caa29ec0210e6b847ef9bec405e139f106432db18eeec2ce95b96ef733e09fb9

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
06/12/2022, 00:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

caa29ec0210e6b847ef9bec405e139f106432db18eeec2ce95b96ef733e09fb9.exe
Size

631KB
MD5

d725941c68aa42f628dbe1097b6cd733
SHA1

af9ee4eef4d176f2c71ddf83841a2f1c2ae3aded
SHA256

caa29ec0210e6b847ef9bec405e139f106432db18eeec2ce95b96ef733e09fb9
SHA512

0e6c904c619db19de4235df71631a4408027023943897486214d448e791acd682d44736c7485f7562c578ccfbc9f2561452c1dca02fe5244d4d4f357974c1def
SSDEEP

12288:jERaXYP3vzh/k/u8OU8bo2KwVaO+kmydYptZauYi7bmadnZ/ktL5zGfcP28:6A03rh/k/GtJxVN0EuX7bmqCLUyp

Score

8^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4756	XFLF.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	caa29ec0210e6b847ef9bec405e139f106432db18eeec2ce95b96ef733e09fb9.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	XFLF.exe

Loads dropped DLL 5 IoCs

pid	Process
3772	caa29ec0210e6b847ef9bec405e139f106432db18eeec2ce95b96ef733e09fb9.exe
4756	XFLF.exe
4756	XFLF.exe
4756	XFLF.exe
4064	WerFault.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	XFLF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\XFLF Agent = "C:\\Windows\\SysWOW64\\28463\\XFLF.exe"	XFLF.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\28463\XFLF.009	XFLF.exe
File created	C:\Windows\SysWOW64\28463\XFLF.001	caa29ec0210e6b847ef9bec405e139f106432db18eeec2ce95b96ef733e09fb9.exe
File created	C:\Windows\SysWOW64\28463\XFLF.006	caa29ec0210e6b847ef9bec405e139f106432db18eeec2ce95b96ef733e09fb9.exe
File created	C:\Windows\SysWOW64\28463\XFLF.007	caa29ec0210e6b847ef9bec405e139f106432db18eeec2ce95b96ef733e09fb9.exe
File created	C:\Windows\SysWOW64\28463\XFLF.exe	caa29ec0210e6b847ef9bec405e139f106432db18eeec2ce95b96ef733e09fb9.exe
File opened for modification	C:\Windows\SysWOW64\28463	XFLF.exe
File created	C:\Windows\SysWOW64\28463\XFLF.009	XFLF.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4064	4756	WerFault.exe	87

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: 33	4756	XFLF.exe
Token: SeIncBasePriorityPrivilege	4756	XFLF.exe
Token: SeIncBasePriorityPrivilege	4756	XFLF.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
4756	XFLF.exe
4756	XFLF.exe
4756	XFLF.exe
4756	XFLF.exe
4756	XFLF.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3772 wrote to memory of 4756	3772	caa29ec0210e6b847ef9bec405e139f106432db18eeec2ce95b96ef733e09fb9.exe	87
PID 3772 wrote to memory of 4756	3772	caa29ec0210e6b847ef9bec405e139f106432db18eeec2ce95b96ef733e09fb9.exe	87
PID 3772 wrote to memory of 4756	3772	caa29ec0210e6b847ef9bec405e139f106432db18eeec2ce95b96ef733e09fb9.exe	87
PID 4756 wrote to memory of 3388	4756	XFLF.exe	102
PID 4756 wrote to memory of 3388	4756	XFLF.exe	102
PID 4756 wrote to memory of 3388	4756	XFLF.exe	102

C:\Users\Admin\AppData\Local\Temp\caa29ec0210e6b847ef9bec405e139f106432db18eeec2ce95b96ef733e09fb9.exe
"C:\Users\Admin\AppData\Local\Temp\caa29ec0210e6b847ef9bec405e139f106432db18eeec2ce95b96ef733e09fb9.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3772
- C:\Windows\SysWOW64\28463\XFLF.exe
  "C:\Windows\system32\28463\XFLF.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4756
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4756 -s 1176
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:4064
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\28463\XFLF.exe > nul
    3⤵
    PID:3388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 4756 -ip 4756
1⤵
PID:1672

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\@BC40.tmp

Filesize
4KB

MD5
b89311bdf4e6640cc9051e629476cbe4

SHA1
ced30235482232b045cd5d8004e8ead01b30f9ca

SHA256
db0e9d83d8a5309ae4ab4747ff6ce506a2f85b01a598caad697a69b3ddb557a1

SHA512
8e71c2238e23cd793feb061736d00f8aea0002f79e2632093529ed6242f9af2a99baa598d58c04bbc9c02715d7f18955ae88334e39caa2978e88904cf27911d4

Download Submit
C:\Windows\SysWOW64\28463\XFLF.001

Filesize
382B

MD5
61b5d94fcab38f10530c40cd6903d412

SHA1
7f7c999492ed7bc3fe442a118f487c51145385bf

SHA256
a836912164388a44a8737c7556c6ee4824bcfab0484ff2526710215cff3a265c

SHA512
75e314dcd13d2da106533238ed245e3cf21f96190bc4c90c5db4c103af64d77a33568c31cee3882d0d76d982ed5648ce8a746a51bf128372648fb30397140941

Download Submit
C:\Windows\SysWOW64\28463\XFLF.006

Filesize
8KB

MD5
911a5a213762001178a48b2ceefa1880

SHA1
de9b25ac58e893397ab9ad3331bd922bbd5043ae

SHA256
273375c7be87b6da793320ee25ea08967bf8cb43e6213e4af94955e565afabc9

SHA512
cc4f95dc64085033a6f5308d61bce83991a8949ec89513fa0428527b6c20f40bc4ce0b323da3020f405f29bf3fcf703722082247f591568d39e8e355543f04c9

Download Submit
C:\Windows\SysWOW64\28463\XFLF.006

Filesize
8KB

MD5
911a5a213762001178a48b2ceefa1880

SHA1
de9b25ac58e893397ab9ad3331bd922bbd5043ae

SHA256
273375c7be87b6da793320ee25ea08967bf8cb43e6213e4af94955e565afabc9

SHA512
cc4f95dc64085033a6f5308d61bce83991a8949ec89513fa0428527b6c20f40bc4ce0b323da3020f405f29bf3fcf703722082247f591568d39e8e355543f04c9

Download Submit
C:\Windows\SysWOW64\28463\XFLF.006

Filesize
8KB

MD5
911a5a213762001178a48b2ceefa1880

SHA1
de9b25ac58e893397ab9ad3331bd922bbd5043ae

SHA256
273375c7be87b6da793320ee25ea08967bf8cb43e6213e4af94955e565afabc9

SHA512
cc4f95dc64085033a6f5308d61bce83991a8949ec89513fa0428527b6c20f40bc4ce0b323da3020f405f29bf3fcf703722082247f591568d39e8e355543f04c9

Download Submit
C:\Windows\SysWOW64\28463\XFLF.007

Filesize
5KB

MD5
2183e6a435b000fc6e85b712513c3480

SHA1
c088b82494aaeca23a5acfaf83f55597bd0bdc6e

SHA256
9a1a58cea0b0cfe3479d29bb39b0a5af0ee75fbd94254529ad28f2e54aec30e5

SHA512
94ffbd46b10cf71ea59d3d44ceece691d7d50e8e111e330d44346f1e56e62d7a3b5c375917494fff89966d0ea5fc562d45b14b983269eba72b2831abce7a1afe

Download Submit
C:\Windows\SysWOW64\28463\XFLF.007

Filesize
5KB

MD5
2183e6a435b000fc6e85b712513c3480

SHA1
c088b82494aaeca23a5acfaf83f55597bd0bdc6e

SHA256
9a1a58cea0b0cfe3479d29bb39b0a5af0ee75fbd94254529ad28f2e54aec30e5

SHA512
94ffbd46b10cf71ea59d3d44ceece691d7d50e8e111e330d44346f1e56e62d7a3b5c375917494fff89966d0ea5fc562d45b14b983269eba72b2831abce7a1afe

Download Submit
C:\Windows\SysWOW64\28463\XFLF.007

Filesize
5KB

MD5
2183e6a435b000fc6e85b712513c3480

SHA1
c088b82494aaeca23a5acfaf83f55597bd0bdc6e

SHA256
9a1a58cea0b0cfe3479d29bb39b0a5af0ee75fbd94254529ad28f2e54aec30e5

SHA512
94ffbd46b10cf71ea59d3d44ceece691d7d50e8e111e330d44346f1e56e62d7a3b5c375917494fff89966d0ea5fc562d45b14b983269eba72b2831abce7a1afe

Download Submit
C:\Windows\SysWOW64\28463\XFLF.exe

Filesize
602KB

MD5
8459b0ba642d016c60571a3ad31e6ec8

SHA1
19a7f23f7eee39ed4217ec44ef46b899eabc32c2

SHA256
e859bf35940f45fab38d28c824ae1eabc16adbc98ff09bf579f09765c0e88655

SHA512
812dca12499fd93627ef3a2a848f4a74be1009b2ebca29b5abe4218923338f5db753f573982dc7d8b4b4a3e0f8cf59748070394b2ae2f0f52c030ecc5c964e0d

Download Submit
C:\Windows\SysWOW64\28463\XFLF.exe

Filesize
602KB

MD5
8459b0ba642d016c60571a3ad31e6ec8

SHA1
19a7f23f7eee39ed4217ec44ef46b899eabc32c2

SHA256
e859bf35940f45fab38d28c824ae1eabc16adbc98ff09bf579f09765c0e88655

SHA512
812dca12499fd93627ef3a2a848f4a74be1009b2ebca29b5abe4218923338f5db753f573982dc7d8b4b4a3e0f8cf59748070394b2ae2f0f52c030ecc5c964e0d

Download Submit
memory/4756-142-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/4756-145-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download