951c96faf86b41a91c2a5e1eafe8b94e1bec28653d194e5320c4385a36cfae5a

Analysis

max time kernel
146s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
13/04/2023, 11:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Setup.exe
Size

6.7MB
MD5

23d9a8cf15fe71598614e769e409c3df
SHA1

b5b397f733c4acf378cf707c60db9488b38ce5a8
SHA256

5a68fb28c84d3c0850006e6d6355075d99049adf5c939afba3c945bad7be673c
SHA512

1b48ade8a793d4cdcd93b343175c1cc822ed3298c8293393edc702033b15e9fe9385967ca7fda33279dfa2790c59c9dad3c2181ed31a3f1fedaca4fd6f06e64f
SSDEEP

98304:lc+kjotiAzy6lfxocFW2kTBrHJWGs2NyqeoNE/7SRYY2VymGu/m6zHAlA64TRRs:cjOpzhrt9kTVHJack+YlGlSRRs

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	Nzg1YWM4MzJlZjhhNDYxNWQ5MTNiMTU1YzJmNWRiZGU.exe

Executes dropped EXE 2 IoCs

pid	Process
4008	Nzg1YWM4MzJlZjhhNDYxNWQ5MTNiMTU1YzJmNWRiZGU.exe
4424	1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1800	javaw.exe
1800	javaw.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1704 wrote to memory of 1800	1704	Setup.exe	82
PID 1704 wrote to memory of 1800	1704	Setup.exe	82
PID 1704 wrote to memory of 1800	1704	Setup.exe	82
PID 1800 wrote to memory of 3264	1800	javaw.exe	90
PID 1800 wrote to memory of 3264	1800	javaw.exe	90
PID 1800 wrote to memory of 3264	1800	javaw.exe	90
PID 4168 wrote to memory of 4008	4168	explorer.exe	92
PID 4168 wrote to memory of 4008	4168	explorer.exe	92
PID 4168 wrote to memory of 4008	4168	explorer.exe	92
PID 4008 wrote to memory of 4424	4008	Nzg1YWM4MzJlZjhhNDYxNWQ5MTNiMTU1YzJmNWRiZGU.exe	94
PID 4008 wrote to memory of 4424	4008	Nzg1YWM4MzJlZjhhNDYxNWQ5MTNiMTU1YzJmNWRiZGU.exe	94
PID 4008 wrote to memory of 4424	4008	Nzg1YWM4MzJlZjhhNDYxNWQ5MTNiMTU1YzJmNWRiZGU.exe	94

C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1704
- C:\Users\Admin\AppData\Local\Temp\jre\bin\javaw.exe
  "C:\Users\Admin\AppData\Local\Temp\jre\bin\javaw.exe" -Dfile.encoding=UTF-8 -classpath "C:\Users\Admin\AppData\Local\Temp\Setup.exe" org.develnext.jphp.ext.javafx.FXLauncher
  2⤵
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1800
- - C:\Windows\SysWOW64\explorer.exe
    explorer C:\Users\Admin\AppData\Local\Temp\Nzg1YWM4MzJlZjhhNDYxNWQ5MTNiMTU1YzJmNWRiZGU.exe
    3⤵
    PID:3264

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:4168
- C:\Users\Admin\AppData\Local\Temp\Nzg1YWM4MzJlZjhhNDYxNWQ5MTNiMTU1YzJmNWRiZGU.exe
  "C:\Users\Admin\AppData\Local\Temp\Nzg1YWM4MzJlZjhhNDYxNWQ5MTNiMTU1YzJmNWRiZGU.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4008
- - C:\Users\Admin\AppData\Local\Temp\1.exe
    "C:\Users\Admin\AppData\Local\Temp\1.exe"
    3⤵
    - Executes dropped EXE
    PID:4424
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
      4⤵
      PID:1112
- - C:\Users\Admin\AppData\Local\Temp\Update.exe
    "C:\Users\Admin\AppData\Local\Temp\Update.exe"
    3⤵
    PID:1440
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
      4⤵
      PID:1168

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1.exe

Filesize
154.7MB

MD5
2010d2c3cb1a127e7db143201c2eb9b8

SHA1
cd51c0b1457acb7d5cec4a76d4ff41463541e6dd

SHA256
64859e1b59756535e53b37d8d9b63b80d4014d3a0b16f9a439641283006fda7d

SHA512
ab6ac4602c5e86840ab820804b7291e4983e005734b87f94fa58cce707f20292dbf4e6ccc8161b1c9dbcde0a0d75e402e8ae343e2363bcd4164986b8c40d0a91

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.exe

Filesize
16.3MB

MD5
d002bd3f21421dd87ca8cb0794181d69

SHA1
8d88e8124ed99def8a0595d4a3c6f50d4c013b09

SHA256
fb2dd407c23ffd36cfaef9376fe776342bb54368506df14990c4d1be4ebe0927

SHA512
aee0040c412f8c7f4b5aa9650c8bbb09c4aed7f750cc39b79b9a3c880ad46132e3721ac680dee004544a2e73436662215abe557b3431f87e3928f2d635c3b2bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.exe

Filesize
15.6MB

MD5
49b1992184141a10b2b96f4c07fbad28

SHA1
26eebee3dd97fbeeb388c85f9c3ab695183537e0

SHA256
0662ebdc6e0aca9f34461a441fb1b84d7c7b5daf31cb2839e2644e4df85df795

SHA512
0e9784a706d34c05e5769225e640394248c0077a1f1e0494de6daa6b6ab6bf8d9c0f2de6bb7239c4e2a39286cb91fdc0686aaf981e4f79902a2b2b7960ab7b18

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nzg1YWM4MzJlZjhhNDYxNWQ5MTNiMTU1YzJmNWRiZGU.exe

Filesize
1.6MB

MD5
916a9dbf2764445c174d5a470936d8fd

SHA1
6d37f682357800382b61115b01f4fcebd6862103

SHA256
7f9496b9c6d4d1571cea5969472dcf8a363ae0b728b55ee9fe83d57975627117

SHA512
9782e25b8a8bfd9fac7763c9e3af160b89eb7d74fddc9ef234c6f209e26a8c43812dd22ae054ca94aefc27ce39d4a8c2592058dbf433e410181f192e6da8ff59

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nzg1YWM4MzJlZjhhNDYxNWQ5MTNiMTU1YzJmNWRiZGU.exe

Filesize
1.6MB

MD5
916a9dbf2764445c174d5a470936d8fd

SHA1
6d37f682357800382b61115b01f4fcebd6862103

SHA256
7f9496b9c6d4d1571cea5969472dcf8a363ae0b728b55ee9fe83d57975627117

SHA512
9782e25b8a8bfd9fac7763c9e3af160b89eb7d74fddc9ef234c6f209e26a8c43812dd22ae054ca94aefc27ce39d4a8c2592058dbf433e410181f192e6da8ff59

Download Submit
C:\Users\Admin\AppData\Local\Temp\Update.exe

Filesize
997KB

MD5
43e651c15b6a352f30b64e13ef747334

SHA1
fb987832689f996252e742182e7d3a5f2256c2f9

SHA256
5f6ed3bf10af3dfc4ae0d33dd25585243baec24cae622b22545f7626050d618f

SHA512
78adfca7b128f6e4c4797a772cb67d469f763c5f55da3e032baa03a28b7f1ec6fa579c95655cee377bee359970224aa69d3c9b8951fbb46bf4e8f57483a37449

Download Submit
C:\Users\Admin\AppData\Local\Temp\Update.exe

Filesize
997KB

MD5
43e651c15b6a352f30b64e13ef747334

SHA1
fb987832689f996252e742182e7d3a5f2256c2f9

SHA256
5f6ed3bf10af3dfc4ae0d33dd25585243baec24cae622b22545f7626050d618f

SHA512
78adfca7b128f6e4c4797a772cb67d469f763c5f55da3e032baa03a28b7f1ec6fa579c95655cee377bee359970224aa69d3c9b8951fbb46bf4e8f57483a37449

Download Submit
C:\Users\Admin\AppData\Local\Temp\Update.exe

Filesize
997KB

MD5
43e651c15b6a352f30b64e13ef747334

SHA1
fb987832689f996252e742182e7d3a5f2256c2f9

SHA256
5f6ed3bf10af3dfc4ae0d33dd25585243baec24cae622b22545f7626050d618f

SHA512
78adfca7b128f6e4c4797a772cb67d469f763c5f55da3e032baa03a28b7f1ec6fa579c95655cee377bee359970224aa69d3c9b8951fbb46bf4e8f57483a37449

Download Submit
memory/1440-436-0x0000000000380000-0x000000000047E000-memory.dmp

Filesize
1016KB

Download
memory/1704-133-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1800-196-0x0000000001300000-0x0000000001301000-memory.dmp

Filesize
4KB

Download
memory/1800-246-0x0000000001300000-0x0000000001301000-memory.dmp

Filesize
4KB

Download
memory/1800-244-0x0000000001300000-0x0000000001301000-memory.dmp

Filesize
4KB

Download
memory/1800-241-0x0000000001300000-0x0000000001301000-memory.dmp

Filesize
4KB

Download
memory/1800-230-0x0000000001300000-0x0000000001301000-memory.dmp

Filesize
4KB

Download
memory/1800-228-0x0000000001300000-0x0000000001301000-memory.dmp

Filesize
4KB

Download
memory/1800-193-0x0000000001300000-0x0000000001301000-memory.dmp

Filesize
4KB

Download
memory/1800-164-0x0000000001300000-0x0000000001301000-memory.dmp

Filesize
4KB

Download
memory/1800-162-0x0000000001300000-0x0000000001301000-memory.dmp

Filesize
4KB

Download