2277d5b6eed5c433844d321332f952799e4dbff9a21d15ad6f86e7d3271e2e3c

Analysis

max time kernel
153s
max time network
132s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
20/10/2022, 07:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2277d5b6eed5c433844d321332f952799e4dbff9a21d15ad6f86e7d3271e2e3c.exe
Size

675KB
MD5

8014c7f4da24d190fe1b43cde245b800
SHA1

270d2c28ce05e1cdd55ab6af1ff6031f09254a09
SHA256

2277d5b6eed5c433844d321332f952799e4dbff9a21d15ad6f86e7d3271e2e3c
SHA512

96c8568f47887f5f9f154fd74c4371bbc01593a1e848c93b6f24e2513c1f9afbfece8d927e2853e1dfb4a1304d12fea48875a10702a2a15649e7645285e23da3
SSDEEP

12288:VHjcoe9PH96vB/fAuBcm9TyOE/xG3muGx44MG4Yx:VDgINfAuBcgcZG2uG24MG4Y

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
4936	moapny.exe
1332	~DFA239.tmp
3892	xyijbo.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	~DFA239.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	2277d5b6eed5c433844d321332f952799e4dbff9a21d15ad6f86e7d3271e2e3c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 40 IoCs

pid	Process
3892	xyijbo.exe
3892	xyijbo.exe
3892	xyijbo.exe
3892	xyijbo.exe
3892	xyijbo.exe
3892	xyijbo.exe
3892	xyijbo.exe
3892	xyijbo.exe
3892	xyijbo.exe
3892	xyijbo.exe
3892	xyijbo.exe
3892	xyijbo.exe
3892	xyijbo.exe
3892	xyijbo.exe
3892	xyijbo.exe
3892	xyijbo.exe
3892	xyijbo.exe
3892	xyijbo.exe
3892	xyijbo.exe
3892	xyijbo.exe
3892	xyijbo.exe
3892	xyijbo.exe
3892	xyijbo.exe
3892	xyijbo.exe
3892	xyijbo.exe
3892	xyijbo.exe
3892	xyijbo.exe
3892	xyijbo.exe
3892	xyijbo.exe
3892	xyijbo.exe
3892	xyijbo.exe
3892	xyijbo.exe
3892	xyijbo.exe
3892	xyijbo.exe
3892	xyijbo.exe
3892	xyijbo.exe
3892	xyijbo.exe
3892	xyijbo.exe
3892	xyijbo.exe
3892	xyijbo.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1332	~DFA239.tmp

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4944 wrote to memory of 4936	4944	2277d5b6eed5c433844d321332f952799e4dbff9a21d15ad6f86e7d3271e2e3c.exe	81
PID 4944 wrote to memory of 4936	4944	2277d5b6eed5c433844d321332f952799e4dbff9a21d15ad6f86e7d3271e2e3c.exe	81
PID 4944 wrote to memory of 4936	4944	2277d5b6eed5c433844d321332f952799e4dbff9a21d15ad6f86e7d3271e2e3c.exe	81
PID 4936 wrote to memory of 1332	4936	moapny.exe	82
PID 4936 wrote to memory of 1332	4936	moapny.exe	82
PID 4936 wrote to memory of 1332	4936	moapny.exe	82
PID 4944 wrote to memory of 4140	4944	2277d5b6eed5c433844d321332f952799e4dbff9a21d15ad6f86e7d3271e2e3c.exe	83
PID 4944 wrote to memory of 4140	4944	2277d5b6eed5c433844d321332f952799e4dbff9a21d15ad6f86e7d3271e2e3c.exe	83
PID 4944 wrote to memory of 4140	4944	2277d5b6eed5c433844d321332f952799e4dbff9a21d15ad6f86e7d3271e2e3c.exe	83
PID 1332 wrote to memory of 3892	1332	~DFA239.tmp	93
PID 1332 wrote to memory of 3892	1332	~DFA239.tmp	93
PID 1332 wrote to memory of 3892	1332	~DFA239.tmp	93

C:\Users\Admin\AppData\Local\Temp\2277d5b6eed5c433844d321332f952799e4dbff9a21d15ad6f86e7d3271e2e3c.exe
"C:\Users\Admin\AppData\Local\Temp\2277d5b6eed5c433844d321332f952799e4dbff9a21d15ad6f86e7d3271e2e3c.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4944
- C:\Users\Admin\AppData\Local\Temp\moapny.exe
  C:\Users\Admin\AppData\Local\Temp\moapny.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4936
- - C:\Users\Admin\AppData\Local\Temp\~DFA239.tmp
    C:\Users\Admin\AppData\Local\Temp\~DFA239.tmp OK
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1332
  - - C:\Users\Admin\AppData\Local\Temp\xyijbo.exe
      "C:\Users\Admin\AppData\Local\Temp\xyijbo.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:3892
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
  2⤵
  PID:4140

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uninsep.bat

Filesize
341B

MD5
a10cca7a0d216ea139273da9e3a9d226

SHA1
3d90f81ba09fba6e2f72f4862519d93e043c4677

SHA256
8139323409b73f9dd0287cdb367e030fed6b2ee0c44ac0d22653a83d798ac227

SHA512
506f03074b857bed4d9f58d41e396e8aa943282dc654c0733b6c0916415e2cb997140dd1fb2144c0283a8179d0aef9ef51d4dbe8397596589d7f71effe002d73

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
86bb2dbeaef655893262f3c041f6afe2

SHA1
1b26ff1241c1353bd506c18bd0c11878076ba65d

SHA256
4a57643d2c59d1235bc0926f845583f39345839e3e9428ad619eb4b6baf96ad2

SHA512
58294cfaa5882a4c5625c03fe6f9e4882912b31f7169241f95626745d66c0a746083a9044365943d66ae7a420113d28c0ddd642c4ed697c683deb63796a13d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
480B

MD5
ff63889f4fa941f8b03db43196cdaf0d

SHA1
758213db0b335f92a15baa40f128a948a5236eef

SHA256
fafd3ce73db76a2cddc16eddc71605daa0c1baacdddce9ef93cde042929170d0

SHA512
a7d30f406e0bf4eba263e7fd6674352a75725d125af6bdfaec2fb0bf402e1d086549772a6c980ee73106ff54070f3cb76210d8ab8a68ecd4fd48e9d3ac4aec0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\moapny.exe

Filesize
683KB

MD5
8d3b468cfa459a2be58a47f7c3041ad7

SHA1
f32757483c6f764621545a0d4378d59ad117f285

SHA256
f082fe9b4a7a906ddf63e633f9257c1947b8c25e9bf1f289cb857841830a0ad6

SHA512
b6a40bbf0497dae38adfd0a8a44872091dd2f46fd63f51bdae0bda0bace80f2de86dc886ef2ba02e0a3c9a7a9c1b4940fa078f530cb5ec3c95300ff5033da223

Download Submit
C:\Users\Admin\AppData\Local\Temp\moapny.exe

Filesize
683KB

MD5
8d3b468cfa459a2be58a47f7c3041ad7

SHA1
f32757483c6f764621545a0d4378d59ad117f285

SHA256
f082fe9b4a7a906ddf63e633f9257c1947b8c25e9bf1f289cb857841830a0ad6

SHA512
b6a40bbf0497dae38adfd0a8a44872091dd2f46fd63f51bdae0bda0bace80f2de86dc886ef2ba02e0a3c9a7a9c1b4940fa078f530cb5ec3c95300ff5033da223

Download Submit
C:\Users\Admin\AppData\Local\Temp\xyijbo.exe

Filesize
373KB

MD5
2dd360104aa62929f8103371d12bac72

SHA1
e76ced3d0a09de882ab3a9fceba4b1a5bd20b878

SHA256
bd502cac5e86d94233357c8ccc53659a9dd0591a5d34d2ddb98713e578a4a48c

SHA512
b289cd7aab0e9a8634c13508c91f5cba6a8d72a211daa8b5d9ac5f116d789e2f8fa586bbe998a0984ef9adb491a297042bb17287ae17a0f43d0a126a5ac7a868

Download Submit
C:\Users\Admin\AppData\Local\Temp\xyijbo.exe

Filesize
373KB

MD5
2dd360104aa62929f8103371d12bac72

SHA1
e76ced3d0a09de882ab3a9fceba4b1a5bd20b878

SHA256
bd502cac5e86d94233357c8ccc53659a9dd0591a5d34d2ddb98713e578a4a48c

SHA512
b289cd7aab0e9a8634c13508c91f5cba6a8d72a211daa8b5d9ac5f116d789e2f8fa586bbe998a0984ef9adb491a297042bb17287ae17a0f43d0a126a5ac7a868

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA239.tmp

Filesize
692KB

MD5
93a80d0a46b02303f53f63b542428324

SHA1
8eeb9edbd5edc4b5b40d9fbe66588e94cb3db0e5

SHA256
40402324ef8ba90b55bdcef5a51fbae7430197e7079a28878cb70037b5be4df0

SHA512
47f3b31f350bb107211f445f3016352610734b609870a238ba0e3d515145891dbc3e6de42534857e62bc15d2cde4d06e88eacc9bafa0759c314d90dbf09e0f9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA239.tmp

Filesize
692KB

MD5
93a80d0a46b02303f53f63b542428324

SHA1
8eeb9edbd5edc4b5b40d9fbe66588e94cb3db0e5

SHA256
40402324ef8ba90b55bdcef5a51fbae7430197e7079a28878cb70037b5be4df0

SHA512
47f3b31f350bb107211f445f3016352610734b609870a238ba0e3d515145891dbc3e6de42534857e62bc15d2cde4d06e88eacc9bafa0759c314d90dbf09e0f9b

Download Submit
memory/1332-141-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1332-146-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/3892-150-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/3892-152-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/4936-142-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/4936-136-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/4944-144-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/4944-132-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download