Analysis

  • max time kernel
    28s
  • max time network
    74s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20-12-2022 10:41

General

  • Target

    bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe

  • Size

    138KB

  • MD5

    f62bb82db62dd6b80908dcd79ea51fb2

  • SHA1

    e635ba1b935adf31ffd055d71884098567b3dd4f

  • SHA256

    bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800

  • SHA512

    869863239f231d3bea636a98f7adb8d6f04f60fb2cacc5ef8d8d87bfaf327abc57668e0cc1e8f10adcb7156646ff75ff67fb3f06f22b25797220eccd91b93e08

  • SSDEEP

    3072:dsFd0klDWOsja1mrT0CowNJ8s540uUf0WccH2hgcD:QWHrYNwNeQEBgc

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
      PID:2528
    • C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe
      "C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe"
      1⤵
      • Checks computer location settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2736
      • C:\Users\Admin\AppData\Local\Temp\UROdMlePmlan.exe
        "C:\Users\Admin\AppData\Local\Temp\UROdMlePmlan.exe" 8 LAN
        2⤵
        • Executes dropped EXE
        PID:2520
      • C:\Users\Admin\AppData\Local\Temp\jdyBJlcBPlan.exe
        "C:\Users\Admin\AppData\Local\Temp\jdyBJlcBPlan.exe" 8 LAN
        2⤵
        • Executes dropped EXE
        PID:3944
      • C:\Windows\System32\net.exe
        "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
        2⤵
          PID:3240
          • C:\Windows\system32\net1.exe
            C:\Windows\system32\net1 stop "audioendpointbuilder" /y
            3⤵
              PID:1444
          • C:\Windows\System32\net.exe
            "C:\Windows\System32\net.exe" stop "samss" /y
            2⤵
              PID:3764
              • C:\Windows\system32\net1.exe
                C:\Windows\system32\net1 stop "samss" /y
                3⤵
                  PID:1828

            Network

            MITRE ATT&CK Enterprise v6

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\UROdMlePmlan.exe

              Filesize

              138KB

              MD5

              f62bb82db62dd6b80908dcd79ea51fb2

              SHA1

              e635ba1b935adf31ffd055d71884098567b3dd4f

              SHA256

              bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800

              SHA512

              869863239f231d3bea636a98f7adb8d6f04f60fb2cacc5ef8d8d87bfaf327abc57668e0cc1e8f10adcb7156646ff75ff67fb3f06f22b25797220eccd91b93e08

            • C:\Users\Admin\AppData\Local\Temp\UROdMlePmlan.exe

              Filesize

              138KB

              MD5

              f62bb82db62dd6b80908dcd79ea51fb2

              SHA1

              e635ba1b935adf31ffd055d71884098567b3dd4f

              SHA256

              bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800

              SHA512

              869863239f231d3bea636a98f7adb8d6f04f60fb2cacc5ef8d8d87bfaf327abc57668e0cc1e8f10adcb7156646ff75ff67fb3f06f22b25797220eccd91b93e08

            • C:\Users\Admin\AppData\Local\Temp\jdyBJlcBPlan.exe

              Filesize

              138KB

              MD5

              f62bb82db62dd6b80908dcd79ea51fb2

              SHA1

              e635ba1b935adf31ffd055d71884098567b3dd4f

              SHA256

              bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800

              SHA512

              869863239f231d3bea636a98f7adb8d6f04f60fb2cacc5ef8d8d87bfaf327abc57668e0cc1e8f10adcb7156646ff75ff67fb3f06f22b25797220eccd91b93e08

            • C:\Users\Admin\AppData\Local\Temp\jdyBJlcBPlan.exe

              Filesize

              138KB

              MD5

              f62bb82db62dd6b80908dcd79ea51fb2

              SHA1

              e635ba1b935adf31ffd055d71884098567b3dd4f

              SHA256

              bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800

              SHA512

              869863239f231d3bea636a98f7adb8d6f04f60fb2cacc5ef8d8d87bfaf327abc57668e0cc1e8f10adcb7156646ff75ff67fb3f06f22b25797220eccd91b93e08

            • memory/2528-139-0x00007FF611270000-0x00007FF6113D4000-memory.dmp

              Filesize

              1.4MB

            • memory/2560-143-0x00007FF611270000-0x00007FF6113D4000-memory.dmp

              Filesize

              1.4MB