e3a28860aa8872fb9ed84e70811f8a5886951c9242b7db552cda17281e4d6943

Analysis

max time kernel
174s
max time network
171s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
20/10/2022, 07:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e3a28860aa8872fb9ed84e70811f8a5886951c9242b7db552cda17281e4d6943.exe
Size

698KB
MD5

72611b377ba357a3df9144421859bd40
SHA1

052b0028b62892cfba08f5a8b09405ddacf0469a
SHA256

e3a28860aa8872fb9ed84e70811f8a5886951c9242b7db552cda17281e4d6943
SHA512

f683a928530ba03f5c6e45b8ead554af0059ae8114feb0951aa8be8bf411cc3c68c62f2933fd86ff1c1ae26bf56c2c5b39162bac5d26a46c5e3d1138ba5a454f
SSDEEP

12288:VHjcoe9PH96vB/fAuBcm9TyOE/xG3muGx44MG4Yx:VDgINfAuBcgcZG2uG24MG4Y

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
4972	yqakcuk.exe
4936	~DFA246.tmp
4876	docybuk.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	e3a28860aa8872fb9ed84e70811f8a5886951c9242b7db552cda17281e4d6943.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	~DFA246.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
4876	docybuk.exe
4876	docybuk.exe
4876	docybuk.exe
4876	docybuk.exe
4876	docybuk.exe
4876	docybuk.exe
4876	docybuk.exe
4876	docybuk.exe
4876	docybuk.exe
4876	docybuk.exe
4876	docybuk.exe
4876	docybuk.exe
4876	docybuk.exe
4876	docybuk.exe
4876	docybuk.exe
4876	docybuk.exe
4876	docybuk.exe
4876	docybuk.exe
4876	docybuk.exe
4876	docybuk.exe
4876	docybuk.exe
4876	docybuk.exe
4876	docybuk.exe
4876	docybuk.exe
4876	docybuk.exe
4876	docybuk.exe
4876	docybuk.exe
4876	docybuk.exe
4876	docybuk.exe
4876	docybuk.exe
4876	docybuk.exe
4876	docybuk.exe
4876	docybuk.exe
4876	docybuk.exe
4876	docybuk.exe
4876	docybuk.exe
4876	docybuk.exe
4876	docybuk.exe
4876	docybuk.exe
4876	docybuk.exe
4876	docybuk.exe
4876	docybuk.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4936	~DFA246.tmp

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3284 wrote to memory of 4972	3284	e3a28860aa8872fb9ed84e70811f8a5886951c9242b7db552cda17281e4d6943.exe	82
PID 3284 wrote to memory of 4972	3284	e3a28860aa8872fb9ed84e70811f8a5886951c9242b7db552cda17281e4d6943.exe	82
PID 3284 wrote to memory of 4972	3284	e3a28860aa8872fb9ed84e70811f8a5886951c9242b7db552cda17281e4d6943.exe	82
PID 4972 wrote to memory of 4936	4972	yqakcuk.exe	83
PID 4972 wrote to memory of 4936	4972	yqakcuk.exe	83
PID 4972 wrote to memory of 4936	4972	yqakcuk.exe	83
PID 3284 wrote to memory of 4224	3284	e3a28860aa8872fb9ed84e70811f8a5886951c9242b7db552cda17281e4d6943.exe	84
PID 3284 wrote to memory of 4224	3284	e3a28860aa8872fb9ed84e70811f8a5886951c9242b7db552cda17281e4d6943.exe	84
PID 3284 wrote to memory of 4224	3284	e3a28860aa8872fb9ed84e70811f8a5886951c9242b7db552cda17281e4d6943.exe	84
PID 4936 wrote to memory of 4876	4936	~DFA246.tmp	87
PID 4936 wrote to memory of 4876	4936	~DFA246.tmp	87
PID 4936 wrote to memory of 4876	4936	~DFA246.tmp	87

C:\Users\Admin\AppData\Local\Temp\e3a28860aa8872fb9ed84e70811f8a5886951c9242b7db552cda17281e4d6943.exe
"C:\Users\Admin\AppData\Local\Temp\e3a28860aa8872fb9ed84e70811f8a5886951c9242b7db552cda17281e4d6943.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3284
- C:\Users\Admin\AppData\Local\Temp\yqakcuk.exe
  C:\Users\Admin\AppData\Local\Temp\yqakcuk.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4972
- - C:\Users\Admin\AppData\Local\Temp\~DFA246.tmp
    C:\Users\Admin\AppData\Local\Temp\~DFA246.tmp OK
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4936
  - - C:\Users\Admin\AppData\Local\Temp\docybuk.exe
      "C:\Users\Admin\AppData\Local\Temp\docybuk.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:4876
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
  2⤵
  PID:4224

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uninsep.bat

Filesize
341B

MD5
c019631cb65538cab8be2bf0e4eed5ba

SHA1
1149bc3131f5bf1fadb99043e808d701e496664e

SHA256
992e8bf5c0716602e0bf9c2afb8829f221034db1c02a368c1f82ea7057d04650

SHA512
724e318cac55f8e17cf5ecfc033929d02aadc000e035bf1240668cb2e5b327634fd3464e401f068a98b6539cd25992961911bad943d9fac8a644ab383e8c5ca8

Download Submit
C:\Users\Admin\AppData\Local\Temp\docybuk.exe

Filesize
373KB

MD5
6bad56e7b1f4a8dc652752601546779b

SHA1
fab4b0ace4ea7f6df97163b67783452fd71fc281

SHA256
245201125b87ccb644c3c3d4196198318ce5a94a1bd23228eb6cfb3555f6d035

SHA512
007579dc57b043fdf7eb9fdcf840e7ce7c7fed4d5146188b4c2b31ce1fdf9edb33d2108edf000b89f10b46df448c603b9d7a895b3b8523d7a15ce9348960077b

Download Submit
C:\Users\Admin\AppData\Local\Temp\docybuk.exe

Filesize
373KB

MD5
6bad56e7b1f4a8dc652752601546779b

SHA1
fab4b0ace4ea7f6df97163b67783452fd71fc281

SHA256
245201125b87ccb644c3c3d4196198318ce5a94a1bd23228eb6cfb3555f6d035

SHA512
007579dc57b043fdf7eb9fdcf840e7ce7c7fed4d5146188b4c2b31ce1fdf9edb33d2108edf000b89f10b46df448c603b9d7a895b3b8523d7a15ce9348960077b

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
86bb2dbeaef655893262f3c041f6afe2

SHA1
1b26ff1241c1353bd506c18bd0c11878076ba65d

SHA256
4a57643d2c59d1235bc0926f845583f39345839e3e9428ad619eb4b6baf96ad2

SHA512
58294cfaa5882a4c5625c03fe6f9e4882912b31f7169241f95626745d66c0a746083a9044365943d66ae7a420113d28c0ddd642c4ed697c683deb63796a13d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
480B

MD5
877de69e7fc6da75562465a47699568e

SHA1
ece3d90c4bf508a4db4b0cffe50e0ac0fad9beda

SHA256
f037c57ea59720ffe3799f368e7fa9a1b78d85ca571ae3e1acf32b0ebcd4fa95

SHA512
9ebd2f52f02d3c20f842e2905095c3f2eaa51a457930931be5c9e54a4cfb97e6851721f92e1009db90b95b6bf5f2f3541b53ff9ad256a56aea2d228524c7277c

Download Submit
C:\Users\Admin\AppData\Local\Temp\yqakcuk.exe

Filesize
698KB

MD5
8199a6bbcc1d7009a61cfd58a2314f1e

SHA1
8cc899ca08a18854726d9484e4fcf52d64819876

SHA256
cbd450ce66e2333cda06a2693aaf32e03deb67f02e6d20f0e24de51cae87210a

SHA512
cd17ece5e3ab9aa5d871c9e277ee9f94ccda11cef6442d3df0d73cabac4bf6aed3f0fb80f3b41cb94ab6a52af3c56b5650d0fc3715b561e5a570ee8e310fd984

Download Submit
C:\Users\Admin\AppData\Local\Temp\yqakcuk.exe

Filesize
698KB

MD5
8199a6bbcc1d7009a61cfd58a2314f1e

SHA1
8cc899ca08a18854726d9484e4fcf52d64819876

SHA256
cbd450ce66e2333cda06a2693aaf32e03deb67f02e6d20f0e24de51cae87210a

SHA512
cd17ece5e3ab9aa5d871c9e277ee9f94ccda11cef6442d3df0d73cabac4bf6aed3f0fb80f3b41cb94ab6a52af3c56b5650d0fc3715b561e5a570ee8e310fd984

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA246.tmp

Filesize
701KB

MD5
5dadc4541356b8855b81f5abeb015156

SHA1
35dda082e4806e0a35e8637935d0a4cd3d94f56a

SHA256
1bb79870550d6088ac0b0be7986fd589c69491effa9979f6a40d7360515b952a

SHA512
0e58ecae4e60cdf66302faf61837a9b2145923a8caf240095c152ecc57b5ec87b8f3184fcbf0ded73415424e5370dc61a85af02aee1faa30287553538dbf31b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA246.tmp

Filesize
701KB

MD5
5dadc4541356b8855b81f5abeb015156

SHA1
35dda082e4806e0a35e8637935d0a4cd3d94f56a

SHA256
1bb79870550d6088ac0b0be7986fd589c69491effa9979f6a40d7360515b952a

SHA512
0e58ecae4e60cdf66302faf61837a9b2145923a8caf240095c152ecc57b5ec87b8f3184fcbf0ded73415424e5370dc61a85af02aee1faa30287553538dbf31b7

Download Submit
memory/3284-144-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/3284-132-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/4876-150-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/4876-152-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/4936-141-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/4936-146-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/4972-137-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/4972-142-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download