405052c81773585a5ee8d8d159a0e6975b8e38c7e16fd4f2b880936e71aeeb29

Analysis

max time kernel
151s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
06/12/2022, 13:17

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

405052c81773585a5ee8d8d159a0e6975b8e38c7e16fd4f2b880936e71aeeb29.exe
Size

2.0MB
MD5

f8736d8bbb862b9c96d27d89be998c7d
SHA1

6776fe7c269f187a2204b4175fb787cce6934800
SHA256

405052c81773585a5ee8d8d159a0e6975b8e38c7e16fd4f2b880936e71aeeb29
SHA512

b84bd1bb60dd3e02f3e4db62ce835ef62f1f339c174df6e0b680ef2b91140a2c4637dc99cd4063b6f54c70491d1addad619498fa3ca647a8b98c37603047535e
SSDEEP

49152:TUUqKgr+pCMPloRnLHn77gJ+F5VNQVs3YU33PEpTz4CmI:TUjKgr+pXPloVLH7MEF5VNtlfI7

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2604	Setup.exe
4920	Keygen_setup.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0006000000022e1e-136.dat	upx
behavioral2/files/0x0006000000022e1e-138.dat	upx
behavioral2/memory/4920-139-0x0000000000400000-0x0000000000409000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	405052c81773585a5ee8d8d159a0e6975b8e38c7e16fd4f2b880936e71aeeb29.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2604	Setup.exe
2604	Setup.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4716 wrote to memory of 2604	4716	405052c81773585a5ee8d8d159a0e6975b8e38c7e16fd4f2b880936e71aeeb29.exe	80
PID 4716 wrote to memory of 2604	4716	405052c81773585a5ee8d8d159a0e6975b8e38c7e16fd4f2b880936e71aeeb29.exe	80
PID 4716 wrote to memory of 2604	4716	405052c81773585a5ee8d8d159a0e6975b8e38c7e16fd4f2b880936e71aeeb29.exe	80
PID 2604 wrote to memory of 4920	2604	Setup.exe	81
PID 2604 wrote to memory of 4920	2604	Setup.exe	81
PID 2604 wrote to memory of 4920	2604	Setup.exe	81

C:\Users\Admin\AppData\Local\Temp\405052c81773585a5ee8d8d159a0e6975b8e38c7e16fd4f2b880936e71aeeb29.exe
"C:\Users\Admin\AppData\Local\Temp\405052c81773585a5ee8d8d159a0e6975b8e38c7e16fd4f2b880936e71aeeb29.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4716
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2604
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Keygen_setup.exe
    C:\Users\Admin\AppData\Local\Temp\RarSFX0\Keygen_setup.exe
    3⤵
    - Executes dropped EXE
    PID:4920

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\GTemp.dat

Filesize
9KB

MD5
ecb1bb988be14c7e09ef6af45a66a6f4

SHA1
80f0f9ec6eb1dac19622d11dc3e7d30d9ed440b9

SHA256
612215e1d5dae1c0169dad7b41f44a49f23949c89ed461759831c5c394d8297a

SHA512
9883160c27fb72b9a26882389cdd26135afdcb584043d2c7a697a5ad41de26b51a8a789b14cb9ab0d5c509c727e17f9ae3772382dfd939c4035d7f3f19cbe43a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Keygen_setup.exe

Filesize
9KB

MD5
ecb1bb988be14c7e09ef6af45a66a6f4

SHA1
80f0f9ec6eb1dac19622d11dc3e7d30d9ed440b9

SHA256
612215e1d5dae1c0169dad7b41f44a49f23949c89ed461759831c5c394d8297a

SHA512
9883160c27fb72b9a26882389cdd26135afdcb584043d2c7a697a5ad41de26b51a8a789b14cb9ab0d5c509c727e17f9ae3772382dfd939c4035d7f3f19cbe43a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.EXE

Filesize
1017KB

MD5
ffb6e4847d82ebf60be4b1322785431e

SHA1
a233e82cc70f306e5da94c889265c49e6d8fbd8c

SHA256
a90cc432d60aad0241d8db3402998390c9bd5e60232e2e1dad3d2155284cf574

SHA512
accbc7855c9d61f2835abb7d3a64ab804fc97762d7dd9448b8b9df9f4cf4ec1cbfe492785a3f3cb3e4026bad143d68623215f6da5385f3e42988118fcdd9a951

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe

Filesize
1017KB

MD5
ffb6e4847d82ebf60be4b1322785431e

SHA1
a233e82cc70f306e5da94c889265c49e6d8fbd8c

SHA256
a90cc432d60aad0241d8db3402998390c9bd5e60232e2e1dad3d2155284cf574

SHA512
accbc7855c9d61f2835abb7d3a64ab804fc97762d7dd9448b8b9df9f4cf4ec1cbfe492785a3f3cb3e4026bad143d68623215f6da5385f3e42988118fcdd9a951

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.ini

Filesize
268B

MD5
7181382a62491511c3807a15f646ef98

SHA1
4cee9b0cd37283d292c8af1bfc01da364e6439ae

SHA256
d214412fc1b776e918c3055e0f6a43f38ca5ede46f3afa5b24a6947ffda8b6f2

SHA512
0bf295a7057bdb8bc5de8e95a742fe22f903b495f2e7f6a6e289e8f15cbc58a2892abd33afc89979c8e5d1bf25337c0468de5e2fc272b52d079de2ecd4d3d0c4

Download Submit
memory/4920-139-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download