bc87246fbeab89f418044d70c07244b012671b96433962a4e01cb7ce6517165d

Analysis

max time kernel
154s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
02-10-2022 10:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bc87246fbeab89f418044d70c07244b012671b96433962a4e01cb7ce6517165d.exe
Size

616KB
MD5

4351a7348bc2127542882896ba7b1b70
SHA1

362fa6b6a24c6cea8a8c070e37ca347df10d508e
SHA256

bc87246fbeab89f418044d70c07244b012671b96433962a4e01cb7ce6517165d
SHA512

58c69309dbe53aeff11e70943e6e3f049cb685844ee8b041f6adc30a2ef929f144ad755979c37dd775149e2011cb2f62cdab1c2958e9e85590056156bd7ed7d0
SSDEEP

12288:OHjcoe9PH96vB/fAuBcm9TyOE/xG3muGx44MG4Yx:ODgINfAuBcgcZG2uG24MG4Y

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
4344	ebsumi.exe
4204	~DFA245.tmp
2908	mydyji.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	bc87246fbeab89f418044d70c07244b012671b96433962a4e01cb7ce6517165d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	~DFA245.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 40 IoCs

pid	Process
2908	mydyji.exe
2908	mydyji.exe
2908	mydyji.exe
2908	mydyji.exe
2908	mydyji.exe
2908	mydyji.exe
2908	mydyji.exe
2908	mydyji.exe
2908	mydyji.exe
2908	mydyji.exe
2908	mydyji.exe
2908	mydyji.exe
2908	mydyji.exe
2908	mydyji.exe
2908	mydyji.exe
2908	mydyji.exe
2908	mydyji.exe
2908	mydyji.exe
2908	mydyji.exe
2908	mydyji.exe
2908	mydyji.exe
2908	mydyji.exe
2908	mydyji.exe
2908	mydyji.exe
2908	mydyji.exe
2908	mydyji.exe
2908	mydyji.exe
2908	mydyji.exe
2908	mydyji.exe
2908	mydyji.exe
2908	mydyji.exe
2908	mydyji.exe
2908	mydyji.exe
2908	mydyji.exe
2908	mydyji.exe
2908	mydyji.exe
2908	mydyji.exe
2908	mydyji.exe
2908	mydyji.exe
2908	mydyji.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4204	~DFA245.tmp

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2208 wrote to memory of 4344	2208	bc87246fbeab89f418044d70c07244b012671b96433962a4e01cb7ce6517165d.exe	83
PID 2208 wrote to memory of 4344	2208	bc87246fbeab89f418044d70c07244b012671b96433962a4e01cb7ce6517165d.exe	83
PID 2208 wrote to memory of 4344	2208	bc87246fbeab89f418044d70c07244b012671b96433962a4e01cb7ce6517165d.exe	83
PID 4344 wrote to memory of 4204	4344	ebsumi.exe	84
PID 4344 wrote to memory of 4204	4344	ebsumi.exe	84
PID 4344 wrote to memory of 4204	4344	ebsumi.exe	84
PID 2208 wrote to memory of 2508	2208	bc87246fbeab89f418044d70c07244b012671b96433962a4e01cb7ce6517165d.exe	85
PID 2208 wrote to memory of 2508	2208	bc87246fbeab89f418044d70c07244b012671b96433962a4e01cb7ce6517165d.exe	85
PID 2208 wrote to memory of 2508	2208	bc87246fbeab89f418044d70c07244b012671b96433962a4e01cb7ce6517165d.exe	85
PID 4204 wrote to memory of 2908	4204	~DFA245.tmp	95
PID 4204 wrote to memory of 2908	4204	~DFA245.tmp	95
PID 4204 wrote to memory of 2908	4204	~DFA245.tmp	95

C:\Users\Admin\AppData\Local\Temp\bc87246fbeab89f418044d70c07244b012671b96433962a4e01cb7ce6517165d.exe
"C:\Users\Admin\AppData\Local\Temp\bc87246fbeab89f418044d70c07244b012671b96433962a4e01cb7ce6517165d.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2208
- C:\Users\Admin\AppData\Local\Temp\ebsumi.exe
  C:\Users\Admin\AppData\Local\Temp\ebsumi.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4344
- - C:\Users\Admin\AppData\Local\Temp\~DFA245.tmp
    C:\Users\Admin\AppData\Local\Temp\~DFA245.tmp OK
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4204
  - - C:\Users\Admin\AppData\Local\Temp\mydyji.exe
      "C:\Users\Admin\AppData\Local\Temp\mydyji.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:2908
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
  2⤵
  PID:2508

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uninsep.bat

Filesize
341B

MD5
f059c28f87b4f1d351d1f79f02b3cf0a

SHA1
c0f7479f674211b2fece40d66f5b424272b252c2

SHA256
55e6ebf674fa307638bfacdee23c5c20d1e81a888bc0179abda1a3fac4161b55

SHA512
dba6757cab5b9c534497c1be1fe17626a25258c59563be534845cfd1ad3428ab87cc04293f5f4116fc49db9f4cf1c657df578ab842090de7121aebf96e591f75

Download Submit
C:\Users\Admin\AppData\Local\Temp\ebsumi.exe

Filesize
616KB

MD5
ce99d6f6de470c833d034471195df1af

SHA1
f1f5d6683669e1f3f7e12be3f8d6435a4fac26a6

SHA256
247914f1a3f3aa7b91edb37ab7180e7d85989c87568ff426d84ce80cc3448693

SHA512
9ed73b616658af37f76bb0a2256ff7d9b06bea05669dade4545ffd801454812aac5be1a745e512f4c2258ad0f244f6174250b63d6e0e68039290bccfb84cb39d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ebsumi.exe

Filesize
616KB

MD5
ce99d6f6de470c833d034471195df1af

SHA1
f1f5d6683669e1f3f7e12be3f8d6435a4fac26a6

SHA256
247914f1a3f3aa7b91edb37ab7180e7d85989c87568ff426d84ce80cc3448693

SHA512
9ed73b616658af37f76bb0a2256ff7d9b06bea05669dade4545ffd801454812aac5be1a745e512f4c2258ad0f244f6174250b63d6e0e68039290bccfb84cb39d

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
86bb2dbeaef655893262f3c041f6afe2

SHA1
1b26ff1241c1353bd506c18bd0c11878076ba65d

SHA256
4a57643d2c59d1235bc0926f845583f39345839e3e9428ad619eb4b6baf96ad2

SHA512
58294cfaa5882a4c5625c03fe6f9e4882912b31f7169241f95626745d66c0a746083a9044365943d66ae7a420113d28c0ddd642c4ed697c683deb63796a13d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
480B

MD5
1f2e731057a5df4f7cd06b8383f3ca5a

SHA1
91cbc50983250792cff39b018a8fa4442cc54d8e

SHA256
f56c415489f354ace6c6cf0885789cb33e5d159a3ea468aaccbafe61bf262455

SHA512
63771bd61f90cc5be58700fc6dc2bb3417c913388a045f6f4afa59f2a711efc44a1dffb092cbc2867f59fcf8fd9b2786d80cf8df2086550c45ad86762fc913a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\mydyji.exe

Filesize
393KB

MD5
7fc127660f256b7f83df0cb89401be43

SHA1
4aad00a9829f3c2b9ed9d239941f8dc0de15301f

SHA256
0bec8b12e514d24ffb4a9598856951f701ecd8316fa077b6a3793d36eaae7be6

SHA512
95294516cca3fef7e2c80f36548e4483997d5e4006bfda1d116f9e0047d8ea770c4e011d00ccea4fe24657fe5a59f75e0bf495bfc003ad039a2fec2df1f35dfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\mydyji.exe

Filesize
393KB

MD5
7fc127660f256b7f83df0cb89401be43

SHA1
4aad00a9829f3c2b9ed9d239941f8dc0de15301f

SHA256
0bec8b12e514d24ffb4a9598856951f701ecd8316fa077b6a3793d36eaae7be6

SHA512
95294516cca3fef7e2c80f36548e4483997d5e4006bfda1d116f9e0047d8ea770c4e011d00ccea4fe24657fe5a59f75e0bf495bfc003ad039a2fec2df1f35dfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA245.tmp

Filesize
618KB

MD5
524defd57140ced3e81623df9123aaf6

SHA1
53910dfcb542b49d1f9cdbecea22c625715d5d24

SHA256
f7884825427e3ec3cf4eed3b536035c4c3fc881d1dabffac3adde2d9143cc5fe

SHA512
64a2501fb13934b78f171f0e66b755fc7ca3821b05e35ff7f03fab438b12041901664060857dbccadeedd6294cbdeceaa9bf468a6a00066be92c370b3197a53d

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA245.tmp

Filesize
618KB

MD5
524defd57140ced3e81623df9123aaf6

SHA1
53910dfcb542b49d1f9cdbecea22c625715d5d24

SHA256
f7884825427e3ec3cf4eed3b536035c4c3fc881d1dabffac3adde2d9143cc5fe

SHA512
64a2501fb13934b78f171f0e66b755fc7ca3821b05e35ff7f03fab438b12041901664060857dbccadeedd6294cbdeceaa9bf468a6a00066be92c370b3197a53d

Download Submit
memory/2208-144-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/2208-132-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/2908-150-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/2908-152-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/4204-141-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/4204-146-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/4344-137-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/4344-142-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download