50ca7fef598c65eee009ee7b03b314febc14045f17f45afbfe3ada39b905809e

Analysis

max time kernel
153s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
12/10/2022, 18:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

50ca7fef598c65eee009ee7b03b314febc14045f17f45afbfe3ada39b905809e.exe
Size

622KB
MD5

640e7206d621dcb2b325071f788ac4f0
SHA1

b1afd18037da17480fdcf9e2ee65c65c7724b6c8
SHA256

50ca7fef598c65eee009ee7b03b314febc14045f17f45afbfe3ada39b905809e
SHA512

22b298053bf3fc9247330dde2ccf8a82199a2337baebb8c3f79dd3eb2da9ccc673f747124f29f363e8d3c4b0271bff919726313e91f96aad9a8737a2892e7dfe
SSDEEP

12288:VHjcoe9PH96vB/fAuBcm9TyOE/xG3muGx44MG4Yx:VDgINfAuBcgcZG2uG24MG4Y

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2056	wimygam.exe
2508	~DFA255.tmp
260	tiydjam.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	~DFA255.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	50ca7fef598c65eee009ee7b03b314febc14045f17f45afbfe3ada39b905809e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
260	tiydjam.exe
260	tiydjam.exe
260	tiydjam.exe
260	tiydjam.exe
260	tiydjam.exe
260	tiydjam.exe
260	tiydjam.exe
260	tiydjam.exe
260	tiydjam.exe
260	tiydjam.exe
260	tiydjam.exe
260	tiydjam.exe
260	tiydjam.exe
260	tiydjam.exe
260	tiydjam.exe
260	tiydjam.exe
260	tiydjam.exe
260	tiydjam.exe
260	tiydjam.exe
260	tiydjam.exe
260	tiydjam.exe
260	tiydjam.exe
260	tiydjam.exe
260	tiydjam.exe
260	tiydjam.exe
260	tiydjam.exe
260	tiydjam.exe
260	tiydjam.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2508	~DFA255.tmp

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 396 wrote to memory of 2056	396	50ca7fef598c65eee009ee7b03b314febc14045f17f45afbfe3ada39b905809e.exe	81
PID 396 wrote to memory of 2056	396	50ca7fef598c65eee009ee7b03b314febc14045f17f45afbfe3ada39b905809e.exe	81
PID 396 wrote to memory of 2056	396	50ca7fef598c65eee009ee7b03b314febc14045f17f45afbfe3ada39b905809e.exe	81
PID 2056 wrote to memory of 2508	2056	wimygam.exe	84
PID 2056 wrote to memory of 2508	2056	wimygam.exe	84
PID 2056 wrote to memory of 2508	2056	wimygam.exe	84
PID 396 wrote to memory of 5048	396	50ca7fef598c65eee009ee7b03b314febc14045f17f45afbfe3ada39b905809e.exe	85
PID 396 wrote to memory of 5048	396	50ca7fef598c65eee009ee7b03b314febc14045f17f45afbfe3ada39b905809e.exe	85
PID 396 wrote to memory of 5048	396	50ca7fef598c65eee009ee7b03b314febc14045f17f45afbfe3ada39b905809e.exe	85
PID 2508 wrote to memory of 260	2508	~DFA255.tmp	87
PID 2508 wrote to memory of 260	2508	~DFA255.tmp	87
PID 2508 wrote to memory of 260	2508	~DFA255.tmp	87

C:\Users\Admin\AppData\Local\Temp\50ca7fef598c65eee009ee7b03b314febc14045f17f45afbfe3ada39b905809e.exe
"C:\Users\Admin\AppData\Local\Temp\50ca7fef598c65eee009ee7b03b314febc14045f17f45afbfe3ada39b905809e.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:396
- C:\Users\Admin\AppData\Local\Temp\wimygam.exe
  C:\Users\Admin\AppData\Local\Temp\wimygam.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2056
- - C:\Users\Admin\AppData\Local\Temp\~DFA255.tmp
    C:\Users\Admin\AppData\Local\Temp\~DFA255.tmp OK
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2508
  - - C:\Users\Admin\AppData\Local\Temp\tiydjam.exe
      "C:\Users\Admin\AppData\Local\Temp\tiydjam.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:260
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
  2⤵
  PID:5048

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uninsep.bat

Filesize
341B

MD5
18c2cadb985dc805a428ea9b8ce51d24

SHA1
a3867e9d0bf692e1e15e9e327ffdeef7ccf58b11

SHA256
76df071122cbb5cd3ae83cc2256ebdfedfa5dbf49e14c5c2f227fe4cb4cc0b61

SHA512
27d403fcccd43d95097ee9448378152bc524282f3fb305fff3cf82def5d4de658e378ab188362f7dd596ea6ec6ae62fa79dfac5ed8588159a2d9aa94f4eaf821

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
86bb2dbeaef655893262f3c041f6afe2

SHA1
1b26ff1241c1353bd506c18bd0c11878076ba65d

SHA256
4a57643d2c59d1235bc0926f845583f39345839e3e9428ad619eb4b6baf96ad2

SHA512
58294cfaa5882a4c5625c03fe6f9e4882912b31f7169241f95626745d66c0a746083a9044365943d66ae7a420113d28c0ddd642c4ed697c683deb63796a13d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
480B

MD5
379b495fb86b3031458cf11b0820d9aa

SHA1
6d9b245ca7de2ca47ac73b3be9e703af1f2dd4dd

SHA256
e398be32b6a3620e3a165bfc4e5cb8627fd2e3cffb1bf44579143f4580500cfe

SHA512
b46f089f0c01f71cf85d80a497b3be3061e7a01836fde412583b23677c541ffeb6350f3a34ee10afe9965e7b2f94998203214ccd0b17d90d64fee6bb5c6e803f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tiydjam.exe

Filesize
397KB

MD5
fce7051dcc8507fc29b898aa7c39ec5e

SHA1
0770e3ba344b7bbdf3b89f92884a70ca631dfaf5

SHA256
2fed711003e688c2761efaf3615781f1e78844d4dbc817d564f06c92bcdb2a44

SHA512
4d6422b29c6e14a709802eb814cecb97b9d513264ef5cfa4468d3ffc7324a76e97fcd8042a842e9fe0c254e5df599c477d61308c589c170ddaa6d2e6a1d65a72

Download Submit
C:\Users\Admin\AppData\Local\Temp\tiydjam.exe

Filesize
397KB

MD5
fce7051dcc8507fc29b898aa7c39ec5e

SHA1
0770e3ba344b7bbdf3b89f92884a70ca631dfaf5

SHA256
2fed711003e688c2761efaf3615781f1e78844d4dbc817d564f06c92bcdb2a44

SHA512
4d6422b29c6e14a709802eb814cecb97b9d513264ef5cfa4468d3ffc7324a76e97fcd8042a842e9fe0c254e5df599c477d61308c589c170ddaa6d2e6a1d65a72

Download Submit
C:\Users\Admin\AppData\Local\Temp\wimygam.exe

Filesize
625KB

MD5
b0b35aad40f6fd2164ef2de8bbae8bbd

SHA1
11fbce1d6c17d78cdbc06f4c3f1c5c0cb6093270

SHA256
bf5e1dc4ffc97e9fef14ae969ac1f7535f998c8a4d1f8441e853beba5a391c14

SHA512
c533d9746874c3f1d9beca40eba4c3ffe8cd54da661555b558659c4b2965ccef3421a52a95e5da79f94557e2ac62a5b80858f68255b11a00025ddf5add876999

Download Submit
C:\Users\Admin\AppData\Local\Temp\wimygam.exe

Filesize
625KB

MD5
b0b35aad40f6fd2164ef2de8bbae8bbd

SHA1
11fbce1d6c17d78cdbc06f4c3f1c5c0cb6093270

SHA256
bf5e1dc4ffc97e9fef14ae969ac1f7535f998c8a4d1f8441e853beba5a391c14

SHA512
c533d9746874c3f1d9beca40eba4c3ffe8cd54da661555b558659c4b2965ccef3421a52a95e5da79f94557e2ac62a5b80858f68255b11a00025ddf5add876999

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA255.tmp

Filesize
632KB

MD5
c3c7c8fdea123f43c4c9d237a0b2acd6

SHA1
2ed671444da3bbdf85a9b3a0c42ad8957dfe1342

SHA256
9541097ad48d47e7348306f8e8553f0e6ee211e8e7ad202159a4b3d0d4e504ee

SHA512
2ef5b60841617d3b922398373df272fe4aa9a5c633d05b1326e664ad16c8b878f9304513c7c4ddbbe25a2566d935a4c9883017195cbee228409534a1bba578ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA255.tmp

Filesize
632KB

MD5
c3c7c8fdea123f43c4c9d237a0b2acd6

SHA1
2ed671444da3bbdf85a9b3a0c42ad8957dfe1342

SHA256
9541097ad48d47e7348306f8e8553f0e6ee211e8e7ad202159a4b3d0d4e504ee

SHA512
2ef5b60841617d3b922398373df272fe4aa9a5c633d05b1326e664ad16c8b878f9304513c7c4ddbbe25a2566d935a4c9883017195cbee228409534a1bba578ef

Download Submit
memory/260-149-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/396-143-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/396-132-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/396-135-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/2056-141-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/2508-145-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download