cd7579303312b07e7e35838cda30b2ced53633b295609e894da2b8148874b8e1

Analysis

max time kernel
156s
max time network
180s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
12/10/2022, 18:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cd7579303312b07e7e35838cda30b2ced53633b295609e894da2b8148874b8e1.exe
Size

625KB
MD5

77249eebf06217f1974fadc23b733be0
SHA1

bb3f6b169bba129f0e2e3ceb29b539ad75c76bba
SHA256

cd7579303312b07e7e35838cda30b2ced53633b295609e894da2b8148874b8e1
SHA512

df8bb8c382dacf3f129fbdf0637388ab1f795edb89c6dde2b5aa154a149f54349e611b93a1cb0ea9f34762f8549e0bbb11e3f722c95f243aa23512c61cf950c8
SSDEEP

12288:W5hAPjPHr/wiPkEr89Eogw4VoH4cjnoteFlLD1AVs3Gb5oVjcD:WgLr4w9beH4enIeLFAVwGV4S

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
4352	renifys.exe
4908	~DFA240.tmp
692	leokgys.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	cd7579303312b07e7e35838cda30b2ced53633b295609e894da2b8148874b8e1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	~DFA240.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 40 IoCs

pid	Process
692	leokgys.exe
692	leokgys.exe
692	leokgys.exe
692	leokgys.exe
692	leokgys.exe
692	leokgys.exe
692	leokgys.exe
692	leokgys.exe
692	leokgys.exe
692	leokgys.exe
692	leokgys.exe
692	leokgys.exe
692	leokgys.exe
692	leokgys.exe
692	leokgys.exe
692	leokgys.exe
692	leokgys.exe
692	leokgys.exe
692	leokgys.exe
692	leokgys.exe
692	leokgys.exe
692	leokgys.exe
692	leokgys.exe
692	leokgys.exe
692	leokgys.exe
692	leokgys.exe
692	leokgys.exe
692	leokgys.exe
692	leokgys.exe
692	leokgys.exe
692	leokgys.exe
692	leokgys.exe
692	leokgys.exe
692	leokgys.exe
692	leokgys.exe
692	leokgys.exe
692	leokgys.exe
692	leokgys.exe
692	leokgys.exe
692	leokgys.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4908	~DFA240.tmp

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1292 wrote to memory of 4352	1292	cd7579303312b07e7e35838cda30b2ced53633b295609e894da2b8148874b8e1.exe	81
PID 1292 wrote to memory of 4352	1292	cd7579303312b07e7e35838cda30b2ced53633b295609e894da2b8148874b8e1.exe	81
PID 1292 wrote to memory of 4352	1292	cd7579303312b07e7e35838cda30b2ced53633b295609e894da2b8148874b8e1.exe	81
PID 4352 wrote to memory of 4908	4352	renifys.exe	82
PID 4352 wrote to memory of 4908	4352	renifys.exe	82
PID 4352 wrote to memory of 4908	4352	renifys.exe	82
PID 1292 wrote to memory of 4596	1292	cd7579303312b07e7e35838cda30b2ced53633b295609e894da2b8148874b8e1.exe	83
PID 1292 wrote to memory of 4596	1292	cd7579303312b07e7e35838cda30b2ced53633b295609e894da2b8148874b8e1.exe	83
PID 1292 wrote to memory of 4596	1292	cd7579303312b07e7e35838cda30b2ced53633b295609e894da2b8148874b8e1.exe	83
PID 4908 wrote to memory of 692	4908	~DFA240.tmp	87
PID 4908 wrote to memory of 692	4908	~DFA240.tmp	87
PID 4908 wrote to memory of 692	4908	~DFA240.tmp	87

C:\Users\Admin\AppData\Local\Temp\cd7579303312b07e7e35838cda30b2ced53633b295609e894da2b8148874b8e1.exe
"C:\Users\Admin\AppData\Local\Temp\cd7579303312b07e7e35838cda30b2ced53633b295609e894da2b8148874b8e1.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1292
- C:\Users\Admin\AppData\Local\Temp\renifys.exe
  C:\Users\Admin\AppData\Local\Temp\renifys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4352
- - C:\Users\Admin\AppData\Local\Temp\~DFA240.tmp
    C:\Users\Admin\AppData\Local\Temp\~DFA240.tmp OK
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4908
  - - C:\Users\Admin\AppData\Local\Temp\leokgys.exe
      "C:\Users\Admin\AppData\Local\Temp\leokgys.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:692
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
  2⤵
  PID:4596

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uninsep.bat

Filesize
341B

MD5
c80c69cb54d7c3af2299c8588604088a

SHA1
3d312a8c8e33aaddb907647bf5d21f71c60b83ff

SHA256
664c0437a20a96a51967ecd7d7781142837f56825882213776d00c7c907c206f

SHA512
1fce5a2bcbdff7eb5eccd644cd59a03ce80431fc2ec364697af5a96a1beb5a82c7a09afe64936f586f79fff47a70da28ac0f9ab9c654556fdfd80d8c0013d6b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
86bb2dbeaef655893262f3c041f6afe2

SHA1
1b26ff1241c1353bd506c18bd0c11878076ba65d

SHA256
4a57643d2c59d1235bc0926f845583f39345839e3e9428ad619eb4b6baf96ad2

SHA512
58294cfaa5882a4c5625c03fe6f9e4882912b31f7169241f95626745d66c0a746083a9044365943d66ae7a420113d28c0ddd642c4ed697c683deb63796a13d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
480B

MD5
144abdff13108eb9d578edf455bc46a4

SHA1
e29e4462139d8eb50530b07197cd3d202188d496

SHA256
67ab10126ff2c76e05d7b057676eb572379d8be15075f6c9fc6069516e560836

SHA512
edf24db588b46f88cc32c16b2c54f0a0987f5976676a001c1c9c9200682eb8c935db527dda7952fc40a8b8813f8a6a211b90c51226356ff9fb34f8dff351b18b

Download Submit
C:\Users\Admin\AppData\Local\Temp\leokgys.exe

Filesize
422KB

MD5
43c42b87daf8c5e8997f04b8e045cf71

SHA1
e92d5c53f90c1e3554ad3fc0a66e6b117bb67517

SHA256
58a43a757a1681723496357c8d8c24c7a4f3b84d5c20bbfb71ae22b0bf026ca9

SHA512
e246d50fbabc1c044513aedc1c8eabcfd3f8bbbb7449972996de9b391878ff6b4f5f4cd1e85c36cbaa715620b139bfe5fb62e634cee50f64cce9a48d9d3cc6bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\leokgys.exe

Filesize
422KB

MD5
43c42b87daf8c5e8997f04b8e045cf71

SHA1
e92d5c53f90c1e3554ad3fc0a66e6b117bb67517

SHA256
58a43a757a1681723496357c8d8c24c7a4f3b84d5c20bbfb71ae22b0bf026ca9

SHA512
e246d50fbabc1c044513aedc1c8eabcfd3f8bbbb7449972996de9b391878ff6b4f5f4cd1e85c36cbaa715620b139bfe5fb62e634cee50f64cce9a48d9d3cc6bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\renifys.exe

Filesize
632KB

MD5
caa705a75702accd63953ea78ded62ab

SHA1
47d22e2e9065aaf861044837911f5a07e74ad164

SHA256
cccf9ef00a3bcc175f643b242c323a28b058d56ba9e363cac29ffb25974a1820

SHA512
5c86c97d4cbae8d6959c8134b69f8505ac011ceeb1be1f8582766208c9300ec8ab928101c490d6951044ef5bf7fa6e32e05e95fb221db7ff1d52f482580cdae2

Download Submit
C:\Users\Admin\AppData\Local\Temp\renifys.exe

Filesize
632KB

MD5
caa705a75702accd63953ea78ded62ab

SHA1
47d22e2e9065aaf861044837911f5a07e74ad164

SHA256
cccf9ef00a3bcc175f643b242c323a28b058d56ba9e363cac29ffb25974a1820

SHA512
5c86c97d4cbae8d6959c8134b69f8505ac011ceeb1be1f8582766208c9300ec8ab928101c490d6951044ef5bf7fa6e32e05e95fb221db7ff1d52f482580cdae2

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA240.tmp

Filesize
638KB

MD5
089d2aa4e784f6a75c397cf841aa777f

SHA1
91278603a61a0dd0d1f38524d4397ac0a81b2e5c

SHA256
c39925eefcb213448f147c8003c9b2374ac15a366a23f7d5daaff0002f1daadd

SHA512
88bbca5e57c379aaa5ac013b7c74ebf452a4be130b737f35706375a18769c2501426bfcb3fd9ef851d66adfc68c9e7165a3436a6d61df77cd762f3f02c99f818

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA240.tmp

Filesize
638KB

MD5
089d2aa4e784f6a75c397cf841aa777f

SHA1
91278603a61a0dd0d1f38524d4397ac0a81b2e5c

SHA256
c39925eefcb213448f147c8003c9b2374ac15a366a23f7d5daaff0002f1daadd

SHA512
88bbca5e57c379aaa5ac013b7c74ebf452a4be130b737f35706375a18769c2501426bfcb3fd9ef851d66adfc68c9e7165a3436a6d61df77cd762f3f02c99f818

Download Submit
memory/692-149-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/692-151-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/1292-143-0x0000000000130000-0x0000000000201000-memory.dmp

Filesize
836KB

Download
memory/1292-132-0x0000000000130000-0x0000000000201000-memory.dmp

Filesize
836KB

Download
memory/4352-140-0x00000000009B0000-0x0000000000A81000-memory.dmp

Filesize
836KB

Download
memory/4908-141-0x00000000009F0000-0x0000000000AC1000-memory.dmp

Filesize
836KB

Download
memory/4908-150-0x00000000009F0000-0x0000000000AC1000-memory.dmp

Filesize
836KB

Download