afc0af47fddd29e270d670770c35bb95a212b35c5ecac43167959318fd4b3bea

Analysis

max time kernel
158s
max time network
186s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
06/12/2022, 20:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

afc0af47fddd29e270d670770c35bb95a212b35c5ecac43167959318fd4b3bea.exe
Size

440KB
MD5

dd4de41028911c5d9e1565aad48e06e5
SHA1

a97a21d642390719d3b5325e3a486608423bc23b
SHA256

afc0af47fddd29e270d670770c35bb95a212b35c5ecac43167959318fd4b3bea
SHA512

e1df19247f3382f870f73330e6a2941de3a5236b4a4632d8d4b7f97533b088df3e5897ec7f97228441bf2079553ecf7607d1eac8ed0b02efefc5197bb29f4194
SSDEEP

12288:pl41zfEOYGxSp+GKMXExFVWIaK3sojsifM:T6oOx0KMwVWIaeo

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2816	inl15FA.tmp

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	afc0af47fddd29e270d670770c35bb95a212b35c5ecac43167959318fd4b3bea.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	inl15FA.tmp

Loads dropped DLL 2 IoCs

pid	Process
5020	MsiExec.exe
5020	MsiExec.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\LOGS\DPX\setupact.log	expand.exe
File opened for modification	C:\Windows\LOGS\DPX\setuperr.log	expand.exe
File opened for modification	C:\Windows\Installer\MSID1D7.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID2C2.tmp	msiexec.exe
File created	C:\Windows\Installer\e57bbbe.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e57bbbe.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	afc0af47fddd29e270d670770c35bb95a212b35c5ecac43167959318fd4b3bea.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
668	afc0af47fddd29e270d670770c35bb95a212b35c5ecac43167959318fd4b3bea.exe
668	afc0af47fddd29e270d670770c35bb95a212b35c5ecac43167959318fd4b3bea.exe

Suspicious use of AdjustPrivilegeToken 40 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2532	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2532	msiexec.exe
Token: SeSecurityPrivilege	4916	msiexec.exe
Token: SeCreateTokenPrivilege	2532	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2532	msiexec.exe
Token: SeLockMemoryPrivilege	2532	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2532	msiexec.exe
Token: SeMachineAccountPrivilege	2532	msiexec.exe
Token: SeTcbPrivilege	2532	msiexec.exe
Token: SeSecurityPrivilege	2532	msiexec.exe
Token: SeTakeOwnershipPrivilege	2532	msiexec.exe
Token: SeLoadDriverPrivilege	2532	msiexec.exe
Token: SeSystemProfilePrivilege	2532	msiexec.exe
Token: SeSystemtimePrivilege	2532	msiexec.exe
Token: SeProfSingleProcessPrivilege	2532	msiexec.exe
Token: SeIncBasePriorityPrivilege	2532	msiexec.exe
Token: SeCreatePagefilePrivilege	2532	msiexec.exe
Token: SeCreatePermanentPrivilege	2532	msiexec.exe
Token: SeBackupPrivilege	2532	msiexec.exe
Token: SeRestorePrivilege	2532	msiexec.exe
Token: SeShutdownPrivilege	2532	msiexec.exe
Token: SeDebugPrivilege	2532	msiexec.exe
Token: SeAuditPrivilege	2532	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2532	msiexec.exe
Token: SeChangeNotifyPrivilege	2532	msiexec.exe
Token: SeRemoteShutdownPrivilege	2532	msiexec.exe
Token: SeUndockPrivilege	2532	msiexec.exe
Token: SeSyncAgentPrivilege	2532	msiexec.exe
Token: SeEnableDelegationPrivilege	2532	msiexec.exe
Token: SeManageVolumePrivilege	2532	msiexec.exe
Token: SeImpersonatePrivilege	2532	msiexec.exe
Token: SeCreateGlobalPrivilege	2532	msiexec.exe
Token: SeIncBasePriorityPrivilege	668	afc0af47fddd29e270d670770c35bb95a212b35c5ecac43167959318fd4b3bea.exe
Token: SeRestorePrivilege	4916	msiexec.exe
Token: SeTakeOwnershipPrivilege	4916	msiexec.exe
Token: SeRestorePrivilege	4916	msiexec.exe
Token: SeTakeOwnershipPrivilege	4916	msiexec.exe
Token: SeRestorePrivilege	4916	msiexec.exe
Token: SeTakeOwnershipPrivilege	4916	msiexec.exe
Token: SeIncBasePriorityPrivilege	2816	inl15FA.tmp

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 668 wrote to memory of 3440	668	afc0af47fddd29e270d670770c35bb95a212b35c5ecac43167959318fd4b3bea.exe	81
PID 668 wrote to memory of 3440	668	afc0af47fddd29e270d670770c35bb95a212b35c5ecac43167959318fd4b3bea.exe	81
PID 668 wrote to memory of 3440	668	afc0af47fddd29e270d670770c35bb95a212b35c5ecac43167959318fd4b3bea.exe	81
PID 668 wrote to memory of 2532	668	afc0af47fddd29e270d670770c35bb95a212b35c5ecac43167959318fd4b3bea.exe	83
PID 668 wrote to memory of 2532	668	afc0af47fddd29e270d670770c35bb95a212b35c5ecac43167959318fd4b3bea.exe	83
PID 668 wrote to memory of 2532	668	afc0af47fddd29e270d670770c35bb95a212b35c5ecac43167959318fd4b3bea.exe	83
PID 668 wrote to memory of 4436	668	afc0af47fddd29e270d670770c35bb95a212b35c5ecac43167959318fd4b3bea.exe	85
PID 668 wrote to memory of 4436	668	afc0af47fddd29e270d670770c35bb95a212b35c5ecac43167959318fd4b3bea.exe	85
PID 668 wrote to memory of 4436	668	afc0af47fddd29e270d670770c35bb95a212b35c5ecac43167959318fd4b3bea.exe	85
PID 668 wrote to memory of 764	668	afc0af47fddd29e270d670770c35bb95a212b35c5ecac43167959318fd4b3bea.exe	87
PID 668 wrote to memory of 764	668	afc0af47fddd29e270d670770c35bb95a212b35c5ecac43167959318fd4b3bea.exe	87
PID 668 wrote to memory of 764	668	afc0af47fddd29e270d670770c35bb95a212b35c5ecac43167959318fd4b3bea.exe	87
PID 668 wrote to memory of 3164	668	afc0af47fddd29e270d670770c35bb95a212b35c5ecac43167959318fd4b3bea.exe	89
PID 668 wrote to memory of 3164	668	afc0af47fddd29e270d670770c35bb95a212b35c5ecac43167959318fd4b3bea.exe	89
PID 668 wrote to memory of 3164	668	afc0af47fddd29e270d670770c35bb95a212b35c5ecac43167959318fd4b3bea.exe	89
PID 764 wrote to memory of 3568	764	cmd.exe	91
PID 764 wrote to memory of 3568	764	cmd.exe	91
PID 764 wrote to memory of 3568	764	cmd.exe	91
PID 4436 wrote to memory of 2816	4436	cmd.exe	94
PID 4436 wrote to memory of 2816	4436	cmd.exe	94
PID 4436 wrote to memory of 2816	4436	cmd.exe	94
PID 4916 wrote to memory of 5020	4916	msiexec.exe	96
PID 4916 wrote to memory of 5020	4916	msiexec.exe	96
PID 4916 wrote to memory of 5020	4916	msiexec.exe	96
PID 2816 wrote to memory of 1600	2816	inl15FA.tmp	97
PID 2816 wrote to memory of 1600	2816	inl15FA.tmp	97
PID 2816 wrote to memory of 1600	2816	inl15FA.tmp	97

C:\Users\Admin\AppData\Local\Temp\afc0af47fddd29e270d670770c35bb95a212b35c5ecac43167959318fd4b3bea.exe
"C:\Users\Admin\AppData\Local\Temp\afc0af47fddd29e270d670770c35bb95a212b35c5ecac43167959318fd4b3bea.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:668
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\run_kl_file.bat" "
  2⤵
  PID:3440
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\insFA72.tmp.msi" /quiet
  2⤵
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  PID:2532
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\run_dws_file.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4436
- - C:\Users\Admin\AppData\Local\Temp\inl15FA.tmp
    C:\Users\Admin\AppData\Local\Temp\inl15FA.tmp cdf1912.tmp
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2816
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\inl15FA.tmp > nul
      4⤵
      PID:1600
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp_ext_favurl_cab.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:764
- - C:\Windows\SysWOW64\expand.exe
    expand.exe "C:\Users\Admin\AppData\Local\Temp\favorites_url.cab" -F:*.* "C:\Users\Admin\Favorites"
    3⤵
    - Drops file in Windows directory
    PID:3568
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\AFC0AF~1.EXE > nul
  2⤵
  PID:3164

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4916
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 1D87255025F69FF5BCB719E8C04C2745
  2⤵
  - Loads dropped DLL
  PID:5020

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\cdf1912.tmp

Filesize
768B

MD5
d20d9eda31a2d0300e4589df7f352370

SHA1
79b46d2dbb489914cfedafdbc90e62951471b48e

SHA256
d7a1d6a8cf5c3fbb85cd06147a599f5274630b86b1c89721f10a60c1bbe994d8

SHA512
d28c5b69325a9833776ea362445b77b231a0ec9b9b8b4a2ad37a434ee8b2b0c1903d6ade1e372f73ac8ada951e0a24076cf23d9307d27fed5927f4bf8b0d0a5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\inl15FA.tmp

Filesize
57.2MB

MD5
d09752b3050c222dcce272247b834031

SHA1
b649230c72a345e76535a4ca5fa312396d8cf106

SHA256
ffafb18f5f8094df53f99885b1d722d469192605ae41f2b51baab5d69650952b

SHA512
417da071279decdf01565fdd8e4d446dd7f02906f770133c9bbd6fa57740968e9357c7dcc388926bf2bb6693d17783702c7d639272086890a07cc3ee375526b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\inl15FA.tmp

Filesize
57.2MB

MD5
d09752b3050c222dcce272247b834031

SHA1
b649230c72a345e76535a4ca5fa312396d8cf106

SHA256
ffafb18f5f8094df53f99885b1d722d469192605ae41f2b51baab5d69650952b

SHA512
417da071279decdf01565fdd8e4d446dd7f02906f770133c9bbd6fa57740968e9357c7dcc388926bf2bb6693d17783702c7d639272086890a07cc3ee375526b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\insFA72.tmp.msi

Filesize
57.5MB

MD5
3bcb82675e41906539bb4d680192571d

SHA1
ac745d3bbbf7d6cc28abd13b4fb9574a65521c58

SHA256
6204fdcacf433ce399ef25d5363777f63f918ec723724b7a1e6f3a265e6869eb

SHA512
c94d9f15a2dcb10ba65b5c5099b68495fe5476991b4f019e3354f3335ec2f2231ecfa2069d0a2abaa593fa9de640cd33b75d0c5f3951cce9e1b6839baf412b99

Download Submit
C:\Users\Admin\AppData\Local\Temp\run_dws_file.bat

Filesize
57B

MD5
4eac7675947829f5b7d6e153b95092e3

SHA1
73d582f6bc3aa59d3bdb1718aa5f9055b92b0235

SHA256
9becc0a72400ac3388fb20c4b43866ae6cdb4fcab3bdbe6c0490f72eeefe2159

SHA512
fe7af2ee7fa01a9ee43028e92503f3570739ad89dcfec707a6678c729df04b8aa9c0dbe60fb809e0be962514b23941c7a65475f4890c45545cce2e3bb985fe1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\run_kl_file.bat

Filesize
26B

MD5
49cb42ed4e90c1df7d7bd69348b4cac9

SHA1
0e06e4b6201177a24c304b02fb052d6f5393f314

SHA256
0fe404e349177b204405181c00c357c1ac82cbd04ca450e2faebeead2ef54b6d

SHA512
e42e038acbbf58c17a2fd0353b14f65d360ec886aafdade4e1d71ca45f9852d01a080a9d09676008aa15296a4ac87eb1ff6e29523d057f1d4452e21776cbc319

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp_ext_favurl_cab.bat

Filesize
98B

MD5
8663de6fce9208b795dc913d1a6a3f5b

SHA1
882193f208cf012eaf22eeaa4fef3b67e7c67c15

SHA256
2909ea8555f2fc19097c1070a1da8fcfd6dc6886aa1d99d7e0c05e53feeb5b61

SHA512
9381063e0f85e874be54ae22675393b82c6ab54b223090148e4acbeff6f22393c96c90b83d6538461b695528af01d1f1231cf5dc719f07d6168386974b490688

Download Submit
C:\Windows\Installer\MSID1D7.tmp

Filesize
48KB

MD5
9067aad412defc0d2888479609041392

SHA1
36cfffc3bafeb24f88ad5886ca5787ca008b6ba9

SHA256
99f4e00b6908057a2fe5067ff6c8b6e32b5c07558ab79139dc4b998f1da4b517

SHA512
e69f259d78b02e6c1a5d9c45898b59372329a5288fff655dd741353f112b2b8eed18b01caa2bf312a91f5e314e1c0b036321b37c8efbebdcf3650ba6b12dee6a

Download Submit
C:\Windows\Installer\MSID1D7.tmp

Filesize
48KB

MD5
9067aad412defc0d2888479609041392

SHA1
36cfffc3bafeb24f88ad5886ca5787ca008b6ba9

SHA256
99f4e00b6908057a2fe5067ff6c8b6e32b5c07558ab79139dc4b998f1da4b517

SHA512
e69f259d78b02e6c1a5d9c45898b59372329a5288fff655dd741353f112b2b8eed18b01caa2bf312a91f5e314e1c0b036321b37c8efbebdcf3650ba6b12dee6a

Download Submit
C:\Windows\Installer\MSID2C2.tmp

Filesize
48KB

MD5
9067aad412defc0d2888479609041392

SHA1
36cfffc3bafeb24f88ad5886ca5787ca008b6ba9

SHA256
99f4e00b6908057a2fe5067ff6c8b6e32b5c07558ab79139dc4b998f1da4b517

SHA512
e69f259d78b02e6c1a5d9c45898b59372329a5288fff655dd741353f112b2b8eed18b01caa2bf312a91f5e314e1c0b036321b37c8efbebdcf3650ba6b12dee6a

Download Submit
C:\Windows\Installer\MSID2C2.tmp

Filesize
48KB

MD5
9067aad412defc0d2888479609041392

SHA1
36cfffc3bafeb24f88ad5886ca5787ca008b6ba9

SHA256
99f4e00b6908057a2fe5067ff6c8b6e32b5c07558ab79139dc4b998f1da4b517

SHA512
e69f259d78b02e6c1a5d9c45898b59372329a5288fff655dd741353f112b2b8eed18b01caa2bf312a91f5e314e1c0b036321b37c8efbebdcf3650ba6b12dee6a

Download Submit
\??\c:\users\admin\appdata\local\temp\favorites_url.cab

Filesize
425B

MD5
da68bc3b7c3525670a04366bc55629f5

SHA1
15fda47ecfead7db8f7aee6ca7570138ba7f1b71

SHA256
73f3605192b676c92649034768378909a19d13883a7ea6f8ba1b096c78ffadb5

SHA512
6fee416affcb6a74621479697bca6f14f5429b00de3aa595abe3c60c6b2e094877b59f8783bbe7bdd567fa565d0630bb02def5603f8f0ea92fe8f2c3ac5383c0

Download Submit
memory/668-132-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/668-143-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download