cae79bfdef2217c6525484ddb8f8ab38ff0508b98e9d8b0ef3da5f78051c21b5

Analysis

max time kernel
152s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
11/10/2022, 16:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cae79bfdef2217c6525484ddb8f8ab38ff0508b98e9d8b0ef3da5f78051c21b5.exe
Size

655KB
MD5

10cb54ca9f9e46e0eb2cb70ad372b3c0
SHA1

f08c0bd4ebe13144738a7a5b0501b9159707575f
SHA256

cae79bfdef2217c6525484ddb8f8ab38ff0508b98e9d8b0ef3da5f78051c21b5
SHA512

ae7c4e48535a9daff266fde17c564c4140f8af0c22049fe05a269b6cc5f6664e46f6acb0051a21abfdd8e7700da033f8b1e6630f816b5da61668deeefbf5fc1c
SSDEEP

12288:OHjcoe9PH96vB/fAuBcm9TyOE/xG3muGx44MG4Yx:ODgINfAuBcgcZG2uG24MG4Y

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2544	ojmuxu.exe
4688	~DFA236.tmp
4288	hoafwe.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	cae79bfdef2217c6525484ddb8f8ab38ff0508b98e9d8b0ef3da5f78051c21b5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	~DFA236.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
4288	hoafwe.exe
4288	hoafwe.exe
4288	hoafwe.exe
4288	hoafwe.exe
4288	hoafwe.exe
4288	hoafwe.exe
4288	hoafwe.exe
4288	hoafwe.exe
4288	hoafwe.exe
4288	hoafwe.exe
4288	hoafwe.exe
4288	hoafwe.exe
4288	hoafwe.exe
4288	hoafwe.exe
4288	hoafwe.exe
4288	hoafwe.exe
4288	hoafwe.exe
4288	hoafwe.exe
4288	hoafwe.exe
4288	hoafwe.exe
4288	hoafwe.exe
4288	hoafwe.exe
4288	hoafwe.exe
4288	hoafwe.exe
4288	hoafwe.exe
4288	hoafwe.exe
4288	hoafwe.exe
4288	hoafwe.exe
4288	hoafwe.exe
4288	hoafwe.exe
4288	hoafwe.exe
4288	hoafwe.exe
4288	hoafwe.exe
4288	hoafwe.exe
4288	hoafwe.exe
4288	hoafwe.exe
4288	hoafwe.exe
4288	hoafwe.exe
4288	hoafwe.exe
4288	hoafwe.exe
4288	hoafwe.exe
4288	hoafwe.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4688	~DFA236.tmp

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 952 wrote to memory of 2544	952	cae79bfdef2217c6525484ddb8f8ab38ff0508b98e9d8b0ef3da5f78051c21b5.exe	79
PID 952 wrote to memory of 2544	952	cae79bfdef2217c6525484ddb8f8ab38ff0508b98e9d8b0ef3da5f78051c21b5.exe	79
PID 952 wrote to memory of 2544	952	cae79bfdef2217c6525484ddb8f8ab38ff0508b98e9d8b0ef3da5f78051c21b5.exe	79
PID 2544 wrote to memory of 4688	2544	ojmuxu.exe	80
PID 2544 wrote to memory of 4688	2544	ojmuxu.exe	80
PID 2544 wrote to memory of 4688	2544	ojmuxu.exe	80
PID 952 wrote to memory of 228	952	cae79bfdef2217c6525484ddb8f8ab38ff0508b98e9d8b0ef3da5f78051c21b5.exe	81
PID 952 wrote to memory of 228	952	cae79bfdef2217c6525484ddb8f8ab38ff0508b98e9d8b0ef3da5f78051c21b5.exe	81
PID 952 wrote to memory of 228	952	cae79bfdef2217c6525484ddb8f8ab38ff0508b98e9d8b0ef3da5f78051c21b5.exe	81
PID 4688 wrote to memory of 4288	4688	~DFA236.tmp	89
PID 4688 wrote to memory of 4288	4688	~DFA236.tmp	89
PID 4688 wrote to memory of 4288	4688	~DFA236.tmp	89

C:\Users\Admin\AppData\Local\Temp\cae79bfdef2217c6525484ddb8f8ab38ff0508b98e9d8b0ef3da5f78051c21b5.exe
"C:\Users\Admin\AppData\Local\Temp\cae79bfdef2217c6525484ddb8f8ab38ff0508b98e9d8b0ef3da5f78051c21b5.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:952
- C:\Users\Admin\AppData\Local\Temp\ojmuxu.exe
  C:\Users\Admin\AppData\Local\Temp\ojmuxu.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2544
- - C:\Users\Admin\AppData\Local\Temp\~DFA236.tmp
    C:\Users\Admin\AppData\Local\Temp\~DFA236.tmp OK
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4688
  - - C:\Users\Admin\AppData\Local\Temp\hoafwe.exe
      "C:\Users\Admin\AppData\Local\Temp\hoafwe.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:4288
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
  2⤵
  PID:228

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uninsep.bat

Filesize
341B

MD5
b8b88900a2bfbed4a020453895b5997b

SHA1
761856da475c935b7bd6ba56b9550559f5759b44

SHA256
0b2234d7b0d99b5889de37449c6659f06718bc59a6d4af4f391913a5469f38d6

SHA512
17dc1cf920dc0c4e79d2e6a6497f64be40775af4981d0964e7daf79f608e458a12e7543561f4e3cd14c6b4efc43d6f1ea88fa284c3c03cbfa49f2f6807cb153b

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
86bb2dbeaef655893262f3c041f6afe2

SHA1
1b26ff1241c1353bd506c18bd0c11878076ba65d

SHA256
4a57643d2c59d1235bc0926f845583f39345839e3e9428ad619eb4b6baf96ad2

SHA512
58294cfaa5882a4c5625c03fe6f9e4882912b31f7169241f95626745d66c0a746083a9044365943d66ae7a420113d28c0ddd642c4ed697c683deb63796a13d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
480B

MD5
1556f584abcf01e14733d0ac1584533a

SHA1
0769241d9ac2dfa713cda63d190fab4f20a767ed

SHA256
8237f0673e6e4382fbfb561a5d8d6319435f8b1b3750a3f12a2dd8a2c8a0c313

SHA512
a472c8321d7bed10c283a3db5b8b07c2e465a3040d8fb080cd73650b3b9e18904c10fa59ee492266d6603d5bbe68a4140101df11c79492fb9bed0c52413acf92

Download Submit
C:\Users\Admin\AppData\Local\Temp\hoafwe.exe

Filesize
370KB

MD5
f9cc94a4f3b056e04ccc1c39010c9658

SHA1
86be6c257e5483bae28e9531259735ea09525349

SHA256
29a518cd45e1a11f47443a5a598416eded6bc8c73849b2322a9828e0818d91e3

SHA512
724a2d33ddfee4f5c079f4af046f1c721cd1f73a43d9938aace58dbd1c64ffc4eb8d094978a79b75488d973eccbafdb8b491c5c2c1c431edb68308d63da3755e

Download Submit
C:\Users\Admin\AppData\Local\Temp\hoafwe.exe

Filesize
370KB

MD5
f9cc94a4f3b056e04ccc1c39010c9658

SHA1
86be6c257e5483bae28e9531259735ea09525349

SHA256
29a518cd45e1a11f47443a5a598416eded6bc8c73849b2322a9828e0818d91e3

SHA512
724a2d33ddfee4f5c079f4af046f1c721cd1f73a43d9938aace58dbd1c64ffc4eb8d094978a79b75488d973eccbafdb8b491c5c2c1c431edb68308d63da3755e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ojmuxu.exe

Filesize
660KB

MD5
e5b46c24862627a1d0880c52cf538ddc

SHA1
6e7270989caec8be6c8c25efc53e5ff933df7208

SHA256
ef7b13bec7d808bb2c4478f27d90ec2c6d61bda1c9a272692c6a9f70139d3b66

SHA512
eedbe5e985cee05da02aa35541669f171f9c309b6fdae9a5eb923cc59e6eb6dd6d70b40a54631b15aa542695a2845dbe673140494d6657f42352e47e73c99be6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ojmuxu.exe

Filesize
660KB

MD5
e5b46c24862627a1d0880c52cf538ddc

SHA1
6e7270989caec8be6c8c25efc53e5ff933df7208

SHA256
ef7b13bec7d808bb2c4478f27d90ec2c6d61bda1c9a272692c6a9f70139d3b66

SHA512
eedbe5e985cee05da02aa35541669f171f9c309b6fdae9a5eb923cc59e6eb6dd6d70b40a54631b15aa542695a2845dbe673140494d6657f42352e47e73c99be6

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA236.tmp

Filesize
667KB

MD5
67906d93c3d17acc18ad178c25b40e1f

SHA1
49fb40b3e64a8769dded7023b2367fe3ffa13d18

SHA256
76d352e091c70da5a2db910ce65577d39d5466680645e224b2f672ceac6b6bb2

SHA512
7300fd8326f28f4127bf4c78dfaf1cb54b5aba7710fcb6523deaf2ff396fbba44b31bbd727e1de6918e93e9cdc591379a6334807e3dca860cd89a628cedbc06b

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA236.tmp

Filesize
667KB

MD5
67906d93c3d17acc18ad178c25b40e1f

SHA1
49fb40b3e64a8769dded7023b2367fe3ffa13d18

SHA256
76d352e091c70da5a2db910ce65577d39d5466680645e224b2f672ceac6b6bb2

SHA512
7300fd8326f28f4127bf4c78dfaf1cb54b5aba7710fcb6523deaf2ff396fbba44b31bbd727e1de6918e93e9cdc591379a6334807e3dca860cd89a628cedbc06b

Download Submit
memory/952-142-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/952-132-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/2544-144-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/2544-137-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/4288-150-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/4688-145-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download