845b0b044c8f00520f3eb28849a61f88dfe88550101925744d31e0bf7c241c86

Analysis

max time kernel
178s
max time network
183s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
03/10/2022, 12:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

845b0b044c8f00520f3eb28849a61f88dfe88550101925744d31e0bf7c241c86.exe
Size

639KB
MD5

685a6b8a04d3e87f4eddda5da93d18c0
SHA1

fe8569ae5f5cef12e275731d86db519a6b9583c7
SHA256

845b0b044c8f00520f3eb28849a61f88dfe88550101925744d31e0bf7c241c86
SHA512

3814ba0d754ce25136c6a0e79c4f386436b71ee4a48e751a11958d9997d81cf8878887d4bc6ceb531f9b60491cbfc520c789ac31d22331b11610793ac6b30ea5
SSDEEP

12288:OHjcoe9PH96vB/fAuBcm9TyOE/xG3muGx44MG4Yx:ODgINfAuBcgcZG2uG24MG4Y

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
3120	cesyju.exe
4916	~DFA24B.tmp
2328	ebizm.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	845b0b044c8f00520f3eb28849a61f88dfe88550101925744d31e0bf7c241c86.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	~DFA24B.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
2328	ebizm.exe
2328	ebizm.exe
2328	ebizm.exe
2328	ebizm.exe
2328	ebizm.exe
2328	ebizm.exe
2328	ebizm.exe
2328	ebizm.exe
2328	ebizm.exe
2328	ebizm.exe
2328	ebizm.exe
2328	ebizm.exe
2328	ebizm.exe
2328	ebizm.exe
2328	ebizm.exe
2328	ebizm.exe
2328	ebizm.exe
2328	ebizm.exe
2328	ebizm.exe
2328	ebizm.exe
2328	ebizm.exe
2328	ebizm.exe
2328	ebizm.exe
2328	ebizm.exe
2328	ebizm.exe
2328	ebizm.exe
2328	ebizm.exe
2328	ebizm.exe
2328	ebizm.exe
2328	ebizm.exe
2328	ebizm.exe
2328	ebizm.exe
2328	ebizm.exe
2328	ebizm.exe
2328	ebizm.exe
2328	ebizm.exe
2328	ebizm.exe
2328	ebizm.exe
2328	ebizm.exe
2328	ebizm.exe
2328	ebizm.exe
2328	ebizm.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4916	~DFA24B.tmp

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4712 wrote to memory of 3120	4712	845b0b044c8f00520f3eb28849a61f88dfe88550101925744d31e0bf7c241c86.exe	83
PID 4712 wrote to memory of 3120	4712	845b0b044c8f00520f3eb28849a61f88dfe88550101925744d31e0bf7c241c86.exe	83
PID 4712 wrote to memory of 3120	4712	845b0b044c8f00520f3eb28849a61f88dfe88550101925744d31e0bf7c241c86.exe	83
PID 3120 wrote to memory of 4916	3120	cesyju.exe	84
PID 3120 wrote to memory of 4916	3120	cesyju.exe	84
PID 3120 wrote to memory of 4916	3120	cesyju.exe	84
PID 4712 wrote to memory of 4648	4712	845b0b044c8f00520f3eb28849a61f88dfe88550101925744d31e0bf7c241c86.exe	85
PID 4712 wrote to memory of 4648	4712	845b0b044c8f00520f3eb28849a61f88dfe88550101925744d31e0bf7c241c86.exe	85
PID 4712 wrote to memory of 4648	4712	845b0b044c8f00520f3eb28849a61f88dfe88550101925744d31e0bf7c241c86.exe	85
PID 4916 wrote to memory of 2328	4916	~DFA24B.tmp	87
PID 4916 wrote to memory of 2328	4916	~DFA24B.tmp	87
PID 4916 wrote to memory of 2328	4916	~DFA24B.tmp	87

C:\Users\Admin\AppData\Local\Temp\845b0b044c8f00520f3eb28849a61f88dfe88550101925744d31e0bf7c241c86.exe
"C:\Users\Admin\AppData\Local\Temp\845b0b044c8f00520f3eb28849a61f88dfe88550101925744d31e0bf7c241c86.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4712
- C:\Users\Admin\AppData\Local\Temp\cesyju.exe
  C:\Users\Admin\AppData\Local\Temp\cesyju.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3120
- - C:\Users\Admin\AppData\Local\Temp\~DFA24B.tmp
    C:\Users\Admin\AppData\Local\Temp\~DFA24B.tmp OK
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4916
  - - C:\Users\Admin\AppData\Local\Temp\ebizm.exe
      "C:\Users\Admin\AppData\Local\Temp\ebizm.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:2328
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
  2⤵
  PID:4648

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uninsep.bat

Filesize
341B

MD5
c12564052b8e2a7a6bb05c7ae08784e1

SHA1
c94a0eccd819e73003959cf20033fcd277b8ab58

SHA256
e626df762ef8399b25ddd2ec59b49c26ef5bc78a9d89c6bc2ef7c0c1371d20a1

SHA512
ec1e320e6c332da430f5bb0e0a84d94ab3b5e7a32b06e0216cc98283a56f79f899a97df4cf88967a927068a22ab9b72bd0a3503ba7c782d867b68cbd21e7594d

Download Submit
C:\Users\Admin\AppData\Local\Temp\cesyju.exe

Filesize
645KB

MD5
6f612925db64c68c0447042f4b360870

SHA1
57f454b1fedae79c5c1494791d5442bf5d2cbff6

SHA256
469d1281ad69b6f4fa3de284bcaf8ce6763c76395e1bcfd8eeb41a37a511df15

SHA512
bec1c1f23b405f5fed8d59ec60839215b9a33eb8e6ecf88ea3392328d82518f1526b9083f1dfcab697490be1cfb9d5305fd56285cddeb95bfc70240929a6f4c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\cesyju.exe

Filesize
645KB

MD5
6f612925db64c68c0447042f4b360870

SHA1
57f454b1fedae79c5c1494791d5442bf5d2cbff6

SHA256
469d1281ad69b6f4fa3de284bcaf8ce6763c76395e1bcfd8eeb41a37a511df15

SHA512
bec1c1f23b405f5fed8d59ec60839215b9a33eb8e6ecf88ea3392328d82518f1526b9083f1dfcab697490be1cfb9d5305fd56285cddeb95bfc70240929a6f4c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ebizm.exe

Filesize
397KB

MD5
321f651e250fdcbf4ecd3ac5dc257fdf

SHA1
6120593ffbe1a5231ad996989f0df59b672c03d4

SHA256
c0a8a6ee96e0a3cb36df3ed2482425354be96ce3c50cb1a74d4d6982e13c6344

SHA512
44bec52834ba7f44f0d995a5c33fe44ea70eded99a25aaa23ae9b9909bca491828ef6804bafe9f34dedb7d68b3bd57e9f963cef8169d177cba69259213f372fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\ebizm.exe

Filesize
397KB

MD5
321f651e250fdcbf4ecd3ac5dc257fdf

SHA1
6120593ffbe1a5231ad996989f0df59b672c03d4

SHA256
c0a8a6ee96e0a3cb36df3ed2482425354be96ce3c50cb1a74d4d6982e13c6344

SHA512
44bec52834ba7f44f0d995a5c33fe44ea70eded99a25aaa23ae9b9909bca491828ef6804bafe9f34dedb7d68b3bd57e9f963cef8169d177cba69259213f372fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
86bb2dbeaef655893262f3c041f6afe2

SHA1
1b26ff1241c1353bd506c18bd0c11878076ba65d

SHA256
4a57643d2c59d1235bc0926f845583f39345839e3e9428ad619eb4b6baf96ad2

SHA512
58294cfaa5882a4c5625c03fe6f9e4882912b31f7169241f95626745d66c0a746083a9044365943d66ae7a420113d28c0ddd642c4ed697c683deb63796a13d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
480B

MD5
5279475c4bc265e6c0b66112b1189de2

SHA1
3ee08433dc82c9657aab7ce9dcc4d540a61ec9ff

SHA256
253ed57407d963542c9391c533bb20e5c24b9af9f8ad80dd0e7bcd24471fe313

SHA512
c58e87f734e502c6ff8a657cece2e69bb61a1b37b6ea78171a030012789c97192eedd724d7fe250651eb61ec51b37797f1bf937bda0a0b91beb88957c35a21ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA24B.tmp

Filesize
652KB

MD5
41321e9da8b0d615378023f699896157

SHA1
1e42e72b6dfac605e0fcce44c033ea1d5cd2f2ee

SHA256
ec6fe0e15e707fc2b0d01fa57a4c7c1602c8b9c12a9a6732b63bedf3abef2126

SHA512
b7c4c6f1a3657297d470b8e7d2e6eee87fb66f2c4a00fef9e31977cbbb6d314bdd62ad73369fd438c80f82592092188387f65d0abfe662c0b0514d57adb9d880

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA24B.tmp

Filesize
652KB

MD5
41321e9da8b0d615378023f699896157

SHA1
1e42e72b6dfac605e0fcce44c033ea1d5cd2f2ee

SHA256
ec6fe0e15e707fc2b0d01fa57a4c7c1602c8b9c12a9a6732b63bedf3abef2126

SHA512
b7c4c6f1a3657297d470b8e7d2e6eee87fb66f2c4a00fef9e31977cbbb6d314bdd62ad73369fd438c80f82592092188387f65d0abfe662c0b0514d57adb9d880

Download Submit
memory/2328-149-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/2328-150-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/3120-140-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/4712-143-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/4712-132-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/4916-141-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download