18cf2ec90e51d778b8e375ee652cb1be2641a0277767ae9a06e5814c98e5cac3

Analysis

max time kernel
205s
max time network
203s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
07-12-2022 01:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

18cf2ec90e51d778b8e375ee652cb1be2641a0277767ae9a06e5814c98e5cac3.exe
Size

1.0MB
MD5

5b6c66e563d58f109037893a00ec2597
SHA1

ce6305c94ab8a67ec6fac0e27fddf22c96a0e550
SHA256

18cf2ec90e51d778b8e375ee652cb1be2641a0277767ae9a06e5814c98e5cac3
SHA512

36b56994424b2d15690b681eae89d70618bf8905731c22ad647e566ba450172b5c9f543c38addb80b32ce350ca8ba0494ab4fafb1294cbd7582135cb4d77526d
SSDEEP

12288:oP97VMS8Btcq58JYuQmRR2geC/nEXn0vVybfitBZLr:SxVb83cq5wQmRQgeCvc0vVsiTLr

Score

8^/10

persistence

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	tmpsetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\winlogon = "C:\\Windows\\system32\\syslg.exe"	tmpsetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\status = "C:\\Windows\\system32\\syslg.exe"	tmpsetup.exe

Executes dropped EXE 4 IoCs

pid	Process
4468	both.exe
4696	thsscan.exe
2476	setuploader.exe
2084	tmpsetup.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	18cf2ec90e51d778b8e375ee652cb1be2641a0277767ae9a06e5814c98e5cac3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	both.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ntfsv.exe	setuploader.exe
File opened for modification	C:\Windows\SysWOW64\ntfsv.exe	setuploader.exe
File created	C:\Windows\SysWOW64\syslg.exe	tmpsetup.exe
File opened for modification	C:\Windows\SysWOW64\syslg.exe	tmpsetup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2476	setuploader.exe
2476	setuploader.exe
2476	setuploader.exe
2476	setuploader.exe
2476	setuploader.exe
2476	setuploader.exe
2476	setuploader.exe
2476	setuploader.exe
2476	setuploader.exe
2476	setuploader.exe
2476	setuploader.exe
2476	setuploader.exe
2476	setuploader.exe
2476	setuploader.exe
2476	setuploader.exe
2476	setuploader.exe
2476	setuploader.exe
2476	setuploader.exe
2476	setuploader.exe
2476	setuploader.exe
2476	setuploader.exe
2476	setuploader.exe
2476	setuploader.exe
2476	setuploader.exe
2476	setuploader.exe
2476	setuploader.exe
2476	setuploader.exe
2476	setuploader.exe
2476	setuploader.exe
2476	setuploader.exe
2476	setuploader.exe
2476	setuploader.exe
2476	setuploader.exe
2476	setuploader.exe
2476	setuploader.exe
2476	setuploader.exe
2476	setuploader.exe
2476	setuploader.exe
2476	setuploader.exe
2476	setuploader.exe
2476	setuploader.exe
2476	setuploader.exe
2476	setuploader.exe
2476	setuploader.exe
2476	setuploader.exe
2476	setuploader.exe
2476	setuploader.exe
2476	setuploader.exe
2476	setuploader.exe
2476	setuploader.exe
2476	setuploader.exe
2476	setuploader.exe
2476	setuploader.exe
2476	setuploader.exe
2476	setuploader.exe
2476	setuploader.exe
2476	setuploader.exe
2476	setuploader.exe
2476	setuploader.exe
2476	setuploader.exe
2476	setuploader.exe
2476	setuploader.exe
2476	setuploader.exe
2476	setuploader.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2084	tmpsetup.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2476	setuploader.exe
2084	tmpsetup.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
4468	both.exe
2476	setuploader.exe
2084	tmpsetup.exe
2084	tmpsetup.exe
2084	tmpsetup.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 5088 wrote to memory of 4468	5088	18cf2ec90e51d778b8e375ee652cb1be2641a0277767ae9a06e5814c98e5cac3.exe	87
PID 5088 wrote to memory of 4468	5088	18cf2ec90e51d778b8e375ee652cb1be2641a0277767ae9a06e5814c98e5cac3.exe	87
PID 5088 wrote to memory of 4468	5088	18cf2ec90e51d778b8e375ee652cb1be2641a0277767ae9a06e5814c98e5cac3.exe	87
PID 5088 wrote to memory of 4696	5088	18cf2ec90e51d778b8e375ee652cb1be2641a0277767ae9a06e5814c98e5cac3.exe	88
PID 5088 wrote to memory of 4696	5088	18cf2ec90e51d778b8e375ee652cb1be2641a0277767ae9a06e5814c98e5cac3.exe	88
PID 5088 wrote to memory of 4696	5088	18cf2ec90e51d778b8e375ee652cb1be2641a0277767ae9a06e5814c98e5cac3.exe	88
PID 4468 wrote to memory of 2476	4468	both.exe	92
PID 4468 wrote to memory of 2476	4468	both.exe	92
PID 4468 wrote to memory of 2476	4468	both.exe	92
PID 4468 wrote to memory of 2084	4468	both.exe	94
PID 4468 wrote to memory of 2084	4468	both.exe	94
PID 4468 wrote to memory of 2084	4468	both.exe	94

C:\Users\Admin\AppData\Local\Temp\18cf2ec90e51d778b8e375ee652cb1be2641a0277767ae9a06e5814c98e5cac3.exe
"C:\Users\Admin\AppData\Local\Temp\18cf2ec90e51d778b8e375ee652cb1be2641a0277767ae9a06e5814c98e5cac3.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5088
- C:\Users\Admin\AppData\Local\Temp\both.exe
  "C:\Users\Admin\AppData\Local\Temp\both.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4468
- - C:\Users\Admin\setuploader.exe
    "C:\Users\Admin\setuploader.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    PID:2476
- - C:\Users\Admin\AppData\Local\Temp\tmpsetup.exe
    "C:\Users\Admin\AppData\Local\Temp\tmpsetup.exe"
    3⤵
    - Adds policy Run key to start application
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    PID:2084
- C:\Users\Admin\AppData\Local\Temp\thsscan.exe
  "C:\Users\Admin\AppData\Local\Temp\thsscan.exe"
  2⤵
  - Executes dropped EXE
  PID:4696

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\both.exe

Filesize
328KB

MD5
f8370582074f5f85a5fe7a10889ae6bc

SHA1
298ed7f9c9727ba79613220fa06e2b2d716ccf72

SHA256
a4f87af981a5e0037544b03b98a2f58ab63f9c7f7bd137383f0deb4f87eeaa39

SHA512
f0358941be742548e577e0d008bfb0604d7adbfaf74e86c52eb272360446e110163652353cae5bb7669ed685f6e33ec094d545dfef42e1508807fad0631e105f

Download Submit
C:\Users\Admin\AppData\Local\Temp\both.exe

Filesize
328KB

MD5
f8370582074f5f85a5fe7a10889ae6bc

SHA1
298ed7f9c9727ba79613220fa06e2b2d716ccf72

SHA256
a4f87af981a5e0037544b03b98a2f58ab63f9c7f7bd137383f0deb4f87eeaa39

SHA512
f0358941be742548e577e0d008bfb0604d7adbfaf74e86c52eb272360446e110163652353cae5bb7669ed685f6e33ec094d545dfef42e1508807fad0631e105f

Download Submit
C:\Users\Admin\AppData\Local\Temp\thsscan.exe

Filesize
517KB

MD5
8c1e53f34d0e6b731ec5c7e2fb18fd74

SHA1
94e98a3eac738466a5e53fb2e57c39666488b5db

SHA256
768ce6276d73ee630bdcd5c230517729b83df4fadf0325ed621525ff9d59535f

SHA512
311bd75bd99c7716503e5bf32233cf28036017a84049b3bb35f1c066718e5d725c16c63908701db4f316ffb1811fa2dcd7d0ce00543ca8c30677f7a85ff39663

Download Submit
C:\Users\Admin\AppData\Local\Temp\thsscan.exe

Filesize
517KB

MD5
8c1e53f34d0e6b731ec5c7e2fb18fd74

SHA1
94e98a3eac738466a5e53fb2e57c39666488b5db

SHA256
768ce6276d73ee630bdcd5c230517729b83df4fadf0325ed621525ff9d59535f

SHA512
311bd75bd99c7716503e5bf32233cf28036017a84049b3bb35f1c066718e5d725c16c63908701db4f316ffb1811fa2dcd7d0ce00543ca8c30677f7a85ff39663

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpsetup.exe

Filesize
68KB

MD5
32591caab14bd50332184c67ca582cd3

SHA1
0e30db94f0e8a486e1bd9fafb4a47b5d14670869

SHA256
fec686af0f201c49cf79666953532b0a816fccbebccbee4f2db80bb5e7270cb0

SHA512
017d622988cd9bb2043d10591b42b3cbd4031d5e2417cfca124454b877c83aae6e1487d7f259ba4f1df06f4edd43d85df21bf679ffaa92f6bccf4b0c7942f6ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpsetup.exe

Filesize
68KB

MD5
32591caab14bd50332184c67ca582cd3

SHA1
0e30db94f0e8a486e1bd9fafb4a47b5d14670869

SHA256
fec686af0f201c49cf79666953532b0a816fccbebccbee4f2db80bb5e7270cb0

SHA512
017d622988cd9bb2043d10591b42b3cbd4031d5e2417cfca124454b877c83aae6e1487d7f259ba4f1df06f4edd43d85df21bf679ffaa92f6bccf4b0c7942f6ab

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms

Filesize
8KB

MD5
2f69578a66a611a8836a258252e83b7d

SHA1
bfac4dad65557d2e17c12b01db6b720f27704642

SHA256
ebcca18b66e4d636042ace5e47068e79931cc9946121da8786590a1f99525486

SHA512
dd57286bba17e614f40cf3193468075803948027bb2b11dcdb879a30a4d7c6a51e5674e323bad17038ebdd133a9529ff56535b472d3e5e3a3c29bdbb7e005c94

Download Submit
C:\Users\Admin\setuploader.exe

Filesize
228KB

MD5
0b4fb9750c3cd5d2231f5ea94841d2e7

SHA1
5c69b4f321c1e3844176200466b627b989834373

SHA256
118be76da5b2718fc33437b76ef418c3765e638c5dc1a33020f0eb99c466788d

SHA512
1586f6a26e2fe55c81cb10f0b12a2cda5a04fcb1841d69529d6d4ef5bd9cb0e1d1227efe13b45fac120969af8e5f535bc8cac7e4a0b42e453dc67ccbefdc7c03

Download Submit
C:\Users\Admin\setuploader.exe

Filesize
228KB

MD5
0b4fb9750c3cd5d2231f5ea94841d2e7

SHA1
5c69b4f321c1e3844176200466b627b989834373

SHA256
118be76da5b2718fc33437b76ef418c3765e638c5dc1a33020f0eb99c466788d

SHA512
1586f6a26e2fe55c81cb10f0b12a2cda5a04fcb1841d69529d6d4ef5bd9cb0e1d1227efe13b45fac120969af8e5f535bc8cac7e4a0b42e453dc67ccbefdc7c03

Download Submit
memory/5088-132-0x00007FFC12280000-0x00007FFC12CB6000-memory.dmp

Filesize
10.2MB

Download