6b7c4b49ee0450ff7413dde89036c9834c7d3e316c926e1477b94af2e846049b

Analysis

max time kernel
153s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
12/10/2022, 18:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6b7c4b49ee0450ff7413dde89036c9834c7d3e316c926e1477b94af2e846049b.exe
Size

650KB
MD5

659411118ba5c2fb7476c9c044ebddb0
SHA1

e35957e378597b6a5df18ea1fcc6bdb382b3239c
SHA256

6b7c4b49ee0450ff7413dde89036c9834c7d3e316c926e1477b94af2e846049b
SHA512

6bbcd1183fe90453d128482a1ed460eb3eb3051892212e1dae77945ac8400ed4c58c8ef972b408c92ea1b2b6d929a63e62395951a6be1b628c10506b0c7ec1f9
SSDEEP

12288:VHjcoe9PH96vB/fAuBcm9TyOE/xG3muGx44MG4Yx:VDgINfAuBcgcZG2uG24MG4Y

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1544	xyquiel.exe
4324	~DFA248.tmp
3948	rohikel.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	6b7c4b49ee0450ff7413dde89036c9834c7d3e316c926e1477b94af2e846049b.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	~DFA248.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 40 IoCs

pid	Process
3948	rohikel.exe
3948	rohikel.exe
3948	rohikel.exe
3948	rohikel.exe
3948	rohikel.exe
3948	rohikel.exe
3948	rohikel.exe
3948	rohikel.exe
3948	rohikel.exe
3948	rohikel.exe
3948	rohikel.exe
3948	rohikel.exe
3948	rohikel.exe
3948	rohikel.exe
3948	rohikel.exe
3948	rohikel.exe
3948	rohikel.exe
3948	rohikel.exe
3948	rohikel.exe
3948	rohikel.exe
3948	rohikel.exe
3948	rohikel.exe
3948	rohikel.exe
3948	rohikel.exe
3948	rohikel.exe
3948	rohikel.exe
3948	rohikel.exe
3948	rohikel.exe
3948	rohikel.exe
3948	rohikel.exe
3948	rohikel.exe
3948	rohikel.exe
3948	rohikel.exe
3948	rohikel.exe
3948	rohikel.exe
3948	rohikel.exe
3948	rohikel.exe
3948	rohikel.exe
3948	rohikel.exe
3948	rohikel.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4324	~DFA248.tmp

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4996 wrote to memory of 1544	4996	6b7c4b49ee0450ff7413dde89036c9834c7d3e316c926e1477b94af2e846049b.exe	80
PID 4996 wrote to memory of 1544	4996	6b7c4b49ee0450ff7413dde89036c9834c7d3e316c926e1477b94af2e846049b.exe	80
PID 4996 wrote to memory of 1544	4996	6b7c4b49ee0450ff7413dde89036c9834c7d3e316c926e1477b94af2e846049b.exe	80
PID 1544 wrote to memory of 4324	1544	xyquiel.exe	81
PID 1544 wrote to memory of 4324	1544	xyquiel.exe	81
PID 1544 wrote to memory of 4324	1544	xyquiel.exe	81
PID 4996 wrote to memory of 2284	4996	6b7c4b49ee0450ff7413dde89036c9834c7d3e316c926e1477b94af2e846049b.exe	82
PID 4996 wrote to memory of 2284	4996	6b7c4b49ee0450ff7413dde89036c9834c7d3e316c926e1477b94af2e846049b.exe	82
PID 4996 wrote to memory of 2284	4996	6b7c4b49ee0450ff7413dde89036c9834c7d3e316c926e1477b94af2e846049b.exe	82
PID 4324 wrote to memory of 3948	4324	~DFA248.tmp	92
PID 4324 wrote to memory of 3948	4324	~DFA248.tmp	92
PID 4324 wrote to memory of 3948	4324	~DFA248.tmp	92

C:\Users\Admin\AppData\Local\Temp\6b7c4b49ee0450ff7413dde89036c9834c7d3e316c926e1477b94af2e846049b.exe
"C:\Users\Admin\AppData\Local\Temp\6b7c4b49ee0450ff7413dde89036c9834c7d3e316c926e1477b94af2e846049b.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4996
- C:\Users\Admin\AppData\Local\Temp\xyquiel.exe
  C:\Users\Admin\AppData\Local\Temp\xyquiel.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1544
- - C:\Users\Admin\AppData\Local\Temp\~DFA248.tmp
    C:\Users\Admin\AppData\Local\Temp\~DFA248.tmp OK
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4324
  - - C:\Users\Admin\AppData\Local\Temp\rohikel.exe
      "C:\Users\Admin\AppData\Local\Temp\rohikel.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:3948
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
  2⤵
  PID:2284

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uninsep.bat

Filesize
341B

MD5
77b240c2f510c2d6e8d2cea0ddabb51a

SHA1
dcc5b887d48ebae31bbdc69d90be17fe66806c2d

SHA256
369beaa108bae67ddafce795c577bdf0e6c56df4e656be73aa32db1a72954bcc

SHA512
66ab6aec1fd0951c30a2bfddba1fea05f70455c775adfcfac27c027454ea310829449500c24ac551d340ec1ba6252ab45d19394f5a0616e9a3d06bfe795db41e

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
86bb2dbeaef655893262f3c041f6afe2

SHA1
1b26ff1241c1353bd506c18bd0c11878076ba65d

SHA256
4a57643d2c59d1235bc0926f845583f39345839e3e9428ad619eb4b6baf96ad2

SHA512
58294cfaa5882a4c5625c03fe6f9e4882912b31f7169241f95626745d66c0a746083a9044365943d66ae7a420113d28c0ddd642c4ed697c683deb63796a13d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
480B

MD5
c776c02063cc5246daf18f5a5024fb93

SHA1
e378e0b39c4f230198915dae199e6c7dc7fa092f

SHA256
29170efefd1620ebcb3264184b9c3ea819ac76d91fe5dc5cf1e2ba2d18038601

SHA512
b03c00e631311c5dd7cf14c221b542e14d6e4ab5b408ed9ffc41cee8cbca0c7a438dba24faa5a54a0db560e07b53a9df965fd6929658da651c560a1dd89899b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\rohikel.exe

Filesize
371KB

MD5
6d3781a91fcbeeb463089a954856497f

SHA1
6c4615bbb1dceb62dd279555e566edacc08a539e

SHA256
6b8d3b1a0bc4684920099dbbfd2cc6000c395c4768ed3ccba96e107d3f6fab3c

SHA512
4ca405f361db547466e3faff72d67b67d57448b1ad25729be44dc443a557ab375aa61b45f9ce9a951388fef308c796a787c48f929bebcaeb779c0e0d4c1dc03c

Download Submit
C:\Users\Admin\AppData\Local\Temp\rohikel.exe

Filesize
371KB

MD5
6d3781a91fcbeeb463089a954856497f

SHA1
6c4615bbb1dceb62dd279555e566edacc08a539e

SHA256
6b8d3b1a0bc4684920099dbbfd2cc6000c395c4768ed3ccba96e107d3f6fab3c

SHA512
4ca405f361db547466e3faff72d67b67d57448b1ad25729be44dc443a557ab375aa61b45f9ce9a951388fef308c796a787c48f929bebcaeb779c0e0d4c1dc03c

Download Submit
C:\Users\Admin\AppData\Local\Temp\xyquiel.exe

Filesize
653KB

MD5
18b418eb962fb64b0dbd126a94926076

SHA1
277f45757841d3b636958be89f56ebc612860e35

SHA256
eedc4732adeb9135940906069c9e50cf89b0c9bc3dfeb78239b2f74471341d2e

SHA512
9dae95e025c0f5881b2f0cc9695055e6aeaf0562a22011ae4b06f039ecf5f840bdbc1bbe482c5c6ebb6cc793b5776870ce2ac9e6cd7feaaea653e6ed718b5daa

Download Submit
C:\Users\Admin\AppData\Local\Temp\xyquiel.exe

Filesize
653KB

MD5
18b418eb962fb64b0dbd126a94926076

SHA1
277f45757841d3b636958be89f56ebc612860e35

SHA256
eedc4732adeb9135940906069c9e50cf89b0c9bc3dfeb78239b2f74471341d2e

SHA512
9dae95e025c0f5881b2f0cc9695055e6aeaf0562a22011ae4b06f039ecf5f840bdbc1bbe482c5c6ebb6cc793b5776870ce2ac9e6cd7feaaea653e6ed718b5daa

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA248.tmp

Filesize
657KB

MD5
50a5fa275ffbde7d3d43ad10b9696bbe

SHA1
6dea99a57ddf61ad93fd467caa56806df3b23f07

SHA256
4c8a1849a9729fc325467a53124f031dafa729222bba38f56b5552f360dcccb4

SHA512
f947cab7c2abd9b6c22a030912a2bec18c5d9bbf30b3c73034b5d9228d440950b01534f0a4c8cf7aacb51a1aa89961267d2cfd55ed1134afbab94f562dfcaea9

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA248.tmp

Filesize
657KB

MD5
50a5fa275ffbde7d3d43ad10b9696bbe

SHA1
6dea99a57ddf61ad93fd467caa56806df3b23f07

SHA256
4c8a1849a9729fc325467a53124f031dafa729222bba38f56b5552f360dcccb4

SHA512
f947cab7c2abd9b6c22a030912a2bec18c5d9bbf30b3c73034b5d9228d440950b01534f0a4c8cf7aacb51a1aa89961267d2cfd55ed1134afbab94f562dfcaea9

Download Submit
memory/1544-140-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1544-142-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/3948-150-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/3948-152-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/4324-146-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/4324-141-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/4996-132-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/4996-144-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download