89780102068a6bd2e67bb50d52c2f2adc6d59bfd79ac219cab707de9afeb120c

Analysis

max time kernel
143s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
11/04/2023, 13:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

89780102068a6bd2e67bb50d52c2f2adc6d59bfd79ac219cab707de9afeb120c.exe
Size

2.5MB
MD5

6e5a161828537db623b6a761f441f7a7
SHA1

d49d324aba6525926d4ce03ecb3793550a7ee46c
SHA256

89780102068a6bd2e67bb50d52c2f2adc6d59bfd79ac219cab707de9afeb120c
SHA512

4653e8daa30b22083bc20a47d44ca44a4d86e1c4f3f6edf902a3cf9c67a578da24b5e8f6dc37043b73242e9c1c565d111972247d780fb84eab36d336536a7747
SSDEEP

49152:XFAOqOepGRO2ho8ir+6NJSD5QRQt9t8TmdRNm9Ok1QoWskYRRsanPEOc:XFALOW6LhoRJSNuQRVdRN0zWsfRRsaPM

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	89780102068a6bd2e67bb50d52c2f2adc6d59bfd79ac219cab707de9afeb120c.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	Project.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	_config.exe

Executes dropped EXE 4 IoCs

pid	Process
460	Project.exe
4664	music.exe
4692	_config.exe
4296	_config.exe

Loads dropped DLL 1 IoCs

pid	Process
460	Project.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2484	4664	WerFault.exe	93

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	helppane.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2620	helppane.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2620	helppane.exe
2620	helppane.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 3036 wrote to memory of 460	3036	89780102068a6bd2e67bb50d52c2f2adc6d59bfd79ac219cab707de9afeb120c.exe	84
PID 3036 wrote to memory of 460	3036	89780102068a6bd2e67bb50d52c2f2adc6d59bfd79ac219cab707de9afeb120c.exe	84
PID 460 wrote to memory of 4664	460	Project.exe	93
PID 460 wrote to memory of 4664	460	Project.exe	93
PID 460 wrote to memory of 4664	460	Project.exe	93
PID 460 wrote to memory of 4692	460	Project.exe	94
PID 460 wrote to memory of 4692	460	Project.exe	94
PID 460 wrote to memory of 4692	460	Project.exe	94
PID 2620 wrote to memory of 4296	2620	helppane.exe	99
PID 2620 wrote to memory of 4296	2620	helppane.exe	99
PID 2620 wrote to memory of 4296	2620	helppane.exe	99
PID 4296 wrote to memory of 4400	4296	_config.exe	100
PID 4296 wrote to memory of 4400	4296	_config.exe	100
PID 4296 wrote to memory of 4400	4296	_config.exe	100

C:\Users\Admin\AppData\Local\Temp\89780102068a6bd2e67bb50d52c2f2adc6d59bfd79ac219cab707de9afeb120c.exe
"C:\Users\Admin\AppData\Local\Temp\89780102068a6bd2e67bb50d52c2f2adc6d59bfd79ac219cab707de9afeb120c.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3036
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\Project.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Project.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:460
- - C:\Users\Admin\AppData\Roaming\7CEGIJLLPR\music.exe
    "C:\Users\Admin\AppData\Roaming\7CEGIJLLPR\music.exe"
    3⤵
    - Executes dropped EXE
    PID:4664
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4664 -s 540
      4⤵
      Program crash
      PID:2484
- - C:\Users\Admin\AppData\Local\Temp\_config.exe
    "C:\Users\Admin\AppData\Local\Temp\_config.exe"
    3⤵
    - Executes dropped EXE
    PID:4692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4664 -ip 4664
1⤵
PID:564

C:\Windows\helppane.exe
C:\Windows\helppane.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2620
- C:\Users\Admin\AppData\Local\Temp\_config.exe
  "C:\Users\Admin\AppData\Local\Temp\_config.exe" shell32.dll,ShellExec_RunDLL reg.exe add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v "Startup" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\7CEGIJLLPR" /f
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4296
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v "Startup" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\7CEGIJLLPR" /f
    3⤵
    PID:4400

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Project.exe

Filesize
12.2MB

MD5
3a86831e8a40942a3b52b106918233c6

SHA1
e99eb909340269ae614d26c1e95489ae803b1000

SHA256
01f7d004ea6dbad4b2d9a12aa42a3bf6745c96cf356367cad51f8d001b247738

SHA512
2c3250dbdf5d9ad7ed6aed816e2c4e01ee9c564b175c455920cfce204b090e1863bb63e53951ecd587b4755bf85492708e575fc306c7ebf6f1de1c65d118b78c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Project.exe

Filesize
12.2MB

MD5
3a86831e8a40942a3b52b106918233c6

SHA1
e99eb909340269ae614d26c1e95489ae803b1000

SHA256
01f7d004ea6dbad4b2d9a12aa42a3bf6745c96cf356367cad51f8d001b247738

SHA512
2c3250dbdf5d9ad7ed6aed816e2c4e01ee9c564b175c455920cfce204b090e1863bb63e53951ecd587b4755bf85492708e575fc306c7ebf6f1de1c65d118b78c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\VMProtectSDK64.dll

Filesize
66KB

MD5
c3eeef64ff9dc524cc7c4203275ee722

SHA1
86ffc7bc5d1eb7e15efa61cb49afbdcbf6c8fa53

SHA256
48dc6c16ba5d372020eb7eab20933a8c4c93a4697038c6a2e0122a2a49c94258

SHA512
2898ed6efadcb0a83a74c6930cd47fc1a23f903eb44a1c9a9507dcd2792f02db1262ada9af6d8ebf2a89ef68ddc8dceb80788d859ba5ddab11b4110be547ad9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\VMProtectSDK64.dll

Filesize
66KB

MD5
c3eeef64ff9dc524cc7c4203275ee722

SHA1
86ffc7bc5d1eb7e15efa61cb49afbdcbf6c8fa53

SHA256
48dc6c16ba5d372020eb7eab20933a8c4c93a4697038c6a2e0122a2a49c94258

SHA512
2898ed6efadcb0a83a74c6930cd47fc1a23f903eb44a1c9a9507dcd2792f02db1262ada9af6d8ebf2a89ef68ddc8dceb80788d859ba5ddab11b4110be547ad9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_config.exe

Filesize
82KB

MD5
cbbdef6c4d82eb4ff01ed43f1e641907

SHA1
722ba8786507f2cad599b11cdc4a139909f4f9f1

SHA256
37a5d7960b09d3f0ec4c8d39203ce285a9ced3c70c3e3fbd5c6f3f21678bdec4

SHA512
6f8cbe5555d7354920bb03177b69947cec6825bb71a4a77e154b185061214f57f7fcc75f5e477fc432a66094ff1ba4edc823abaf2cf7cd03191b4b566a85d1fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_config.exe

Filesize
82KB

MD5
cbbdef6c4d82eb4ff01ed43f1e641907

SHA1
722ba8786507f2cad599b11cdc4a139909f4f9f1

SHA256
37a5d7960b09d3f0ec4c8d39203ce285a9ced3c70c3e3fbd5c6f3f21678bdec4

SHA512
6f8cbe5555d7354920bb03177b69947cec6825bb71a4a77e154b185061214f57f7fcc75f5e477fc432a66094ff1ba4edc823abaf2cf7cd03191b4b566a85d1fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_config.exe

Filesize
82KB

MD5
cbbdef6c4d82eb4ff01ed43f1e641907

SHA1
722ba8786507f2cad599b11cdc4a139909f4f9f1

SHA256
37a5d7960b09d3f0ec4c8d39203ce285a9ced3c70c3e3fbd5c6f3f21678bdec4

SHA512
6f8cbe5555d7354920bb03177b69947cec6825bb71a4a77e154b185061214f57f7fcc75f5e477fc432a66094ff1ba4edc823abaf2cf7cd03191b4b566a85d1fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_config.lnk

Filesize
2KB

MD5
45c067653d2c10289c347acb93cf0a6b

SHA1
74b65960e573c410374ac7eba32bd0b3dc0a8e73

SHA256
baa1df8323b379f59403a3f0abb8dbe121bc50164b9b7c58ce5b8b6c7d197af2

SHA512
18381fb0e6053c0df67841e97eb64c1f87589210f6414644ec29c449571d8cc2b0f1fe469a29aa2a32d5e7df5e5ceedd3d551b13c61af294d9d814876b7beeef

Download Submit
C:\Users\Admin\AppData\Roaming\7CEGIJLLPR\music.exe

Filesize
2.2MB

MD5
88eeb5ab6c8a2bf60b0fbb5a0269f358

SHA1
c6591df354f1b253fb880213f36ed90856a352df

SHA256
739cdc3ab3bba5f482b16aebeada8850d775ee53c1d7409f9a3c7d13a11824be

SHA512
cf2aa2adec3b67280bd24f1bc2a0ce825ee61f080f1adb61fb8c9e4a53bbad7196afc8a81bdbfc5ff362943521e8ca6285c52bea7094a190bba0f4dbeb6c969d

Download Submit
C:\Users\Admin\AppData\Roaming\7CEGIJLLPR\music.exe

Filesize
2.2MB

MD5
88eeb5ab6c8a2bf60b0fbb5a0269f358

SHA1
c6591df354f1b253fb880213f36ed90856a352df

SHA256
739cdc3ab3bba5f482b16aebeada8850d775ee53c1d7409f9a3c7d13a11824be

SHA512
cf2aa2adec3b67280bd24f1bc2a0ce825ee61f080f1adb61fb8c9e4a53bbad7196afc8a81bdbfc5ff362943521e8ca6285c52bea7094a190bba0f4dbeb6c969d

Download Submit
C:\Users\Admin\AppData\Roaming\7CEGIJLLPR\music.exe

Filesize
2.2MB

MD5
88eeb5ab6c8a2bf60b0fbb5a0269f358

SHA1
c6591df354f1b253fb880213f36ed90856a352df

SHA256
739cdc3ab3bba5f482b16aebeada8850d775ee53c1d7409f9a3c7d13a11824be

SHA512
cf2aa2adec3b67280bd24f1bc2a0ce825ee61f080f1adb61fb8c9e4a53bbad7196afc8a81bdbfc5ff362943521e8ca6285c52bea7094a190bba0f4dbeb6c969d

Download Submit
memory/460-150-0x00000000011A0000-0x00000000011A1000-memory.dmp

Filesize
4KB

Download
memory/460-2108-0x0000000000400000-0x0000000001045000-memory.dmp

Filesize
12.3MB

Download
memory/460-151-0x0000000000400000-0x0000000001045000-memory.dmp

Filesize
12.3MB

Download
memory/460-2113-0x0000000000400000-0x0000000001045000-memory.dmp

Filesize
12.3MB

Download
memory/2620-2114-0x000001FB29C20000-0x000001FB2B297000-memory.dmp

Filesize
22.5MB

Download
memory/4664-164-0x0000000075670000-0x0000000075885000-memory.dmp

Filesize
2.1MB

Download
memory/4664-2110-0x0000000000400000-0x0000000000792000-memory.dmp

Filesize
3.6MB

Download
memory/4664-163-0x0000000000400000-0x0000000000792000-memory.dmp

Filesize
3.6MB

Download