Analysis

max time kernel: 90s
max time network: 145s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18/12/2022, 07:34

Static task: static1
Behavioral task: behavioral1
Sample: f531ce7ae00aa330d78a225784ed8547.exe
Resource: win7-20221111-en

General

Target: f531ce7ae00aa330d78a225784ed8547.exe
Size: 5.6MB
MD5: f531ce7ae00aa330d78a225784ed8547
SHA1: d852cddba6d1f2617ebb7dd95d1ad6ab20c64e70
SHA256: e017dd97109b67d634e66b76676a1e840612418cfa45ed5bbee319871911f197
SHA512: f1ca41143adde44c849dc62718cfa928f1d17924d1885fe812fd38e19cd204702521f20fa5d7a81075839b48638d9c248a4c1c1c9f88822fd7c31043e7f6452e
SSDEEP: 98304:BafJVPlzBtcmiTb1qbLlGLHVN+AKjhQ5n3Y3LXb6Pkl9zSCFIX+33MLQ:BafrlDGTgbLYzVNCGn3Y7X2Py6y3M
Malware Config
Signatures
Executes dropped EXE (1 IoC)

pid  | Process
4932 | Eewfhetyyyrtfpd.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.

description       | ioc                                                                                                              | Process
Key value queried | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation | f531ce7ae00aa330d78a225784ed8547.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)

pid | Process
640 | chrome.exe

Note that PID 640 is the top-level chrome.exe in the process tree below, not a descendant of the sample; this row, like the other chrome.exe rows in this section, is attributed to the browser process, not to the sample or the processes it spawned.

Suspicious use of SetThreadContext (1 IoC)

description                         | pid  | Process                              | procid_target
PID 2632 set thread context of 1108 | 2632 | f531ce7ae00aa330d78a225784ed8547.exe | 83

Read together with the WriteProcessMemory rows (PID 2632 wrote into PID 1108 four times) and the later crash of PID 1108 (WerFault.exe -p 1108), this is consistent with the sample injecting code into the rundll32.exe it spawned, with the injected process then crashing in this sandbox.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour. No IoC rows were recorded for this signature.

Program crash (3 IoCs)

pid  | pid_target | Process      | procid_target
1152 | 1108       | WerFault.exe | 83
3600 | 640        | WerFault.exe | 84
2348 | 2632       | WerFault.exe | 81
Checks processor information in registry (2 TTPs, 47 IoCs)
Processor information is often read in order to detect sandboxing environments. Both the sample (PID 2632) and the rundll32.exe it wrote into (PID 1108) read the same set of values.

description          | ioc                                                                                  | Process
Key value queried    | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet                | rundll32.exe
Key value queried    | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision           | rundll32.exe
Key value queried    | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status             | rundll32.exe
Key value queried    | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet                | f531ce7ae00aa330d78a225784ed8547.exe
Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1                           | rundll32.exe
Key value queried    | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data        | rundll32.exe
Key value queried    | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier          | rundll32.exe
Key opened           | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                           | rundll32.exe
Key opened           | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                           | f531ce7ae00aa330d78a225784ed8547.exe
Key value queried    | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier          | f531ce7ae00aa330d78a225784ed8547.exe
Key value queried    | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status             | f531ce7ae00aa330d78a225784ed8547.exe
Key value queried    | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data        | f531ce7ae00aa330d78a225784ed8547.exe
Key enumerated       | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor                             | rundll32.exe
Key value queried    | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier          | rundll32.exe
Key value queried    | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString       | rundll32.exe
Key value queried    | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision           | rundll32.exe
Key opened           | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor                             | f531ce7ae00aa330d78a225784ed8547.exe
Key value queried    | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision           | f531ce7ae00aa330d78a225784ed8547.exe
Key value queried    | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1 | f531ce7ae00aa330d78a225784ed8547.exe
Key opened           | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor                             | rundll32.exe
Key value queried    | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1 | rundll32.exe
Key value queried    | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz                      | rundll32.exe
Key value queried    | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status             | f531ce7ae00aa330d78a225784ed8547.exe
Key value queried    | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet                | f531ce7ae00aa330d78a225784ed8547.exe
Key opened           | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1                           | rundll32.exe
Key value queried    | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier                | rundll32.exe
Key value queried    | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier          | f531ce7ae00aa330d78a225784ed8547.exe
Key value queried    | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information     | f531ce7ae00aa330d78a225784ed8547.exe
Key value queried    | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | rundll32.exe
Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                           | f531ce7ae00aa330d78a225784ed8547.exe
Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1                           | f531ce7ae00aa330d78a225784ed8547.exe
Key value queried    | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data        | f531ce7ae00aa330d78a225784ed8547.exe
Key value queried    | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString       | f531ce7ae00aa330d78a225784ed8547.exe
Key value queried    | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet                | rundll32.exe
Key value queried    | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                      | rundll32.exe
Key value queried    | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString       | rundll32.exe
Key value queried    | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision  | rundll32.exe
Key value queried    | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information     | f531ce7ae00aa330d78a225784ed8547.exe
Key value queried    | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | f531ce7ae00aa330d78a225784ed8547.exe
Key value queried    | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information     | rundll32.exe
Key value queried    | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information     | rundll32.exe
Key value queried    | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString       | f531ce7ae00aa330d78a225784ed8547.exe
Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                           | rundll32.exe
Key enumerated       | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor                             | f531ce7ae00aa330d78a225784ed8547.exe
Key opened           | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1                           | f531ce7ae00aa330d78a225784ed8547.exe
Key value queried    | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier                | f531ce7ae00aa330d78a225784ed8547.exe
Key value queried    | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                      | f531ce7ae00aa330d78a225784ed8547.exe
Enumerates system info in registry (2 TTPs, 3 IoCs)

description       | ioc                                                                  | Process
Key opened        | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                   | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName  | chrome.exe

Suspicious behavior: EnumeratesProcesses (6 IoCs)

pid  | Process
1108 | rundll32.exe
1108 | rundll32.exe
260  | chrome.exe
260  | chrome.exe
640  | chrome.exe
640  | chrome.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)

description             | pid  | Process
Token: SeDebugPrivilege | 4932 | Eewfhetyyyrtfpd.exe

Suspicious use of FindShellTrayWindow (2 IoCs)

pid  | Process
4932 | Eewfhetyyyrtfpd.exe
640  | chrome.exe

Suspicious use of SendNotifyMessage (1 IoC)

pid  | Process
4932 | Eewfhetyyyrtfpd.exe

Suspicious use of SetWindowsHookEx (1 IoC)

pid | Process
640 | chrome.exe
Suspicious use of WriteProcessMemory (64 IoCs)

Identical rows are collapsed; the last column gives how many times each row appears in the report.

description                     | pid  | Process                              | procid_target | occurrences
PID 2632 wrote to memory of 4932 | 2632 | f531ce7ae00aa330d78a225784ed8547.exe | 82            | 3
PID 2632 wrote to memory of 1108 | 2632 | f531ce7ae00aa330d78a225784ed8547.exe | 83            | 4
PID 640 wrote to memory of 3496  | 640  | chrome.exe                           | 85            | 2
PID 640 wrote to memory of 1980  | 640  | chrome.exe                           | 90            | 40
PID 640 wrote to memory of 260   | 640  | chrome.exe                           | 91            | 2
PID 640 wrote to memory of 3604  | 640  | chrome.exe                           | 92            | 13
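The signature tables above are flat IoC rows, which is awkward to reason over by eye when a write-into-process row has to be matched against a set-thread-context row for the same pair of PIDs. The following is an added Python example, not part of this report or of the sandbox's own tooling, that parses a handful of rows copied from the tables above, flags a source/target pair as an injection candidate only when the source both wrote into the target and replaced a thread context, and buckets the registry rows by what they fingerprint. The category labels, the injection rule and the choice of rows are assumptions made for the example.

```python
"""Turn the flat IoC rows of a sandbox signature table into structured findings.
The rows below are copied from the tables in this report; the category labels and
the "write + SetThreadContext" rule are assumptions made for this example."""
import re
from collections import Counter, defaultdict

# WriteProcessMemory / SetThreadContext rows, one per IoC, as printed in the report.
PROCESS_IOCS = [
    "PID 2632 wrote to memory of 4932 2632 f531ce7ae00aa330d78a225784ed8547.exe 82",
    "PID 2632 wrote to memory of 1108 2632 f531ce7ae00aa330d78a225784ed8547.exe 83",
    "PID 2632 set thread context of 1108 2632 f531ce7ae00aa330d78a225784ed8547.exe 83",
    "PID 640 wrote to memory of 1980 640 chrome.exe 90",
]

# Registry rows from the geofence, processor and system-info signatures.
REGISTRY_IOCS = [
    r"Key value queried \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation f531ce7ae00aa330d78a225784ed8547.exe",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet rundll32.exe",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier f531ce7ae00aa330d78a225784ed8547.exe",
    r"Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS chrome.exe",
]

PROC_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<verb>wrote to memory of|set thread context of) "
    r"(?P<tgt>\d+) \d+ (?P<image>\S+) \d+$"
)
# The key path may contain spaces, so the image name is taken as the last token.
REG_RE = re.compile(
    r"^(?P<op>Key(?: value)? (?:queried|opened|enumerated)) (?P<key>.+) (?P<image>\S+)$"
)

# Assumed labels for registry locations with a known anti-analysis meaning.
REGISTRY_CATEGORIES = (
    (r"\Control Panel\International\Geo\Nation", "geofence"),
    (r"\HARDWARE\DESCRIPTION\System\CentralProcessor", "cpu-fingerprint"),
    (r"\HARDWARE\DESCRIPTION\System\BIOS", "firmware-fingerprint"),
)


def parse_process_iocs(lines):
    """(source pid, verb, target pid, source image) per row; an unknown row is an error."""
    rows = []
    for line in lines:
        m = PROC_RE.match(line.strip())
        if m is None:
            raise ValueError(f"unrecognised process IoC row: {line!r}")
        rows.append((int(m["src"]), m["verb"], int(m["tgt"]), m["image"]))
    return rows


def find_injections(lines):
    """Source/target pairs where the source both wrote into the target and replaced
    a thread context, the two calls a hollowing-style injection needs.  A write on
    its own (a parent handing a child its start-up data, as chrome.exe does for its
    helper processes) is not flagged."""
    seen = defaultdict(set)
    for src, verb, tgt, image in parse_process_iocs(lines):
        seen[(src, tgt, image)].add(verb)
    needed = {"wrote to memory of", "set thread context of"}
    return sorted(pair for pair, verbs in seen.items() if needed <= verbs)


def classify_registry_iocs(lines):
    """Counter keyed by (category, image) so each process's fingerprinting can be read separately."""
    counts = Counter()
    for line in lines:
        m = REG_RE.match(line.strip())
        if m is None:
            raise ValueError(f"unrecognised registry IoC row: {line!r}")
        key = m["key"].lower()
        label = next((name for needle, name in REGISTRY_CATEGORIES
                      if needle.lower() in key), "other")
        counts[(label, m["image"])] += 1
    return counts


if __name__ == "__main__":
    for src, tgt, image in find_injections(PROCESS_IOCS):
        print(f"injection candidate: {image} (PID {src}) -> PID {tgt}")
    for (label, image), n in sorted(classify_registry_iocs(REGISTRY_IOCS).items()):
        print(f"{label:21} {image:40} {n}")
```

On the rows above the only pair flagged is 2632 -> 1108 (the sample into rundll32.exe); the write into the dropped Eewfhetyyyrtfpd.exe and the chrome.exe writes into its helpers have no matching SetThreadContext row and are left alone, which is the distinction a triage rule needs to avoid alerting on every parent that starts a child.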
Processes

Indentation gives the parent/child relationship; top-level entries were not started by the sample.

- C:\Users\Admin\AppData\Local\Temp\f531ce7ae00aa330d78a225784ed8547.exe (PID 2632)
  Command line: "C:\Users\Admin\AppData\Local\Temp\f531ce7ae00aa330d78a225784ed8547.exe"
  Signatures: Checks computer location settings; Suspicious use of SetThreadContext; Checks processor information in registry; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Eewfhetyyyrtfpd.exe (PID 4932)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Eewfhetyyyrtfpd.exe"
    Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
  - C:\Windows\SysWOW64\rundll32.exe (PID 1108)
    Command line: "C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
    Signatures: Checks processor information in registry; Suspicious behavior: EnumeratesProcesses
    - C:\Windows\SysWOW64\WerFault.exe (PID 1152)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1108 -s 1304
      Signatures: Program crash
  - C:\Windows\SysWOW64\WerFault.exe (PID 2348)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2632 -s 1156
    Signatures: Program crash
- C:\Program Files\Google\Chrome\Application\chrome.exe (PID 640)
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --no-first-run --no-default-browser-check --silent-launch --disable-backgrounding-occluded-windows --disable-background-timer-throttling --ran-launcher --profile-directory="Default"
  Signatures: Suspicious use of NtSetInformationThreadHideFromDebugger; Enumerates system info in registry; Suspicious behavior: EnumeratesProcesses; Suspicious use of FindShellTrayWindow; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3496)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff2d484f50,0x7fff2d484f60,0x7fff2d484f70
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1980)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1636,17622158795984728744,10575800029664913867,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1680 /prefetch:2
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 260)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1636,17622158795984728744,10575800029664913867,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1908 /prefetch:8
    Signatures: Suspicious behavior: EnumeratesProcesses
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3604)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1636,17622158795984728744,10575800029664913867,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1632 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 860)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1636,17622158795984728744,10575800029664913867,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3564 /prefetch:8
  - C:\Windows\system32\WerFault.exe (PID 3600)
    Command line: C:\Windows\system32\WerFault.exe -u -p 640 -s 3608
    Signatures: Program crash
- C:\Windows\SysWOW64\WerFault.exe (PID 4812)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 204 -p 1108 -ip 1108
- C:\Windows\System32\CompPkgSrv.exe (PID 5060)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\system32\WerFault.exe (PID 2572)
  Command line: C:\Windows\system32\WerFault.exe -pss -s 528 -p 640 -ip 640
- C:\Windows\SysWOW64\WerFault.exe (PID 3188)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2632 -ip 2632
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 2.4MB
MD5: e7053575255acd45d4213d866123dbaf
SHA1: 95fa5a2178eb1dd6a445685b3ab2905c11045d0c
SHA256: 794be0b98421623959185a060092be697fa695a73268ab8a46c7ab12655df62b
SHA512: e934ae1bb4cef1e71cf1905655bcb5979f8f70944817de88204d8bebf3a36300b7b282d0bd711cc41ae5e69f91b6e14576b7a8098ee283d29bdb451d98238401