bf0604787c8a8fca9380819903dcd1190930ae895cbc8c9c7ad9901af43ed59c

Analysis

max time kernel
152s
max time network
163s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
20-10-2022 07:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bf0604787c8a8fca9380819903dcd1190930ae895cbc8c9c7ad9901af43ed59c.exe
Size

625KB
MD5

813a014ec0041c5474e65f9f4016e8b0
SHA1

650590b2cb664776910fb1d57f8ae343096ed276
SHA256

bf0604787c8a8fca9380819903dcd1190930ae895cbc8c9c7ad9901af43ed59c
SHA512

4cde9965c0d6e2cf0df79886fd27a9d59f0757c7814aa976226e7b75f46ae0ce023fb9e3bf253c3c305320e418958630d065fa170223b876328ee54b42021a9c
SSDEEP

12288:OHjcoe9PH96vB/fAuBcm9TyOE/xG3muGx44MG4Yx:ODgINfAuBcgcZG2uG24MG4Y

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
5096	luivqeu.exe
456	~DFA23E.tmp
2668	deatma.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	bf0604787c8a8fca9380819903dcd1190930ae895cbc8c9c7ad9901af43ed59c.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	~DFA23E.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 38 IoCs

pid	Process
2668	deatma.exe
2668	deatma.exe
2668	deatma.exe
2668	deatma.exe
2668	deatma.exe
2668	deatma.exe
2668	deatma.exe
2668	deatma.exe
2668	deatma.exe
2668	deatma.exe
2668	deatma.exe
2668	deatma.exe
2668	deatma.exe
2668	deatma.exe
2668	deatma.exe
2668	deatma.exe
2668	deatma.exe
2668	deatma.exe
2668	deatma.exe
2668	deatma.exe
2668	deatma.exe
2668	deatma.exe
2668	deatma.exe
2668	deatma.exe
2668	deatma.exe
2668	deatma.exe
2668	deatma.exe
2668	deatma.exe
2668	deatma.exe
2668	deatma.exe
2668	deatma.exe
2668	deatma.exe
2668	deatma.exe
2668	deatma.exe
2668	deatma.exe
2668	deatma.exe
2668	deatma.exe
2668	deatma.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	456	~DFA23E.tmp

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4920 wrote to memory of 5096	4920	bf0604787c8a8fca9380819903dcd1190930ae895cbc8c9c7ad9901af43ed59c.exe	83
PID 4920 wrote to memory of 5096	4920	bf0604787c8a8fca9380819903dcd1190930ae895cbc8c9c7ad9901af43ed59c.exe	83
PID 4920 wrote to memory of 5096	4920	bf0604787c8a8fca9380819903dcd1190930ae895cbc8c9c7ad9901af43ed59c.exe	83
PID 5096 wrote to memory of 456	5096	luivqeu.exe	84
PID 5096 wrote to memory of 456	5096	luivqeu.exe	84
PID 5096 wrote to memory of 456	5096	luivqeu.exe	84
PID 4920 wrote to memory of 540	4920	bf0604787c8a8fca9380819903dcd1190930ae895cbc8c9c7ad9901af43ed59c.exe	85
PID 4920 wrote to memory of 540	4920	bf0604787c8a8fca9380819903dcd1190930ae895cbc8c9c7ad9901af43ed59c.exe	85
PID 4920 wrote to memory of 540	4920	bf0604787c8a8fca9380819903dcd1190930ae895cbc8c9c7ad9901af43ed59c.exe	85
PID 456 wrote to memory of 2668	456	~DFA23E.tmp	89
PID 456 wrote to memory of 2668	456	~DFA23E.tmp	89
PID 456 wrote to memory of 2668	456	~DFA23E.tmp	89

C:\Users\Admin\AppData\Local\Temp\bf0604787c8a8fca9380819903dcd1190930ae895cbc8c9c7ad9901af43ed59c.exe
"C:\Users\Admin\AppData\Local\Temp\bf0604787c8a8fca9380819903dcd1190930ae895cbc8c9c7ad9901af43ed59c.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4920
- C:\Users\Admin\AppData\Local\Temp\luivqeu.exe
  C:\Users\Admin\AppData\Local\Temp\luivqeu.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:5096
- - C:\Users\Admin\AppData\Local\Temp\~DFA23E.tmp
    C:\Users\Admin\AppData\Local\Temp\~DFA23E.tmp OK
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:456
  - - C:\Users\Admin\AppData\Local\Temp\deatma.exe
      "C:\Users\Admin\AppData\Local\Temp\deatma.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:2668
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
  2⤵
  PID:540

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uninsep.bat

Filesize
341B

MD5
0ab879116d2f832638e2279a84b4d158

SHA1
eeb6689135b759308a7c8b18c9d7128689333faf

SHA256
9d77723737fff556ad558ee832086b511505e2ac9ed526cc3665b3441f4e1a22

SHA512
27217f1ab2e62d7ffd4504057c3ead44dced4297e23df7f2b8b8950842b861c3aac2eb7f5e5bc440548c01fdf30cb59d5c3b2124715feab285e29e0f0e995b2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\deatma.exe

Filesize
395KB

MD5
2af1e4f09dc3348e95871dea43f8cb66

SHA1
0914990348c6bc95459abe391c8c8b42e1438243

SHA256
3351c06ddb03049b9063a78894dfa879191e3ca8842f38cbf1aecec1fb2527ff

SHA512
45355c778e07515c88851be803463030a4ad07cf0907eac4f08342d19e87db3c349597a5367e100bc5b797dbda4a85633ebb401d574e5a8fc8a8d2c3c293131f

Download Submit
C:\Users\Admin\AppData\Local\Temp\deatma.exe

Filesize
395KB

MD5
2af1e4f09dc3348e95871dea43f8cb66

SHA1
0914990348c6bc95459abe391c8c8b42e1438243

SHA256
3351c06ddb03049b9063a78894dfa879191e3ca8842f38cbf1aecec1fb2527ff

SHA512
45355c778e07515c88851be803463030a4ad07cf0907eac4f08342d19e87db3c349597a5367e100bc5b797dbda4a85633ebb401d574e5a8fc8a8d2c3c293131f

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
86bb2dbeaef655893262f3c041f6afe2

SHA1
1b26ff1241c1353bd506c18bd0c11878076ba65d

SHA256
4a57643d2c59d1235bc0926f845583f39345839e3e9428ad619eb4b6baf96ad2

SHA512
58294cfaa5882a4c5625c03fe6f9e4882912b31f7169241f95626745d66c0a746083a9044365943d66ae7a420113d28c0ddd642c4ed697c683deb63796a13d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
480B

MD5
310d326bd65ffd0417483733865e9c59

SHA1
6b6abe4f8f2bbb1302f4a3152109afdd9964adfc

SHA256
0d51bf2da08a1e67c529a9c2c3986e54b2a628acf1e93ab1a5e083dacbf73e18

SHA512
70b2d91e2e12f566d8586d4379c541c91c0606506c7f8bf72a6b8fb53abd9557a71e6795c0ceedcc19f3d112ee1afd193217ec515fabc176af0cf7658cce7211

Download Submit
C:\Users\Admin\AppData\Local\Temp\luivqeu.exe

Filesize
634KB

MD5
b0a363fb6273ce6c820a9333be1f8bdf

SHA1
9ad2876ff9a2f16c35347e9a192473a566a56200

SHA256
d499aae054dbcbd12f354b23543ec315c2bd938eb3298fdc68e5dd9d107d5cfa

SHA512
ae5644d5c87f341f88c78ae514d5b5d993cae8c5edfc42776dad4e0c2415333b01254cd37d633b226d676814411e5c649bdf9d7a4002406bbb109b0669f3cdbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\luivqeu.exe

Filesize
634KB

MD5
b0a363fb6273ce6c820a9333be1f8bdf

SHA1
9ad2876ff9a2f16c35347e9a192473a566a56200

SHA256
d499aae054dbcbd12f354b23543ec315c2bd938eb3298fdc68e5dd9d107d5cfa

SHA512
ae5644d5c87f341f88c78ae514d5b5d993cae8c5edfc42776dad4e0c2415333b01254cd37d633b226d676814411e5c649bdf9d7a4002406bbb109b0669f3cdbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA23E.tmp

Filesize
638KB

MD5
f3381b5df1c254bc4b77d351ab12c729

SHA1
5a0ef62e0134dca5ddd6ff4f97e7fd1acd6938c5

SHA256
5575af88be658c0753058c111c80bd9c0a3c03133411736a14e8560156a7bc6e

SHA512
81bff97563133f360214cfbf65d909507c38ef8be42c1c59e78de26af578f99b3f3c8ae6f7df7c51382289b0fdefe1ad2cd747e02c72cf52ce91f12d1a442de1

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA23E.tmp

Filesize
638KB

MD5
f3381b5df1c254bc4b77d351ab12c729

SHA1
5a0ef62e0134dca5ddd6ff4f97e7fd1acd6938c5

SHA256
5575af88be658c0753058c111c80bd9c0a3c03133411736a14e8560156a7bc6e

SHA512
81bff97563133f360214cfbf65d909507c38ef8be42c1c59e78de26af578f99b3f3c8ae6f7df7c51382289b0fdefe1ad2cd747e02c72cf52ce91f12d1a442de1

Download Submit
memory/456-140-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/456-145-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/456-137-0x0000000000000000-mapping.dmp

Download
memory/540-141-0x0000000000000000-mapping.dmp

Download
memory/2668-146-0x0000000000000000-mapping.dmp

Download
memory/2668-150-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/4920-142-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/4920-132-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/5096-143-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/5096-133-0x0000000000000000-mapping.dmp

Download