Analysis
- max time kernel: 91s
- max time network: 127s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64 arch:x86 image:win10v2004-20220901-en locale:en-us os:windows10-2004-x64 system
- submitted: 17-02-2023 19:31
Static task: static1
Behavioral task: behavioral1
Sample: e2d22d8e75d3b27fe20add08299374c6e4e5bd72ad2f811f52f641fd7aa253ac.exe
Resource: win7-20220812-en
Behavioral task: behavioral2
Sample: e2d22d8e75d3b27fe20add08299374c6e4e5bd72ad2f811f52f641fd7aa253ac.exe
Resource: win10v2004-20220901-en
General
- Target: e2d22d8e75d3b27fe20add08299374c6e4e5bd72ad2f811f52f641fd7aa253ac.exe
- Size: 923KB
- MD5: 79c9b1a93339a03631ccb0da0bb31d5d
- SHA1: da534153487eef1ac5ae6ab56cb3483833bca238
- SHA256: e2d22d8e75d3b27fe20add08299374c6e4e5bd72ad2f811f52f641fd7aa253ac
- SHA512: 7fe787434dc5d2f744b2c9b4fff5ee2f184b527aac06e77a3460d6d4424bf4aad177f98c8cec2c449ff0cb4a13bcc9c58a6b3bf9aa8bb1d460f334a62fb4d987
- SSDEEP: 24576:1KWs81BSTGOY8XRNmMhOLaFAxEeQYO5gDLf3q75OkHrcdDA:4F00PBNmM0mAagnf675dYA
Malware Config
Signatures
-
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\MP3SoundRecorder.exe | aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\MP3SoundRecorder.exe | aspack_v212_v242
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | e2d22d8e75d3b27fe20add08299374c6e4e5bd72ad2f811f52f641fd7aa253ac.exe
Executes dropped EXE 1 IoCs
Processes:
pid | process
1048 | MP3SoundRecorder.exe
Loads dropped DLL 6 IoCs
Processes:
pid | process
1048 | MP3SoundRecorder.exe
1048 | MP3SoundRecorder.exe
1048 | MP3SoundRecorder.exe
1048 | MP3SoundRecorder.exe
1048 | MP3SoundRecorder.exe
1048 | MP3SoundRecorder.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid | process
1048 | MP3SoundRecorder.exe
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
description | pid | process | target process
PID 4916 wrote to memory of 1076 | 4916 | e2d22d8e75d3b27fe20add08299374c6e4e5bd72ad2f811f52f641fd7aa253ac.exe | reg.exe
PID 4916 wrote to memory of 1076 | 4916 | e2d22d8e75d3b27fe20add08299374c6e4e5bd72ad2f811f52f641fd7aa253ac.exe | reg.exe
PID 4916 wrote to memory of 1076 | 4916 | e2d22d8e75d3b27fe20add08299374c6e4e5bd72ad2f811f52f641fd7aa253ac.exe | reg.exe
PID 4916 wrote to memory of 1048 | 4916 | e2d22d8e75d3b27fe20add08299374c6e4e5bd72ad2f811f52f641fd7aa253ac.exe | MP3SoundRecorder.exe
PID 4916 wrote to memory of 1048 | 4916 | e2d22d8e75d3b27fe20add08299374c6e4e5bd72ad2f811f52f641fd7aa253ac.exe | MP3SoundRecorder.exe
PID 4916 wrote to memory of 1048 | 4916 | e2d22d8e75d3b27fe20add08299374c6e4e5bd72ad2f811f52f641fd7aa253ac.exe | MP3SoundRecorder.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\e2d22d8e75d3b27fe20add08299374c6e4e5bd72ad2f811f52f641fd7aa253ac.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\e2d22d8e75d3b27fe20add08299374c6e4e5bd72ad2f811f52f641fd7aa253ac.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\reg.exe (depth 2)
    Command line: "C:\Windows\System32\reg.exe" IMPORT MP3SoundRecorder.reg
  - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\MP3SoundRecorder.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\MP3SoundRecorder.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: GetForegroundWindowSpam
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\MP3SoundRecorder.exe
  Filesize: 293KB
  MD5: 4b4596685b04d3d2fa26d3db2566e3d9
  SHA1: a585baa7927b7d9ed48e71d16be1cb082380ccf9
  SHA256: 0febad3d37a4181e6fb0c4b22e3c474ed31feca37ed5cdf467c47034a12801d1
  SHA512: 46a1919c33a4c560d148e819d723774d70a59a39d1bdcfbfdd8b21c35e79d539408a3c0eedaa8deb773a35fe460852840997eb46f7ae6e03301866a0cea81c39
- C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Record.dll
  Filesize: 144KB
  MD5: 0900b5101c195e81136d9ae29f2ffab1
  SHA1: 23aa366cd9680a7cb9d852eafd792ecfacc1b2a0
  SHA256: db1773367d1f1577083c92f8af9aaad2697730a8e2114bd979077a2eb83cb3e1
  SHA512: 29f3bcfe931d3e213362ddb9006cf3cee1279797edc296921075301be4c5b54a88941f252f055ea0141d15cba2e75bcd8a349a064b9811340a91cd74043ee944
- C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\mp3dec2.dll
  Filesize: 44KB
  MD5: e37e04a72f9c06a0ddb327c7a85c4433
  SHA1: 68dd5bc160ad3838264e3be75211f0a709790b8e
  SHA256: b77ef65a7e415a6aa4b10244057951d37e6c19750fec58e271360aa0dc5d94c3
  SHA512: de33fec8a9a560b4712c8f17eb34f66f44216e8b05d46f10b4e60636f7fda299cd91d8d893914f741d701497a95e636114e21c4f8533b082a9df49b5aa1c0c20
- C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\prmixer.dll
  Filesize: 184KB
  MD5: 43d7d7490fa34f55abb2d91a886f9f86
  SHA1: fcb09bc35908631db403a05bb9e4b0b72a0bb003
  SHA256: 38ca4d2075d74f4ac6a5dade53754320cd31a4270e2c6ab0498ff4bcf4f07acc
  SHA512: e48effed54499cfa39ea252064f71bba157e2afb55f7006f6f670d9b1e9a4bd3c8f4d7869658fa5e7b7b043c162df565f64ee07ce3d704647858971b6dc72038
- C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\record.dll
  Filesize: 144KB
  MD5: 0900b5101c195e81136d9ae29f2ffab1
  SHA1: 23aa366cd9680a7cb9d852eafd792ecfacc1b2a0
  SHA256: db1773367d1f1577083c92f8af9aaad2697730a8e2114bd979077a2eb83cb3e1
  SHA512: 29f3bcfe931d3e213362ddb9006cf3cee1279797edc296921075301be4c5b54a88941f252f055ea0141d15cba2e75bcd8a349a064b9811340a91cd74043ee944
- C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\set.ini
  Filesize: 562B
  MD5: 08868db2c5e6fca57569adfabed44e8a
  SHA1: 66755771205768a5c409d1d29ef19cc04a4868ae
  SHA256: 78addbbba9aba01e267f2ff2f6371dd8130e454e212b42b587e58c552253152c
  SHA512: 9743b244d732a02a73a1962cfa7915c48edae8666702413d2fbf09b6041b8254f444b3f558bf961d6d12f44c3922132e52a9bcd95773eb16fdc95ad5ec4513ff
- C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\ti.ico
  Filesize: 318B
  MD5: 134c8bed1fc5e4a3e770601ae8f27da5
  SHA1: 6ff5a0f9c9edad8a30ce4892f1b8bf3d313d2160
  SHA256: b736782a412a078e8d46ea43199f2f8725cb40ea470ec314763f9cb2a88c9954
  SHA512: 237941da48a648aa55624001ad3e7f8bf2289de4d6b5fdea78c9c552c7d21cd05d2d6665fa52ac0d761bdbbe3313bf4c8ba07da8e8e8e2de48dc1e1e0670bc81
- memory/1048-142-0x00000000006B0000-0x00000000006DC000-memory.dmp
  Filesize: 176KB
- memory/1048-133-0x0000000000000000-mapping.dmp
- memory/1048-147-0x00000000023C0000-0x00000000023E8000-memory.dmp
  Filesize: 160KB
- memory/1076-132-0x0000000000000000-mapping.dmp