19d4d4594cffde3006ddc68727e6a1e9798e7c1d7f5fedb5f4b63c3e00e4a720

Analysis

max time kernel
153s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
11/10/2022, 16:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

19d4d4594cffde3006ddc68727e6a1e9798e7c1d7f5fedb5f4b63c3e00e4a720.exe
Size

697KB
MD5

7c322be974e8deb64b30fc7bc7c92cb8
SHA1

66d61d7b978fecfd28808b2c0632a0a3ad365600
SHA256

19d4d4594cffde3006ddc68727e6a1e9798e7c1d7f5fedb5f4b63c3e00e4a720
SHA512

b5859ae72285bc7d8c55026d5f340b713dc40e74d3754a7a16ae6863f49aa524d728c1551fcc1e8cf39a463b83b8f2f22466eacd52d69138c21109eecdaba868
SSDEEP

12288:VHjcoe9PH96vB/fAuBcm9TyOE/xG3muGx44MG4Yx:VDgINfAuBcgcZG2uG24MG4Y

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
4792	axcajof.exe
1280	~DFA248.tmp
2136	yqsolof.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	19d4d4594cffde3006ddc68727e6a1e9798e7c1d7f5fedb5f4b63c3e00e4a720.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	~DFA248.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 38 IoCs

pid	Process
2136	yqsolof.exe
2136	yqsolof.exe
2136	yqsolof.exe
2136	yqsolof.exe
2136	yqsolof.exe
2136	yqsolof.exe
2136	yqsolof.exe
2136	yqsolof.exe
2136	yqsolof.exe
2136	yqsolof.exe
2136	yqsolof.exe
2136	yqsolof.exe
2136	yqsolof.exe
2136	yqsolof.exe
2136	yqsolof.exe
2136	yqsolof.exe
2136	yqsolof.exe
2136	yqsolof.exe
2136	yqsolof.exe
2136	yqsolof.exe
2136	yqsolof.exe
2136	yqsolof.exe
2136	yqsolof.exe
2136	yqsolof.exe
2136	yqsolof.exe
2136	yqsolof.exe
2136	yqsolof.exe
2136	yqsolof.exe
2136	yqsolof.exe
2136	yqsolof.exe
2136	yqsolof.exe
2136	yqsolof.exe
2136	yqsolof.exe
2136	yqsolof.exe
2136	yqsolof.exe
2136	yqsolof.exe
2136	yqsolof.exe
2136	yqsolof.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1280	~DFA248.tmp

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4912 wrote to memory of 4792	4912	19d4d4594cffde3006ddc68727e6a1e9798e7c1d7f5fedb5f4b63c3e00e4a720.exe	82
PID 4912 wrote to memory of 4792	4912	19d4d4594cffde3006ddc68727e6a1e9798e7c1d7f5fedb5f4b63c3e00e4a720.exe	82
PID 4912 wrote to memory of 4792	4912	19d4d4594cffde3006ddc68727e6a1e9798e7c1d7f5fedb5f4b63c3e00e4a720.exe	82
PID 4792 wrote to memory of 1280	4792	axcajof.exe	83
PID 4792 wrote to memory of 1280	4792	axcajof.exe	83
PID 4792 wrote to memory of 1280	4792	axcajof.exe	83
PID 4912 wrote to memory of 3180	4912	19d4d4594cffde3006ddc68727e6a1e9798e7c1d7f5fedb5f4b63c3e00e4a720.exe	84
PID 4912 wrote to memory of 3180	4912	19d4d4594cffde3006ddc68727e6a1e9798e7c1d7f5fedb5f4b63c3e00e4a720.exe	84
PID 4912 wrote to memory of 3180	4912	19d4d4594cffde3006ddc68727e6a1e9798e7c1d7f5fedb5f4b63c3e00e4a720.exe	84
PID 1280 wrote to memory of 2136	1280	~DFA248.tmp	93
PID 1280 wrote to memory of 2136	1280	~DFA248.tmp	93
PID 1280 wrote to memory of 2136	1280	~DFA248.tmp	93

C:\Users\Admin\AppData\Local\Temp\19d4d4594cffde3006ddc68727e6a1e9798e7c1d7f5fedb5f4b63c3e00e4a720.exe
"C:\Users\Admin\AppData\Local\Temp\19d4d4594cffde3006ddc68727e6a1e9798e7c1d7f5fedb5f4b63c3e00e4a720.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4912
- C:\Users\Admin\AppData\Local\Temp\axcajof.exe
  C:\Users\Admin\AppData\Local\Temp\axcajof.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4792
- - C:\Users\Admin\AppData\Local\Temp\~DFA248.tmp
    C:\Users\Admin\AppData\Local\Temp\~DFA248.tmp OK
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1280
  - - C:\Users\Admin\AppData\Local\Temp\yqsolof.exe
      "C:\Users\Admin\AppData\Local\Temp\yqsolof.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:2136
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
  2⤵
  PID:3180

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uninsep.bat

Filesize
341B

MD5
40d89701cd9b30db06bc65ae857adc81

SHA1
e29e4a7d27d039b1c637ccc1cc7755fe6c9983d5

SHA256
19d5c0bbf595e06e01b0fbf6f80d4bbd41fa969623bd1396b8ce6eb1c534ea82

SHA512
c23e7049743094fc300fccbb9abc3ffbb8ae593fd817e38fe77f27696dd055582e8d2e503617994bee1cf394fdc05b302fa86dab89bbfe223afc71256e6d8787

Download Submit
C:\Users\Admin\AppData\Local\Temp\axcajof.exe

Filesize
700KB

MD5
e718348248eb35015e0cd8f93e8d7f08

SHA1
fa28049e6e1248ff8311c2a7605ed79c363af540

SHA256
ce76619fd636193d13b020ec1d03c4340d38b8990d130aa3b5c5699d590da0c1

SHA512
432a4a83f5b0833d0c75d163796b3ec7fa16cc52b369b26252ffb48c3f995ecc21bfdd197a16dc1f043f5b27173652af4e6be6737d7ea3f12c2df24839bb9548

Download Submit
C:\Users\Admin\AppData\Local\Temp\axcajof.exe

Filesize
700KB

MD5
e718348248eb35015e0cd8f93e8d7f08

SHA1
fa28049e6e1248ff8311c2a7605ed79c363af540

SHA256
ce76619fd636193d13b020ec1d03c4340d38b8990d130aa3b5c5699d590da0c1

SHA512
432a4a83f5b0833d0c75d163796b3ec7fa16cc52b369b26252ffb48c3f995ecc21bfdd197a16dc1f043f5b27173652af4e6be6737d7ea3f12c2df24839bb9548

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
86bb2dbeaef655893262f3c041f6afe2

SHA1
1b26ff1241c1353bd506c18bd0c11878076ba65d

SHA256
4a57643d2c59d1235bc0926f845583f39345839e3e9428ad619eb4b6baf96ad2

SHA512
58294cfaa5882a4c5625c03fe6f9e4882912b31f7169241f95626745d66c0a746083a9044365943d66ae7a420113d28c0ddd642c4ed697c683deb63796a13d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
480B

MD5
edd21c306cb2a7fb94c1fa13a28570c4

SHA1
cd51539a79008775588b89c3546feb532390f490

SHA256
9950170b1c1d8c68bd6e9c8e145890993a5787f0996e02922d87551b44a65bb9

SHA512
753721206731f18b83ac2e8f92b979c509168192c1992eba8a320f881f4b2c6d3f997e2c13a214f650a3a36f0a80720b3cf9d055961c68daa9fb15f2aa2eb644

Download Submit
C:\Users\Admin\AppData\Local\Temp\yqsolof.exe

Filesize
382KB

MD5
573462fe47461e1ab7101539a328550a

SHA1
06e9f925066e66ae9d8d8ec1f15b85dfdb59a999

SHA256
e1b858496fd58695944007eea7de3a909f5b9d4a69652bce2fbc265b8b328ddf

SHA512
bdd5699d915181f676741df182956829598483446a3b856b0b7bb247c0379ceb2ace4b1009d512198d26cf6c47f1ca6a4bddce488ddad894701e187f1e320e85

Download Submit
C:\Users\Admin\AppData\Local\Temp\yqsolof.exe

Filesize
382KB

MD5
573462fe47461e1ab7101539a328550a

SHA1
06e9f925066e66ae9d8d8ec1f15b85dfdb59a999

SHA256
e1b858496fd58695944007eea7de3a909f5b9d4a69652bce2fbc265b8b328ddf

SHA512
bdd5699d915181f676741df182956829598483446a3b856b0b7bb247c0379ceb2ace4b1009d512198d26cf6c47f1ca6a4bddce488ddad894701e187f1e320e85

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA248.tmp

Filesize
704KB

MD5
a46a9f915fe3bcf76073af1103b6a1bf

SHA1
4ffdca3990e5eca9f03bce7dfc4534b891f59ccf

SHA256
5d41d854733b5375269afa56eee5cc21586bb1dfe829185b96accd61c7b20f58

SHA512
c4f03be808c591dfad0a5e549eea7fc3bcdb73cf156411da9826da0f7d9ec65f335d9508656cf06bd0cbd2ee8d6fc054222bd0077a9a4da56c03ca076b8d3199

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA248.tmp

Filesize
704KB

MD5
a46a9f915fe3bcf76073af1103b6a1bf

SHA1
4ffdca3990e5eca9f03bce7dfc4534b891f59ccf

SHA256
5d41d854733b5375269afa56eee5cc21586bb1dfe829185b96accd61c7b20f58

SHA512
c4f03be808c591dfad0a5e549eea7fc3bcdb73cf156411da9826da0f7d9ec65f335d9508656cf06bd0cbd2ee8d6fc054222bd0077a9a4da56c03ca076b8d3199

Download Submit
memory/1280-143-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/2136-150-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/2136-152-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/4792-137-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/4792-142-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/4912-145-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/4912-138-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/4912-132-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download