811075d46ab69b295d9f8553e0ec1a11a082a45aa7535a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3668	1204	WerFault.exe	84
3940	1204	WerFault.exe	84

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4060 wrote to memory of 1204	4060	c2c99c2df6471aa5b6811075d46ab69b295d9f8553e0ec1a11a082a45aa7535a.exe	84
PID 4060 wrote to memory of 1204	4060	c2c99c2df6471aa5b6811075d46ab69b295d9f8553e0ec1a11a082a45aa7535a.exe	84
PID 4060 wrote to memory of 1204	4060	c2c99c2df6471aa5b6811075d46ab69b295d9f8553e0ec1a11a082a45aa7535a.exe	84
PID 4060 wrote to memory of 3488	4060	c2c99c2df6471aa5b6811075d46ab69b295d9f8553e0ec1a11a082a45aa7535a.exe	91
PID 4060 wrote to memory of 3488	4060	c2c99c2df6471aa5b6811075d46ab69b295d9f8553e0ec1a11a082a45aa7535a.exe	91
PID 4060 wrote to memory of 3488	4060	c2c99c2df6471aa5b6811075d46ab69b295d9f8553e0ec1a11a082a45aa7535a.exe	91

C:\Users\Admin\AppData\Local\Temp\c2c99c2df6471aa5b6811075d46ab69b295d9f8553e0ec1a11a082a45aa7535a.exe
"C:\Users\Admin\AppData\Local\Temp\c2c99c2df6471aa5b6811075d46ab69b295d9f8553e0ec1a11a082a45aa7535a.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4060
- C:\Users\Admin\AppData\Local\rassen.exe
  "C:\Users\Admin\AppData\Local\rassen.exe"
  2⤵
  - Executes dropped EXE
  PID:1204
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1204 -s 472
    3⤵
    - Program crash
    PID:3668
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1204 -s 480
    3⤵
    - Program crash
    PID:3940
- C:\Users\Admin\AppData\Local\Temp\xsfxdel~.exe
  "C:\Users\Admin\AppData\Local\Temp\xsfxdel~.exe" "C:\Users\Admin\AppData\Local\Temp\c2c99c2df6471aa5b6811075d46ab69b295d9f8553e0ec1a11a082a45aa7535a.exe"
  2⤵
  - Executes dropped EXE
  PID:3488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1204 -ip 1204
1⤵
PID:1920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1204 -ip 1204
1⤵
PID:364

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\xsfxdel~.exe

Filesize
40KB

MD5
a7ddc4e9e8ddba63670276fa386d0adf

SHA1
48c6799a242a61b97705845ad39f0b7b0a77f872

SHA256
42ffde314a6672bad5fc0ce2fdc36e2236055185d6f2dbadaac371751587d4c0

SHA512
3e9822a3229ae0e0ef13f197172ef35d97522633c4cc32fcde97d662fcf8c9ad6ccb2809778027fc5381a5dd34ffc46b2f9458ad4b05ad3f597f07369b52fc6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\xsfxdel~.exe

Filesize
40KB

MD5
a7ddc4e9e8ddba63670276fa386d0adf

SHA1
48c6799a242a61b97705845ad39f0b7b0a77f872

SHA256
42ffde314a6672bad5fc0ce2fdc36e2236055185d6f2dbadaac371751587d4c0

SHA512
3e9822a3229ae0e0ef13f197172ef35d97522633c4cc32fcde97d662fcf8c9ad6ccb2809778027fc5381a5dd34ffc46b2f9458ad4b05ad3f597f07369b52fc6a

Download Submit
C:\Users\Admin\AppData\Local\rassen.exe

Filesize
273KB

MD5
7b400e01446dc970ad333a42db7bbf08

SHA1
bd326fa4f75e43a8e83349fa2dcd7800678e70df

SHA256
8cc76eb4ae29d19523ec77c9110cc76fd2bfaabe6b375dc70b39bf0f9cb3dad0

SHA512
55c222806a57b3e864bcce6b262dffebb1787de24d926d45231b420f0c8c7c7c8e0e1277a05beb2c253948d355ba27c677f27563a9b59cba2db84cb6c15f19a3

Download Submit
C:\Users\Admin\AppData\Local\rassen.exe

Filesize
273KB

MD5
7b400e01446dc970ad333a42db7bbf08

SHA1
bd326fa4f75e43a8e83349fa2dcd7800678e70df

SHA256
8cc76eb4ae29d19523ec77c9110cc76fd2bfaabe6b375dc70b39bf0f9cb3dad0

SHA512
55c222806a57b3e864bcce6b262dffebb1787de24d926d45231b420f0c8c7c7c8e0e1277a05beb2c253948d355ba27c677f27563a9b59cba2db84cb6c15f19a3

Download Submit
memory/1204-135-0x0000000014000000-0x000000001404D000-memory.dmp

Filesize
308KB

Download