5cec5d186598da9b2f144f7ac8e4d4307203fed9ef3dc5740d7cfd88d93a51db

Analysis

max time kernel
153s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
12/10/2022, 18:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5cec5d186598da9b2f144f7ac8e4d4307203fed9ef3dc5740d7cfd88d93a51db.exe
Size

651KB
MD5

626bc30f4b6d6c59694f9e494ccbd050
SHA1

841fdbc179c2b007bb6c5ed2199893f9a8a3a797
SHA256

5cec5d186598da9b2f144f7ac8e4d4307203fed9ef3dc5740d7cfd88d93a51db
SHA512

4e65d6e93ad7d9d65e3a7af597b9fcdab123c3b44f343e6a29d13ef1636893d4478378f002a061595dc29ba9ed9413059d9bc0878d1ff91ef38678526684992a
SSDEEP

12288:VHjcoe9PH96vB/fAuBcm9TyOE/xG3muGx44MG4Yx:VDgINfAuBcgcZG2uG24MG4Y

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1332	obnuoe.exe
4604	~DFA22D.tmp
4676	ywboce.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	5cec5d186598da9b2f144f7ac8e4d4307203fed9ef3dc5740d7cfd88d93a51db.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	~DFA22D.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
4676	ywboce.exe
4676	ywboce.exe
4676	ywboce.exe
4676	ywboce.exe
4676	ywboce.exe
4676	ywboce.exe
4676	ywboce.exe
4676	ywboce.exe
4676	ywboce.exe
4676	ywboce.exe
4676	ywboce.exe
4676	ywboce.exe
4676	ywboce.exe
4676	ywboce.exe
4676	ywboce.exe
4676	ywboce.exe
4676	ywboce.exe
4676	ywboce.exe
4676	ywboce.exe
4676	ywboce.exe
4676	ywboce.exe
4676	ywboce.exe
4676	ywboce.exe
4676	ywboce.exe
4676	ywboce.exe
4676	ywboce.exe
4676	ywboce.exe
4676	ywboce.exe
4676	ywboce.exe
4676	ywboce.exe
4676	ywboce.exe
4676	ywboce.exe
4676	ywboce.exe
4676	ywboce.exe
4676	ywboce.exe
4676	ywboce.exe
4676	ywboce.exe
4676	ywboce.exe
4676	ywboce.exe
4676	ywboce.exe
4676	ywboce.exe
4676	ywboce.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4604	~DFA22D.tmp

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4596 wrote to memory of 1332	4596	5cec5d186598da9b2f144f7ac8e4d4307203fed9ef3dc5740d7cfd88d93a51db.exe	82
PID 4596 wrote to memory of 1332	4596	5cec5d186598da9b2f144f7ac8e4d4307203fed9ef3dc5740d7cfd88d93a51db.exe	82
PID 4596 wrote to memory of 1332	4596	5cec5d186598da9b2f144f7ac8e4d4307203fed9ef3dc5740d7cfd88d93a51db.exe	82
PID 1332 wrote to memory of 4604	1332	obnuoe.exe	83
PID 1332 wrote to memory of 4604	1332	obnuoe.exe	83
PID 1332 wrote to memory of 4604	1332	obnuoe.exe	83
PID 4596 wrote to memory of 4996	4596	5cec5d186598da9b2f144f7ac8e4d4307203fed9ef3dc5740d7cfd88d93a51db.exe	84
PID 4596 wrote to memory of 4996	4596	5cec5d186598da9b2f144f7ac8e4d4307203fed9ef3dc5740d7cfd88d93a51db.exe	84
PID 4596 wrote to memory of 4996	4596	5cec5d186598da9b2f144f7ac8e4d4307203fed9ef3dc5740d7cfd88d93a51db.exe	84
PID 4604 wrote to memory of 4676	4604	~DFA22D.tmp	87
PID 4604 wrote to memory of 4676	4604	~DFA22D.tmp	87
PID 4604 wrote to memory of 4676	4604	~DFA22D.tmp	87

C:\Users\Admin\AppData\Local\Temp\5cec5d186598da9b2f144f7ac8e4d4307203fed9ef3dc5740d7cfd88d93a51db.exe
"C:\Users\Admin\AppData\Local\Temp\5cec5d186598da9b2f144f7ac8e4d4307203fed9ef3dc5740d7cfd88d93a51db.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4596
- C:\Users\Admin\AppData\Local\Temp\obnuoe.exe
  C:\Users\Admin\AppData\Local\Temp\obnuoe.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1332
- - C:\Users\Admin\AppData\Local\Temp\~DFA22D.tmp
    C:\Users\Admin\AppData\Local\Temp\~DFA22D.tmp OK
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4604
  - - C:\Users\Admin\AppData\Local\Temp\ywboce.exe
      "C:\Users\Admin\AppData\Local\Temp\ywboce.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:4676
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
  2⤵
  PID:4996

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uninsep.bat

Filesize
341B

MD5
7c33e2b7895de8145c857041edf1405e

SHA1
319784768c34645648abb5762596ab878048b5ba

SHA256
5ffd18b34fbcd3f4dc2892c655680f9de30ebc0fbb75dc1f5991db8533678f15

SHA512
2c761c7a33264acc20304629bb595a8ecbdbd55ed305fbad468c52709d0b1ada98af2c296ef4d2a350fe46ca87be5a351bddc7822f3647455fd73283ae4ffd2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
86bb2dbeaef655893262f3c041f6afe2

SHA1
1b26ff1241c1353bd506c18bd0c11878076ba65d

SHA256
4a57643d2c59d1235bc0926f845583f39345839e3e9428ad619eb4b6baf96ad2

SHA512
58294cfaa5882a4c5625c03fe6f9e4882912b31f7169241f95626745d66c0a746083a9044365943d66ae7a420113d28c0ddd642c4ed697c683deb63796a13d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
480B

MD5
b717d46efee6471b5da9df8811b59b71

SHA1
8cf8cd12d9a60d96438fbddc5b4f2471c854dfe3

SHA256
d7862b3a00debf10eb780bf46f5a16637e226465700a595a5ae2285f97c35631

SHA512
31afb5e99ce0c410cfa60606f3e3f0627ba33e76ae1acfa9b37d005dc1a3c0ba52523c2e2163191d7a3578aa8c470207a3b71106f0853e1f07e5602aff1ce1b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\obnuoe.exe

Filesize
659KB

MD5
cf4352338f643f61c3fcfa200a15996c

SHA1
c70da8595775239fa3a934184037e1785451a83e

SHA256
106f51d1b3b62f6a9d8d912a2b63e64fb08c8a8e8a282020e111e4407e543252

SHA512
74dd4bfe2f417c48cebbc3300e5135ab971f5d23a0e22341627d5fb7f9ba81023bb16620b43b76341af3e8e3e5f84e09e7576a8e8c3986dc17d1a0310e17be06

Download Submit
C:\Users\Admin\AppData\Local\Temp\obnuoe.exe

Filesize
659KB

MD5
cf4352338f643f61c3fcfa200a15996c

SHA1
c70da8595775239fa3a934184037e1785451a83e

SHA256
106f51d1b3b62f6a9d8d912a2b63e64fb08c8a8e8a282020e111e4407e543252

SHA512
74dd4bfe2f417c48cebbc3300e5135ab971f5d23a0e22341627d5fb7f9ba81023bb16620b43b76341af3e8e3e5f84e09e7576a8e8c3986dc17d1a0310e17be06

Download Submit
C:\Users\Admin\AppData\Local\Temp\ywboce.exe

Filesize
410KB

MD5
de78e0ef9996b95e41ba187574259ff7

SHA1
a4da0f25d29dfb24b1d832ab18f0e6de3ed1d4f4

SHA256
bda7e5a41fce958d76ccbb25103cee4205b598d37eb942b0cd7d9cca3d57fcd1

SHA512
a6f409300dfa3c083a4637c1af7321b5e0063c949b54ecaec7561d19488e720559bf233f282f22e0f38734cbcf523c0fc86758f3092dd9164109e178c9d982b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ywboce.exe

Filesize
410KB

MD5
de78e0ef9996b95e41ba187574259ff7

SHA1
a4da0f25d29dfb24b1d832ab18f0e6de3ed1d4f4

SHA256
bda7e5a41fce958d76ccbb25103cee4205b598d37eb942b0cd7d9cca3d57fcd1

SHA512
a6f409300dfa3c083a4637c1af7321b5e0063c949b54ecaec7561d19488e720559bf233f282f22e0f38734cbcf523c0fc86758f3092dd9164109e178c9d982b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA22D.tmp

Filesize
666KB

MD5
b99c6c8dc4cb44c7f91557e2a8f1d6f3

SHA1
9206e2d299ae37fced3ebd35739f132ae608fcaa

SHA256
29e9d9467b1368bce06c92a24a7c8a23cbb0b9c722b98c62286ba41b6e94de99

SHA512
f2bee05a667d4b78e4f89930793c63dac4cdd9483ea654c30ae9529b5e19f2a6445f24922b35f9c751b94ecf571bdf7f653aedd2f0d168628129a30530beb2e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA22D.tmp

Filesize
666KB

MD5
b99c6c8dc4cb44c7f91557e2a8f1d6f3

SHA1
9206e2d299ae37fced3ebd35739f132ae608fcaa

SHA256
29e9d9467b1368bce06c92a24a7c8a23cbb0b9c722b98c62286ba41b6e94de99

SHA512
f2bee05a667d4b78e4f89930793c63dac4cdd9483ea654c30ae9529b5e19f2a6445f24922b35f9c751b94ecf571bdf7f653aedd2f0d168628129a30530beb2e1

Download Submit
memory/1332-142-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1332-140-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/4596-139-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/4596-144-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/4604-146-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/4604-141-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/4676-150-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/4676-152-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download