47c714271d734f7408df9983f3f8fe957382ac38c6c69978ea7e11846e0db10c

Analysis

max time kernel
154s
max time network
167s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
19-10-2022 17:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

47c714271d734f7408df9983f3f8fe957382ac38c6c69978ea7e11846e0db10c.exe
Size

627KB
MD5

90f12df2cadf4206dd44a7dd7a8eef40
SHA1

74d220d8b05216ff9072ced4f427c88a84a2d697
SHA256

47c714271d734f7408df9983f3f8fe957382ac38c6c69978ea7e11846e0db10c
SHA512

968ed42bd61e0d8b1053c9a3390bcf9435f30425be6f50a7072b2d5fd24ecce51f4ba359b4b96db96e3d218a948845491072d7fd4bda18af81aae281b6c74d7d
SSDEEP

12288:VHjcoe9PH96vB/fAuBcm9TyOE/xG3muGx44MG4Yx:VDgINfAuBcgcZG2uG24MG4Y

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
4956	jylyfyt.exe
4876	~DFA234.tmp
1700	wijaubx.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	47c714271d734f7408df9983f3f8fe957382ac38c6c69978ea7e11846e0db10c.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	~DFA234.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
1700	wijaubx.exe
1700	wijaubx.exe
1700	wijaubx.exe
1700	wijaubx.exe
1700	wijaubx.exe
1700	wijaubx.exe
1700	wijaubx.exe
1700	wijaubx.exe
1700	wijaubx.exe
1700	wijaubx.exe
1700	wijaubx.exe
1700	wijaubx.exe
1700	wijaubx.exe
1700	wijaubx.exe
1700	wijaubx.exe
1700	wijaubx.exe
1700	wijaubx.exe
1700	wijaubx.exe
1700	wijaubx.exe
1700	wijaubx.exe
1700	wijaubx.exe
1700	wijaubx.exe
1700	wijaubx.exe
1700	wijaubx.exe
1700	wijaubx.exe
1700	wijaubx.exe
1700	wijaubx.exe
1700	wijaubx.exe
1700	wijaubx.exe
1700	wijaubx.exe
1700	wijaubx.exe
1700	wijaubx.exe
1700	wijaubx.exe
1700	wijaubx.exe
1700	wijaubx.exe
1700	wijaubx.exe
1700	wijaubx.exe
1700	wijaubx.exe
1700	wijaubx.exe
1700	wijaubx.exe
1700	wijaubx.exe
1700	wijaubx.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4876	~DFA234.tmp

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4344 wrote to memory of 4956	4344	47c714271d734f7408df9983f3f8fe957382ac38c6c69978ea7e11846e0db10c.exe	82
PID 4344 wrote to memory of 4956	4344	47c714271d734f7408df9983f3f8fe957382ac38c6c69978ea7e11846e0db10c.exe	82
PID 4344 wrote to memory of 4956	4344	47c714271d734f7408df9983f3f8fe957382ac38c6c69978ea7e11846e0db10c.exe	82
PID 4956 wrote to memory of 4876	4956	jylyfyt.exe	83
PID 4956 wrote to memory of 4876	4956	jylyfyt.exe	83
PID 4956 wrote to memory of 4876	4956	jylyfyt.exe	83
PID 4344 wrote to memory of 4820	4344	47c714271d734f7408df9983f3f8fe957382ac38c6c69978ea7e11846e0db10c.exe	85
PID 4344 wrote to memory of 4820	4344	47c714271d734f7408df9983f3f8fe957382ac38c6c69978ea7e11846e0db10c.exe	85
PID 4344 wrote to memory of 4820	4344	47c714271d734f7408df9983f3f8fe957382ac38c6c69978ea7e11846e0db10c.exe	85
PID 4876 wrote to memory of 1700	4876	~DFA234.tmp	87
PID 4876 wrote to memory of 1700	4876	~DFA234.tmp	87
PID 4876 wrote to memory of 1700	4876	~DFA234.tmp	87

C:\Users\Admin\AppData\Local\Temp\47c714271d734f7408df9983f3f8fe957382ac38c6c69978ea7e11846e0db10c.exe
"C:\Users\Admin\AppData\Local\Temp\47c714271d734f7408df9983f3f8fe957382ac38c6c69978ea7e11846e0db10c.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4344
- C:\Users\Admin\AppData\Local\Temp\jylyfyt.exe
  C:\Users\Admin\AppData\Local\Temp\jylyfyt.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4956
- - C:\Users\Admin\AppData\Local\Temp\~DFA234.tmp
    C:\Users\Admin\AppData\Local\Temp\~DFA234.tmp OK
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4876
  - - C:\Users\Admin\AppData\Local\Temp\wijaubx.exe
      "C:\Users\Admin\AppData\Local\Temp\wijaubx.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:1700
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
  2⤵
  PID:4820

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uninsep.bat

Filesize
341B

MD5
7b673ebdccc14568d6d56707779b15db

SHA1
c7ef9ecab1feea18b09df08c5f80cd339f099747

SHA256
af2a3e553c3f9caeae09196844997ec83cf7e040c898ce615e4021b42437cbb6

SHA512
5fc3109fd3e9abbd251d668d7d782b46fdedd14bed7645e128e2e7dd9f2c4ba846450cdbdbffc792ed8a861b3523e487daae127bb496e9e6db960c79244a6dc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
86bb2dbeaef655893262f3c041f6afe2

SHA1
1b26ff1241c1353bd506c18bd0c11878076ba65d

SHA256
4a57643d2c59d1235bc0926f845583f39345839e3e9428ad619eb4b6baf96ad2

SHA512
58294cfaa5882a4c5625c03fe6f9e4882912b31f7169241f95626745d66c0a746083a9044365943d66ae7a420113d28c0ddd642c4ed697c683deb63796a13d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
480B

MD5
1288d1fd8b1f083b4ff52a4ca07e7ada

SHA1
53c8945b3d96256a840c321d1e59d19e224ff937

SHA256
3388e3415a7d7bcdd5cd7835dfba8112e3b4c3a343f3743222f9677fa5925396

SHA512
b92297f3922ecac400f1d9fb1b84511137606ff68471796b22d0eb7c1f276ce72ea72d422d614363ad54c7e49f190878187bb115398a0a823180fab8830911f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\jylyfyt.exe

Filesize
631KB

MD5
c47882cfb0cd1bea17269bd101f21d40

SHA1
aa086c71ea0063f13c2c0f5bb85ba79af6e20896

SHA256
e34bb91c19876a6d472aaf3b3ab3d0747709609692666a60671c255801a76e9d

SHA512
9cecf15259d39d7f32b4b430f1cf0116fb939826ca211feebce8a00066e54a867aac909d809df729d514c45e686d3050c7346615299a410085c7c4d5f4ddc37d

Download Submit
C:\Users\Admin\AppData\Local\Temp\jylyfyt.exe

Filesize
631KB

MD5
c47882cfb0cd1bea17269bd101f21d40

SHA1
aa086c71ea0063f13c2c0f5bb85ba79af6e20896

SHA256
e34bb91c19876a6d472aaf3b3ab3d0747709609692666a60671c255801a76e9d

SHA512
9cecf15259d39d7f32b4b430f1cf0116fb939826ca211feebce8a00066e54a867aac909d809df729d514c45e686d3050c7346615299a410085c7c4d5f4ddc37d

Download Submit
C:\Users\Admin\AppData\Local\Temp\wijaubx.exe

Filesize
376KB

MD5
fe268189f6aa9556eb07cd853c2bad33

SHA1
4bde3547a1892c9628e69804b9fc18e1c032efef

SHA256
a2a0dde404c9e5603c59e93c9371da90761ef5f88039c030d3a1ffa7a2c5b03e

SHA512
99ff94c85d467a09ab684ce44d0fc9e092b04f80093cbc19e2b74d81e08c0d0d86beced100fd1822c9fe4dda20511e854a6cfd6174db8210844c30147a10ab81

Download Submit
C:\Users\Admin\AppData\Local\Temp\wijaubx.exe

Filesize
376KB

MD5
fe268189f6aa9556eb07cd853c2bad33

SHA1
4bde3547a1892c9628e69804b9fc18e1c032efef

SHA256
a2a0dde404c9e5603c59e93c9371da90761ef5f88039c030d3a1ffa7a2c5b03e

SHA512
99ff94c85d467a09ab684ce44d0fc9e092b04f80093cbc19e2b74d81e08c0d0d86beced100fd1822c9fe4dda20511e854a6cfd6174db8210844c30147a10ab81

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA234.tmp

Filesize
636KB

MD5
6de69b47117d0a2a95b30ecc096e1035

SHA1
7ac6b29c76186226a9fe62456fe7e1b2008d3b73

SHA256
688df5f31a69fcaebcacfd1d84aca606e77bd91e63dee29e39965934292878d7

SHA512
69c6f66f068044320a6f79ac1dce589fbfaa4b0b869bce6e6f4682f54d4cae5563430c822cafd357fda4016b501a8e6f707e6a30ce84eee3de42b34c0079358c

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA234.tmp

Filesize
636KB

MD5
6de69b47117d0a2a95b30ecc096e1035

SHA1
7ac6b29c76186226a9fe62456fe7e1b2008d3b73

SHA256
688df5f31a69fcaebcacfd1d84aca606e77bd91e63dee29e39965934292878d7

SHA512
69c6f66f068044320a6f79ac1dce589fbfaa4b0b869bce6e6f4682f54d4cae5563430c822cafd357fda4016b501a8e6f707e6a30ce84eee3de42b34c0079358c

Download Submit
memory/1700-147-0x0000000000000000-mapping.dmp

Download
memory/1700-151-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/4344-143-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/4344-132-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/4820-142-0x0000000000000000-mapping.dmp

Download
memory/4876-146-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/4876-141-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/4876-137-0x0000000000000000-mapping.dmp

Download
memory/4956-140-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/4956-145-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/4956-133-0x0000000000000000-mapping.dmp

Download