c98f14574b0e0462673d8f68b2036c61897f122ad0bab43876a6c7a937709c84

Analysis

max time kernel
169s
max time network
175s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
02/10/2022, 10:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c98f14574b0e0462673d8f68b2036c61897f122ad0bab43876a6c7a937709c84.exe
Size

671KB
MD5

6d537427f6034e24ed5843b54110fb30
SHA1

78669f8ccd43394cca342f80be7f204febea52a9
SHA256

c98f14574b0e0462673d8f68b2036c61897f122ad0bab43876a6c7a937709c84
SHA512

dbcb64650b148ea45818be5947f3116ab5936c53dd80fb082939cbe4853d987514bf04f0f22e86a4f7791de97757a77f2a8bfefe9fe5602cded80984d71c1199
SSDEEP

12288:VHjcoe9PH96vB/fAuBcm9TyOE/xG3muGx44MG4Yx:VDgINfAuBcgcZG2uG24MG4Y

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
4932	icbubah.exe
5116	~DFA23E.tmp
4124	xewoduh.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	~DFA23E.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	c98f14574b0e0462673d8f68b2036c61897f122ad0bab43876a6c7a937709c84.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
4124	xewoduh.exe
4124	xewoduh.exe
4124	xewoduh.exe
4124	xewoduh.exe
4124	xewoduh.exe
4124	xewoduh.exe
4124	xewoduh.exe
4124	xewoduh.exe
4124	xewoduh.exe
4124	xewoduh.exe
4124	xewoduh.exe
4124	xewoduh.exe
4124	xewoduh.exe
4124	xewoduh.exe
4124	xewoduh.exe
4124	xewoduh.exe
4124	xewoduh.exe
4124	xewoduh.exe
4124	xewoduh.exe
4124	xewoduh.exe
4124	xewoduh.exe
4124	xewoduh.exe
4124	xewoduh.exe
4124	xewoduh.exe
4124	xewoduh.exe
4124	xewoduh.exe
4124	xewoduh.exe
4124	xewoduh.exe
4124	xewoduh.exe
4124	xewoduh.exe
4124	xewoduh.exe
4124	xewoduh.exe
4124	xewoduh.exe
4124	xewoduh.exe
4124	xewoduh.exe
4124	xewoduh.exe
4124	xewoduh.exe
4124	xewoduh.exe
4124	xewoduh.exe
4124	xewoduh.exe
4124	xewoduh.exe
4124	xewoduh.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	5116	~DFA23E.tmp

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4668 wrote to memory of 4932	4668	c98f14574b0e0462673d8f68b2036c61897f122ad0bab43876a6c7a937709c84.exe	82
PID 4668 wrote to memory of 4932	4668	c98f14574b0e0462673d8f68b2036c61897f122ad0bab43876a6c7a937709c84.exe	82
PID 4668 wrote to memory of 4932	4668	c98f14574b0e0462673d8f68b2036c61897f122ad0bab43876a6c7a937709c84.exe	82
PID 4932 wrote to memory of 5116	4932	icbubah.exe	83
PID 4932 wrote to memory of 5116	4932	icbubah.exe	83
PID 4932 wrote to memory of 5116	4932	icbubah.exe	83
PID 4668 wrote to memory of 684	4668	c98f14574b0e0462673d8f68b2036c61897f122ad0bab43876a6c7a937709c84.exe	85
PID 4668 wrote to memory of 684	4668	c98f14574b0e0462673d8f68b2036c61897f122ad0bab43876a6c7a937709c84.exe	85
PID 4668 wrote to memory of 684	4668	c98f14574b0e0462673d8f68b2036c61897f122ad0bab43876a6c7a937709c84.exe	85
PID 5116 wrote to memory of 4124	5116	~DFA23E.tmp	92
PID 5116 wrote to memory of 4124	5116	~DFA23E.tmp	92
PID 5116 wrote to memory of 4124	5116	~DFA23E.tmp	92

C:\Users\Admin\AppData\Local\Temp\c98f14574b0e0462673d8f68b2036c61897f122ad0bab43876a6c7a937709c84.exe
"C:\Users\Admin\AppData\Local\Temp\c98f14574b0e0462673d8f68b2036c61897f122ad0bab43876a6c7a937709c84.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4668
- C:\Users\Admin\AppData\Local\Temp\icbubah.exe
  C:\Users\Admin\AppData\Local\Temp\icbubah.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4932
- - C:\Users\Admin\AppData\Local\Temp\~DFA23E.tmp
    C:\Users\Admin\AppData\Local\Temp\~DFA23E.tmp OK
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5116
  - - C:\Users\Admin\AppData\Local\Temp\xewoduh.exe
      "C:\Users\Admin\AppData\Local\Temp\xewoduh.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:4124
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
  2⤵
  PID:684

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uninsep.bat

Filesize
341B

MD5
8026c8b31d429c9359ca5eb7efc59e42

SHA1
ae41b4321738f2ce318b5103386f1e33d513d462

SHA256
baafe23583b3738d66492675a3851ec55b4d5407f28670aa1d3ce29f7c15d1d5

SHA512
9e6a74cab0ea8ca853eba1647f6b92300b9f6c42f8ddc6c70b15afa56670245ca220ac000b58c49557e75d623c79759b86140f77cbc10756dccef099e658f554

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
86bb2dbeaef655893262f3c041f6afe2

SHA1
1b26ff1241c1353bd506c18bd0c11878076ba65d

SHA256
4a57643d2c59d1235bc0926f845583f39345839e3e9428ad619eb4b6baf96ad2

SHA512
58294cfaa5882a4c5625c03fe6f9e4882912b31f7169241f95626745d66c0a746083a9044365943d66ae7a420113d28c0ddd642c4ed697c683deb63796a13d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
480B

MD5
df70a727d2180436f4c32d878ca5c776

SHA1
390228ed5e96167691717d571f2b45032b7258ce

SHA256
cb7da939c0125f6c5b59d679cffd29e8d63d06250c397d5b8ede19ceb0b9f330

SHA512
72256428071833ccae16d75a771685d083dd162791e729df61dc50bbb150717518e724fc3b6252cfdf0079c67e6d0092b32de7a229953c16adbfb18b2886809b

Download Submit
C:\Users\Admin\AppData\Local\Temp\icbubah.exe

Filesize
675KB

MD5
1f58d4d5a9bf4d78a09fd904bc814c94

SHA1
198d226f25c31a627fb37a532ba49e039629bf65

SHA256
c494f6cb22851b7a9d01f3c5c5bc7c62bad611309b08a2ecea838b8b28673f1d

SHA512
4cc3ba1133c69ca760bbf9f8d460a07d02a0fb30b16c6b8f48a5a180fcfae2fc87f19dc753ecbceee12de2e0d5b367df27fd041f047ab66070c5e39f64f8fcb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\icbubah.exe

Filesize
675KB

MD5
1f58d4d5a9bf4d78a09fd904bc814c94

SHA1
198d226f25c31a627fb37a532ba49e039629bf65

SHA256
c494f6cb22851b7a9d01f3c5c5bc7c62bad611309b08a2ecea838b8b28673f1d

SHA512
4cc3ba1133c69ca760bbf9f8d460a07d02a0fb30b16c6b8f48a5a180fcfae2fc87f19dc753ecbceee12de2e0d5b367df27fd041f047ab66070c5e39f64f8fcb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\xewoduh.exe

Filesize
388KB

MD5
4cdb199473f72a0df484ddbb867ee37c

SHA1
a632494b923853e6802b41b95c79d2135f843176

SHA256
8e96b67d202dd1cbd1e27ec6094afae94001061b2791a39da49eb6344b7f0dc9

SHA512
40eee0cc563e6c3ebf7f3be5c5fb73cb13e31b19a622b2d782b718ad4828ae2c7cfda285e0d47b50ac1ad223732a7ff3712381432ff1c449508fd3306ebef804

Download Submit
C:\Users\Admin\AppData\Local\Temp\xewoduh.exe

Filesize
388KB

MD5
4cdb199473f72a0df484ddbb867ee37c

SHA1
a632494b923853e6802b41b95c79d2135f843176

SHA256
8e96b67d202dd1cbd1e27ec6094afae94001061b2791a39da49eb6344b7f0dc9

SHA512
40eee0cc563e6c3ebf7f3be5c5fb73cb13e31b19a622b2d782b718ad4828ae2c7cfda285e0d47b50ac1ad223732a7ff3712381432ff1c449508fd3306ebef804

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA23E.tmp

Filesize
679KB

MD5
271ff546efe080e0e6be61375237a6ae

SHA1
c4d28d54a397651f64d669020444df6f1efa8f06

SHA256
2669d3d6c3c2d5872a2148601d29eba33c6be89b2a9ee978f3c82aaaf371ec2b

SHA512
bfd4b85240aeff49cb0a5103147f1d356486af4b068ca92e398f6f737a3787f0d1bd87916767dc31b9eb3ca904954832401c552b2b377fc2bbd2b624175a8ddf

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA23E.tmp

Filesize
679KB

MD5
271ff546efe080e0e6be61375237a6ae

SHA1
c4d28d54a397651f64d669020444df6f1efa8f06

SHA256
2669d3d6c3c2d5872a2148601d29eba33c6be89b2a9ee978f3c82aaaf371ec2b

SHA512
bfd4b85240aeff49cb0a5103147f1d356486af4b068ca92e398f6f737a3787f0d1bd87916767dc31b9eb3ca904954832401c552b2b377fc2bbd2b624175a8ddf

Download Submit
memory/4124-150-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/4668-142-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/4668-135-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/4932-144-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/4932-137-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/5116-145-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download