7354d802ec4adf963ce599c37bd752643d044f1c728355c829c5946c72c1e8dc

Analysis

max time kernel
153s
max time network
117s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
12/10/2022, 18:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7354d802ec4adf963ce599c37bd752643d044f1c728355c829c5946c72c1e8dc.exe
Size

702KB
MD5

6d27377d1619e5e7b8022f3c064c0cc0
SHA1

39507f40d2f6df8da3709fc8de3e9494df97d613
SHA256

7354d802ec4adf963ce599c37bd752643d044f1c728355c829c5946c72c1e8dc
SHA512

c354f5c92f5a8bb3f7be9bfbf1c5989c3c6541d27ae79b1c3f0f1b6660b0b940f6e9b86db893ac1f214517b92f773a0f048df23d6f6c1e0e8959247df1edbdd4
SSDEEP

12288:VHjcoe9PH96vB/fAuBcm9TyOE/xG3muGx44MG4Yx:VDgINfAuBcgcZG2uG24MG4Y

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2924	gederay.exe
408	~DFA22B.tmp
4288	liizkie.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	7354d802ec4adf963ce599c37bd752643d044f1c728355c829c5946c72c1e8dc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	~DFA22B.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
4288	liizkie.exe
4288	liizkie.exe
4288	liizkie.exe
4288	liizkie.exe
4288	liizkie.exe
4288	liizkie.exe
4288	liizkie.exe
4288	liizkie.exe
4288	liizkie.exe
4288	liizkie.exe
4288	liizkie.exe
4288	liizkie.exe
4288	liizkie.exe
4288	liizkie.exe
4288	liizkie.exe
4288	liizkie.exe
4288	liizkie.exe
4288	liizkie.exe
4288	liizkie.exe
4288	liizkie.exe
4288	liizkie.exe
4288	liizkie.exe
4288	liizkie.exe
4288	liizkie.exe
4288	liizkie.exe
4288	liizkie.exe
4288	liizkie.exe
4288	liizkie.exe
4288	liizkie.exe
4288	liizkie.exe
4288	liizkie.exe
4288	liizkie.exe
4288	liizkie.exe
4288	liizkie.exe
4288	liizkie.exe
4288	liizkie.exe
4288	liizkie.exe
4288	liizkie.exe
4288	liizkie.exe
4288	liizkie.exe
4288	liizkie.exe
4288	liizkie.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	408	~DFA22B.tmp

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3896 wrote to memory of 2924	3896	7354d802ec4adf963ce599c37bd752643d044f1c728355c829c5946c72c1e8dc.exe	78
PID 3896 wrote to memory of 2924	3896	7354d802ec4adf963ce599c37bd752643d044f1c728355c829c5946c72c1e8dc.exe	78
PID 3896 wrote to memory of 2924	3896	7354d802ec4adf963ce599c37bd752643d044f1c728355c829c5946c72c1e8dc.exe	78
PID 2924 wrote to memory of 408	2924	gederay.exe	79
PID 2924 wrote to memory of 408	2924	gederay.exe	79
PID 2924 wrote to memory of 408	2924	gederay.exe	79
PID 3896 wrote to memory of 3816	3896	7354d802ec4adf963ce599c37bd752643d044f1c728355c829c5946c72c1e8dc.exe	80
PID 3896 wrote to memory of 3816	3896	7354d802ec4adf963ce599c37bd752643d044f1c728355c829c5946c72c1e8dc.exe	80
PID 3896 wrote to memory of 3816	3896	7354d802ec4adf963ce599c37bd752643d044f1c728355c829c5946c72c1e8dc.exe	80
PID 408 wrote to memory of 4288	408	~DFA22B.tmp	88
PID 408 wrote to memory of 4288	408	~DFA22B.tmp	88
PID 408 wrote to memory of 4288	408	~DFA22B.tmp	88

C:\Users\Admin\AppData\Local\Temp\7354d802ec4adf963ce599c37bd752643d044f1c728355c829c5946c72c1e8dc.exe
"C:\Users\Admin\AppData\Local\Temp\7354d802ec4adf963ce599c37bd752643d044f1c728355c829c5946c72c1e8dc.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3896
- C:\Users\Admin\AppData\Local\Temp\gederay.exe
  C:\Users\Admin\AppData\Local\Temp\gederay.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2924
- - C:\Users\Admin\AppData\Local\Temp\~DFA22B.tmp
    C:\Users\Admin\AppData\Local\Temp\~DFA22B.tmp OK
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:408
  - - C:\Users\Admin\AppData\Local\Temp\liizkie.exe
      "C:\Users\Admin\AppData\Local\Temp\liizkie.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:4288
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
  2⤵
  PID:3816

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uninsep.bat

Filesize
341B

MD5
7be015d7c5d3f7ae5279d54751c324d0

SHA1
2c88fb7e84aee6a88f7ebf703af0ab8e6e190f88

SHA256
b73f0d75912fbb2ca12c1bec8708f61c05631a455b0bc65d42f1e8482c16bfba

SHA512
75bf1cc7ab0f4079a9fba3600f01af454d455104223e9d0ecb264207c3803e5343323809226498c3db7297797490c93dc283ef5f7eb636dd6e7268124c699adc

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
86bb2dbeaef655893262f3c041f6afe2

SHA1
1b26ff1241c1353bd506c18bd0c11878076ba65d

SHA256
4a57643d2c59d1235bc0926f845583f39345839e3e9428ad619eb4b6baf96ad2

SHA512
58294cfaa5882a4c5625c03fe6f9e4882912b31f7169241f95626745d66c0a746083a9044365943d66ae7a420113d28c0ddd642c4ed697c683deb63796a13d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\gederay.exe

Filesize
707KB

MD5
890e8966a57e348fe5a8d18fd58e0753

SHA1
d92dd5f199696544a5f860deff11420bbcbc7adf

SHA256
d4aa1068ca337e2443dd7c70c97456c2d10949fd76c49a82b8e77d188e591999

SHA512
a03a89f231783b2d0f8fc2dd7b01328251910f422a2095ff807ce1b450ac12d0787ac633d4a6ef167f6a97af817564c81d3cfeb1ab8e46a9473a8315c987aacb

Download Submit
C:\Users\Admin\AppData\Local\Temp\gederay.exe

Filesize
707KB

MD5
890e8966a57e348fe5a8d18fd58e0753

SHA1
d92dd5f199696544a5f860deff11420bbcbc7adf

SHA256
d4aa1068ca337e2443dd7c70c97456c2d10949fd76c49a82b8e77d188e591999

SHA512
a03a89f231783b2d0f8fc2dd7b01328251910f422a2095ff807ce1b450ac12d0787ac633d4a6ef167f6a97af817564c81d3cfeb1ab8e46a9473a8315c987aacb

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
480B

MD5
8707677293ea553c4358ce33ac85e34e

SHA1
c76ffef24a7a0ec804db6491437818521a15135a

SHA256
57ef9bf84184fe48bb2418007e8f258685cce97cf9abda4d3b0678a9c7ae3b8f

SHA512
21b81cd7ee98a4b711ee210a9338c7707f7fc300cfe6b1bdd25d2ed1620247aca956849ca62f2547746ec6c3feb68dfe3c5dca204bbf965f4f135c61bb038fd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\liizkie.exe

Filesize
419KB

MD5
85b7957fa6158ae2583604b671fb0e80

SHA1
3390a6792b8c4845a7e2b3b2945101f23ad99673

SHA256
d1ac12f3bd38f129189f7f712d0412316e13cfe31b5e1f7f11bf9afede5a5245

SHA512
01029d300d39326b8ed797a9a6aa94a430909f7474deafc026554c9815abefbe1a829661f70004846932506105fc606b5e0475017c0326bb056b086f49954cf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\liizkie.exe

Filesize
419KB

MD5
85b7957fa6158ae2583604b671fb0e80

SHA1
3390a6792b8c4845a7e2b3b2945101f23ad99673

SHA256
d1ac12f3bd38f129189f7f712d0412316e13cfe31b5e1f7f11bf9afede5a5245

SHA512
01029d300d39326b8ed797a9a6aa94a430909f7474deafc026554c9815abefbe1a829661f70004846932506105fc606b5e0475017c0326bb056b086f49954cf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA22B.tmp

Filesize
712KB

MD5
f0fba4e7c5e8869995c327fda5168896

SHA1
0857ff8e542aa2538f4ee26321efe74ae478ddee

SHA256
fa46963d9aa968d49ca8c966c81262ddfe1a801bf2ee9b38b81f15f479d9b117

SHA512
26bee17e8b65eeb323e0a435f72dfeeef47aa2e423ce0e14a1ddf95cdbbdec2304a8307d56f8a1f86d6d4687a96aaac65a5257ba6c89532552777f131400103d

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA22B.tmp

Filesize
712KB

MD5
f0fba4e7c5e8869995c327fda5168896

SHA1
0857ff8e542aa2538f4ee26321efe74ae478ddee

SHA256
fa46963d9aa968d49ca8c966c81262ddfe1a801bf2ee9b38b81f15f479d9b117

SHA512
26bee17e8b65eeb323e0a435f72dfeeef47aa2e423ce0e14a1ddf95cdbbdec2304a8307d56f8a1f86d6d4687a96aaac65a5257ba6c89532552777f131400103d

Download Submit
memory/408-141-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/408-146-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/2924-140-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/2924-144-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/3896-143-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/3896-132-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/4288-150-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/4288-152-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download