1cef9532756d1c16cb6034c73feb63f9b18a269cccf4fcf07cf92eb9106eedfb

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
11/03/2023, 12:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3632e05e0742cd8f5d764ecaf243796aeb11ba5dfa858d4a2a2fae1d04734dcb.exe
Size

449KB
MD5

010510fa1699192fcf419d8d0979d326
SHA1

90e52323fbe695e19b12eb19abadd54140bc8bfa
SHA256

3632e05e0742cd8f5d764ecaf243796aeb11ba5dfa858d4a2a2fae1d04734dcb
SHA512

163f2ea50a79ece7d380d0d34224caab011ea7e6ee4900e184db602feb1f6119abc0478e5a2c5ab73ca8a02ac555f8103787dcad38050ec1b1e60d4acaa979e7
SSDEEP

6144:2Ya6r7pbu7cahyvQjwEPM9lKH9bZey354wS/yPulz75aWWvSZf:2YnQVhy7uMSdbZey3if/y2t9aLw

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	spfxemttfw.exe

Executes dropped EXE 2 IoCs

pid	Process
4720	spfxemttfw.exe
4408	spfxemttfw.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 4720 set thread context of 4408	4720	spfxemttfw.exe	86
PID 4408 set thread context of 3140	4408	spfxemttfw.exe	18
PID 2644 set thread context of 3140	2644	help.exe	18

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\Registry\User\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	help.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4408	spfxemttfw.exe
4408	spfxemttfw.exe
4408	spfxemttfw.exe
4408	spfxemttfw.exe
4408	spfxemttfw.exe
4408	spfxemttfw.exe
4408	spfxemttfw.exe
4408	spfxemttfw.exe
2644	help.exe
2644	help.exe
2644	help.exe
2644	help.exe
2644	help.exe
2644	help.exe
2644	help.exe
2644	help.exe
2644	help.exe
2644	help.exe
2644	help.exe
2644	help.exe
2644	help.exe
2644	help.exe
2644	help.exe
2644	help.exe
2644	help.exe
2644	help.exe
2644	help.exe
2644	help.exe
2644	help.exe
2644	help.exe
2644	help.exe
2644	help.exe
2644	help.exe
2644	help.exe
2644	help.exe
2644	help.exe
2644	help.exe
2644	help.exe
2644	help.exe
2644	help.exe
2644	help.exe
2644	help.exe
2644	help.exe
2644	help.exe
2644	help.exe
2644	help.exe
2644	help.exe
2644	help.exe
2644	help.exe
2644	help.exe
2644	help.exe
2644	help.exe
2644	help.exe
2644	help.exe
2644	help.exe
2644	help.exe
2644	help.exe
2644	help.exe
2644	help.exe
2644	help.exe
2644	help.exe
2644	help.exe
2644	help.exe
2644	help.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3140	Explorer.EXE

Suspicious behavior: MapViewOfSection 8 IoCs

pid	Process
4720	spfxemttfw.exe
4408	spfxemttfw.exe
4408	spfxemttfw.exe
4408	spfxemttfw.exe
2644	help.exe
2644	help.exe
2644	help.exe
2644	help.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4408	spfxemttfw.exe
Token: SeDebugPrivilege	2644	help.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3140	Explorer.EXE
3140	Explorer.EXE

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 1336 wrote to memory of 4720	1336	3632e05e0742cd8f5d764ecaf243796aeb11ba5dfa858d4a2a2fae1d04734dcb.exe	85
PID 1336 wrote to memory of 4720	1336	3632e05e0742cd8f5d764ecaf243796aeb11ba5dfa858d4a2a2fae1d04734dcb.exe	85
PID 1336 wrote to memory of 4720	1336	3632e05e0742cd8f5d764ecaf243796aeb11ba5dfa858d4a2a2fae1d04734dcb.exe	85
PID 4720 wrote to memory of 4408	4720	spfxemttfw.exe	86
PID 4720 wrote to memory of 4408	4720	spfxemttfw.exe	86
PID 4720 wrote to memory of 4408	4720	spfxemttfw.exe	86
PID 4720 wrote to memory of 4408	4720	spfxemttfw.exe	86
PID 3140 wrote to memory of 2644	3140	Explorer.EXE	87
PID 3140 wrote to memory of 2644	3140	Explorer.EXE	87
PID 3140 wrote to memory of 2644	3140	Explorer.EXE	87
PID 2644 wrote to memory of 1208	2644	help.exe	94
PID 2644 wrote to memory of 1208	2644	help.exe	94
PID 2644 wrote to memory of 1208	2644	help.exe	94

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3140
- C:\Users\Admin\AppData\Local\Temp\3632e05e0742cd8f5d764ecaf243796aeb11ba5dfa858d4a2a2fae1d04734dcb.exe
  "C:\Users\Admin\AppData\Local\Temp\3632e05e0742cd8f5d764ecaf243796aeb11ba5dfa858d4a2a2fae1d04734dcb.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1336
- - C:\Users\Admin\AppData\Local\Temp\spfxemttfw.exe
    "C:\Users\Admin\AppData\Local\Temp\spfxemttfw.exe" C:\Users\Admin\AppData\Local\Temp\xzrym.t
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:4720
  - - C:\Users\Admin\AppData\Local\Temp\spfxemttfw.exe
      "C:\Users\Admin\AppData\Local\Temp\spfxemttfw.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:4408
- C:\Windows\SysWOW64\help.exe
  "C:\Windows\SysWOW64\help.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2644
- - C:\Program Files\Mozilla Firefox\Firefox.exe
    "C:\Program Files\Mozilla Firefox\Firefox.exe"
    3⤵
    PID:1208

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dpitja.cp

Filesize
205KB

MD5
bedab9ae8e5cdc69d5cb83a001694e04

SHA1
72704a6f4251f8fd48ebe7bc61211e305d0f6cbf

SHA256
7ca8d817d6c32cefa8872e1d31ec84694440a301f5d1330217c5569774e6dc92

SHA512
64159a0fcc2ec5d1ed221ac5a3458fccd8d9cbfcbd6854987775a74eecc759e5a75333a04a324f86991ac6b5e7b7d387952d98e59e8fde05c5cbf50dedc6794a

Download Submit
C:\Users\Admin\AppData\Local\Temp\spfxemttfw.exe

Filesize
52KB

MD5
8c5a224a012ceed51a7331f83ceff97f

SHA1
f98b7e03786d64a0df2837a0a9c189ddae2602e5

SHA256
c1cda8b5d7ad7b6bf0fb72ed5e81eba949d3ac9564fe5f58c5d3cc624c21c62d

SHA512
4873094ef7f351d119bb87058dd68a662d564aca83472102a973bab5e1d42ee494c14464ad783369e583ad6bdef41486fd745b741c3b78907ea30d1313a2abe2

Download Submit
C:\Users\Admin\AppData\Local\Temp\spfxemttfw.exe

Filesize
52KB

MD5
8c5a224a012ceed51a7331f83ceff97f

SHA1
f98b7e03786d64a0df2837a0a9c189ddae2602e5

SHA256
c1cda8b5d7ad7b6bf0fb72ed5e81eba949d3ac9564fe5f58c5d3cc624c21c62d

SHA512
4873094ef7f351d119bb87058dd68a662d564aca83472102a973bab5e1d42ee494c14464ad783369e583ad6bdef41486fd745b741c3b78907ea30d1313a2abe2

Download Submit
C:\Users\Admin\AppData\Local\Temp\spfxemttfw.exe

Filesize
52KB

MD5
8c5a224a012ceed51a7331f83ceff97f

SHA1
f98b7e03786d64a0df2837a0a9c189ddae2602e5

SHA256
c1cda8b5d7ad7b6bf0fb72ed5e81eba949d3ac9564fe5f58c5d3cc624c21c62d

SHA512
4873094ef7f351d119bb87058dd68a662d564aca83472102a973bab5e1d42ee494c14464ad783369e583ad6bdef41486fd745b741c3b78907ea30d1313a2abe2

Download Submit
C:\Users\Admin\AppData\Local\Temp\xzrym.t

Filesize
5KB

MD5
83fdbf1ffe575a7636e3686d4a09a5dd

SHA1
75b33c714338f4205af1ff99dfa81448d1121e39

SHA256
1764c92545c4e0ce4584b6b507eff208e466398e29bb17b12371b1934617ffc1

SHA512
eca6efe2b7b40ef1266a93d25b56bbdf6b71024d719c2ae0f6a59248af50be901139566916df601e60909e07437dbcca157036a5398a385257654db106753b7a

Download Submit
memory/2644-154-0x0000000001650000-0x000000000199A000-memory.dmp

Filesize
3.3MB

Download
memory/2644-153-0x0000000000EF0000-0x0000000000F1D000-memory.dmp

Filesize
180KB

Download
memory/2644-150-0x00000000003C0000-0x00000000003C7000-memory.dmp

Filesize
28KB

Download
memory/2644-155-0x0000000001490000-0x000000000151F000-memory.dmp

Filesize
572KB

Download
memory/2644-152-0x00000000003C0000-0x00000000003C7000-memory.dmp

Filesize
28KB

Download
memory/3140-165-0x0000000007CB0000-0x0000000007D98000-memory.dmp

Filesize
928KB

Download
memory/3140-156-0x0000000007CB0000-0x0000000007D98000-memory.dmp

Filesize
928KB

Download
memory/3140-157-0x0000000007CB0000-0x0000000007D98000-memory.dmp

Filesize
928KB

Download
memory/3140-149-0x00000000026B0000-0x00000000027BA000-memory.dmp

Filesize
1.0MB

Download
memory/4408-151-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4408-142-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4408-145-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4408-148-0x00000000018D0000-0x00000000018E0000-memory.dmp

Filesize
64KB

Download
memory/4408-147-0x0000000001910000-0x0000000001C5A000-memory.dmp

Filesize
3.3MB

Download
memory/4408-146-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download