304aad4728eb3a73e3fae493391bcff6313a081c95b77e2d6a0be8edd2c324f5

Analysis

max time kernel
70s
max time network
132s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
06/12/2022, 13:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

304aad4728eb3a73e3fae493391bcff6313a081c95b77e2d6a0be8edd2c324f5.exe
Size

184KB
MD5

4d36e000b64bf076db39a16e2ed6fcdf
SHA1

325887bf4aa370235e6e2ae34faddf56d6143643
SHA256

304aad4728eb3a73e3fae493391bcff6313a081c95b77e2d6a0be8edd2c324f5
SHA512

205cd35991fc2535ddf618c80ab30abaf1bde509007480ecd77cee5eb941e624ba6b92d5e67fe8e40962d4635181e692cb4f0edcc31c3f2bfa06f7e120209795
SSDEEP

3072:9ydJq5oyVzs+h0JI5J0SpUldLS3lgGBd/AkKHBRQ/rPOy9xnnHsGvPwsAvWDA:4W2+tUnoC2/ALhyzpsGvPw6k

Score

8^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4720	OFFICE~1.EXE

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0006000000022f77-133.dat	upx
behavioral2/files/0x0006000000022f77-134.dat	upx
behavioral2/memory/4720-135-0x0000000000400000-0x0000000000425000-memory.dmp	upx
behavioral2/memory/4720-136-0x0000000000400000-0x0000000000425000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	OFFICE~1.EXE

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	304aad4728eb3a73e3fae493391bcff6313a081c95b77e2d6a0be8edd2c324f5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	304aad4728eb3a73e3fae493391bcff6313a081c95b77e2d6a0be8edd2c324f5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeBackupPrivilege	2996	reg.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3440 wrote to memory of 4720	3440	304aad4728eb3a73e3fae493391bcff6313a081c95b77e2d6a0be8edd2c324f5.exe	80
PID 3440 wrote to memory of 4720	3440	304aad4728eb3a73e3fae493391bcff6313a081c95b77e2d6a0be8edd2c324f5.exe	80
PID 3440 wrote to memory of 4720	3440	304aad4728eb3a73e3fae493391bcff6313a081c95b77e2d6a0be8edd2c324f5.exe	80
PID 4720 wrote to memory of 3400	4720	OFFICE~1.EXE	81
PID 4720 wrote to memory of 3400	4720	OFFICE~1.EXE	81
PID 4720 wrote to memory of 3400	4720	OFFICE~1.EXE	81
PID 3400 wrote to memory of 2996	3400	cmd.exe	83
PID 3400 wrote to memory of 2996	3400	cmd.exe	83
PID 3400 wrote to memory of 2996	3400	cmd.exe	83

C:\Users\Admin\AppData\Local\Temp\304aad4728eb3a73e3fae493391bcff6313a081c95b77e2d6a0be8edd2c324f5.exe
"C:\Users\Admin\AppData\Local\Temp\304aad4728eb3a73e3fae493391bcff6313a081c95b77e2d6a0be8edd2c324f5.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3440
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OFFICE~1.EXE
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OFFICE~1.EXE
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:4720
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\SaveOffice.cmd" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3400
  - - C:\Windows\SysWOW64\reg.exe
      reg save HKLM\SOFTWARE c:\OfficeRegBak.hiv
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2996

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OFFICE~1.EXE

Filesize
86KB

MD5
216ecd0bfdbc552f593f05b9ebe5dbfa

SHA1
fe6bb61411801f1a62e133d994455083c5b99820

SHA256
96ad52c7bd0add41eef200fbb913d9f79af79357fe6d30214bb1b74a37c8a49b

SHA512
da6f0b775c54358f79b5c13f2faf0211841dce41b80c5eacee7402c3af87d60fea6dd79f404947210fd4ab55b0af4baad731397e9f9d45a4e8c0ea07028358bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OFFICE~1.EXE

Filesize
86KB

MD5
216ecd0bfdbc552f593f05b9ebe5dbfa

SHA1
fe6bb61411801f1a62e133d994455083c5b99820

SHA256
96ad52c7bd0add41eef200fbb913d9f79af79357fe6d30214bb1b74a37c8a49b

SHA512
da6f0b775c54358f79b5c13f2faf0211841dce41b80c5eacee7402c3af87d60fea6dd79f404947210fd4ab55b0af4baad731397e9f9d45a4e8c0ea07028358bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\SaveOffice.cmd

Filesize
981B

MD5
b8f78830dd1782e12b8807aea7384ac2

SHA1
bee8e85498a0e0add628bda558dfe652554e0ec4

SHA256
c374fabdfe02c9434af163e230d88c34387a461efb6fe251f602a45766dfba35

SHA512
3799f6d162bdfc01bad49b22490387c8c71c36bf163bca22748b47e5a48c7b9e4b46c40f94246b08368a972e0ade4c6af0b59a681aeb3f77640fdc7e1d01f4fa

Download Submit
memory/4720-135-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/4720-136-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download