915cc6e0b4eb3bd12e5f1919b66de5e3acfbcdc72b5cce6c5c0c656e1d9d1c73

Analysis

max time kernel
151s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
06/12/2022, 02:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

915cc6e0b4eb3bd12e5f1919b66de5e3acfbcdc72b5cce6c5c0c656e1d9d1c73.exe
Size

1.5MB
MD5

d024a15e3aca2d00fb08630d658a0908
SHA1

539176c120e436f315d036731a12368fa9eae0df
SHA256

915cc6e0b4eb3bd12e5f1919b66de5e3acfbcdc72b5cce6c5c0c656e1d9d1c73
SHA512

b7d9e1b5daf0b58be3cd179ebca4953fc7648a5d8e3d4259e27b41871945a97f1688a67842b636532cf5761813790ba3dcf20a269092f8cce16e31b6ae9b29a1
SSDEEP

24576:dcqmv1tJkM75eUV5zea9DVe2FuNc6NAJgB8Z7GXfX8jOQa74QQJbNQKAmRaWTRom:mv1x51V5Re2oN3ACB8UvMwQJhHRjogGu

Score

8^/10

persistence

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\scrss.exe = "\"scrss.exe \""	reg.exe

Executes dropped EXE 2 IoCs

pid	Process
1180	setup32.exe
4108	scrss.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	915cc6e0b4eb3bd12e5f1919b66de5e3acfbcdc72b5cce6c5c0c656e1d9d1c73.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	setup32.exe

Loads dropped DLL 3 IoCs

pid	Process
4108	scrss.exe
4108	scrss.exe
5112	NOTEPAD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	setup32.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2012	reg.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
5112	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
1180	setup32.exe
1180	setup32.exe
1180	setup32.exe
1180	setup32.exe
1180	setup32.exe
1180	setup32.exe
1180	setup32.exe
1180	setup32.exe
1180	setup32.exe
1180	setup32.exe
1180	setup32.exe
1180	setup32.exe
1180	setup32.exe
1180	setup32.exe
1180	setup32.exe
1180	setup32.exe
1180	setup32.exe
1180	setup32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4108	scrss.exe
5112	NOTEPAD.EXE

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1508 wrote to memory of 1180	1508	915cc6e0b4eb3bd12e5f1919b66de5e3acfbcdc72b5cce6c5c0c656e1d9d1c73.exe	81
PID 1508 wrote to memory of 1180	1508	915cc6e0b4eb3bd12e5f1919b66de5e3acfbcdc72b5cce6c5c0c656e1d9d1c73.exe	81
PID 1508 wrote to memory of 1180	1508	915cc6e0b4eb3bd12e5f1919b66de5e3acfbcdc72b5cce6c5c0c656e1d9d1c73.exe	81
PID 1180 wrote to memory of 5112	1180	setup32.exe	82
PID 1180 wrote to memory of 5112	1180	setup32.exe	82
PID 1180 wrote to memory of 5112	1180	setup32.exe	82
PID 1180 wrote to memory of 4108	1180	setup32.exe	83
PID 1180 wrote to memory of 4108	1180	setup32.exe	83
PID 1180 wrote to memory of 4108	1180	setup32.exe	83
PID 1180 wrote to memory of 4624	1180	setup32.exe	84
PID 1180 wrote to memory of 4624	1180	setup32.exe	84
PID 1180 wrote to memory of 4624	1180	setup32.exe	84
PID 4624 wrote to memory of 4808	4624	cmd.exe	86
PID 4624 wrote to memory of 4808	4624	cmd.exe	86
PID 4624 wrote to memory of 4808	4624	cmd.exe	86
PID 4808 wrote to memory of 2012	4808	cmd.exe	87
PID 4808 wrote to memory of 2012	4808	cmd.exe	87
PID 4808 wrote to memory of 2012	4808	cmd.exe	87

C:\Users\Admin\AppData\Local\Temp\915cc6e0b4eb3bd12e5f1919b66de5e3acfbcdc72b5cce6c5c0c656e1d9d1c73.exe
"C:\Users\Admin\AppData\Local\Temp\915cc6e0b4eb3bd12e5f1919b66de5e3acfbcdc72b5cce6c5c0c656e1d9d1c73.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1508
- C:\Users\Admin\AppData\Roaming\Microsoft\setup32.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\setup32.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1180
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\mesaj2.txt
    3⤵
    - Loads dropped DLL
    - Opens file in notepad (likely ransom note)
    - Suspicious use of SetWindowsHookEx
    PID:5112
- - C:\Users\Admin\AppData\Local\Temp\scrss.exe
    "C:\Users\Admin\AppData\Local\Temp\scrss.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:4108
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\check.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4624
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run /V scrss.exe /D "\"scrss.exe \"" /f
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4808
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run /V scrss.exe /D "\"scrss.exe \"" /f
        5⤵
        Adds policy Run key to start application
        Modifies registry key
        
        PID:2012

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\check.bat

Filesize
136B

MD5
2cd204544a454c7e443f9b55ec817484

SHA1
67e9dea6ba52997bb1212a1b04b68f8ddb0ab563

SHA256
04f1b243de434d188191b8cea9b84e292a8a104d8eae8ab435fe480155caef7a

SHA512
173eefc8d307a0d98dcb484a1a865337295279df86d44c41ebf722306de6ece113bc0a0bec2aa5eb51c71eb40c266b1e1f371547dc653c77fc2c33e5c99e5516

Download Submit
C:\Users\Admin\AppData\Local\Temp\mesaj2.txt

Filesize
871B

MD5
2f64c639ad8f05204f4ae397c52acc8c

SHA1
7de09f1b781703926c6a33f1e5d9c0630c40e405

SHA256
a8ac437f75f8ff37d897e301bf8d759e400981f2945510feb86ff4818d9ca703

SHA512
cc1752be57a9bb6fe274291ff4d611c1cd39f6b960967c684cd2a02b7d24cd00b2537d1ab42ef97557fe9c886b50586a7003245aff46ee66713361f102b59bdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\ntldr.dll

Filesize
221KB

MD5
85d6d521d2a3492d0432080d277fa896

SHA1
bb72a13d3b3a92c043a5da02196fc74560a24e6d

SHA256
faf4fe2b8b84c033c7fe29ed872f3cefadb179505d23ab899a543def4d2b5d68

SHA512
83b11ad9afc4a42fdeff4bb0de6c9a336d090a6ea0686849100b7391c9bf6513d3e36655ad72ae27f9f29ef6bcafb7904ecdecf68ef0f23cef27b63e6ae83cb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ntldr.dll

Filesize
221KB

MD5
85d6d521d2a3492d0432080d277fa896

SHA1
bb72a13d3b3a92c043a5da02196fc74560a24e6d

SHA256
faf4fe2b8b84c033c7fe29ed872f3cefadb179505d23ab899a543def4d2b5d68

SHA512
83b11ad9afc4a42fdeff4bb0de6c9a336d090a6ea0686849100b7391c9bf6513d3e36655ad72ae27f9f29ef6bcafb7904ecdecf68ef0f23cef27b63e6ae83cb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ntldr.dll

Filesize
221KB

MD5
85d6d521d2a3492d0432080d277fa896

SHA1
bb72a13d3b3a92c043a5da02196fc74560a24e6d

SHA256
faf4fe2b8b84c033c7fe29ed872f3cefadb179505d23ab899a543def4d2b5d68

SHA512
83b11ad9afc4a42fdeff4bb0de6c9a336d090a6ea0686849100b7391c9bf6513d3e36655ad72ae27f9f29ef6bcafb7904ecdecf68ef0f23cef27b63e6ae83cb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ntldr.dll

Filesize
221KB

MD5
85d6d521d2a3492d0432080d277fa896

SHA1
bb72a13d3b3a92c043a5da02196fc74560a24e6d

SHA256
faf4fe2b8b84c033c7fe29ed872f3cefadb179505d23ab899a543def4d2b5d68

SHA512
83b11ad9afc4a42fdeff4bb0de6c9a336d090a6ea0686849100b7391c9bf6513d3e36655ad72ae27f9f29ef6bcafb7904ecdecf68ef0f23cef27b63e6ae83cb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\scrss.exe

Filesize
475KB

MD5
626049f6ea3e5d975eff06b51565f824

SHA1
be83640e0ea42419212e0b0a9f9461f7306464b1

SHA256
8f99c2bbd3c147a31136f4568878e6aa2d40a07abbb5ea8a82736546bb5fac5c

SHA512
08f7a3f16aa054e82ab96b8953ba91cfe867c8856f16e1256fd145ce6832f43432789fef7ae5f0723c1b2ed79c0155282231b4057e9e632009e9574b6d0f2f4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\scrss.exe

Filesize
475KB

MD5
626049f6ea3e5d975eff06b51565f824

SHA1
be83640e0ea42419212e0b0a9f9461f7306464b1

SHA256
8f99c2bbd3c147a31136f4568878e6aa2d40a07abbb5ea8a82736546bb5fac5c

SHA512
08f7a3f16aa054e82ab96b8953ba91cfe867c8856f16e1256fd145ce6832f43432789fef7ae5f0723c1b2ed79c0155282231b4057e9e632009e9574b6d0f2f4a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\setup32.exe

Filesize
1.2MB

MD5
4378197241e62a4327b2ebd5b7fa9a0b

SHA1
0279c67adae8f0fc436b56834c77afb7a1b981fe

SHA256
c2bf1e40d93d80d84993a0a8fa24f53a2ce3f1f1b1315e628fe99e37637261ee

SHA512
679ef8116b587b3ebdec358ef8c73e3a2eacd835ceb27193425020892e052d06a0dc1ab486bf52944f2c2960bd1449279acb0fe08630848f1a673742cc830a58

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\setup32.exe

Filesize
1.2MB

MD5
4378197241e62a4327b2ebd5b7fa9a0b

SHA1
0279c67adae8f0fc436b56834c77afb7a1b981fe

SHA256
c2bf1e40d93d80d84993a0a8fa24f53a2ce3f1f1b1315e628fe99e37637261ee

SHA512
679ef8116b587b3ebdec358ef8c73e3a2eacd835ceb27193425020892e052d06a0dc1ab486bf52944f2c2960bd1449279acb0fe08630848f1a673742cc830a58

Download Submit
memory/4108-143-0x0000000002230000-0x000000000226C000-memory.dmp

Filesize
240KB

Download