c1451de2afbbdf6c7aec05741f913331000dd7d5d95eee640e71ae6fb01b1dc9

Analysis

max time kernel
151s
max time network
178s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
06/12/2022, 16:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c1451de2afbbdf6c7aec05741f913331000dd7d5d95eee640e71ae6fb01b1dc9.exe
Size

439KB
MD5

8e21a2293f84c9e15365ac7765c8a7fe
SHA1

3fe6eaea02022ac80820824b9d9a9763847daedf
SHA256

c1451de2afbbdf6c7aec05741f913331000dd7d5d95eee640e71ae6fb01b1dc9
SHA512

de29d4c53e95594adf4e0c8730109050dab41d664911f70626d163dabc87ed9a1815b7800994777215b99890458a1fd2fcad098ae3bafc02c70cdf60d2b53331
SSDEEP

6144:5ZunObR8sVImcyYC5JHz3jzB8kOQIq+3mxkyJIrC+J/pbKvCB23xqy7uXhY7pOKs:WK+mzX/6Y+4hupHQYyqXh6ZyDlgC9

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
3396	loadwg.exe
4768	jxqy2wg.exe
4160	gth93328.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0008000000022e3f-133.dat	upx
behavioral2/files/0x0008000000022e3f-134.dat	upx
behavioral2/memory/3396-135-0x0000000000400000-0x00000000004AC000-memory.dmp	upx
behavioral2/files/0x0007000000022e43-138.dat	upx
behavioral2/files/0x0007000000022e43-137.dat	upx
behavioral2/memory/4768-139-0x0000000000400000-0x0000000000411000-memory.dmp	upx
behavioral2/memory/3396-146-0x0000000000400000-0x00000000004AC000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	c1451de2afbbdf6c7aec05741f913331000dd7d5d95eee640e71ae6fb01b1dc9.exe

Loads dropped DLL 2 IoCs

pid	Process
4768	jxqy2wg.exe
4160	gth93328.exe

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/3396-135-0x0000000000400000-0x00000000004AC000-memory.dmp	autoit_exe
behavioral2/memory/3396-146-0x0000000000400000-0x00000000004AC000-memory.dmp	autoit_exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\mmsfc1.dll	jxqy2wg.exe
File opened for modification	C:\Windows\SysWOW64\mmsfc1.dll	jxqy2wg.exe
File created	C:\Windows\SysWOW64\ComRes.dll	jxqy2wg.exe
File created	C:\Windows\SysWOW64\gth93328.exe	jxqy2wg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\fonts\ComRes.dll	jxqy2wg.exe
File created	C:\Windows\fonts\gth93328.ttf	jxqy2wg.exe
File created	C:\Windows\fonts\gth93328.fon	jxqy2wg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3396	loadwg.exe
3396	loadwg.exe
4768	jxqy2wg.exe
4768	jxqy2wg.exe
4160	gth93328.exe
4160	gth93328.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3396	loadwg.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4160	gth93328.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4944 wrote to memory of 3396	4944	c1451de2afbbdf6c7aec05741f913331000dd7d5d95eee640e71ae6fb01b1dc9.exe	81
PID 4944 wrote to memory of 3396	4944	c1451de2afbbdf6c7aec05741f913331000dd7d5d95eee640e71ae6fb01b1dc9.exe	81
PID 4944 wrote to memory of 3396	4944	c1451de2afbbdf6c7aec05741f913331000dd7d5d95eee640e71ae6fb01b1dc9.exe	81
PID 3396 wrote to memory of 4768	3396	loadwg.exe	82
PID 3396 wrote to memory of 4768	3396	loadwg.exe	82
PID 3396 wrote to memory of 4768	3396	loadwg.exe	82
PID 4768 wrote to memory of 4160	4768	jxqy2wg.exe	83
PID 4768 wrote to memory of 4160	4768	jxqy2wg.exe	83
PID 4768 wrote to memory of 4160	4768	jxqy2wg.exe	83

C:\Users\Admin\AppData\Local\Temp\c1451de2afbbdf6c7aec05741f913331000dd7d5d95eee640e71ae6fb01b1dc9.exe
"C:\Users\Admin\AppData\Local\Temp\c1451de2afbbdf6c7aec05741f913331000dd7d5d95eee640e71ae6fb01b1dc9.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4944
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\loadwg.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\loadwg.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  PID:3396
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\jxqy2wg.exe
    jxqy2wg.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4768
  - - C:\Windows\SysWOW64\gth93328.exe
      C:\Windows\system32\gth93328.exe C:\Windows\fonts\ComRes.dll ins C:\Users\Admin\AppData\Local\Temp\RarSFX0\jxqy2wg.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:4160

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\jxqy2wg.exe

Filesize
13KB

MD5
f2cc9ecf99f5985a83b2b508393988b1

SHA1
46d1c0ad671f28c3d6348c05241b821b7b548403

SHA256
5aacabfd8df35f5dc68bd8b53f7d8d5934b821dd783fd45eafc86cdda0b9fc62

SHA512
d60374ae25c4710b5a7a543b93142aa1bb6bd1f82efc5745cb0397bf44ea0c5880e7f0a6f483101844137de47fe7933e9bd2a1cda172733407898ef29c0cd4f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\jxqy2wg.exe

Filesize
13KB

MD5
f2cc9ecf99f5985a83b2b508393988b1

SHA1
46d1c0ad671f28c3d6348c05241b821b7b548403

SHA256
5aacabfd8df35f5dc68bd8b53f7d8d5934b821dd783fd45eafc86cdda0b9fc62

SHA512
d60374ae25c4710b5a7a543b93142aa1bb6bd1f82efc5745cb0397bf44ea0c5880e7f0a6f483101844137de47fe7933e9bd2a1cda172733407898ef29c0cd4f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\loadwg.exe

Filesize
334KB

MD5
bae3eb4767317ba6eb0805347f32c66c

SHA1
644ae6e107658e478f15dfce652fcb0e4e493af6

SHA256
a982cdae025294cc536d2d429205151e6934dd54b2850af220bed6f58f4c1dfb

SHA512
01ce521798e583be251839f53397b104b35aec8800e282496196824163138efc866f553805c330bdf5653b16c215eafb07a0ea08a0fb122a28f0d4d72298160e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\loadwg.exe

Filesize
334KB

MD5
bae3eb4767317ba6eb0805347f32c66c

SHA1
644ae6e107658e478f15dfce652fcb0e4e493af6

SHA256
a982cdae025294cc536d2d429205151e6934dd54b2850af220bed6f58f4c1dfb

SHA512
01ce521798e583be251839f53397b104b35aec8800e282496196824163138efc866f553805c330bdf5653b16c215eafb07a0ea08a0fb122a28f0d4d72298160e

Download Submit
C:\Windows\Fonts\ComRes.dll

Filesize
11KB

MD5
83c8f3d19f6fc955b963d96b7fc2ed31

SHA1
3711484927df300f62f3d489dccf8434994ca823

SHA256
368e0ed94f1d475bfe6fe18832fc4e7a4076f91603ece6705e89aeda69ddc160

SHA512
b112aab208edef0ed00b52a204a18c3d593c1bcc750556a6059f10c620e002b62c88d03eea2ad14e9ab8a80227bbb66e5e046a9a93786265172a04548f99ee8d

Download Submit
C:\Windows\SysWOW64\gth93328.exe

Filesize
60KB

MD5
889b99c52a60dd49227c5e485a016679

SHA1
8fa889e456aa646a4d0a4349977430ce5fa5e2d7

SHA256
6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910

SHA512
08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641

Download Submit
C:\Windows\SysWOW64\gth93328.exe

Filesize
60KB

MD5
889b99c52a60dd49227c5e485a016679

SHA1
8fa889e456aa646a4d0a4349977430ce5fa5e2d7

SHA256
6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910

SHA512
08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641

Download Submit
C:\Windows\SysWOW64\mmsfc1.dll

Filesize
48KB

MD5
98c499fccb739ab23b75c0d8b98e0481

SHA1
0ef5c464823550d5f53dd485e91dabc5d5a1ba0a

SHA256
d9d8ce1b86b3978889466ab1b9f46778942d276922bf7533327a493083913087

SHA512
9e64ac13e18ab0a518bb85b6612520645b5ab2c9a5359ced943813ba7344714999f25ba0e52240ad2d0c2fefc76552ff43173adc46334ff0b5dba171fb58e4e6

Download Submit
C:\Windows\fonts\ComRes.dll

Filesize
11KB

MD5
83c8f3d19f6fc955b963d96b7fc2ed31

SHA1
3711484927df300f62f3d489dccf8434994ca823

SHA256
368e0ed94f1d475bfe6fe18832fc4e7a4076f91603ece6705e89aeda69ddc160

SHA512
b112aab208edef0ed00b52a204a18c3d593c1bcc750556a6059f10c620e002b62c88d03eea2ad14e9ab8a80227bbb66e5e046a9a93786265172a04548f99ee8d

Download Submit
memory/3396-135-0x0000000000400000-0x00000000004AC000-memory.dmp

Filesize
688KB

Download
memory/3396-146-0x0000000000400000-0x00000000004AC000-memory.dmp

Filesize
688KB

Download
memory/4768-139-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download