32925179595dae5b9fffb38a479bf593e3fce56e36af4492c01c66391c8a60f5

Analysis

max time kernel
151s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
12/10/2022, 18:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

32925179595dae5b9fffb38a479bf593e3fce56e36af4492c01c66391c8a60f5.exe
Size

665KB
MD5

65c38931a068ff307a7aec5162768380
SHA1

3632b775ad245e72498b5208b18aa89b77fa3a6e
SHA256

32925179595dae5b9fffb38a479bf593e3fce56e36af4492c01c66391c8a60f5
SHA512

8b1e2e898167eab3c21fadf43e906b749168047f22e96dda39f18a240e2b0f3e1f4e2d26039a4894414787c81ae0987fdece89a3acc8d7612182ac109841c6d9
SSDEEP

12288:VHjcoe9PH96vB/fAuBcm9TyOE/xG3muGx44MG4Yx:VDgINfAuBcgcZG2uG24MG4Y

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
4932	esgouua.exe
4864	~DFA23B.tmp
3904	jetipua.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	~DFA23B.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	32925179595dae5b9fffb38a479bf593e3fce56e36af4492c01c66391c8a60f5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
3904	jetipua.exe
3904	jetipua.exe
3904	jetipua.exe
3904	jetipua.exe
3904	jetipua.exe
3904	jetipua.exe
3904	jetipua.exe
3904	jetipua.exe
3904	jetipua.exe
3904	jetipua.exe
3904	jetipua.exe
3904	jetipua.exe
3904	jetipua.exe
3904	jetipua.exe
3904	jetipua.exe
3904	jetipua.exe
3904	jetipua.exe
3904	jetipua.exe
3904	jetipua.exe
3904	jetipua.exe
3904	jetipua.exe
3904	jetipua.exe
3904	jetipua.exe
3904	jetipua.exe
3904	jetipua.exe
3904	jetipua.exe
3904	jetipua.exe
3904	jetipua.exe
3904	jetipua.exe
3904	jetipua.exe
3904	jetipua.exe
3904	jetipua.exe
3904	jetipua.exe
3904	jetipua.exe
3904	jetipua.exe
3904	jetipua.exe
3904	jetipua.exe
3904	jetipua.exe
3904	jetipua.exe
3904	jetipua.exe
3904	jetipua.exe
3904	jetipua.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4864	~DFA23B.tmp

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4480 wrote to memory of 4932	4480	32925179595dae5b9fffb38a479bf593e3fce56e36af4492c01c66391c8a60f5.exe	82
PID 4480 wrote to memory of 4932	4480	32925179595dae5b9fffb38a479bf593e3fce56e36af4492c01c66391c8a60f5.exe	82
PID 4480 wrote to memory of 4932	4480	32925179595dae5b9fffb38a479bf593e3fce56e36af4492c01c66391c8a60f5.exe	82
PID 4932 wrote to memory of 4864	4932	esgouua.exe	83
PID 4932 wrote to memory of 4864	4932	esgouua.exe	83
PID 4932 wrote to memory of 4864	4932	esgouua.exe	83
PID 4480 wrote to memory of 1540	4480	32925179595dae5b9fffb38a479bf593e3fce56e36af4492c01c66391c8a60f5.exe	84
PID 4480 wrote to memory of 1540	4480	32925179595dae5b9fffb38a479bf593e3fce56e36af4492c01c66391c8a60f5.exe	84
PID 4480 wrote to memory of 1540	4480	32925179595dae5b9fffb38a479bf593e3fce56e36af4492c01c66391c8a60f5.exe	84
PID 4864 wrote to memory of 3904	4864	~DFA23B.tmp	93
PID 4864 wrote to memory of 3904	4864	~DFA23B.tmp	93
PID 4864 wrote to memory of 3904	4864	~DFA23B.tmp	93

C:\Users\Admin\AppData\Local\Temp\32925179595dae5b9fffb38a479bf593e3fce56e36af4492c01c66391c8a60f5.exe
"C:\Users\Admin\AppData\Local\Temp\32925179595dae5b9fffb38a479bf593e3fce56e36af4492c01c66391c8a60f5.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4480
- C:\Users\Admin\AppData\Local\Temp\esgouua.exe
  C:\Users\Admin\AppData\Local\Temp\esgouua.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4932
- - C:\Users\Admin\AppData\Local\Temp\~DFA23B.tmp
    C:\Users\Admin\AppData\Local\Temp\~DFA23B.tmp OK
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4864
  - - C:\Users\Admin\AppData\Local\Temp\jetipua.exe
      "C:\Users\Admin\AppData\Local\Temp\jetipua.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:3904
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
  2⤵
  PID:1540

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uninsep.bat

Filesize
341B

MD5
78249c984de763bc68e001ba09b06565

SHA1
2905c891c9fc353ef16de6d3ed6a08b585660312

SHA256
6298dad6b25a22de70e01f825697ff4318e38750992866e5dcb7a8a716265054

SHA512
1b3236dcb8cb5163e9a6f4235e825b0b73c994e24478dd23b2ccf114b9a7e441da2004e748d1d2d62cde6e733ec1e1550e7ebeab796c10543630766880603bde

Download Submit
C:\Users\Admin\AppData\Local\Temp\esgouua.exe

Filesize
666KB

MD5
2cd7001d6c16e9d8bfe18993faf95b49

SHA1
d22f33e3b0e687527869a0a6a59dcdd98d55966f

SHA256
631483e2f32cdc66bb98e8e5c12cced0ebb0bbf2df6a1b721e09e03d8df1dc26

SHA512
d49885d3a9b020cb26ea70bb000586db612b395d430972b87646af487e685c906dc6571eb7107a7e85c3d1f0eb328e8deca39f2083e2f5fef06ef25f785232e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\esgouua.exe

Filesize
666KB

MD5
2cd7001d6c16e9d8bfe18993faf95b49

SHA1
d22f33e3b0e687527869a0a6a59dcdd98d55966f

SHA256
631483e2f32cdc66bb98e8e5c12cced0ebb0bbf2df6a1b721e09e03d8df1dc26

SHA512
d49885d3a9b020cb26ea70bb000586db612b395d430972b87646af487e685c906dc6571eb7107a7e85c3d1f0eb328e8deca39f2083e2f5fef06ef25f785232e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
86bb2dbeaef655893262f3c041f6afe2

SHA1
1b26ff1241c1353bd506c18bd0c11878076ba65d

SHA256
4a57643d2c59d1235bc0926f845583f39345839e3e9428ad619eb4b6baf96ad2

SHA512
58294cfaa5882a4c5625c03fe6f9e4882912b31f7169241f95626745d66c0a746083a9044365943d66ae7a420113d28c0ddd642c4ed697c683deb63796a13d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
480B

MD5
417d4a3cb8d395e2fa693f2fbb4b16ac

SHA1
c85cf9bf6fd81e94c799f5d9f591a295a84f56be

SHA256
d44187125a5aa83356401e1862f0fbcf7808aef2b6b436d73b3491ba8aab6bdf

SHA512
5b4fde231c2e682e2749b1174a647e0cdf55fc76a938b559c8100fa988b0599f04857ffaada2577556b2412e9f13f1006412ab6d6cdfd22230c2b4bedc24929b

Download Submit
C:\Users\Admin\AppData\Local\Temp\jetipua.exe

Filesize
370KB

MD5
f9cc94a4f3b056e04ccc1c39010c9658

SHA1
86be6c257e5483bae28e9531259735ea09525349

SHA256
29a518cd45e1a11f47443a5a598416eded6bc8c73849b2322a9828e0818d91e3

SHA512
724a2d33ddfee4f5c079f4af046f1c721cd1f73a43d9938aace58dbd1c64ffc4eb8d094978a79b75488d973eccbafdb8b491c5c2c1c431edb68308d63da3755e

Download Submit
C:\Users\Admin\AppData\Local\Temp\jetipua.exe

Filesize
370KB

MD5
f9cc94a4f3b056e04ccc1c39010c9658

SHA1
86be6c257e5483bae28e9531259735ea09525349

SHA256
29a518cd45e1a11f47443a5a598416eded6bc8c73849b2322a9828e0818d91e3

SHA512
724a2d33ddfee4f5c079f4af046f1c721cd1f73a43d9938aace58dbd1c64ffc4eb8d094978a79b75488d973eccbafdb8b491c5c2c1c431edb68308d63da3755e

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA23B.tmp

Filesize
667KB

MD5
fb8b526538166a2b76005d48f7c81810

SHA1
89235ba733a0ca57a1f7758e0fad13770bd7b474

SHA256
d90d8666ccf2d2ce1def9f026ed6ca10d401112bf11069d0508fdcbadc5e99c8

SHA512
cf45709f15a316955b0f5ffb1c93c9e60c039f5baaa89ae81c0d33070e1abaaf56086ae103809dc53362ae16153c8ae4953f309e2f58264fe98abddfcdb43c9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA23B.tmp

Filesize
667KB

MD5
fb8b526538166a2b76005d48f7c81810

SHA1
89235ba733a0ca57a1f7758e0fad13770bd7b474

SHA256
d90d8666ccf2d2ce1def9f026ed6ca10d401112bf11069d0508fdcbadc5e99c8

SHA512
cf45709f15a316955b0f5ffb1c93c9e60c039f5baaa89ae81c0d33070e1abaaf56086ae103809dc53362ae16153c8ae4953f309e2f58264fe98abddfcdb43c9d

Download Submit
memory/3904-150-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/4480-136-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/4480-143-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/4864-145-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/4932-141-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/4932-137-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download