bc155820215c6ce3654b982db51ad60077dd9ddd4bebc1f495e2c4416ea22c8d

Analysis

max time kernel
176s
max time network
184s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
11/10/2022, 05:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bc155820215c6ce3654b982db51ad60077dd9ddd4bebc1f495e2c4416ea22c8d.exe
Size

633KB
MD5

793f06cbfa215701eaf0f13e84fbdf10
SHA1

81a18ec22a465ee53eae08c8868cf0c6e321097e
SHA256

bc155820215c6ce3654b982db51ad60077dd9ddd4bebc1f495e2c4416ea22c8d
SHA512

fa82b1ac15e9a92a019639c0b06a6185f8b232fb70744c358fbc8688ff5c8b4d0adf2d6df7e7d14cce8931e6574506772c6eca45f1ab4ba9e8bc3d0030a21bed
SSDEEP

12288:OHjcoe9PH96vB/fAuBcm9TyOE/xG3muGx44MG4Yx:ODgINfAuBcgcZG2uG24MG4Y

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
4924	ykxujoi.exe
4792	~DFA24F.tmp
3616	seawgop.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	bc155820215c6ce3654b982db51ad60077dd9ddd4bebc1f495e2c4416ea22c8d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	~DFA24F.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
3616	seawgop.exe
3616	seawgop.exe
3616	seawgop.exe
3616	seawgop.exe
3616	seawgop.exe
3616	seawgop.exe
3616	seawgop.exe
3616	seawgop.exe
3616	seawgop.exe
3616	seawgop.exe
3616	seawgop.exe
3616	seawgop.exe
3616	seawgop.exe
3616	seawgop.exe
3616	seawgop.exe
3616	seawgop.exe
3616	seawgop.exe
3616	seawgop.exe
3616	seawgop.exe
3616	seawgop.exe
3616	seawgop.exe
3616	seawgop.exe
3616	seawgop.exe
3616	seawgop.exe
3616	seawgop.exe
3616	seawgop.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4792	~DFA24F.tmp

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2976 wrote to memory of 4924	2976	bc155820215c6ce3654b982db51ad60077dd9ddd4bebc1f495e2c4416ea22c8d.exe	82
PID 2976 wrote to memory of 4924	2976	bc155820215c6ce3654b982db51ad60077dd9ddd4bebc1f495e2c4416ea22c8d.exe	82
PID 2976 wrote to memory of 4924	2976	bc155820215c6ce3654b982db51ad60077dd9ddd4bebc1f495e2c4416ea22c8d.exe	82
PID 4924 wrote to memory of 4792	4924	ykxujoi.exe	84
PID 4924 wrote to memory of 4792	4924	ykxujoi.exe	84
PID 4924 wrote to memory of 4792	4924	ykxujoi.exe	84
PID 2976 wrote to memory of 4100	2976	bc155820215c6ce3654b982db51ad60077dd9ddd4bebc1f495e2c4416ea22c8d.exe	85
PID 2976 wrote to memory of 4100	2976	bc155820215c6ce3654b982db51ad60077dd9ddd4bebc1f495e2c4416ea22c8d.exe	85
PID 2976 wrote to memory of 4100	2976	bc155820215c6ce3654b982db51ad60077dd9ddd4bebc1f495e2c4416ea22c8d.exe	85
PID 4792 wrote to memory of 3616	4792	~DFA24F.tmp	92
PID 4792 wrote to memory of 3616	4792	~DFA24F.tmp	92
PID 4792 wrote to memory of 3616	4792	~DFA24F.tmp	92

C:\Users\Admin\AppData\Local\Temp\bc155820215c6ce3654b982db51ad60077dd9ddd4bebc1f495e2c4416ea22c8d.exe
"C:\Users\Admin\AppData\Local\Temp\bc155820215c6ce3654b982db51ad60077dd9ddd4bebc1f495e2c4416ea22c8d.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2976
- C:\Users\Admin\AppData\Local\Temp\ykxujoi.exe
  C:\Users\Admin\AppData\Local\Temp\ykxujoi.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4924
- - C:\Users\Admin\AppData\Local\Temp\~DFA24F.tmp
    C:\Users\Admin\AppData\Local\Temp\~DFA24F.tmp OK
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4792
  - - C:\Users\Admin\AppData\Local\Temp\seawgop.exe
      "C:\Users\Admin\AppData\Local\Temp\seawgop.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:3616
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
  2⤵
  PID:4100

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uninsep.bat

Filesize
341B

MD5
e715c2f46e592d5960b1638094c5854f

SHA1
fda4b0d334a5256ddbfe1efb6f6af5535982db84

SHA256
fef7d05136dc9c54d52f755eea3204f3c73083d55169b4ac613b4e65faffb8e0

SHA512
3edf0467dd67bfbf79695db57212f13c9d47070e0ba256097b8588ca96f6eaa70bae111035ad1c042b74436c1d7eec33abc5d7a9deff58056a97fbdb791c17c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
86bb2dbeaef655893262f3c041f6afe2

SHA1
1b26ff1241c1353bd506c18bd0c11878076ba65d

SHA256
4a57643d2c59d1235bc0926f845583f39345839e3e9428ad619eb4b6baf96ad2

SHA512
58294cfaa5882a4c5625c03fe6f9e4882912b31f7169241f95626745d66c0a746083a9044365943d66ae7a420113d28c0ddd642c4ed697c683deb63796a13d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
480B

MD5
fc8140590a00eac275ee66e371824f87

SHA1
1ce77203a4eaf6cbaa2fc0e9a23c184e263cd8e9

SHA256
8bd900ea99cc0b8d05088f06738782b17ac53fb31ba79af6267e87001c56b400

SHA512
fc19772b87e7bf095c154934d0f1ede688fa162f5453492c7a4bb74db5a7f5c1082bb12f5cacdc4c61faee338a6ef49ee2579a7d2d8ddfd467ea7e63ebd889fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\seawgop.exe

Filesize
417KB

MD5
c71998b106644323ff2b05ec54632b11

SHA1
8597276a469dc565ea3c904ec81a65952c8f3b56

SHA256
8476519468ae6c9d0109600fcb15291c5e64383e1fa70bcf934300fe0f034e35

SHA512
7e2799355ce8474da45c860f724c9882e1dc3d8ce6dba496e46e49276d5303e546f9b4484a53ef19a7f8e7d63e504759adbaa9e59f696692e20614c882c971cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\seawgop.exe

Filesize
417KB

MD5
c71998b106644323ff2b05ec54632b11

SHA1
8597276a469dc565ea3c904ec81a65952c8f3b56

SHA256
8476519468ae6c9d0109600fcb15291c5e64383e1fa70bcf934300fe0f034e35

SHA512
7e2799355ce8474da45c860f724c9882e1dc3d8ce6dba496e46e49276d5303e546f9b4484a53ef19a7f8e7d63e504759adbaa9e59f696692e20614c882c971cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ykxujoi.exe

Filesize
638KB

MD5
94d44a4487b10be6a4b4d6d6f779003b

SHA1
07b4a6f72844bc4716053ba5c35011f8029f5083

SHA256
c9d7cc87d92f5ce1fd59dac69f56cf45881ad3c62ef3a1944737e2c3f351a80e

SHA512
1de05f07b1ce31f7832d73b1e91e685ad38b7aec4ca40a02eb5071631e4467d94b650ee7147b138bc15a142f844035fc1d50f53afafb28fbfa173aa2e6b1773b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ykxujoi.exe

Filesize
638KB

MD5
94d44a4487b10be6a4b4d6d6f779003b

SHA1
07b4a6f72844bc4716053ba5c35011f8029f5083

SHA256
c9d7cc87d92f5ce1fd59dac69f56cf45881ad3c62ef3a1944737e2c3f351a80e

SHA512
1de05f07b1ce31f7832d73b1e91e685ad38b7aec4ca40a02eb5071631e4467d94b650ee7147b138bc15a142f844035fc1d50f53afafb28fbfa173aa2e6b1773b

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA24F.tmp

Filesize
640KB

MD5
5e299285d384d0c016df6ceec7a0824a

SHA1
1ede0515bfe3d02f8e413b7bb52b9648f57d65ab

SHA256
a9b0484eead37a48c28c8a10cbbdada11deb898aab3ab87e81973f3b2951a76c

SHA512
684ba20790f53a2527f897af08a21b4d61532b6ac49fe431e44089654d2e63d3b2e3c63271f3b879dcc96f53b7d2d9d370b41e11e5c6d9178818eff9079044fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA24F.tmp

Filesize
640KB

MD5
5e299285d384d0c016df6ceec7a0824a

SHA1
1ede0515bfe3d02f8e413b7bb52b9648f57d65ab

SHA256
a9b0484eead37a48c28c8a10cbbdada11deb898aab3ab87e81973f3b2951a76c

SHA512
684ba20790f53a2527f897af08a21b4d61532b6ac49fe431e44089654d2e63d3b2e3c63271f3b879dcc96f53b7d2d9d370b41e11e5c6d9178818eff9079044fa

Download Submit
memory/2976-142-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/2976-132-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/2976-146-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/3616-151-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/4792-144-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/4792-141-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/4924-143-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/4924-137-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download