5c073170c04c30363e9aa26a5079185d2750d4f6ba92ea5e9377c9dbdee4eb38

Analysis

max time kernel
157s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
02/10/2022, 10:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5c073170c04c30363e9aa26a5079185d2750d4f6ba92ea5e9377c9dbdee4eb38.exe
Size

653KB
MD5

6f037d17c6329d9588780ec79f8e9340
SHA1

449dce3cb321e3a47b54265830b833e5625f37a1
SHA256

5c073170c04c30363e9aa26a5079185d2750d4f6ba92ea5e9377c9dbdee4eb38
SHA512

f195bb8962bda57898f6801e9071d8659d2bad8af22642e8b946072f6442ab05eee8c08d88f99a013e9ca28d96c233f0ecbe0a5b30e7e653a1f35de511eccf2d
SSDEEP

12288:VHjcoe9PH96vB/fAuBcm9TyOE/xG3muGx44MG4Yx:VDgINfAuBcgcZG2uG24MG4Y

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
5096	widaivm.exe
4328	~DFA24D.tmp
4376	ydjaqy.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	~DFA24D.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	5c073170c04c30363e9aa26a5079185d2750d4f6ba92ea5e9377c9dbdee4eb38.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 38 IoCs

pid	Process
4376	ydjaqy.exe
4376	ydjaqy.exe
4376	ydjaqy.exe
4376	ydjaqy.exe
4376	ydjaqy.exe
4376	ydjaqy.exe
4376	ydjaqy.exe
4376	ydjaqy.exe
4376	ydjaqy.exe
4376	ydjaqy.exe
4376	ydjaqy.exe
4376	ydjaqy.exe
4376	ydjaqy.exe
4376	ydjaqy.exe
4376	ydjaqy.exe
4376	ydjaqy.exe
4376	ydjaqy.exe
4376	ydjaqy.exe
4376	ydjaqy.exe
4376	ydjaqy.exe
4376	ydjaqy.exe
4376	ydjaqy.exe
4376	ydjaqy.exe
4376	ydjaqy.exe
4376	ydjaqy.exe
4376	ydjaqy.exe
4376	ydjaqy.exe
4376	ydjaqy.exe
4376	ydjaqy.exe
4376	ydjaqy.exe
4376	ydjaqy.exe
4376	ydjaqy.exe
4376	ydjaqy.exe
4376	ydjaqy.exe
4376	ydjaqy.exe
4376	ydjaqy.exe
4376	ydjaqy.exe
4376	ydjaqy.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4328	~DFA24D.tmp

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4840 wrote to memory of 5096	4840	5c073170c04c30363e9aa26a5079185d2750d4f6ba92ea5e9377c9dbdee4eb38.exe	82
PID 4840 wrote to memory of 5096	4840	5c073170c04c30363e9aa26a5079185d2750d4f6ba92ea5e9377c9dbdee4eb38.exe	82
PID 4840 wrote to memory of 5096	4840	5c073170c04c30363e9aa26a5079185d2750d4f6ba92ea5e9377c9dbdee4eb38.exe	82
PID 5096 wrote to memory of 4328	5096	widaivm.exe	83
PID 5096 wrote to memory of 4328	5096	widaivm.exe	83
PID 5096 wrote to memory of 4328	5096	widaivm.exe	83
PID 4840 wrote to memory of 1852	4840	5c073170c04c30363e9aa26a5079185d2750d4f6ba92ea5e9377c9dbdee4eb38.exe	84
PID 4840 wrote to memory of 1852	4840	5c073170c04c30363e9aa26a5079185d2750d4f6ba92ea5e9377c9dbdee4eb38.exe	84
PID 4840 wrote to memory of 1852	4840	5c073170c04c30363e9aa26a5079185d2750d4f6ba92ea5e9377c9dbdee4eb38.exe	84
PID 4328 wrote to memory of 4376	4328	~DFA24D.tmp	93
PID 4328 wrote to memory of 4376	4328	~DFA24D.tmp	93
PID 4328 wrote to memory of 4376	4328	~DFA24D.tmp	93

C:\Users\Admin\AppData\Local\Temp\5c073170c04c30363e9aa26a5079185d2750d4f6ba92ea5e9377c9dbdee4eb38.exe
"C:\Users\Admin\AppData\Local\Temp\5c073170c04c30363e9aa26a5079185d2750d4f6ba92ea5e9377c9dbdee4eb38.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4840
- C:\Users\Admin\AppData\Local\Temp\widaivm.exe
  C:\Users\Admin\AppData\Local\Temp\widaivm.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:5096
- - C:\Users\Admin\AppData\Local\Temp\~DFA24D.tmp
    C:\Users\Admin\AppData\Local\Temp\~DFA24D.tmp OK
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4328
  - - C:\Users\Admin\AppData\Local\Temp\ydjaqy.exe
      "C:\Users\Admin\AppData\Local\Temp\ydjaqy.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:4376
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
  2⤵
  PID:1852

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uninsep.bat

Filesize
341B

MD5
727a8a11bbc13b55c31696ee7f03c54e

SHA1
f316e869e5c89d5801294fc1b61d1380edf498f1

SHA256
ed86410b977699bedcae441373ed5a9a71740c624028fb9414299f4019fe212e

SHA512
cac20385509df1989397048c94f419b752ad594ceafbb8320ec12c64dc2655a39ec236d74a639ac6c97037c8381854e0c83b69692eb2b1f67dd38de27eee7512

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
86bb2dbeaef655893262f3c041f6afe2

SHA1
1b26ff1241c1353bd506c18bd0c11878076ba65d

SHA256
4a57643d2c59d1235bc0926f845583f39345839e3e9428ad619eb4b6baf96ad2

SHA512
58294cfaa5882a4c5625c03fe6f9e4882912b31f7169241f95626745d66c0a746083a9044365943d66ae7a420113d28c0ddd642c4ed697c683deb63796a13d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
480B

MD5
518c52edef9483aea53ea71fdcee6913

SHA1
ea2aa88d49b6d3c99d8d241709e59d6cbeb4b060

SHA256
6a76245e36fba7f176d99de94b2b94e51d478550f41034c02bcc4e62d4539207

SHA512
3a58d8df2746995afbe82ec575e7afa2ea72ffcd980ede92acbce34db176ff813465650083b6ee67209d1a5422f305664f190dd7982f74ec758fa7685a3bba45

Download Submit
C:\Users\Admin\AppData\Local\Temp\widaivm.exe

Filesize
659KB

MD5
122df7f6f6a3b806454363f661fb931e

SHA1
f44d239cf9ac7843874584c57131178b19f70983

SHA256
57435f79e28da8b68172566d505c56f158c5bba61315ae9d5fda8ece6949e7a7

SHA512
79c4da866486c0d2a5fceb7d4b42db52f36f65a607a70e52154f277e68405381a9a336bbeba51442caad2f2ea0fc376d5e58eb2d8fd5c8f3147ef21a07a0e819

Download Submit
C:\Users\Admin\AppData\Local\Temp\widaivm.exe

Filesize
659KB

MD5
122df7f6f6a3b806454363f661fb931e

SHA1
f44d239cf9ac7843874584c57131178b19f70983

SHA256
57435f79e28da8b68172566d505c56f158c5bba61315ae9d5fda8ece6949e7a7

SHA512
79c4da866486c0d2a5fceb7d4b42db52f36f65a607a70e52154f277e68405381a9a336bbeba51442caad2f2ea0fc376d5e58eb2d8fd5c8f3147ef21a07a0e819

Download Submit
C:\Users\Admin\AppData\Local\Temp\ydjaqy.exe

Filesize
384KB

MD5
209e684bd84cb24ff60c8bf6f2e98507

SHA1
21a342b73fd8a1de7cac4e43a4131cb8cb89dcf7

SHA256
bca230a220b568be7abedba8e9046925d0e821ea682714469f8543e44a47f0c2

SHA512
4a396c6e71acb4c1cb909639364248c7c58f5eec29d43f85a96c8c0d83ed1ef6f42189d65e955be9f6dc5bc6efa81133d8ee0778db7a782a8b08c325e6571a95

Download Submit
C:\Users\Admin\AppData\Local\Temp\ydjaqy.exe

Filesize
384KB

MD5
209e684bd84cb24ff60c8bf6f2e98507

SHA1
21a342b73fd8a1de7cac4e43a4131cb8cb89dcf7

SHA256
bca230a220b568be7abedba8e9046925d0e821ea682714469f8543e44a47f0c2

SHA512
4a396c6e71acb4c1cb909639364248c7c58f5eec29d43f85a96c8c0d83ed1ef6f42189d65e955be9f6dc5bc6efa81133d8ee0778db7a782a8b08c325e6571a95

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA24D.tmp

Filesize
668KB

MD5
d0bf33ad506e76a1a97c9eec0c25b373

SHA1
93a26bb438cb50ec5ff1946beab15dc5bdeab4c0

SHA256
0cc0c4c1afc17690d17fd8460dec6a4b8eddad0f312e12c558579c72417f4f79

SHA512
190d74afe7a9c1ba65d890b1323311252bac24c98e2e39be4b58ab9cc09c5c932cb98c53b02eb61ab27818cdfa696f060e638dd2432428a913814bb4b4c59966

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA24D.tmp

Filesize
668KB

MD5
d0bf33ad506e76a1a97c9eec0c25b373

SHA1
93a26bb438cb50ec5ff1946beab15dc5bdeab4c0

SHA256
0cc0c4c1afc17690d17fd8460dec6a4b8eddad0f312e12c558579c72417f4f79

SHA512
190d74afe7a9c1ba65d890b1323311252bac24c98e2e39be4b58ab9cc09c5c932cb98c53b02eb61ab27818cdfa696f060e638dd2432428a913814bb4b4c59966

Download Submit
memory/4328-143-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/4376-150-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/4376-152-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/4840-145-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/4840-138-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/4840-132-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/5096-137-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/5096-142-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download