dcabcf28c3370f7d0f7fd4e703438eda8170d6ed109c7031ed20d429a5c45889

Analysis

max time kernel
172s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
02/10/2022, 10:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dcabcf28c3370f7d0f7fd4e703438eda8170d6ed109c7031ed20d429a5c45889.exe
Size

648KB
MD5

6ff0b369bec9860c453265df4ce19d50
SHA1

beaac1b2427f610c99136f379b776f9c0224f9b3
SHA256

dcabcf28c3370f7d0f7fd4e703438eda8170d6ed109c7031ed20d429a5c45889
SHA512

c01220d0a81f6e4d8c04516285d02e731df9b13356df224c3358c4981e86c74fc37a1dfa0a89c64db46a6d2da7bb17f3cb805506858642e4733f9f14b0f124ac
SSDEEP

12288:VHjcoe9PH96vB/fAuBcm9TyOE/xG3muGx44MG4Yx:VDgINfAuBcgcZG2uG24MG4Y

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
3436	reesnuy.exe
3668	~DFA23C.tmp
1888	fovetoy.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	dcabcf28c3370f7d0f7fd4e703438eda8170d6ed109c7031ed20d429a5c45889.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	~DFA23C.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
1888	fovetoy.exe
1888	fovetoy.exe
1888	fovetoy.exe
1888	fovetoy.exe
1888	fovetoy.exe
1888	fovetoy.exe
1888	fovetoy.exe
1888	fovetoy.exe
1888	fovetoy.exe
1888	fovetoy.exe
1888	fovetoy.exe
1888	fovetoy.exe
1888	fovetoy.exe
1888	fovetoy.exe
1888	fovetoy.exe
1888	fovetoy.exe
1888	fovetoy.exe
1888	fovetoy.exe
1888	fovetoy.exe
1888	fovetoy.exe
1888	fovetoy.exe
1888	fovetoy.exe
1888	fovetoy.exe
1888	fovetoy.exe
1888	fovetoy.exe
1888	fovetoy.exe
1888	fovetoy.exe
1888	fovetoy.exe
1888	fovetoy.exe
1888	fovetoy.exe
1888	fovetoy.exe
1888	fovetoy.exe
1888	fovetoy.exe
1888	fovetoy.exe
1888	fovetoy.exe
1888	fovetoy.exe
1888	fovetoy.exe
1888	fovetoy.exe
1888	fovetoy.exe
1888	fovetoy.exe
1888	fovetoy.exe
1888	fovetoy.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3668	~DFA23C.tmp

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1276 wrote to memory of 3436	1276	dcabcf28c3370f7d0f7fd4e703438eda8170d6ed109c7031ed20d429a5c45889.exe	83
PID 1276 wrote to memory of 3436	1276	dcabcf28c3370f7d0f7fd4e703438eda8170d6ed109c7031ed20d429a5c45889.exe	83
PID 1276 wrote to memory of 3436	1276	dcabcf28c3370f7d0f7fd4e703438eda8170d6ed109c7031ed20d429a5c45889.exe	83
PID 3436 wrote to memory of 3668	3436	reesnuy.exe	84
PID 3436 wrote to memory of 3668	3436	reesnuy.exe	84
PID 3436 wrote to memory of 3668	3436	reesnuy.exe	84
PID 1276 wrote to memory of 808	1276	dcabcf28c3370f7d0f7fd4e703438eda8170d6ed109c7031ed20d429a5c45889.exe	86
PID 1276 wrote to memory of 808	1276	dcabcf28c3370f7d0f7fd4e703438eda8170d6ed109c7031ed20d429a5c45889.exe	86
PID 1276 wrote to memory of 808	1276	dcabcf28c3370f7d0f7fd4e703438eda8170d6ed109c7031ed20d429a5c45889.exe	86
PID 3668 wrote to memory of 1888	3668	~DFA23C.tmp	88
PID 3668 wrote to memory of 1888	3668	~DFA23C.tmp	88
PID 3668 wrote to memory of 1888	3668	~DFA23C.tmp	88

C:\Users\Admin\AppData\Local\Temp\dcabcf28c3370f7d0f7fd4e703438eda8170d6ed109c7031ed20d429a5c45889.exe
"C:\Users\Admin\AppData\Local\Temp\dcabcf28c3370f7d0f7fd4e703438eda8170d6ed109c7031ed20d429a5c45889.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1276
- C:\Users\Admin\AppData\Local\Temp\reesnuy.exe
  C:\Users\Admin\AppData\Local\Temp\reesnuy.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3436
- - C:\Users\Admin\AppData\Local\Temp\~DFA23C.tmp
    C:\Users\Admin\AppData\Local\Temp\~DFA23C.tmp OK
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3668
  - - C:\Users\Admin\AppData\Local\Temp\fovetoy.exe
      "C:\Users\Admin\AppData\Local\Temp\fovetoy.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:1888
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
  2⤵
  PID:808

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uninsep.bat

Filesize
341B

MD5
238823a9fab0e2ac77cf5c5ef4621de9

SHA1
2ddbc7cc4a324eab9131bfdb809b625c65bbe632

SHA256
53528b70be12a27b051b5317fbdf34db20d36fdd6b83a0b458e6f4d097110683

SHA512
a7eb1f851450cd25751478aea279b970831f5ca267efe16ef5f6dc092259950f8f288cd7d8a78f19bfa61a53c10463c0ba770b4463d288292aaa9b20902d4807

Download Submit
C:\Users\Admin\AppData\Local\Temp\fovetoy.exe

Filesize
389KB

MD5
5c7cc9640dec460170355900666b6327

SHA1
36fbb0e8d6f73abc4115977946d7f4aa96556016

SHA256
ec0c333d02abeea1f6855af709909a2e14d306fc6d4f99f6e1ed17e9cf27c1a2

SHA512
7049117d8b537382c8185b051fab98a35bc30bb6d9fc79ff19e6cd859f542f5f6ab441592e9db463430d72ad961986bf562ee2e2598897c52a5165daba995979

Download Submit
C:\Users\Admin\AppData\Local\Temp\fovetoy.exe

Filesize
389KB

MD5
5c7cc9640dec460170355900666b6327

SHA1
36fbb0e8d6f73abc4115977946d7f4aa96556016

SHA256
ec0c333d02abeea1f6855af709909a2e14d306fc6d4f99f6e1ed17e9cf27c1a2

SHA512
7049117d8b537382c8185b051fab98a35bc30bb6d9fc79ff19e6cd859f542f5f6ab441592e9db463430d72ad961986bf562ee2e2598897c52a5165daba995979

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
86bb2dbeaef655893262f3c041f6afe2

SHA1
1b26ff1241c1353bd506c18bd0c11878076ba65d

SHA256
4a57643d2c59d1235bc0926f845583f39345839e3e9428ad619eb4b6baf96ad2

SHA512
58294cfaa5882a4c5625c03fe6f9e4882912b31f7169241f95626745d66c0a746083a9044365943d66ae7a420113d28c0ddd642c4ed697c683deb63796a13d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
480B

MD5
252a745d1944beae5b54d9c7500fd8fc

SHA1
35cd904ed9734d6676f649345a93931dea90a431

SHA256
c86cb42f66f0909adc77b22522cf3967a22077150715bb54e60029c9a122b157

SHA512
7edcd41b7763f3ebddb5790997dc885bfe7e21c15cce2ee4c30d6633f46a7e6649c5f3a9c92442120d83a326016b1bf0ac842cb1a879b4ef4c8f358174534256

Download Submit
C:\Users\Admin\AppData\Local\Temp\reesnuy.exe

Filesize
650KB

MD5
4d3947c3f1b4907d895fd9c8f522fdc6

SHA1
69e5a55c9abcf07a81b91fb7b3e00bab2775b1f9

SHA256
a0fca821ff79e8b4b32301db0cd89134a66cbb0515778dde7567d2bfaeab6ada

SHA512
dbd3c0bdf49714942f05598deac8f7e4a640e4c5bd771bf3a677af1e13d9e1cdce2b8762af5a85ff18c69e066de44e8840259a3c673aa48bc23e2aa3152545c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\reesnuy.exe

Filesize
650KB

MD5
4d3947c3f1b4907d895fd9c8f522fdc6

SHA1
69e5a55c9abcf07a81b91fb7b3e00bab2775b1f9

SHA256
a0fca821ff79e8b4b32301db0cd89134a66cbb0515778dde7567d2bfaeab6ada

SHA512
dbd3c0bdf49714942f05598deac8f7e4a640e4c5bd771bf3a677af1e13d9e1cdce2b8762af5a85ff18c69e066de44e8840259a3c673aa48bc23e2aa3152545c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA23C.tmp

Filesize
653KB

MD5
01e2a18e5b6028f2789120437ff1f257

SHA1
0d8ac719ee5144a3219f719631bfe2b83a0bbf25

SHA256
6300a5ae16e2597ff8109c307a98f5fd3eb20d289099774c406e2be7028ae82e

SHA512
1a611588a24bb82e1a2f9d81b33d8686ce23e177d1121620dc1b3021daf07a1b91cc3847ae67ec945683c2411897f18a9493bc6751dc55403fa30b03d107357c

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA23C.tmp

Filesize
653KB

MD5
01e2a18e5b6028f2789120437ff1f257

SHA1
0d8ac719ee5144a3219f719631bfe2b83a0bbf25

SHA256
6300a5ae16e2597ff8109c307a98f5fd3eb20d289099774c406e2be7028ae82e

SHA512
1a611588a24bb82e1a2f9d81b33d8686ce23e177d1121620dc1b3021daf07a1b91cc3847ae67ec945683c2411897f18a9493bc6751dc55403fa30b03d107357c

Download Submit
memory/1276-141-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1276-132-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1888-149-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/3436-142-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/3668-144-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download