ae2dfeac22b18bb3765a131efc58c506360bb7dc9aa3d371cd43259806298f46

Analysis

max time kernel
174s
max time network
188s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
12-10-2022 18:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ae2dfeac22b18bb3765a131efc58c506360bb7dc9aa3d371cd43259806298f46.exe
Size

636KB
MD5

6a3b5260aeb6f8d6c81ad13363c9eb90
SHA1

97242b6caf02699ab652ca02ac6f6d85737944b7
SHA256

ae2dfeac22b18bb3765a131efc58c506360bb7dc9aa3d371cd43259806298f46
SHA512

2deea6c761f20e1edab711ddc3f8d280c0cc6a7d1332625e9a18fbbb018760f422fc72eba52df375e9cc162375169fa83505ee6084eb199004b2e664cee27e6b
SSDEEP

12288:VHjcoe9PH96vB/fAuBcm9TyOE/xG3muGx44MG4Yx:VDgINfAuBcgcZG2uG24MG4Y

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
4344	fyqumjg.exe
5100	~DFA245.tmp
1676	foovtjg.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	ae2dfeac22b18bb3765a131efc58c506360bb7dc9aa3d371cd43259806298f46.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	~DFA245.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
1676	foovtjg.exe
1676	foovtjg.exe
1676	foovtjg.exe
1676	foovtjg.exe
1676	foovtjg.exe
1676	foovtjg.exe
1676	foovtjg.exe
1676	foovtjg.exe
1676	foovtjg.exe
1676	foovtjg.exe
1676	foovtjg.exe
1676	foovtjg.exe
1676	foovtjg.exe
1676	foovtjg.exe
1676	foovtjg.exe
1676	foovtjg.exe
1676	foovtjg.exe
1676	foovtjg.exe
1676	foovtjg.exe
1676	foovtjg.exe
1676	foovtjg.exe
1676	foovtjg.exe
1676	foovtjg.exe
1676	foovtjg.exe
1676	foovtjg.exe
1676	foovtjg.exe
1676	foovtjg.exe
1676	foovtjg.exe
1676	foovtjg.exe
1676	foovtjg.exe
1676	foovtjg.exe
1676	foovtjg.exe
1676	foovtjg.exe
1676	foovtjg.exe
1676	foovtjg.exe
1676	foovtjg.exe
1676	foovtjg.exe
1676	foovtjg.exe
1676	foovtjg.exe
1676	foovtjg.exe
1676	foovtjg.exe
1676	foovtjg.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	5100	~DFA245.tmp

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3404 wrote to memory of 4344	3404	ae2dfeac22b18bb3765a131efc58c506360bb7dc9aa3d371cd43259806298f46.exe	81
PID 3404 wrote to memory of 4344	3404	ae2dfeac22b18bb3765a131efc58c506360bb7dc9aa3d371cd43259806298f46.exe	81
PID 3404 wrote to memory of 4344	3404	ae2dfeac22b18bb3765a131efc58c506360bb7dc9aa3d371cd43259806298f46.exe	81
PID 4344 wrote to memory of 5100	4344	fyqumjg.exe	82
PID 4344 wrote to memory of 5100	4344	fyqumjg.exe	82
PID 4344 wrote to memory of 5100	4344	fyqumjg.exe	82
PID 3404 wrote to memory of 4984	3404	ae2dfeac22b18bb3765a131efc58c506360bb7dc9aa3d371cd43259806298f46.exe	83
PID 3404 wrote to memory of 4984	3404	ae2dfeac22b18bb3765a131efc58c506360bb7dc9aa3d371cd43259806298f46.exe	83
PID 3404 wrote to memory of 4984	3404	ae2dfeac22b18bb3765a131efc58c506360bb7dc9aa3d371cd43259806298f46.exe	83
PID 5100 wrote to memory of 1676	5100	~DFA245.tmp	87
PID 5100 wrote to memory of 1676	5100	~DFA245.tmp	87
PID 5100 wrote to memory of 1676	5100	~DFA245.tmp	87

C:\Users\Admin\AppData\Local\Temp\ae2dfeac22b18bb3765a131efc58c506360bb7dc9aa3d371cd43259806298f46.exe
"C:\Users\Admin\AppData\Local\Temp\ae2dfeac22b18bb3765a131efc58c506360bb7dc9aa3d371cd43259806298f46.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3404
- C:\Users\Admin\AppData\Local\Temp\fyqumjg.exe
  C:\Users\Admin\AppData\Local\Temp\fyqumjg.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4344
- - C:\Users\Admin\AppData\Local\Temp\~DFA245.tmp
    C:\Users\Admin\AppData\Local\Temp\~DFA245.tmp OK
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5100
  - - C:\Users\Admin\AppData\Local\Temp\foovtjg.exe
      "C:\Users\Admin\AppData\Local\Temp\foovtjg.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:1676
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
  2⤵
  PID:4984

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uninsep.bat

Filesize
341B

MD5
464ce0686c66e2546987c3161930ba01

SHA1
9a045f5f4cd7f7140cc2145582358c1e815adbd6

SHA256
a1ca69b39f21b7bfda368038e7f9009efa7da152ff8f6965f8ade47b913e2b31

SHA512
f97cefcdbf6542868700420973d50af910c9415190c03a0a780aed085832375251d015764745f58b740fadb82d0baaac368520c31840f1156f9a70750c81c94f

Download Submit
C:\Users\Admin\AppData\Local\Temp\foovtjg.exe

Filesize
388KB

MD5
f9ac5cfb2b6c3d4ea0d19c75c46c8c4f

SHA1
a7cd8c0f3d32d93ffb473ce310b50f3bb281b98f

SHA256
4af076718e925b1a5ba4c930d190e9092d4839c3496124829c143055bb33a279

SHA512
aa4fc496a4df94b8cc6d881aed572286bbd4e9e6d0ac6341456ba79e1f38c3ea779ddf1c26a5366554c8707b310c3ab800ff83b5a640fe3cae51b82a9b704eff

Download Submit
C:\Users\Admin\AppData\Local\Temp\foovtjg.exe

Filesize
388KB

MD5
f9ac5cfb2b6c3d4ea0d19c75c46c8c4f

SHA1
a7cd8c0f3d32d93ffb473ce310b50f3bb281b98f

SHA256
4af076718e925b1a5ba4c930d190e9092d4839c3496124829c143055bb33a279

SHA512
aa4fc496a4df94b8cc6d881aed572286bbd4e9e6d0ac6341456ba79e1f38c3ea779ddf1c26a5366554c8707b310c3ab800ff83b5a640fe3cae51b82a9b704eff

Download Submit
C:\Users\Admin\AppData\Local\Temp\fyqumjg.exe

Filesize
637KB

MD5
87c5b93cd5a29b55cfb07d9205a4f7db

SHA1
e835e1b028b1e05a7a3e8de64be1c504e9177765

SHA256
24b22328cac51edcd1acb390a7ffa68db278f04f073bae824b75501d9e1408fb

SHA512
9d75e34fd95130fa2763fec968285f79fcbd84935f64ecd124f7b27c5fed9325c7d0c59bbb7eb325698ae55689633759c67a211e23878fdbe8b91d5ca0301880

Download Submit
C:\Users\Admin\AppData\Local\Temp\fyqumjg.exe

Filesize
637KB

MD5
87c5b93cd5a29b55cfb07d9205a4f7db

SHA1
e835e1b028b1e05a7a3e8de64be1c504e9177765

SHA256
24b22328cac51edcd1acb390a7ffa68db278f04f073bae824b75501d9e1408fb

SHA512
9d75e34fd95130fa2763fec968285f79fcbd84935f64ecd124f7b27c5fed9325c7d0c59bbb7eb325698ae55689633759c67a211e23878fdbe8b91d5ca0301880

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
86bb2dbeaef655893262f3c041f6afe2

SHA1
1b26ff1241c1353bd506c18bd0c11878076ba65d

SHA256
4a57643d2c59d1235bc0926f845583f39345839e3e9428ad619eb4b6baf96ad2

SHA512
58294cfaa5882a4c5625c03fe6f9e4882912b31f7169241f95626745d66c0a746083a9044365943d66ae7a420113d28c0ddd642c4ed697c683deb63796a13d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
480B

MD5
f4d31de1a9a9173d7c2f1c23bd618047

SHA1
c4133fa69331b5fbd27f37f761c6343969373c58

SHA256
e6ff97052fccc2e09bed4f691b13ddd0cdcc16c35f8283c8dd12939ab4838a36

SHA512
e70a7dbe91b9c4d5b4eb477ffdde8078385efbf1ce5b4f4ecdd56a3a8618ccb6fe714beda22ef8133654c579dc220cfc0b47a716496d79bbc56c5b763938db67

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA245.tmp

Filesize
639KB

MD5
0f8406cbecb8e0d8ff4dadd8b2a13672

SHA1
b60da4b7d1796bd5014bc99e139c1a6ea382f294

SHA256
2f450879669b2456a569e63147d7e7e2e7481485bb5fa40cbb99c0c1b29d02f3

SHA512
cf029bf403e2310796a3ac2f1d0cf9b9b266909982ca25ce049b31f1bb571133f6c106ef4fd19503558fda1b92e2edc6e12f4d88c6405e4ee29358f3725e51dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA245.tmp

Filesize
639KB

MD5
0f8406cbecb8e0d8ff4dadd8b2a13672

SHA1
b60da4b7d1796bd5014bc99e139c1a6ea382f294

SHA256
2f450879669b2456a569e63147d7e7e2e7481485bb5fa40cbb99c0c1b29d02f3

SHA512
cf029bf403e2310796a3ac2f1d0cf9b9b266909982ca25ce049b31f1bb571133f6c106ef4fd19503558fda1b92e2edc6e12f4d88c6405e4ee29358f3725e51dc

Download Submit
memory/1676-150-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/1676-147-0x0000000000000000-mapping.dmp

Download
memory/1676-152-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/3404-132-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/3404-144-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/4344-142-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/4344-140-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/4344-133-0x0000000000000000-mapping.dmp

Download
memory/4984-143-0x0000000000000000-mapping.dmp

Download
memory/5100-146-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/5100-141-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/5100-137-0x0000000000000000-mapping.dmp

Download