e64157b8f2b1a2896f61b56605a1f9ebafc15a90fe8336f1fc4ac4785ab5fd12

Analysis

max time kernel
206s
max time network
228s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
07/12/2022, 03:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e64157b8f2b1a2896f61b56605a1f9ebafc15a90fe8336f1fc4ac4785ab5fd12.exe
Size

6.1MB
MD5

40de9bc019a2e146176bc08ca55aa40a
SHA1

8e8cdf42361633e5f4a73009e1babc8117012874
SHA256

e64157b8f2b1a2896f61b56605a1f9ebafc15a90fe8336f1fc4ac4785ab5fd12
SHA512

1627448946db1ff9b0bed44ce0346b573c2602e9c443fbeb84729a60f4ddc8b5c0b456230d40268a66f4d8c896225e4605238ba693623255eed65d34fd58560a
SSDEEP

24576:kDyTFtjYDyTFtjSDyTFtjXDyTFtjgDyTFtj1DyTFtjyDyTFtj:dtFtTt8tNtutTt

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 5 IoCs

pid	Process
1576	tmp240640656.exe
1008	tmp240640781.exe
1088	notpad.exe
1872	tmp240659656.exe
1092	tmp240670640.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2712-138-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0008000000022e14-141.dat	upx
behavioral2/files/0x0008000000022e14-142.dat	upx
behavioral2/memory/1088-143-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1088-144-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1088-150-0x0000000000400000-0x000000000041F000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	tmp240640656.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\fsb.tmp	tmp240640656.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240640656.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240640656.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240640656.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1256	1008	WerFault.exe	86

Modifies registry class 1 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240640656.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2712 wrote to memory of 1576	2712	e64157b8f2b1a2896f61b56605a1f9ebafc15a90fe8336f1fc4ac4785ab5fd12.exe	85
PID 2712 wrote to memory of 1576	2712	e64157b8f2b1a2896f61b56605a1f9ebafc15a90fe8336f1fc4ac4785ab5fd12.exe	85
PID 2712 wrote to memory of 1576	2712	e64157b8f2b1a2896f61b56605a1f9ebafc15a90fe8336f1fc4ac4785ab5fd12.exe	85
PID 2712 wrote to memory of 1008	2712	e64157b8f2b1a2896f61b56605a1f9ebafc15a90fe8336f1fc4ac4785ab5fd12.exe	86
PID 2712 wrote to memory of 1008	2712	e64157b8f2b1a2896f61b56605a1f9ebafc15a90fe8336f1fc4ac4785ab5fd12.exe	86
PID 2712 wrote to memory of 1008	2712	e64157b8f2b1a2896f61b56605a1f9ebafc15a90fe8336f1fc4ac4785ab5fd12.exe	86
PID 1576 wrote to memory of 1088	1576	tmp240640656.exe	92
PID 1576 wrote to memory of 1088	1576	tmp240640656.exe	92
PID 1576 wrote to memory of 1088	1576	tmp240640656.exe	92
PID 1088 wrote to memory of 1872	1088	notpad.exe	94
PID 1088 wrote to memory of 1872	1088	notpad.exe	94
PID 1088 wrote to memory of 1872	1088	notpad.exe	94
PID 1088 wrote to memory of 1092	1088	notpad.exe	95
PID 1088 wrote to memory of 1092	1088	notpad.exe	95
PID 1088 wrote to memory of 1092	1088	notpad.exe	95

C:\Users\Admin\AppData\Local\Temp\e64157b8f2b1a2896f61b56605a1f9ebafc15a90fe8336f1fc4ac4785ab5fd12.exe
"C:\Users\Admin\AppData\Local\Temp\e64157b8f2b1a2896f61b56605a1f9ebafc15a90fe8336f1fc4ac4785ab5fd12.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2712
- C:\Users\Admin\AppData\Local\Temp\tmp240640656.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240640656.exe
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1576
- - C:\Windows\SysWOW64\notpad.exe
    "C:\Windows\system32\notpad.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1088
  - - C:\Users\Admin\AppData\Local\Temp\tmp240659656.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240659656.exe
      4⤵
      Executes dropped EXE
      PID:1872
  - - C:\Users\Admin\AppData\Local\Temp\tmp240670640.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240670640.exe
      4⤵
      Executes dropped EXE
      PID:1092
- C:\Users\Admin\AppData\Local\Temp\tmp240640781.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240640781.exe
  2⤵
  - Executes dropped EXE
  PID:1008
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1008 -s 224
    3⤵
    - Program crash
    PID:1256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1008 -ip 1008
1⤵
PID:1128

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp240640656.exe

Filesize
5.9MB

MD5
43b2dbedcbfac379185a4872001261f2

SHA1
b7afa67c8f96375c5f1ed5c7a767bd663ccb9d48

SHA256
3a0885569b36a5b2e5408bd6af549326490bb535d1bca79ce1165129c917b287

SHA512
d6efe14315e5aebca09c1684b3565ae7a35a0e318b8aaa706d18d5bddbfa73e3cf82910033571dfca079afc090bfc46f2781ce57522377a773d82dd6c0e363bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240640656.exe

Filesize
5.9MB

MD5
43b2dbedcbfac379185a4872001261f2

SHA1
b7afa67c8f96375c5f1ed5c7a767bd663ccb9d48

SHA256
3a0885569b36a5b2e5408bd6af549326490bb535d1bca79ce1165129c917b287

SHA512
d6efe14315e5aebca09c1684b3565ae7a35a0e318b8aaa706d18d5bddbfa73e3cf82910033571dfca079afc090bfc46f2781ce57522377a773d82dd6c0e363bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240640781.exe

Filesize
136KB

MD5
b6a26e68e2220e8c59df5948013f86dd

SHA1
280838f4ed336981a8f25478dbcc4bf6aec66af5

SHA256
4d15001d435a8d1f5178ab7760fe7a70f28daeddd0b7e0f6738414f55daef134

SHA512
be47b88249d3345266d86ffe0e0131216ed25664c64ab111765615e906e1cbff02fa4fd3862d352a09af50b0f77a8b632d523236d4011e7017b4ddbefe3ac9bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240640781.exe

Filesize
136KB

MD5
b6a26e68e2220e8c59df5948013f86dd

SHA1
280838f4ed336981a8f25478dbcc4bf6aec66af5

SHA256
4d15001d435a8d1f5178ab7760fe7a70f28daeddd0b7e0f6738414f55daef134

SHA512
be47b88249d3345266d86ffe0e0131216ed25664c64ab111765615e906e1cbff02fa4fd3862d352a09af50b0f77a8b632d523236d4011e7017b4ddbefe3ac9bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240659656.exe

Filesize
5.9MB

MD5
43b2dbedcbfac379185a4872001261f2

SHA1
b7afa67c8f96375c5f1ed5c7a767bd663ccb9d48

SHA256
3a0885569b36a5b2e5408bd6af549326490bb535d1bca79ce1165129c917b287

SHA512
d6efe14315e5aebca09c1684b3565ae7a35a0e318b8aaa706d18d5bddbfa73e3cf82910033571dfca079afc090bfc46f2781ce57522377a773d82dd6c0e363bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240659656.exe

Filesize
5.9MB

MD5
43b2dbedcbfac379185a4872001261f2

SHA1
b7afa67c8f96375c5f1ed5c7a767bd663ccb9d48

SHA256
3a0885569b36a5b2e5408bd6af549326490bb535d1bca79ce1165129c917b287

SHA512
d6efe14315e5aebca09c1684b3565ae7a35a0e318b8aaa706d18d5bddbfa73e3cf82910033571dfca079afc090bfc46f2781ce57522377a773d82dd6c0e363bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240670640.exe

Filesize
162KB

MD5
e92d3a824a0578a50d2dd81b5060145f

SHA1
50ef7c645fd5cbb95d50fbaddf6213800f9296ec

SHA256
87f53bc444c05230ce439dbb127c03f2e374067d6fb08e91c834371fd9ecf661

SHA512
40d0ac6fa5a424b099923fcdb465e9a2f44569af1c75cf05323315a8720517316a7e8627be248cff3a83382fb6db1cf026161f627a39bc1908e63f67a34c0fd5

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
6.1MB

MD5
63f512763d5fad66df6cd747077bb64f

SHA1
fb2797ddf3c1f67863513a51ea4aa3aad36eacd7

SHA256
6738c4f951b7f540bdd7b11b19ac769055d8a68ac61a16afd0f39215fcf0ed4f

SHA512
d10836a4dbf0fef5779f4bd441a486724933f245c391ffe929d218a1d473deab87409093f04919ccafe3fc2091aab756430445f81093eda22887894efbc32438

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
6.1MB

MD5
63f512763d5fad66df6cd747077bb64f

SHA1
fb2797ddf3c1f67863513a51ea4aa3aad36eacd7

SHA256
6738c4f951b7f540bdd7b11b19ac769055d8a68ac61a16afd0f39215fcf0ed4f

SHA512
d10836a4dbf0fef5779f4bd441a486724933f245c391ffe929d218a1d473deab87409093f04919ccafe3fc2091aab756430445f81093eda22887894efbc32438

Download Submit
memory/1008-139-0x0000000000010000-0x0000000000032000-memory.dmp

Filesize
136KB

Download
memory/1088-144-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1088-143-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1088-150-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2712-138-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download