27538571cb75cbb274d3309364a8eaf94d76fe06db8d9b10448615f74517fb8b

Analysis

max time kernel
155s
max time network
175s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
06/12/2022, 16:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

27538571cb75cbb274d3309364a8eaf94d76fe06db8d9b10448615f74517fb8b.exe
Size

1.6MB
MD5

055f4404c4fa658b051a226d2be7fef7
SHA1

67bd43a985ac7cd05da93d1f5f57cda2154e9e6b
SHA256

27538571cb75cbb274d3309364a8eaf94d76fe06db8d9b10448615f74517fb8b
SHA512

1d9004347830d9bb7d36d0152a70177e5026bf6a1cad356097635363af701bdf6066140ca93486f6cd3065016e9af51e00f895a788ab76a797722d5326334e80
SSDEEP

49152:zSU7M2iHGFL0S+IwMcrO1/PP1CWYGpRFROiw:zl7emF0S+H3SPPEWYORFR9w

Score

9^/10

evasion persistence

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ctfmon.exe

Executes dropped EXE 1 IoCs

pid	Process
4832	ctfmon.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	27538571cb75cbb274d3309364a8eaf94d76fe06db8d9b10448615f74517fb8b.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Wine	ctfmon.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	ctfmon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmon = "C:\\windows\\ctfmon.exe"	ctfmon.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
4832	ctfmon.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\__tmp_rar_sfx_access_check_240570593	27538571cb75cbb274d3309364a8eaf94d76fe06db8d9b10448615f74517fb8b.exe
File created	C:\Windows\ctfmon.exe	27538571cb75cbb274d3309364a8eaf94d76fe06db8d9b10448615f74517fb8b.exe
File opened for modification	C:\Windows\ctfmon.exe	27538571cb75cbb274d3309364a8eaf94d76fe06db8d9b10448615f74517fb8b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 62 IoCs

pid	Process
4832	ctfmon.exe
4832	ctfmon.exe
4832	ctfmon.exe
4832	ctfmon.exe
4832	ctfmon.exe
4832	ctfmon.exe
4832	ctfmon.exe
4832	ctfmon.exe
4832	ctfmon.exe
4832	ctfmon.exe
4832	ctfmon.exe
4832	ctfmon.exe
4832	ctfmon.exe
4832	ctfmon.exe
4832	ctfmon.exe
4832	ctfmon.exe
4832	ctfmon.exe
4832	ctfmon.exe
4832	ctfmon.exe
4832	ctfmon.exe
4832	ctfmon.exe
4832	ctfmon.exe
4832	ctfmon.exe
4832	ctfmon.exe
4832	ctfmon.exe
4832	ctfmon.exe
4832	ctfmon.exe
4832	ctfmon.exe
4832	ctfmon.exe
4832	ctfmon.exe
4832	ctfmon.exe
4832	ctfmon.exe
4832	ctfmon.exe
4832	ctfmon.exe
4832	ctfmon.exe
4832	ctfmon.exe
4832	ctfmon.exe
4832	ctfmon.exe
4832	ctfmon.exe
4832	ctfmon.exe
4832	ctfmon.exe
4832	ctfmon.exe
4832	ctfmon.exe
4832	ctfmon.exe
4832	ctfmon.exe
4832	ctfmon.exe
4832	ctfmon.exe
4832	ctfmon.exe
4832	ctfmon.exe
4832	ctfmon.exe
4832	ctfmon.exe
4832	ctfmon.exe
4832	ctfmon.exe
4832	ctfmon.exe
4832	ctfmon.exe
4832	ctfmon.exe
4832	ctfmon.exe
4832	ctfmon.exe
4832	ctfmon.exe
4832	ctfmon.exe
4832	ctfmon.exe
4832	ctfmon.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2116 wrote to memory of 4832	2116	27538571cb75cbb274d3309364a8eaf94d76fe06db8d9b10448615f74517fb8b.exe	79
PID 2116 wrote to memory of 4832	2116	27538571cb75cbb274d3309364a8eaf94d76fe06db8d9b10448615f74517fb8b.exe	79
PID 2116 wrote to memory of 4832	2116	27538571cb75cbb274d3309364a8eaf94d76fe06db8d9b10448615f74517fb8b.exe	79

C:\Users\Admin\AppData\Local\Temp\27538571cb75cbb274d3309364a8eaf94d76fe06db8d9b10448615f74517fb8b.exe
"C:\Users\Admin\AppData\Local\Temp\27538571cb75cbb274d3309364a8eaf94d76fe06db8d9b10448615f74517fb8b.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2116
- C:\windows\ctfmon.exe
  "C:\windows\ctfmon.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID:4832

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\ctfmon.exe

Filesize
1.5MB

MD5
111f20401702b3f2eb0eedf5dd4b9c21

SHA1
d6887d7f1f2909bda35965f6d5727d15bbfd343f

SHA256
345799b219fed6591a725402b251741a8dd9d8accf51c1c578212295b3bbb18e

SHA512
b7dd13d56787dda5e11d8be381d193d36cf8847a7c515c85213abbf74c45cafa22eea4161f761e9b6a5cf6595bb973d1be4e16a9b63e3d44d88e0a5d53927570

Download Submit
C:\windows\ctfmon.exe

Filesize
1.5MB

MD5
111f20401702b3f2eb0eedf5dd4b9c21

SHA1
d6887d7f1f2909bda35965f6d5727d15bbfd343f

SHA256
345799b219fed6591a725402b251741a8dd9d8accf51c1c578212295b3bbb18e

SHA512
b7dd13d56787dda5e11d8be381d193d36cf8847a7c515c85213abbf74c45cafa22eea4161f761e9b6a5cf6595bb973d1be4e16a9b63e3d44d88e0a5d53927570

Download Submit
memory/4832-136-0x0000000000400000-0x0000000000726000-memory.dmp

Filesize
3.1MB

Download
memory/4832-137-0x0000000077360000-0x0000000077503000-memory.dmp

Filesize
1.6MB

Download
memory/4832-138-0x0000000000400000-0x0000000000726000-memory.dmp

Filesize
3.1MB

Download
memory/4832-139-0x0000000000400000-0x0000000000726000-memory.dmp

Filesize
3.1MB

Download
memory/4832-140-0x0000000077360000-0x0000000077503000-memory.dmp

Filesize
1.6MB

Download
memory/4832-141-0x0000000000400000-0x0000000000726000-memory.dmp

Filesize
3.1MB

Download