7622d809df93f4a09b0c08f8a4af281250ab4f73f460c718793767b3c5905f9a

Analysis

max time kernel
161s
max time network
167s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
06/12/2022, 01:10

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

7622d809df93f4a09b0c08f8a4af281250ab4f73f460c718793767b3c5905f9a.exe
Size

155KB
MD5

496e3b1221d0905abb697804bfe1fb2c
SHA1

23e1254303000835603d86d53fa58c566893c66c
SHA256

7622d809df93f4a09b0c08f8a4af281250ab4f73f460c718793767b3c5905f9a
SHA512

11ced469cf73d6733cb34137d7f92bbccd5d5c6d9ce731ac575e954cfeda294057a7017754b35b9e86624bed642faeb85d9b80377898c93a1f7c4ed16968cd30
SSDEEP

3072:9d9xR3G2BZMbBLBaYw0coLujNHQ8iJkysA2Ao67IUjMUv17:9d93ZBZMbqYgomHQ5J1sA2ZgjMA17

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2316	ttxe.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	7622d809df93f4a09b0c08f8a4af281250ab4f73f460c718793767b3c5905f9a.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ttxe.dll	ttxe.exe
File opened for modification	C:\Windows\SysWOW64\ttxe.dll	ttxe.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32delxxzt.BaT	ttxe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 5 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{288BD9BD-F0DC-46B1-81B5-2B61DF8077CE}\InPrOcservEr32\ThrEaDingMOdel = "AparTmEnt"	ttxe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\cLSiD\{288BD9BD-F0DC-46B1-81B5-2B61DF8077CE}	ttxe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{288BD9BD-F0DC-46B1-81B5-2B61DF8077CE}\ = "WinDowLaNman"	ttxe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\cLSiD\{288BD9BD-F0DC-46B1-81B5-2B61DF8077CE}\InPrOcservEr32	ttxe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{288BD9BD-F0DC-46B1-81B5-2B61DF8077CE}\InPrOcservEr32\ = "C:\\Windows\\SysWow64\\ttxe.dll"	ttxe.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2316	ttxe.exe
2316	ttxe.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 516 wrote to memory of 2316	516	7622d809df93f4a09b0c08f8a4af281250ab4f73f460c718793767b3c5905f9a.exe	79
PID 516 wrote to memory of 2316	516	7622d809df93f4a09b0c08f8a4af281250ab4f73f460c718793767b3c5905f9a.exe	79
PID 516 wrote to memory of 2316	516	7622d809df93f4a09b0c08f8a4af281250ab4f73f460c718793767b3c5905f9a.exe	79
PID 2316 wrote to memory of 4372	2316	ttxe.exe	80
PID 2316 wrote to memory of 4372	2316	ttxe.exe	80
PID 2316 wrote to memory of 4372	2316	ttxe.exe	80

C:\Users\Admin\AppData\Local\Temp\7622d809df93f4a09b0c08f8a4af281250ab4f73f460c718793767b3c5905f9a.exe
"C:\Users\Admin\AppData\Local\Temp\7622d809df93f4a09b0c08f8a4af281250ab4f73f460c718793767b3c5905f9a.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:516
- C:\Users\Admin\AppData\Local\Temp\ttxe.exe
  "C:\Users\Admin\AppData\Local\Temp\ttxe.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2316
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\system32delxxzt.BaT
    3⤵
    PID:4372

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ttxe.exe

Filesize
78KB

MD5
819d7ff3985c3b967492471d151f2a2c

SHA1
f0d7aa7008736027f78d8fd0f673690a9ed37387

SHA256
95f4ca565ade3d7cdc6304a6884395a52a67a94f8e1aaca0a7fd11bcf5fa4a3b

SHA512
9992cc50ba7eca4b8bb56353ae7201ba3a897fc811ecd3d0430fe8630589c0cfc7cb4d76d110c85d854af8f4157230623825cb088b6c9ca71c1c0b8a3a503919

Download Submit
C:\Users\Admin\AppData\Local\Temp\ttxe.exe

Filesize
78KB

MD5
819d7ff3985c3b967492471d151f2a2c

SHA1
f0d7aa7008736027f78d8fd0f673690a9ed37387

SHA256
95f4ca565ade3d7cdc6304a6884395a52a67a94f8e1aaca0a7fd11bcf5fa4a3b

SHA512
9992cc50ba7eca4b8bb56353ae7201ba3a897fc811ecd3d0430fe8630589c0cfc7cb4d76d110c85d854af8f4157230623825cb088b6c9ca71c1c0b8a3a503919

Download Submit
C:\Windows\system32delxxzt.BaT

Filesize
128B

MD5
a99af633ddf3fcbd72850f3f34d95c24

SHA1
d85ab608b944e1852b12717c740bb027b7bbd2a3

SHA256
8a26e5eec718d13bf2d5630d61e29cd0bc4bd825f0142e59bd723cb42f75a853

SHA512
aef6396a2ddad8ee7a756a0e3cf179632d3c1d88b6aad3b04554a5a1c4ded5dc47b1da6876851bb6eed3e8c8b619cbde43622249c51fbb56a6fc6f3bf6b15ba4

Download Submit