Analysis
  max time kernel:  176s
  max time network: 184s
  platform:         windows10-2004_x64
  resource:         win10v2004-20220812-en
  resource tags:    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  submitted:        11/10/2022, 05:27
Static task: static1
Behavioral task: behavioral1
  Sample:   bc155820215c6ce3654b982db51ad60077dd9ddd4bebc1f495e2c4416ea22c8d.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample:   bc155820215c6ce3654b982db51ad60077dd9ddd4bebc1f495e2c4416ea22c8d.exe
  Resource: win10v2004-20220812-en
General
  Target: bc155820215c6ce3654b982db51ad60077dd9ddd4bebc1f495e2c4416ea22c8d.exe
  Size:   633KB
  MD5:    793f06cbfa215701eaf0f13e84fbdf10
  SHA1:   81a18ec22a465ee53eae08c8868cf0c6e321097e
  SHA256: bc155820215c6ce3654b982db51ad60077dd9ddd4bebc1f495e2c4416ea22c8d
  SHA512: fa82b1ac15e9a92a019639c0b06a6185f8b232fb70744c358fbc8688ff5c8b4d0adf2d6df7e7d14cce8931e6574506772c6eca45f1ab4ba9e8bc3d0030a21bed
  SSDEEP: 12288:OHjcoe9PH96vB/fAuBcm9TyOE/xG3muGx44MG4Yx:ODgINfAuBcgcZG2uG24MG4Y
Malware Config
Signatures
Executes dropped EXE (3 IoCs)
  pid   Process
  4924  ykxujoi.exe
  4792  ~DFA24F.tmp
  3616  seawgop.exe

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
  description        ioc                                                                                                Process
  Key value queried  \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation  bc155820215c6ce3654b982db51ad60077dd9ddd4bebc1f495e2c4416ea22c8d.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation  ~DFA24F.tmp
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (26 IoCs)
  pid   Process
  3616  seawgop.exe  (the same pid/process pair is recorded 26 times)
Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  4792  ~DFA24F.tmp
Suspicious use of WriteProcessMemory (12 IoCs; each of the four events below is recorded 3 times)
  description                       pid   Process                                                                 procid_target
  PID 2976 wrote to memory of 4924  2976  bc155820215c6ce3654b982db51ad60077dd9ddd4bebc1f495e2c4416ea22c8d.exe  82
  PID 4924 wrote to memory of 4792  4924  ykxujoi.exe                                                             84
  PID 2976 wrote to memory of 4100  2976  bc155820215c6ce3654b982db51ad60077dd9ddd4bebc1f495e2c4416ea22c8d.exe  85
  PID 4792 wrote to memory of 3616  4792  ~DFA24F.tmp                                                             92
Processes
1. C:\Users\Admin\AppData\Local\Temp\bc155820215c6ce3654b982db51ad60077dd9ddd4bebc1f495e2c4416ea22c8d.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\bc155820215c6ce3654b982db51ad60077dd9ddd4bebc1f495e2c4416ea22c8d.exe"
   PID: 2976
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\ykxujoi.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\ykxujoi.exe
      PID: 4924
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Local\Temp\~DFA24F.tmp
         Command line: C:\Users\Admin\AppData\Local\Temp\~DFA24F.tmp OK
         PID: 4792
         - Executes dropped EXE
         - Checks computer location settings
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of WriteProcessMemory

         4. C:\Users\Admin\AppData\Local\Temp\seawgop.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\seawgop.exe"
            PID: 3616
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
      PID: 4100
Network
MITRE ATT&CK Enterprise v6
Downloads