0477311de7ee742bffdec5df1de31dc8f0d71ef9ce75877a1176034443005428

Analysis

max time kernel
159s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
12/10/2022, 18:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0477311de7ee742bffdec5df1de31dc8f0d71ef9ce75877a1176034443005428.exe
Size

642KB
MD5

627345d0248e58651803ad8a242eb390
SHA1

4a8600cd8c3edd61822e4c0ccbcc543356f496f2
SHA256

0477311de7ee742bffdec5df1de31dc8f0d71ef9ce75877a1176034443005428
SHA512

f26a255b58c87ed89cfb16ea60eca069b8e7a53dba68b347449646c148d2df3fb567fd12ab5e6ab6639d6fbd5e6faba2e53d601dfe7ac9edefa33e8a482e5905
SSDEEP

12288:OHjcoe9PH96vB/fAuBcm9TyOE/xG3muGx44MG4Yx:ODgINfAuBcgcZG2uG24MG4Y

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
4988	ribodi.exe
4912	~DFA24C.tmp
3748	berywi.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	0477311de7ee742bffdec5df1de31dc8f0d71ef9ce75877a1176034443005428.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	~DFA24C.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 40 IoCs

pid	Process
3748	berywi.exe
3748	berywi.exe
3748	berywi.exe
3748	berywi.exe
3748	berywi.exe
3748	berywi.exe
3748	berywi.exe
3748	berywi.exe
3748	berywi.exe
3748	berywi.exe
3748	berywi.exe
3748	berywi.exe
3748	berywi.exe
3748	berywi.exe
3748	berywi.exe
3748	berywi.exe
3748	berywi.exe
3748	berywi.exe
3748	berywi.exe
3748	berywi.exe
3748	berywi.exe
3748	berywi.exe
3748	berywi.exe
3748	berywi.exe
3748	berywi.exe
3748	berywi.exe
3748	berywi.exe
3748	berywi.exe
3748	berywi.exe
3748	berywi.exe
3748	berywi.exe
3748	berywi.exe
3748	berywi.exe
3748	berywi.exe
3748	berywi.exe
3748	berywi.exe
3748	berywi.exe
3748	berywi.exe
3748	berywi.exe
3748	berywi.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4912	~DFA24C.tmp

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1448 wrote to memory of 4988	1448	0477311de7ee742bffdec5df1de31dc8f0d71ef9ce75877a1176034443005428.exe	80
PID 1448 wrote to memory of 4988	1448	0477311de7ee742bffdec5df1de31dc8f0d71ef9ce75877a1176034443005428.exe	80
PID 1448 wrote to memory of 4988	1448	0477311de7ee742bffdec5df1de31dc8f0d71ef9ce75877a1176034443005428.exe	80
PID 4988 wrote to memory of 4912	4988	ribodi.exe	81
PID 4988 wrote to memory of 4912	4988	ribodi.exe	81
PID 4988 wrote to memory of 4912	4988	ribodi.exe	81
PID 1448 wrote to memory of 5008	1448	0477311de7ee742bffdec5df1de31dc8f0d71ef9ce75877a1176034443005428.exe	82
PID 1448 wrote to memory of 5008	1448	0477311de7ee742bffdec5df1de31dc8f0d71ef9ce75877a1176034443005428.exe	82
PID 1448 wrote to memory of 5008	1448	0477311de7ee742bffdec5df1de31dc8f0d71ef9ce75877a1176034443005428.exe	82
PID 4912 wrote to memory of 3748	4912	~DFA24C.tmp	92
PID 4912 wrote to memory of 3748	4912	~DFA24C.tmp	92
PID 4912 wrote to memory of 3748	4912	~DFA24C.tmp	92

C:\Users\Admin\AppData\Local\Temp\0477311de7ee742bffdec5df1de31dc8f0d71ef9ce75877a1176034443005428.exe
"C:\Users\Admin\AppData\Local\Temp\0477311de7ee742bffdec5df1de31dc8f0d71ef9ce75877a1176034443005428.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1448
- C:\Users\Admin\AppData\Local\Temp\ribodi.exe
  C:\Users\Admin\AppData\Local\Temp\ribodi.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4988
- - C:\Users\Admin\AppData\Local\Temp\~DFA24C.tmp
    C:\Users\Admin\AppData\Local\Temp\~DFA24C.tmp OK
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4912
  - - C:\Users\Admin\AppData\Local\Temp\berywi.exe
      "C:\Users\Admin\AppData\Local\Temp\berywi.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:3748
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
  2⤵
  PID:5008

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uninsep.bat

Filesize
341B

MD5
44ad11dacbf2c796190ac63dc1f33329

SHA1
c1be7ada5fc583f04d6ff910e3e1fdfdb835d2b1

SHA256
1f3945403ca02cec2a5b90dee24b50167d1fd18bc61f245644e76f4def24a001

SHA512
ec42c28b0f5f75e892da7eae282091d46bd8c596223809f19637643338122226837e921352a10df5d140db2da9557863d78cac33a49d5608348224d71474a172

Download Submit
C:\Users\Admin\AppData\Local\Temp\berywi.exe

Filesize
379KB

MD5
26c0b56cf4692255f8df5708eac55f74

SHA1
88cd85d52f89e71b8e1bd9e4950fa0246c570be3

SHA256
71a87227c47ad8ebe2f82ef900a526793e7b9060de809e284b9c80fc8e06dc16

SHA512
00280e5e1c2ed26205be4af0e9d2d1eaff76278e55f98c6ff5d513c54cb4c87ef03f5cdee8e7e9e597695248669047eb361df8fe7e2b2281f744597a3a9285a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\berywi.exe

Filesize
379KB

MD5
26c0b56cf4692255f8df5708eac55f74

SHA1
88cd85d52f89e71b8e1bd9e4950fa0246c570be3

SHA256
71a87227c47ad8ebe2f82ef900a526793e7b9060de809e284b9c80fc8e06dc16

SHA512
00280e5e1c2ed26205be4af0e9d2d1eaff76278e55f98c6ff5d513c54cb4c87ef03f5cdee8e7e9e597695248669047eb361df8fe7e2b2281f744597a3a9285a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
86bb2dbeaef655893262f3c041f6afe2

SHA1
1b26ff1241c1353bd506c18bd0c11878076ba65d

SHA256
4a57643d2c59d1235bc0926f845583f39345839e3e9428ad619eb4b6baf96ad2

SHA512
58294cfaa5882a4c5625c03fe6f9e4882912b31f7169241f95626745d66c0a746083a9044365943d66ae7a420113d28c0ddd642c4ed697c683deb63796a13d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
480B

MD5
535e31780d6faf988350f3ffd46b1ff5

SHA1
9fa8b289083adacad8ee6d653e8ed400fc902588

SHA256
0d751315c147258242fde6991b693eb45fb567ccfa41fc1ff77e4f0a2934071b

SHA512
d31e031dbe6a2ad3db940594c520ab89b2054b441a154bbeb0eecb2d21b02c27be152ec6a3ccbf89afe42d0c471d87d46681ed7d0f32eeecea21208e9cff74a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ribodi.exe

Filesize
650KB

MD5
8656802728956e652f1479aaf474cd53

SHA1
19d32f868da8ece17a477c9e5b23ff2ebf1ccd3b

SHA256
e0cbd849cbed060d8c37f812a07b3c8439479e55ab121097694d5b0d2bc7ed75

SHA512
4c0867cdfc251e9325a3de5889c6aadb855b2ce1dc65cfa9b74c0ffb54f8c3aa82b950bc09cb8ff1fcd0c7c9aab2b946e7564b8decf2dd0f686a6341bd12c202

Download Submit
C:\Users\Admin\AppData\Local\Temp\ribodi.exe

Filesize
650KB

MD5
8656802728956e652f1479aaf474cd53

SHA1
19d32f868da8ece17a477c9e5b23ff2ebf1ccd3b

SHA256
e0cbd849cbed060d8c37f812a07b3c8439479e55ab121097694d5b0d2bc7ed75

SHA512
4c0867cdfc251e9325a3de5889c6aadb855b2ce1dc65cfa9b74c0ffb54f8c3aa82b950bc09cb8ff1fcd0c7c9aab2b946e7564b8decf2dd0f686a6341bd12c202

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA24C.tmp

Filesize
658KB

MD5
469cc1126506531fd93237807bb72e1d

SHA1
4848e5f0bdaa3a6709ecd69748fedecffedb9c17

SHA256
610d4a98d1876ed43417ae23b7361ef00fed359014a4d2e023fc65b1fee06797

SHA512
d73720a28eda1e7c8c1f8baee8716d45482c8ef8a1ec3261a8654d71c980b09efdb2edbacf54de54d43700a345bd9bcf591df9a870635f6cfd4fbf1124a4add2

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA24C.tmp

Filesize
658KB

MD5
469cc1126506531fd93237807bb72e1d

SHA1
4848e5f0bdaa3a6709ecd69748fedecffedb9c17

SHA256
610d4a98d1876ed43417ae23b7361ef00fed359014a4d2e023fc65b1fee06797

SHA512
d73720a28eda1e7c8c1f8baee8716d45482c8ef8a1ec3261a8654d71c980b09efdb2edbacf54de54d43700a345bd9bcf591df9a870635f6cfd4fbf1124a4add2

Download Submit
memory/1448-132-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1448-144-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/3748-150-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/3748-152-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/4912-146-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/4912-141-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/4988-142-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/4988-140-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download