697e62397fc23378fba522e74ea346037d824a3eaf9f6bd327463ec9f407801d

Analysis

max time kernel
135s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
07/12/2022, 02:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

697e62397fc23378fba522e74ea346037d824a3eaf9f6bd327463ec9f407801d.exe
Size

900KB
MD5

198f415b24b28b8990a1f8f23d352150
SHA1

4495cda6c0d58c6b63fc0d7a8140136a62b04acb
SHA256

697e62397fc23378fba522e74ea346037d824a3eaf9f6bd327463ec9f407801d
SHA512

f2408acb5bb6e8d521fdc0112f58d5ba9051cec8cde46c45771f95e476299c797537ae3d1185df2ddd0d6620d76740fc9ee0ee2f35386576936c2cb6031f4c0d
SSDEEP

24576:/Wb6aXAxG3hB4LzNnAyXo/HrbszVjZGwcUhULRAB8s:9wxB4JARvrwVjwUhEmB8s

Score

8^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
1476	1.exe
3772	1.exe
204	CLOCXS~1.EXE
5040	ClocX.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0004000000022def-133.dat	upx
behavioral2/files/0x0004000000022def-134.dat	upx
behavioral2/memory/1476-136-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/files/0x0004000000022def-140.dat	upx
behavioral2/memory/1476-142-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/files/0x0001000000022e10-148.dat	upx
behavioral2/files/0x0001000000022e10-149.dat	upx
behavioral2/memory/5040-153-0x0000000000400000-0x000000000044A000-memory.dmp	upx
behavioral2/memory/5040-156-0x0000000000400000-0x000000000044A000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	CLOCXS~1.EXE

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	697e62397fc23378fba522e74ea346037d824a3eaf9f6bd327463ec9f407801d.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	697e62397fc23378fba522e74ea346037d824a3eaf9f6bd327463ec9f407801d.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1476 set thread context of 3772	1476	1.exe	84

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3772	1.exe
3772	1.exe
3772	1.exe
3772	1.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
5040	ClocX.exe
5040	ClocX.exe
5040	ClocX.exe
5040	ClocX.exe
5040	ClocX.exe

Suspicious use of SendNotifyMessage 5 IoCs

pid	Process
5040	ClocX.exe
5040	ClocX.exe
5040	ClocX.exe
5040	ClocX.exe
5040	ClocX.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1476	1.exe
5040	ClocX.exe
5040	ClocX.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 400 wrote to memory of 1476	400	697e62397fc23378fba522e74ea346037d824a3eaf9f6bd327463ec9f407801d.exe	83
PID 400 wrote to memory of 1476	400	697e62397fc23378fba522e74ea346037d824a3eaf9f6bd327463ec9f407801d.exe	83
PID 400 wrote to memory of 1476	400	697e62397fc23378fba522e74ea346037d824a3eaf9f6bd327463ec9f407801d.exe	83
PID 1476 wrote to memory of 3772	1476	1.exe	84
PID 1476 wrote to memory of 3772	1476	1.exe	84
PID 1476 wrote to memory of 3772	1476	1.exe	84
PID 1476 wrote to memory of 3772	1476	1.exe	84
PID 1476 wrote to memory of 3772	1476	1.exe	84
PID 1476 wrote to memory of 3772	1476	1.exe	84
PID 1476 wrote to memory of 3772	1476	1.exe	84
PID 400 wrote to memory of 204	400	697e62397fc23378fba522e74ea346037d824a3eaf9f6bd327463ec9f407801d.exe	85
PID 400 wrote to memory of 204	400	697e62397fc23378fba522e74ea346037d824a3eaf9f6bd327463ec9f407801d.exe	85
PID 400 wrote to memory of 204	400	697e62397fc23378fba522e74ea346037d824a3eaf9f6bd327463ec9f407801d.exe	85
PID 204 wrote to memory of 5040	204	CLOCXS~1.EXE	86
PID 204 wrote to memory of 5040	204	CLOCXS~1.EXE	86
PID 204 wrote to memory of 5040	204	CLOCXS~1.EXE	86
PID 3772 wrote to memory of 2440	3772	1.exe	54
PID 3772 wrote to memory of 2440	3772	1.exe	54
PID 3772 wrote to memory of 2440	3772	1.exe	54
PID 3772 wrote to memory of 2440	3772	1.exe	54

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2440
- C:\Users\Admin\AppData\Local\Temp\697e62397fc23378fba522e74ea346037d824a3eaf9f6bd327463ec9f407801d.exe
  "C:\Users\Admin\AppData\Local\Temp\697e62397fc23378fba522e74ea346037d824a3eaf9f6bd327463ec9f407801d.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:400
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1476
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:3772
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CLOCXS~1.EXE
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CLOCXS~1.EXE
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:204
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\ClocX.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\ClocX.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      PID:5040

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.exe

Filesize
59KB

MD5
20003d25cef119d2c03e70fb332adbc3

SHA1
7170c157aac6d51b7ac9d6d161106b504ea275bd

SHA256
a687665a2f6fc8f137fbd4564a56a603c7e98c5322c2063e3a39ef61509cea53

SHA512
9b92a48609b71dd7b30407817e12a5cae2a28daad5213cf38a4407a6b8bc24688a6a6194c4ff28afa84c57f788a0c4352697cc775505dd1e549cdbfba16235b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.exe

Filesize
59KB

MD5
20003d25cef119d2c03e70fb332adbc3

SHA1
7170c157aac6d51b7ac9d6d161106b504ea275bd

SHA256
a687665a2f6fc8f137fbd4564a56a603c7e98c5322c2063e3a39ef61509cea53

SHA512
9b92a48609b71dd7b30407817e12a5cae2a28daad5213cf38a4407a6b8bc24688a6a6194c4ff28afa84c57f788a0c4352697cc775505dd1e549cdbfba16235b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.exe

Filesize
59KB

MD5
20003d25cef119d2c03e70fb332adbc3

SHA1
7170c157aac6d51b7ac9d6d161106b504ea275bd

SHA256
a687665a2f6fc8f137fbd4564a56a603c7e98c5322c2063e3a39ef61509cea53

SHA512
9b92a48609b71dd7b30407817e12a5cae2a28daad5213cf38a4407a6b8bc24688a6a6194c4ff28afa84c57f788a0c4352697cc775505dd1e549cdbfba16235b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CLOCXS~1.EXE

Filesize
833KB

MD5
0dcc426207c512d94489e8ef441d8fdb

SHA1
5a9e252b90fbc641d5cda07e03855179f5a8ee02

SHA256
60b0ac49eab24a7b2903ff3583d9d8f7e1af9eab8535779ced4a771cce7b17d7

SHA512
5b1854f77025ebb12f531201b300ce59a6ca56f893e2d104e8cde02577b38a7b92638d1590343e288847c648aaed09f20da5d46479721b1156b283e0ee7098c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CLOCXS~1.EXE

Filesize
833KB

MD5
0dcc426207c512d94489e8ef441d8fdb

SHA1
5a9e252b90fbc641d5cda07e03855179f5a8ee02

SHA256
60b0ac49eab24a7b2903ff3583d9d8f7e1af9eab8535779ced4a771cce7b17d7

SHA512
5b1854f77025ebb12f531201b300ce59a6ca56f893e2d104e8cde02577b38a7b92638d1590343e288847c648aaed09f20da5d46479721b1156b283e0ee7098c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\ClocX.exe

Filesize
101KB

MD5
fb2060dd6983a555be9e06d961a61f04

SHA1
046e1d266541f3f36c241a5ebdc51bf5bf74da26

SHA256
458d8ff6c5c6e50b1b399c0cf470d2f5c41155135ad88d1461861d447655e24e

SHA512
76174713e0c6246529faa5c968889f36139e7f6ca60d5f72183ccf830cc23f3384839a15130c68a9c557d20f208fcfa792d902203c57f24a2c864aafd2174526

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\ClocX.exe

Filesize
101KB

MD5
fb2060dd6983a555be9e06d961a61f04

SHA1
046e1d266541f3f36c241a5ebdc51bf5bf74da26

SHA256
458d8ff6c5c6e50b1b399c0cf470d2f5c41155135ad88d1461861d447655e24e

SHA512
76174713e0c6246529faa5c968889f36139e7f6ca60d5f72183ccf830cc23f3384839a15130c68a9c557d20f208fcfa792d902203c57f24a2c864aafd2174526

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Lang\english.lng

Filesize
1KB

MD5
b9d183177a3683b3903fe1ba2479b3e0

SHA1
9f0a96887fe649be1f85354037cbeed15cd3fde1

SHA256
38bde16b0becfe8518e55dca0026a152ff70729094d62cc8c8b2e2c38ffb64bb

SHA512
9a39b4a31fef085ce833080d46a5baca71cbc75c7d0334c8359e5ab7db5c5a799257f7d82bdf60b396d6390e2e982fb61692b0d68b550fc05ede6ef62ab84e8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Presets\default.INI

Filesize
1KB

MD5
86862ce9f45c02ea47039d62c48e8da7

SHA1
071e3f49d8a6a875e60becef89d375c1d2b48cef

SHA256
a74c8cea1676ce0d492f5b1fbfc0094d8e7057b882e128fc7245a5ba5acbc911

SHA512
abb9b5e874d607b09a592903075fbbe611fbae5bf1e8956cdbc00faf9c92a1e78cd45c6406f1e92dbd0863d1a2eeb6e84e30c111d22e560896df1c11ae6d8326

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Presets\default.bmp

Filesize
43KB

MD5
0358e472737300b9b2eee897f77fe087

SHA1
f637295945d056d1fdfce5f0f5a0571534b24c45

SHA256
9353998033ec9b6bec6f17680af57940283c84ea0aa99a22dbdcc34c42ec5383

SHA512
9f88c50d3efc1ec390e115049f44c38499c32b94df3c1b9de4b7da54a070244d36bca26365e0eb61ce8019c7e6c33ecfe789dc736b2f4707e87bc337174a665a

Download Submit
memory/1476-142-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1476-136-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2440-154-0x000000007FFF0000-0x000000007FFF7000-memory.dmp

Filesize
28KB

Download
memory/3772-146-0x0000000000400000-0x0000000000408960-memory.dmp

Filesize
34KB

Download
memory/3772-139-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3772-155-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/5040-153-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/5040-156-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download