f49651cc591a70ada81923879dc55003db47983af92d038eeffaae7245f031bc

Analysis

max time kernel
190s
max time network
206s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
11/10/2022, 05:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f49651cc591a70ada81923879dc55003db47983af92d038eeffaae7245f031bc.exe
Size

668KB
MD5

439959a920e04f2db59b7fe2dd3ef430
SHA1

561e0630ea09a5f45f46d8abc4f422ad2dcd6fa7
SHA256

f49651cc591a70ada81923879dc55003db47983af92d038eeffaae7245f031bc
SHA512

45cf7794c24864c749592f9060b1c4539eb8051747e2042dc2532ad9fc23c71a88a382cae90599a01e73dbeb8630b02508f1355bb5b8fb474b30cf4dd8d7f13d
SSDEEP

12288:VHjcoe9PH96vB/fAuBcm9TyOE/xG3muGx44MG4Yx:VDgINfAuBcgcZG2uG24MG4Y

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2436	suevlok.exe
2604	~DFA258.tmp
804	jievodq.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	f49651cc591a70ada81923879dc55003db47983af92d038eeffaae7245f031bc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	~DFA258.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
804	jievodq.exe
804	jievodq.exe
804	jievodq.exe
804	jievodq.exe
804	jievodq.exe
804	jievodq.exe
804	jievodq.exe
804	jievodq.exe
804	jievodq.exe
804	jievodq.exe
804	jievodq.exe
804	jievodq.exe
804	jievodq.exe
804	jievodq.exe
804	jievodq.exe
804	jievodq.exe
804	jievodq.exe
804	jievodq.exe
804	jievodq.exe
804	jievodq.exe
804	jievodq.exe
804	jievodq.exe
804	jievodq.exe
804	jievodq.exe
804	jievodq.exe
804	jievodq.exe
804	jievodq.exe
804	jievodq.exe
804	jievodq.exe
804	jievodq.exe
804	jievodq.exe
804	jievodq.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2604	~DFA258.tmp

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 924 wrote to memory of 2436	924	f49651cc591a70ada81923879dc55003db47983af92d038eeffaae7245f031bc.exe	82
PID 924 wrote to memory of 2436	924	f49651cc591a70ada81923879dc55003db47983af92d038eeffaae7245f031bc.exe	82
PID 924 wrote to memory of 2436	924	f49651cc591a70ada81923879dc55003db47983af92d038eeffaae7245f031bc.exe	82
PID 924 wrote to memory of 3928	924	f49651cc591a70ada81923879dc55003db47983af92d038eeffaae7245f031bc.exe	83
PID 924 wrote to memory of 3928	924	f49651cc591a70ada81923879dc55003db47983af92d038eeffaae7245f031bc.exe	83
PID 924 wrote to memory of 3928	924	f49651cc591a70ada81923879dc55003db47983af92d038eeffaae7245f031bc.exe	83
PID 2436 wrote to memory of 2604	2436	suevlok.exe	85
PID 2436 wrote to memory of 2604	2436	suevlok.exe	85
PID 2436 wrote to memory of 2604	2436	suevlok.exe	85
PID 2604 wrote to memory of 804	2604	~DFA258.tmp	86
PID 2604 wrote to memory of 804	2604	~DFA258.tmp	86
PID 2604 wrote to memory of 804	2604	~DFA258.tmp	86

C:\Users\Admin\AppData\Local\Temp\f49651cc591a70ada81923879dc55003db47983af92d038eeffaae7245f031bc.exe
"C:\Users\Admin\AppData\Local\Temp\f49651cc591a70ada81923879dc55003db47983af92d038eeffaae7245f031bc.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:924
- C:\Users\Admin\AppData\Local\Temp\suevlok.exe
  C:\Users\Admin\AppData\Local\Temp\suevlok.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2436
- - C:\Users\Admin\AppData\Local\Temp\~DFA258.tmp
    C:\Users\Admin\AppData\Local\Temp\~DFA258.tmp OK
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2604
  - - C:\Users\Admin\AppData\Local\Temp\jievodq.exe
      "C:\Users\Admin\AppData\Local\Temp\jievodq.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:804
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
  2⤵
  PID:3928

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uninsep.bat

Filesize
341B

MD5
ba746eebdf87399d423652b62980562e

SHA1
c4243f204c08a721f67f0aaa10d64db3f453a31a

SHA256
7e10bc53e0e95051dab23667763f74b386654d915f23753861092b8383c13572

SHA512
8a1b3e682b6000e0f31905fea4bb145efe81e358e432629c37ce8db088a5c096631ada4625fd3fdde75db491d737c3c1ca0a3b6edd058f2e11a5e7a1ebcb6a30

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
86bb2dbeaef655893262f3c041f6afe2

SHA1
1b26ff1241c1353bd506c18bd0c11878076ba65d

SHA256
4a57643d2c59d1235bc0926f845583f39345839e3e9428ad619eb4b6baf96ad2

SHA512
58294cfaa5882a4c5625c03fe6f9e4882912b31f7169241f95626745d66c0a746083a9044365943d66ae7a420113d28c0ddd642c4ed697c683deb63796a13d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
480B

MD5
408074c79e97f2d2fce3c4689f1dc83f

SHA1
f1accfe4335d5ea6185bb5a803475e845cbe809e

SHA256
6e818f34f0c3168bc80fad1ec7e71ca4b518fb1ac725cae118c188518f453fe9

SHA512
a66882f913e96a9c9e945ee3b47f388850ebf67abe920b2850b4b201c728809a039b3a343ac70e1b1171eebaf4b24ee5acd01e5c272509351e212252d834c181

Download Submit
C:\Users\Admin\AppData\Local\Temp\jievodq.exe

Filesize
390KB

MD5
5eeb835f2dafa3a92a9a78cca9a2666f

SHA1
e1dfcda1418c3910f773c02f6db0b729f8862ba8

SHA256
93ad37ab9206c36946f3fe80c283469c8e8edb6357e5364ad9eb595673a193e7

SHA512
43f1d262bb4f8088d3c3b9ff39e3431c3ac74dbb5a6d30e93c3c70dd4c6255eea4c66ba501a39f07b9c204cc3a6cdea0eccf7cea64e3713bf5941ae7b4b12334

Download Submit
C:\Users\Admin\AppData\Local\Temp\jievodq.exe

Filesize
390KB

MD5
5eeb835f2dafa3a92a9a78cca9a2666f

SHA1
e1dfcda1418c3910f773c02f6db0b729f8862ba8

SHA256
93ad37ab9206c36946f3fe80c283469c8e8edb6357e5364ad9eb595673a193e7

SHA512
43f1d262bb4f8088d3c3b9ff39e3431c3ac74dbb5a6d30e93c3c70dd4c6255eea4c66ba501a39f07b9c204cc3a6cdea0eccf7cea64e3713bf5941ae7b4b12334

Download Submit
C:\Users\Admin\AppData\Local\Temp\suevlok.exe

Filesize
677KB

MD5
8c459c1b3ec960dd4301797af931706b

SHA1
6ba6e542fe5435f9b4596614995971e045e5caac

SHA256
aacd8324b1525b76a93ce571eefeae57aa0a104990a0af577981f244327f2c4e

SHA512
19dcba070ad4600403355479914f7bb61ad65ff603f06f43f829fd7588363ed4cac1b19bfc325a91599f2150e5b549696f1aa7ba2ac53c87e0a86fe316196e7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\suevlok.exe

Filesize
677KB

MD5
8c459c1b3ec960dd4301797af931706b

SHA1
6ba6e542fe5435f9b4596614995971e045e5caac

SHA256
aacd8324b1525b76a93ce571eefeae57aa0a104990a0af577981f244327f2c4e

SHA512
19dcba070ad4600403355479914f7bb61ad65ff603f06f43f829fd7588363ed4cac1b19bfc325a91599f2150e5b549696f1aa7ba2ac53c87e0a86fe316196e7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA258.tmp

Filesize
678KB

MD5
9934c63965c1221cd439e22445d9ea30

SHA1
ccde92a5bc8d65ed2d51a48c75c5285d21176d3d

SHA256
8d0e9bee8217ff2f8ec8aeef850dd696a0fcd63a19cafe7955bc6af99c5921f7

SHA512
594d7067e93aee6a53515137130c00e8b3cee0304a6a6315f4d8196db571d79a5fdc230bf16674cc79747844d2640895571eafd00a002bcba9a12ad877655298

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA258.tmp

Filesize
678KB

MD5
9934c63965c1221cd439e22445d9ea30

SHA1
ccde92a5bc8d65ed2d51a48c75c5285d21176d3d

SHA256
8d0e9bee8217ff2f8ec8aeef850dd696a0fcd63a19cafe7955bc6af99c5921f7

SHA512
594d7067e93aee6a53515137130c00e8b3cee0304a6a6315f4d8196db571d79a5fdc230bf16674cc79747844d2640895571eafd00a002bcba9a12ad877655298

Download Submit
memory/804-150-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/924-132-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/924-139-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/2436-145-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/2436-136-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/2604-144-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/2604-146-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download