a667a6edf2ca03237aeb69702fb4fb686d6b21b6aa8774555d0d429a18025f8a

Analysis

max time kernel
170s
max time network
174s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
02/10/2022, 10:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a667a6edf2ca03237aeb69702fb4fb686d6b21b6aa8774555d0d429a18025f8a.exe
Size

652KB
MD5

6f3a1629c1e04c51b66eb63887f22e70
SHA1

fad3f8da060b92a81f9cfdeb2a6b0d7ed1a64067
SHA256

a667a6edf2ca03237aeb69702fb4fb686d6b21b6aa8774555d0d429a18025f8a
SHA512

4e3dea7c6d0f1933ba965d2925223aae2bb2a727fa3a653e3d1c1cf7af41dc8af56dafc8169484750f128217404b1b633bfd95e6fa33ef7e2baa460fee3ba5b8
SSDEEP

12288:VHjcoe9PH96vB/fAuBcm9TyOE/xG3muGx44MG4Yx:VDgINfAuBcgcZG2uG24MG4Y

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
4572	tyomgyg.exe
5088	~DFA23C.tmp
4416	judaahg.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	a667a6edf2ca03237aeb69702fb4fb686d6b21b6aa8774555d0d429a18025f8a.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	~DFA23C.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
4416	judaahg.exe
4416	judaahg.exe
4416	judaahg.exe
4416	judaahg.exe
4416	judaahg.exe
4416	judaahg.exe
4416	judaahg.exe
4416	judaahg.exe
4416	judaahg.exe
4416	judaahg.exe
4416	judaahg.exe
4416	judaahg.exe
4416	judaahg.exe
4416	judaahg.exe
4416	judaahg.exe
4416	judaahg.exe
4416	judaahg.exe
4416	judaahg.exe
4416	judaahg.exe
4416	judaahg.exe
4416	judaahg.exe
4416	judaahg.exe
4416	judaahg.exe
4416	judaahg.exe
4416	judaahg.exe
4416	judaahg.exe
4416	judaahg.exe
4416	judaahg.exe
4416	judaahg.exe
4416	judaahg.exe
4416	judaahg.exe
4416	judaahg.exe
4416	judaahg.exe
4416	judaahg.exe
4416	judaahg.exe
4416	judaahg.exe
4416	judaahg.exe
4416	judaahg.exe
4416	judaahg.exe
4416	judaahg.exe
4416	judaahg.exe
4416	judaahg.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	5088	~DFA23C.tmp

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4896 wrote to memory of 4572	4896	a667a6edf2ca03237aeb69702fb4fb686d6b21b6aa8774555d0d429a18025f8a.exe	82
PID 4896 wrote to memory of 4572	4896	a667a6edf2ca03237aeb69702fb4fb686d6b21b6aa8774555d0d429a18025f8a.exe	82
PID 4896 wrote to memory of 4572	4896	a667a6edf2ca03237aeb69702fb4fb686d6b21b6aa8774555d0d429a18025f8a.exe	82
PID 4572 wrote to memory of 5088	4572	tyomgyg.exe	83
PID 4572 wrote to memory of 5088	4572	tyomgyg.exe	83
PID 4572 wrote to memory of 5088	4572	tyomgyg.exe	83
PID 4896 wrote to memory of 1372	4896	a667a6edf2ca03237aeb69702fb4fb686d6b21b6aa8774555d0d429a18025f8a.exe	84
PID 4896 wrote to memory of 1372	4896	a667a6edf2ca03237aeb69702fb4fb686d6b21b6aa8774555d0d429a18025f8a.exe	84
PID 4896 wrote to memory of 1372	4896	a667a6edf2ca03237aeb69702fb4fb686d6b21b6aa8774555d0d429a18025f8a.exe	84
PID 5088 wrote to memory of 4416	5088	~DFA23C.tmp	88
PID 5088 wrote to memory of 4416	5088	~DFA23C.tmp	88
PID 5088 wrote to memory of 4416	5088	~DFA23C.tmp	88

C:\Users\Admin\AppData\Local\Temp\a667a6edf2ca03237aeb69702fb4fb686d6b21b6aa8774555d0d429a18025f8a.exe
"C:\Users\Admin\AppData\Local\Temp\a667a6edf2ca03237aeb69702fb4fb686d6b21b6aa8774555d0d429a18025f8a.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4896
- C:\Users\Admin\AppData\Local\Temp\tyomgyg.exe
  C:\Users\Admin\AppData\Local\Temp\tyomgyg.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4572
- - C:\Users\Admin\AppData\Local\Temp\~DFA23C.tmp
    C:\Users\Admin\AppData\Local\Temp\~DFA23C.tmp OK
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5088
  - - C:\Users\Admin\AppData\Local\Temp\judaahg.exe
      "C:\Users\Admin\AppData\Local\Temp\judaahg.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:4416
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
  2⤵
  PID:1372

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uninsep.bat

Filesize
341B

MD5
a3afb3a72a76309fdb7b5edfbf8174bd

SHA1
14c989e990b45ccbffb11842c1b01f7794796109

SHA256
6a25d4cd25b72dc540940112509ec579167c59d46eb3b6b5050659c21d9e5db2

SHA512
8e2c01e83f05f3af185cc142ac9a029beda69a2923b4505058cb840d12ec15047cdf4ced409fb61e23816c32e4c40704eae1bfe43b0cf9af8fc7c10fdcf41a18

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
86bb2dbeaef655893262f3c041f6afe2

SHA1
1b26ff1241c1353bd506c18bd0c11878076ba65d

SHA256
4a57643d2c59d1235bc0926f845583f39345839e3e9428ad619eb4b6baf96ad2

SHA512
58294cfaa5882a4c5625c03fe6f9e4882912b31f7169241f95626745d66c0a746083a9044365943d66ae7a420113d28c0ddd642c4ed697c683deb63796a13d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
480B

MD5
cb7a63ba1fb678dff4f24c90cd155c6d

SHA1
a9efc7b03d5147c44c209fe4af22352e1d23f8fd

SHA256
6b046d408e70a19996da0a1a345ae6117f9f10cd3251855d5400831614f11947

SHA512
0783a66552e5dd453746c9f0699e8ea456649110d319bd6e1be508703f3208f429b17654d943242f147e065cc24cbde6e8f398ee53f7bc6b403988d3291e5143

Download Submit
C:\Users\Admin\AppData\Local\Temp\judaahg.exe

Filesize
377KB

MD5
88a4fe20e95a3d6651cdd3eec16ff5b8

SHA1
b8f74b66c82b581d3accb72c60fd10dff4fad51a

SHA256
78f736e8f19ca3a5e424ad9bcb8542e8df50b54705dcfb3af206fd8ff39a68f4

SHA512
1a54bdd7f7a42599608d3f774a668b9db36914e569e73db31397cf3a402fe668ae139151248acc28fdcb265d8d4836b4034a8620196d2a061c4c4462992e4e4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\judaahg.exe

Filesize
377KB

MD5
88a4fe20e95a3d6651cdd3eec16ff5b8

SHA1
b8f74b66c82b581d3accb72c60fd10dff4fad51a

SHA256
78f736e8f19ca3a5e424ad9bcb8542e8df50b54705dcfb3af206fd8ff39a68f4

SHA512
1a54bdd7f7a42599608d3f774a668b9db36914e569e73db31397cf3a402fe668ae139151248acc28fdcb265d8d4836b4034a8620196d2a061c4c4462992e4e4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tyomgyg.exe

Filesize
653KB

MD5
a981e77a765080903061632671b0836f

SHA1
0016573c120f73c3091112c2efa8715503f6f5cf

SHA256
889a9ef524eafd773a850697ca88117d9a41345c882183428d893b2780256180

SHA512
bd35acedd4f7b2a1bc2fd4a6d586980866bd7cc358041ddbc87be9fd5c93fbca0053d7bdae029a9e644485170b49233544af05ff3ff8b12bbbc00c04450dc957

Download Submit
C:\Users\Admin\AppData\Local\Temp\tyomgyg.exe

Filesize
653KB

MD5
a981e77a765080903061632671b0836f

SHA1
0016573c120f73c3091112c2efa8715503f6f5cf

SHA256
889a9ef524eafd773a850697ca88117d9a41345c882183428d893b2780256180

SHA512
bd35acedd4f7b2a1bc2fd4a6d586980866bd7cc358041ddbc87be9fd5c93fbca0053d7bdae029a9e644485170b49233544af05ff3ff8b12bbbc00c04450dc957

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA23C.tmp

Filesize
655KB

MD5
318c2dccde072a40444f8dc9d56b8ddb

SHA1
f96de99f76a8f27c9a4cf7ff5c60833372e89ec5

SHA256
51b2b3b26329e742fd3f5ec5e4613c7045d4f135e26d33c934ec8377691600e3

SHA512
0d461cabf77c1a084169200b8b326f532265f15370233507eb40e6cdb25f16d5abdf40cd89eee3f9c5be6c8e57c618f4483f41f0633371e68500fb4912505d96

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA23C.tmp

Filesize
655KB

MD5
318c2dccde072a40444f8dc9d56b8ddb

SHA1
f96de99f76a8f27c9a4cf7ff5c60833372e89ec5

SHA256
51b2b3b26329e742fd3f5ec5e4613c7045d4f135e26d33c934ec8377691600e3

SHA512
0d461cabf77c1a084169200b8b326f532265f15370233507eb40e6cdb25f16d5abdf40cd89eee3f9c5be6c8e57c618f4483f41f0633371e68500fb4912505d96

Download Submit
memory/4416-149-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/4572-140-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/4896-143-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/4896-134-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/5088-142-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download