1c924e5c3639fd9af8263c985dad9d7fb41b4eb23133563362cff92f3b410f07

Analysis

max time kernel
114s
max time network
131s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2023, 14:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0FF1C3 2021 - by Diekrolo/M1CR0S0F7 0FF1C3 2021 (LICENCIA PERPETUA) -S.M/files/setup.exe
Size

7.0MB
MD5

072a2efea576956e465aff2492a1c7f4
SHA1

c7ae89bf444a33d9d92584df62e16e518942b31d
SHA256

ee3875abd5d49a1891c8818820f61a1e5d0382df37b5a5b72e175b2b6c70a9c2
SHA512

5b4f4a4508d042c7554369729ca40cb16ed61f63a41996bf8689a17d0939fc95834a44e54833e50291b26df4d2f0d2877a6272039b3fc0b20dabc885eecc87eb
SSDEEP

98304:4RimgRP8n5KSBHSFDd0t2M69XpiSLMmSCh+kB63QcJ11PaKLkhd2S6amwY2hk4:rmmGmDd0tMXHMmXh+kBuhJ1IDYS6amWT

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	setup.exe

Checks system information in the registry 2 TTPs 2 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	setup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	setup.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	setup.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3068	powershell.exe
3068	powershell.exe
1200	powershell.exe
1200	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3068	powershell.exe
Token: SeDebugPrivilege	1200	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3648	setup.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3648 wrote to memory of 3068	3648	setup.exe	86
PID 3648 wrote to memory of 3068	3648	setup.exe	86
PID 3648 wrote to memory of 3068	3648	setup.exe	86
PID 3648 wrote to memory of 1200	3648	setup.exe	92
PID 3648 wrote to memory of 1200	3648	setup.exe	92
PID 3648 wrote to memory of 1200	3648	setup.exe	92

C:\Users\Admin\AppData\Local\Temp\0FF1C3 2021 - by Diekrolo\M1CR0S0F7 0FF1C3 2021 (LICENCIA PERPETUA) -S.M\files\setup.exe
"C:\Users\Admin\AppData\Local\Temp\0FF1C3 2021 - by Diekrolo\M1CR0S0F7 0FF1C3 2021 (LICENCIA PERPETUA) -S.M\files\setup.exe"
1⤵
- Checks computer location settings
- Checks system information in the registry
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3648
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile "$package = Get-AppxPackage Microsoft.Office.Desktop -allUsers; if (!$package) { $Error.Add(\"Package is not installed\")}; if ($error.Count -eq 0) { Out-File -FilePath 'C:\Users\Admin\AppData\Local\Temp\Office.ValidateResult.scratch' -InputObject '1' -Encoding ascii; } else { Out-File -FilePath 'C:\Users\Admin\AppData\Local\Temp\Office.ValidateResult.scratch' -InputObject '0' -Encoding ascii; Out-File -FilePath 'C:\Users\Admin\AppData\Local\Temp\Office.ValidateError.scratch' -InputObject $error -Encoding ascii;} "
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3068
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile "$package = Get-AppxPackage Microsoft.Office.Desktop -allUsers; if (!$package) { $Error.Add(\"Package is not installed\")}; if ($error.Count -eq 0) { Out-File -FilePath 'C:\Users\Admin\AppData\Local\Temp\Office.ValidateResult.scratch' -InputObject '1' -Encoding ascii; } else { Out-File -FilePath 'C:\Users\Admin\AppData\Local\Temp\Office.ValidateResult.scratch' -InputObject '0' -Encoding ascii; Out-File -FilePath 'C:\Users\Admin\AppData\Local\Temp\Office.ValidateError.scratch' -InputObject $error -Encoding ascii;} "
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1200

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
95201d9e44c732d9b261b4b334505d6b

SHA1
d5f3f499ef27920d8a614152191a7e0c2f9c0264

SHA256
baa9a89717f4013b2799bd06490c738246759ecdf7a3200406fad5a443e83669

SHA512
15ddf637b642144dca99e2794cb4ca4d1dfa9d682e7eb42075d9b269dd5a479b5ea86017db142b599a3f022ebb695baf3691305ab17009060b4f64ddd7254282

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
e00a3e8635b0ce783692b98b67959cc8

SHA1
0b671ce63a0b8578d499a2fa01f50230f8ebbe83

SHA256
10d1543e6c61cef1e4a278ee3ebc4c727d52a4bce11bf32eeb2a4eb89a7cf87c

SHA512
ce9d3983abcfe388a8ff1e9e6087b5c61130627fe009f6f0de42f444624dec2dc15cee11705aba9ca5b6805bb05611e7eb94dacfca8520b3ca926361be6b6493

Download Submit
C:\Users\Admin\AppData\Local\Temp\Office.ValidateError.scratch

Filesize
26B

MD5
bd3457e50947d4280734e74b51b5b68d

SHA1
424635c6b5622a6c01a59d290a1c9ab8e593effc

SHA256
23d647979bc5dc186de5ba3e00a222a912ab8e4782eb6407efa70e29e95979f5

SHA512
e83e3615a5e94af288eb1c9b92f55e271765cc43531ec94574371debf63c0c4a58327b6fd8a4775bfba8a3234220cb0396b6d33164309a09a1d826c0689143fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Office.ValidateError.scratch

Filesize
26B

MD5
bd3457e50947d4280734e74b51b5b68d

SHA1
424635c6b5622a6c01a59d290a1c9ab8e593effc

SHA256
23d647979bc5dc186de5ba3e00a222a912ab8e4782eb6407efa70e29e95979f5

SHA512
e83e3615a5e94af288eb1c9b92f55e271765cc43531ec94574371debf63c0c4a58327b6fd8a4775bfba8a3234220cb0396b6d33164309a09a1d826c0689143fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Office.ValidateResult.scratch

Filesize
3B

MD5
21438ef4b9ad4fc266b6129a2f60de29

SHA1
5eb8e2242eeb4f5432beeec8b873f1ab0a6b71fd

SHA256
13bf7b3039c63bf5a50491fa3cfd8eb4e699d1ba1436315aef9cbe5711530354

SHA512
37436ced85e5cd638973e716d6713257d692f9dd2e1975d5511ae3856a7b3b9f0d9e497315a058b516ab31d652ea9950938c77c1ad435ea8d4b49d73427d1237

Download Submit
C:\Users\Admin\AppData\Local\Temp\Office.ValidateResult.scratch

Filesize
3B

MD5
21438ef4b9ad4fc266b6129a2f60de29

SHA1
5eb8e2242eeb4f5432beeec8b873f1ab0a6b71fd

SHA256
13bf7b3039c63bf5a50491fa3cfd8eb4e699d1ba1436315aef9cbe5711530354

SHA512
37436ced85e5cd638973e716d6713257d692f9dd2e1975d5511ae3856a7b3b9f0d9e497315a058b516ab31d652ea9950938c77c1ad435ea8d4b49d73427d1237

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3bsjkx4l.xa3.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1200-201-0x000000007FB90000-0x000000007FBA0000-memory.dmp

Filesize
64KB

Download
memory/1200-191-0x000000006E4E0000-0x000000006E52C000-memory.dmp

Filesize
304KB

Download
memory/1200-190-0x00000000027E0000-0x00000000027F0000-memory.dmp

Filesize
64KB

Download
memory/1200-179-0x00000000027E0000-0x00000000027F0000-memory.dmp

Filesize
64KB

Download
memory/1200-178-0x00000000027E0000-0x00000000027F0000-memory.dmp

Filesize
64KB

Download
memory/3068-141-0x0000000006350000-0x00000000063B6000-memory.dmp

Filesize
408KB

Download
memory/3068-153-0x0000000007940000-0x0000000007972000-memory.dmp

Filesize
200KB

Download
memory/3068-166-0x0000000007A10000-0x0000000007A2A000-memory.dmp

Filesize
104KB

Download
memory/3068-167-0x000000007EF80000-0x000000007EF90000-memory.dmp

Filesize
64KB

Download
memory/3068-168-0x0000000007A80000-0x0000000007A96000-memory.dmp

Filesize
88KB

Download
memory/3068-169-0x0000000006F30000-0x0000000006F3A000-memory.dmp

Filesize
40KB

Download
memory/3068-170-0x0000000007F10000-0x0000000007F36000-memory.dmp

Filesize
152KB

Download
memory/3068-164-0x0000000006F30000-0x0000000006F4E000-memory.dmp

Filesize
120KB

Download
memory/3068-154-0x000000006E4E0000-0x000000006E52C000-memory.dmp

Filesize
304KB

Download
memory/3068-165-0x00000000083F0000-0x0000000008A6A000-memory.dmp

Filesize
6.5MB

Download
memory/3068-152-0x0000000002FF0000-0x0000000003000000-memory.dmp

Filesize
64KB

Download
memory/3068-151-0x0000000006970000-0x000000000698E000-memory.dmp

Filesize
120KB

Download
memory/3068-135-0x00000000053A0000-0x00000000053D6000-memory.dmp

Filesize
216KB

Download
memory/3068-140-0x0000000002FF0000-0x0000000003000000-memory.dmp

Filesize
64KB

Download
memory/3068-139-0x0000000002FF0000-0x0000000003000000-memory.dmp

Filesize
64KB

Download
memory/3068-138-0x0000000006270000-0x00000000062D6000-memory.dmp

Filesize
408KB

Download
memory/3068-137-0x00000000060D0000-0x00000000060F2000-memory.dmp

Filesize
136KB

Download
memory/3068-136-0x0000000005A10000-0x0000000006038000-memory.dmp

Filesize
6.2MB

Download