84c5a11552eda0feab083594d6a1ee1f275769c20978d4347ade1f168ff52ed6

Analysis

max time kernel
147s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
20/10/2022, 00:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

84c5a11552eda0feab083594d6a1ee1f275769c20978d4347ade1f168ff52ed6.exe
Size

750KB
MD5

91396b48fe4097dc4cac1236734d9030
SHA1

f60b7690a14c7680b80508bc832bb7fb9e032183
SHA256

84c5a11552eda0feab083594d6a1ee1f275769c20978d4347ade1f168ff52ed6
SHA512

4680c53a7b896a9f7cfd316bffbc801e35cc6ffbde0c86278a136a73fab891765b7303da1104e9756cabc0ab1711a9087d681abadc5b9d780dc6a4968457baf0
SSDEEP

12288:RDGJuO8TJMn/h0a8ntcw/zfZkjN3lUmF2bCPVjQiuOwJN48RWwyuEyuUDodXGEXS:RSJu7AhV8tcw7Z+NRF2uP65FJtwwZ5oY

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2476	exing.exe
4560	xakeso.exe
3428	decim.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	84c5a11552eda0feab083594d6a1ee1f275769c20978d4347ade1f168ff52ed6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	exing.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	xakeso.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
3428	decim.exe
3428	decim.exe
3428	decim.exe
3428	decim.exe
3428	decim.exe
3428	decim.exe
3428	decim.exe
3428	decim.exe
3428	decim.exe
3428	decim.exe
3428	decim.exe
3428	decim.exe
3428	decim.exe
3428	decim.exe
3428	decim.exe
3428	decim.exe
3428	decim.exe
3428	decim.exe
3428	decim.exe
3428	decim.exe
3428	decim.exe
3428	decim.exe
3428	decim.exe
3428	decim.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2196 wrote to memory of 2476	2196	84c5a11552eda0feab083594d6a1ee1f275769c20978d4347ade1f168ff52ed6.exe	80
PID 2196 wrote to memory of 2476	2196	84c5a11552eda0feab083594d6a1ee1f275769c20978d4347ade1f168ff52ed6.exe	80
PID 2196 wrote to memory of 2476	2196	84c5a11552eda0feab083594d6a1ee1f275769c20978d4347ade1f168ff52ed6.exe	80
PID 2196 wrote to memory of 4008	2196	84c5a11552eda0feab083594d6a1ee1f275769c20978d4347ade1f168ff52ed6.exe	81
PID 2196 wrote to memory of 4008	2196	84c5a11552eda0feab083594d6a1ee1f275769c20978d4347ade1f168ff52ed6.exe	81
PID 2196 wrote to memory of 4008	2196	84c5a11552eda0feab083594d6a1ee1f275769c20978d4347ade1f168ff52ed6.exe	81
PID 2476 wrote to memory of 4560	2476	exing.exe	83
PID 2476 wrote to memory of 4560	2476	exing.exe	83
PID 2476 wrote to memory of 4560	2476	exing.exe	83
PID 4560 wrote to memory of 3428	4560	xakeso.exe	91
PID 4560 wrote to memory of 3428	4560	xakeso.exe	91
PID 4560 wrote to memory of 3428	4560	xakeso.exe	91
PID 4560 wrote to memory of 2184	4560	xakeso.exe	92
PID 4560 wrote to memory of 2184	4560	xakeso.exe	92
PID 4560 wrote to memory of 2184	4560	xakeso.exe	92

C:\Users\Admin\AppData\Local\Temp\84c5a11552eda0feab083594d6a1ee1f275769c20978d4347ade1f168ff52ed6.exe
"C:\Users\Admin\AppData\Local\Temp\84c5a11552eda0feab083594d6a1ee1f275769c20978d4347ade1f168ff52ed6.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2196
- C:\Users\Admin\AppData\Local\Temp\exing.exe
  "C:\Users\Admin\AppData\Local\Temp\exing.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:2476
- - C:\Users\Admin\AppData\Local\Temp\xakeso.exe
    "C:\Users\Admin\AppData\Local\Temp\xakeso.exe" OK
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:4560
  - - C:\Users\Admin\AppData\Local\Temp\decim.exe
      "C:\Users\Admin\AppData\Local\Temp\decim.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:3428
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      PID:2184
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  PID:4008

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
340B

MD5
665d40f83d93cbe3d8c9e78cda8c0d48

SHA1
b4a888f0b7da943559680895f76d40851034f733

SHA256
7bc428a5a5f09ad377d471507948e7aeb19f07972509771303efdec672b478e3

SHA512
a39052e985d9d223be14c7867698d936f69d6a1f6a14862b5b93293f3ddc7d55e63b25f96a186ed05d83ff248587c411794d5bb8e9d9670fc2eaa8fd1930637d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
7ed2ecb6300d880a1f0db113631f8716

SHA1
2a96370ab7dd5eeb456d6d6d6ad177c522364373

SHA256
f7b2a1d6d3c6e6663e25898f34beb8a0a2be3cf3c651916ad5f9dd112c457506

SHA512
eb90647df1573ca1c92498da0cc37fdcab6852e4dbd9afc8ea5452df1a4165bde8d67cc813a00ab9a298e22794facd8363d9558987d5a2b8d744609a90091ddf

Download Submit
C:\Users\Admin\AppData\Local\Temp\decim.exe

Filesize
652KB

MD5
9d63ea6be3c239b05568d5de4edb08dc

SHA1
881e289b02b556b31d222f48bd4c08032df73cba

SHA256
0c8e7db7a9e459b5a63d5869b5bfda978c214a73ce26daa9046670d801381a35

SHA512
6d2b26fc763d8b3020ad9ec458178b95feacbc4436739d791d0e5a65e707acf879ffbe76fb9144797dd8a183594357ff41a0c414e94de0907152c710ef254da3

Download Submit
C:\Users\Admin\AppData\Local\Temp\decim.exe

Filesize
652KB

MD5
9d63ea6be3c239b05568d5de4edb08dc

SHA1
881e289b02b556b31d222f48bd4c08032df73cba

SHA256
0c8e7db7a9e459b5a63d5869b5bfda978c214a73ce26daa9046670d801381a35

SHA512
6d2b26fc763d8b3020ad9ec458178b95feacbc4436739d791d0e5a65e707acf879ffbe76fb9144797dd8a183594357ff41a0c414e94de0907152c710ef254da3

Download Submit
C:\Users\Admin\AppData\Local\Temp\exing.exe

Filesize
751KB

MD5
8f2c13736f3e952b44d2a3b925b588c7

SHA1
4cb88fb02e9ef271f887fe9c3bd21b9ccc05936c

SHA256
6895676a92ff902f7c23ba79cb9082cc13d7b4476403507cc23890c2a0de1a48

SHA512
a128844cb91454db3e3a14b3d25f1eb7cb3e72f63db130a6dc0d7ffe36b4be2fb9b9605d29849cb0b3d3a7ce2010065ff7667a05c58a15b45abe86c24a572b4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\exing.exe

Filesize
751KB

MD5
8f2c13736f3e952b44d2a3b925b588c7

SHA1
4cb88fb02e9ef271f887fe9c3bd21b9ccc05936c

SHA256
6895676a92ff902f7c23ba79cb9082cc13d7b4476403507cc23890c2a0de1a48

SHA512
a128844cb91454db3e3a14b3d25f1eb7cb3e72f63db130a6dc0d7ffe36b4be2fb9b9605d29849cb0b3d3a7ce2010065ff7667a05c58a15b45abe86c24a572b4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
dbef593bccc2049f860f718cd6fec321

SHA1
e7e9f8235b4eb70aa99dd2c38009f2152575a8d0

SHA256
30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a

SHA512
3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
a97931a521de97f770b18c819e4b7e9e

SHA1
62147986d47f9dc7ffb418bddde7f343e2e789c2

SHA256
760389d4e0d980424f2e9dc833adf410546c75aa6d0e2570b3b822fe4187b9c6

SHA512
0e60b3a849cd4e57f22050be3b9114aed2b1c844d57eb850534660ceda0f764e307192a329d077ddaf02dcf5e8e98d0eb817d06e6a1cc95169d58927721be249

Download Submit
C:\Users\Admin\AppData\Local\Temp\xakeso.exe

Filesize
751KB

MD5
8f2c13736f3e952b44d2a3b925b588c7

SHA1
4cb88fb02e9ef271f887fe9c3bd21b9ccc05936c

SHA256
6895676a92ff902f7c23ba79cb9082cc13d7b4476403507cc23890c2a0de1a48

SHA512
a128844cb91454db3e3a14b3d25f1eb7cb3e72f63db130a6dc0d7ffe36b4be2fb9b9605d29849cb0b3d3a7ce2010065ff7667a05c58a15b45abe86c24a572b4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\xakeso.exe

Filesize
751KB

MD5
8f2c13736f3e952b44d2a3b925b588c7

SHA1
4cb88fb02e9ef271f887fe9c3bd21b9ccc05936c

SHA256
6895676a92ff902f7c23ba79cb9082cc13d7b4476403507cc23890c2a0de1a48

SHA512
a128844cb91454db3e3a14b3d25f1eb7cb3e72f63db130a6dc0d7ffe36b4be2fb9b9605d29849cb0b3d3a7ce2010065ff7667a05c58a15b45abe86c24a572b4a

Download Submit
memory/2196-138-0x0000000000400000-0x00000000004DC000-memory.dmp

Filesize
880KB

Download
memory/2196-132-0x0000000000400000-0x00000000004DC000-memory.dmp

Filesize
880KB

Download
memory/2476-144-0x0000000000400000-0x00000000004DC000-memory.dmp

Filesize
880KB

Download
memory/2476-139-0x0000000000400000-0x00000000004DC000-memory.dmp

Filesize
880KB

Download
memory/3428-153-0x0000000000400000-0x000000000064C000-memory.dmp

Filesize
2.3MB

Download
memory/4560-150-0x0000000000400000-0x00000000004DC000-memory.dmp

Filesize
880KB

Download
memory/4560-145-0x0000000000400000-0x00000000004DC000-memory.dmp

Filesize
880KB

Download