Analysis
- max time kernel: 170s
- max time network: 174s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 02/10/2022, 10:49
Static task: static1
Behavioral task: behavioral1
- Sample: a667a6edf2ca03237aeb69702fb4fb686d6b21b6aa8774555d0d429a18025f8a.exe
- Resource: win7-20220901-en
Behavioral task: behavioral2
- Sample: a667a6edf2ca03237aeb69702fb4fb686d6b21b6aa8774555d0d429a18025f8a.exe
- Resource: win10v2004-20220812-en
General
- Target: a667a6edf2ca03237aeb69702fb4fb686d6b21b6aa8774555d0d429a18025f8a.exe
- Size: 652KB
- MD5: 6f3a1629c1e04c51b66eb63887f22e70
- SHA1: fad3f8da060b92a81f9cfdeb2a6b0d7ed1a64067
- SHA256: a667a6edf2ca03237aeb69702fb4fb686d6b21b6aa8774555d0d429a18025f8a
- SHA512: 4e3dea7c6d0f1933ba965d2925223aae2bb2a727fa3a653e3d1c1cf7af41dc8af56dafc8169484750f128217404b1b633bfd95e6fa33ef7e2baa460fee3ba5b8
- SSDEEP: 12288:VHjcoe9PH96vB/fAuBcm9TyOE/xG3muGx44MG4Yx:VDgINfAuBcgcZG2uG24MG4Y
Malware Config
Signatures
-
Executes dropped EXE (3 IoCs)
  pid   Process
  4572  tyomgyg.exe
  5088  ~DFA23C.tmp
  4416  judaahg.exe
-
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely a geofence check. The value read is HKCU\Control Panel\International\Geo\Nation, i.e. the location the user configured in Windows settings, not anything derived from the network, so the check keys off the victim's locale configuration. Both the submitted sample and the dropped ~DFA23C.tmp perform it.
  description        ioc                                                                                                       Process
  Key value queried  \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation  a667a6edf2ca03237aeb69702fb4fb686d6b21b6aa8774555d0d429a18025f8a.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation  ~DFA23C.tmp
-
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). The sandbox tags this as "likely ransomware behaviour", but it is a generic heuristic: nothing else in this report (no file-encryption or ransom-note activity is listed) corroborates it, so treat the ransomware label as unconfirmed.
-
Suspicious behavior: EnumeratesProcesses (42 IoCs)
  pid   Process
  4416  judaahg.exe (42 identical entries)
-
Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  5088  ~DFA23C.tmp
SeDebugPrivilege is what a process needs to open processes it does not own (other users', SYSTEM); here ~DFA23C.tmp enables it before spawning judaahg.exe, which then enumerates processes.
-
Suspicious use of WriteProcessMemory (12 IoCs)
Each parent-to-child write is logged three times, so the twelve entries reduce to four parent/child pairs.
  description                       pid   Process                                                                  procid_target
  PID 4896 wrote to memory of 4572  4896  a667a6edf2ca03237aeb69702fb4fb686d6b21b6aa8774555d0d429a18025f8a.exe  82  (x3)
  PID 4572 wrote to memory of 5088  4572  tyomgyg.exe                                                              83  (x3)
  PID 4896 wrote to memory of 1372  4896  a667a6edf2ca03237aeb69702fb4fb686d6b21b6aa8774555d0d429a18025f8a.exe  84  (x3)
  PID 5088 wrote to memory of 4416  5088  ~DFA23C.tmp                                                              88  (x3)
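As an added example that is not part of this sandbox report, the Python below rebuilds the process lineage from the WriteProcessMemory entries above and cross-references it with the Geo\Nation registry queries listed under "Checks computer location settings". The IoC strings are copied from the report; the line layout the parser expects, the helper names and the leaf-name table (for processes that only appear as children) are assumptions made for the example.

```python
import re
from collections import defaultdict

SAMPLE_EXE = "a667a6edf2ca03237aeb69702fb4fb686d6b21b6aa8774555d0d429a18025f8a.exe"

# Copied from the report's "Suspicious use of WriteProcessMemory" entries,
# one per line, in the column order the sandbox prints them:
# description, pid, Process, procid_target.  Each child creation is logged
# three times on this run, so the twelve lines reduce to four edges.
WRITEPROCESSMEMORY_IOCS = f"""
PID 4896 wrote to memory of 4572 4896 {SAMPLE_EXE} 82
PID 4896 wrote to memory of 4572 4896 {SAMPLE_EXE} 82
PID 4896 wrote to memory of 4572 4896 {SAMPLE_EXE} 82
PID 4572 wrote to memory of 5088 4572 tyomgyg.exe 83
PID 4572 wrote to memory of 5088 4572 tyomgyg.exe 83
PID 4572 wrote to memory of 5088 4572 tyomgyg.exe 83
PID 4896 wrote to memory of 1372 4896 {SAMPLE_EXE} 84
PID 4896 wrote to memory of 1372 4896 {SAMPLE_EXE} 84
PID 4896 wrote to memory of 1372 4896 {SAMPLE_EXE} 84
PID 5088 wrote to memory of 4416 5088 ~DFA23C.tmp 88
PID 5088 wrote to memory of 4416 5088 ~DFA23C.tmp 88
PID 5088 wrote to memory of 4416 5088 ~DFA23C.tmp 88
"""

# The IoC lines only name the writing (parent) process; leaf processes get
# their names from the report's Processes section (assumed table).
LEAF_NAMES = {1372: "cmd.exe", 4416: "judaahg.exe"}

# Copied from "Checks computer location settings": (Process, key queried).
GEO_NATION_KEY = (r"\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000"
                  r"\Control Panel\International\Geo\Nation")
GEO_QUERIES = [(SAMPLE_EXE, GEO_NATION_KEY), ("~DFA23C.tmp", GEO_NATION_KEY)]

# Assumed layout of one IoC line (matches the report text above).
WPM_LINE = re.compile(r"PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)")


def parse_edges(text):
    """Return the distinct (parent_pid, child_pid) edges and a pid->name map."""
    edges, names = set(), {}
    for line in text.strip().splitlines():
        m = WPM_LINE.fullmatch(line.strip())
        if m is None:
            raise ValueError(f"unexpected IoC line: {line!r}")
        src, dst, pid, proc, _procid = m.groups()
        if src != pid:  # the description and the pid column must agree
            raise ValueError(f"description/pid column disagree: {line!r}")
        edges.add((int(src), int(dst)))
        names[int(src)] = proc
    return edges, names


def build_tree(edges):
    """Map each parent pid to its children, lowest pid first."""
    tree = defaultdict(list)
    for parent, child in sorted(edges):
        tree[parent].append(child)
    return dict(tree)


def roots(edges):
    """Pids that write to others but are never written to: the tree roots."""
    return sorted({p for p, _ in edges} - {c for _, c in edges})


def lineage(edges, pid):
    """Root-first chain of pids leading to `pid`."""
    parent_of = {child: parent for parent, child in edges}
    chain = [pid]
    while chain[-1] in parent_of:
        chain.append(parent_of[chain[-1]])
    return chain[::-1]


def render(tree, names, pid, depth=0):
    """Indented text tree, one 'pid name' line per process."""
    lines = [f"{'  ' * depth}{pid} {names.get(pid, '?')}"]
    for child in tree.get(pid, []):
        lines.extend(render(tree, names, child, depth + 1))
    return lines


def geofence_pids(names):
    """Pids whose image name appears in the Geo\\Nation registry-query IoCs."""
    by_name = defaultdict(list)
    for pid, name in names.items():
        by_name[name].append(pid)
    return sorted(pid for proc, key in GEO_QUERIES
                  if key.endswith(r"\Geo\Nation")
                  for pid in by_name[proc])


def analyse(text=WRITEPROCESSMEMORY_IOCS):
    """Parse the IoC text and summarise lineage plus geofence activity."""
    edges, names = parse_edges(text)
    names = {**names, **LEAF_NAMES}
    tree = build_tree(edges)
    root = roots(edges)[0]
    chains = [lineage(edges, child) for _, child in edges]
    return {
        "edges": sorted(edges),
        "tree": tree,
        "root": root,
        "rendered": render(tree, names, root),
        "deepest": max(chains, key=len),
        "geofence_pids": geofence_pids(names),
    }


if __name__ == "__main__":
    result = analyse()
    print("\n".join(result["rendered"]))
    print("longest chain:", " -> ".join(map(str, result["deepest"])))
    print("Geo\\Nation queried by pids:", result["geofence_pids"])
```

The rebuilt tree should match the Processes section of the report exactly (4896 spawning 1372 and 4572, 4572 spawning 5088, 5088 spawning 4416); a mismatch between the WriteProcessMemory edges and the rendered process tree is worth a second look, since it usually means a child was created by a process the sandbox did not attribute.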
Processes
- C:\Users\Admin\AppData\Local\Temp\a667a6edf2ca03237aeb69702fb4fb686d6b21b6aa8774555d0d429a18025f8a.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\a667a6edf2ca03237aeb69702fb4fb686d6b21b6aa8774555d0d429a18025f8a.exe"
  depth 1, PID 4896
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\tyomgyg.exe
    command line: C:\Users\Admin\AppData\Local\Temp\tyomgyg.exe
    depth 2, PID 4572
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\~DFA23C.tmp
      command line: C:\Users\Admin\AppData\Local\Temp\~DFA23C.tmp OK
      depth 3, PID 5088
      - Executes dropped EXE
      - Checks computer location settings
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\judaahg.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\judaahg.exe"
        depth 4, PID 4416
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
  - C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
    depth 2, PID 1372
    The image path is SysWOW64 although the command line names system32: the parent is a 32-bit process, so WOW64 file-system redirection serves it the 32-bit cmd.exe. The contents of _uninsep.bat are not shown in this report.
Network
MITRE ATT&CK Enterprise v6
Downloads
Dropped files are listed by hash only, without paths. None of them is the submitted sample: the 653KB and 655KB files carry different MD5/SHA256 values from the 652KB target above.
- Filesize: 341B
  MD5: a3afb3a72a76309fdb7b5edfbf8174bd
  SHA1: 14c989e990b45ccbffb11842c1b01f7794796109
  SHA256: 6a25d4cd25b72dc540940112509ec579167c59d46eb3b6b5050659c21d9e5db2
  SHA512: 8e2c01e83f05f3af185cc142ac9a029beda69a2923b4505058cb840d12ec15047cdf4ced409fb61e23816c32e4c40704eae1bfe43b0cf9af8fc7c10fdcf41a18
- Filesize: 104B
  MD5: 86bb2dbeaef655893262f3c041f6afe2
  SHA1: 1b26ff1241c1353bd506c18bd0c11878076ba65d
  SHA256: 4a57643d2c59d1235bc0926f845583f39345839e3e9428ad619eb4b6baf96ad2
  SHA512: 58294cfaa5882a4c5625c03fe6f9e4882912b31f7169241f95626745d66c0a746083a9044365943d66ae7a420113d28c0ddd642c4ed697c683deb63796a13d31
- Filesize: 480B
  MD5: cb7a63ba1fb678dff4f24c90cd155c6d
  SHA1: a9efc7b03d5147c44c209fe4af22352e1d23f8fd
  SHA256: 6b046d408e70a19996da0a1a345ae6117f9f10cd3251855d5400831614f11947
  SHA512: 0783a66552e5dd453746c9f0699e8ea456649110d319bd6e1be508703f3208f429b17654d943242f147e065cc24cbde6e8f398ee53f7bc6b403988d3291e5143
- Filesize: 377KB
  MD5: 88a4fe20e95a3d6651cdd3eec16ff5b8
  SHA1: b8f74b66c82b581d3accb72c60fd10dff4fad51a
  SHA256: 78f736e8f19ca3a5e424ad9bcb8542e8df50b54705dcfb3af206fd8ff39a68f4
  SHA512: 1a54bdd7f7a42599608d3f774a668b9db36914e569e73db31397cf3a402fe668ae139151248acc28fdcb265d8d4836b4034a8620196d2a061c4c4462992e4e4c
- Filesize: 653KB
  MD5: a981e77a765080903061632671b0836f
  SHA1: 0016573c120f73c3091112c2efa8715503f6f5cf
  SHA256: 889a9ef524eafd773a850697ca88117d9a41345c882183428d893b2780256180
  SHA512: bd35acedd4f7b2a1bc2fd4a6d586980866bd7cc358041ddbc87be9fd5c93fbca0053d7bdae029a9e644485170b49233544af05ff3ff8b12bbbc00c04450dc957
- Filesize: 655KB
  MD5: 318c2dccde072a40444f8dc9d56b8ddb
  SHA1: f96de99f76a8f27c9a4cf7ff5c60833372e89ec5
  SHA256: 51b2b3b26329e742fd3f5ec5e4613c7045d4f135e26d33c934ec8377691600e3
  SHA512: 0d461cabf77c1a084169200b8b326f532265f15370233507eb40e6cdb25f16d5abdf40cd89eee3f9c5be6c8e57c618f4483f41f0633371e68500fb4912505d96