97e7b47b43c8b7f56254ec2f90025cd59b41280b464e613464ebe14511d36604

Analysis

max time kernel
153s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
20-10-2022 07:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

97e7b47b43c8b7f56254ec2f90025cd59b41280b464e613464ebe14511d36604.exe
Size

643KB
MD5

7740641a27d787b3930ba942b9b88680
SHA1

b34365de71add287e5c4d2d598aa45c5f2bd9110
SHA256

97e7b47b43c8b7f56254ec2f90025cd59b41280b464e613464ebe14511d36604
SHA512

ac07915dd62968c50cd2ebbb516c6a89616c9b00bbe5af99b6800cb785e61ae36d361ffdbb8ec976a920eca014a8d5173447c2475032f3d81554e554314874e7
SSDEEP

12288:OHjcoe9PH96vB/fAuBcm9TyOE/xG3muGx44MG4Yx:ODgINfAuBcgcZG2uG24MG4Y

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
548	zoafaep.exe
1616	~DFA248.tmp
3788	uspebep.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	97e7b47b43c8b7f56254ec2f90025cd59b41280b464e613464ebe14511d36604.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	~DFA248.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 38 IoCs

pid	Process
3788	uspebep.exe
3788	uspebep.exe
3788	uspebep.exe
3788	uspebep.exe
3788	uspebep.exe
3788	uspebep.exe
3788	uspebep.exe
3788	uspebep.exe
3788	uspebep.exe
3788	uspebep.exe
3788	uspebep.exe
3788	uspebep.exe
3788	uspebep.exe
3788	uspebep.exe
3788	uspebep.exe
3788	uspebep.exe
3788	uspebep.exe
3788	uspebep.exe
3788	uspebep.exe
3788	uspebep.exe
3788	uspebep.exe
3788	uspebep.exe
3788	uspebep.exe
3788	uspebep.exe
3788	uspebep.exe
3788	uspebep.exe
3788	uspebep.exe
3788	uspebep.exe
3788	uspebep.exe
3788	uspebep.exe
3788	uspebep.exe
3788	uspebep.exe
3788	uspebep.exe
3788	uspebep.exe
3788	uspebep.exe
3788	uspebep.exe
3788	uspebep.exe
3788	uspebep.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1616	~DFA248.tmp

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2104 wrote to memory of 548	2104	97e7b47b43c8b7f56254ec2f90025cd59b41280b464e613464ebe14511d36604.exe	82
PID 2104 wrote to memory of 548	2104	97e7b47b43c8b7f56254ec2f90025cd59b41280b464e613464ebe14511d36604.exe	82
PID 2104 wrote to memory of 548	2104	97e7b47b43c8b7f56254ec2f90025cd59b41280b464e613464ebe14511d36604.exe	82
PID 548 wrote to memory of 1616	548	zoafaep.exe	83
PID 548 wrote to memory of 1616	548	zoafaep.exe	83
PID 548 wrote to memory of 1616	548	zoafaep.exe	83
PID 2104 wrote to memory of 2300	2104	97e7b47b43c8b7f56254ec2f90025cd59b41280b464e613464ebe14511d36604.exe	84
PID 2104 wrote to memory of 2300	2104	97e7b47b43c8b7f56254ec2f90025cd59b41280b464e613464ebe14511d36604.exe	84
PID 2104 wrote to memory of 2300	2104	97e7b47b43c8b7f56254ec2f90025cd59b41280b464e613464ebe14511d36604.exe	84
PID 1616 wrote to memory of 3788	1616	~DFA248.tmp	94
PID 1616 wrote to memory of 3788	1616	~DFA248.tmp	94
PID 1616 wrote to memory of 3788	1616	~DFA248.tmp	94

C:\Users\Admin\AppData\Local\Temp\97e7b47b43c8b7f56254ec2f90025cd59b41280b464e613464ebe14511d36604.exe
"C:\Users\Admin\AppData\Local\Temp\97e7b47b43c8b7f56254ec2f90025cd59b41280b464e613464ebe14511d36604.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2104
- C:\Users\Admin\AppData\Local\Temp\zoafaep.exe
  C:\Users\Admin\AppData\Local\Temp\zoafaep.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:548
- - C:\Users\Admin\AppData\Local\Temp\~DFA248.tmp
    C:\Users\Admin\AppData\Local\Temp\~DFA248.tmp OK
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1616
  - - C:\Users\Admin\AppData\Local\Temp\uspebep.exe
      "C:\Users\Admin\AppData\Local\Temp\uspebep.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:3788
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
  2⤵
  PID:2300

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uninsep.bat

Filesize
341B

MD5
2e03b3b3cade82a5bf82038228c5ff88

SHA1
df7c1e4441d7632f47eafec74a0e8bb4bd6c021f

SHA256
a4ff0909efc46f2e9475b3a26d493b0321bccf4292bd56e110b6d27f70b09354

SHA512
36dd3e2abcd7f2b3a3a7f2f95a10cd53453d064e9c6b4861a139b45c1f1cc8b837be20ab0bf66b9600a1929f9918307e1a030c8ba2535575685ce8fa1a0fcdf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
86bb2dbeaef655893262f3c041f6afe2

SHA1
1b26ff1241c1353bd506c18bd0c11878076ba65d

SHA256
4a57643d2c59d1235bc0926f845583f39345839e3e9428ad619eb4b6baf96ad2

SHA512
58294cfaa5882a4c5625c03fe6f9e4882912b31f7169241f95626745d66c0a746083a9044365943d66ae7a420113d28c0ddd642c4ed697c683deb63796a13d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
480B

MD5
b7fa8426cd43362f893bbbf0e340c929

SHA1
6bc4fe3396e4e1b16b47a27ea85a106ead32780c

SHA256
a36ecc2ddf9c91f9ac12cbeec361236f8bfe7c7a9ee2b2aea453869076a34a94

SHA512
4190da6954f0fd26d16c6f2df0cebf18fb8ea82c5fd362db809e64b2a47894cd1ae82f63a8368b85196f31ced3a19f9a8b2738703025ddb9d53c9b2e65b2b8a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\uspebep.exe

Filesize
397KB

MD5
f0de0e6581feecf526b69ef4f102ecf7

SHA1
1d659a9b311a480935299b59311883dc83204b64

SHA256
79a4bd0cdd90b1623f13e17fbe1146a08e556daa6fe710fd664a13c6992ab2ed

SHA512
e58ba68eef8555e1abfa33d6e0b267c8cdecf9083699a2380a1aa9941d3e1a7673e1dd776991744eda8f2cd17ae667a576284776485aeef910d8b475e35bfad0

Download Submit
C:\Users\Admin\AppData\Local\Temp\uspebep.exe

Filesize
397KB

MD5
f0de0e6581feecf526b69ef4f102ecf7

SHA1
1d659a9b311a480935299b59311883dc83204b64

SHA256
79a4bd0cdd90b1623f13e17fbe1146a08e556daa6fe710fd664a13c6992ab2ed

SHA512
e58ba68eef8555e1abfa33d6e0b267c8cdecf9083699a2380a1aa9941d3e1a7673e1dd776991744eda8f2cd17ae667a576284776485aeef910d8b475e35bfad0

Download Submit
C:\Users\Admin\AppData\Local\Temp\zoafaep.exe

Filesize
646KB

MD5
76d3613fcb2e7e945d2918e5897f10e9

SHA1
1f7bd411d0aab1bac9cca60b623ecec08071d839

SHA256
e50698e9fe4fb5cad3b4bc72994788b3fe4a11095b5f1e3c17e047cc8afa4fcb

SHA512
7b5320323c79c64ea09625f5e0390acf619e19fc7ac0b1edc18c596ed9200d709a5dd9fbb8f5bcdec6c1d2f1df9087d48c53b40a401a3720b3a21c6a9d25fee1

Download Submit
C:\Users\Admin\AppData\Local\Temp\zoafaep.exe

Filesize
646KB

MD5
76d3613fcb2e7e945d2918e5897f10e9

SHA1
1f7bd411d0aab1bac9cca60b623ecec08071d839

SHA256
e50698e9fe4fb5cad3b4bc72994788b3fe4a11095b5f1e3c17e047cc8afa4fcb

SHA512
7b5320323c79c64ea09625f5e0390acf619e19fc7ac0b1edc18c596ed9200d709a5dd9fbb8f5bcdec6c1d2f1df9087d48c53b40a401a3720b3a21c6a9d25fee1

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA248.tmp

Filesize
650KB

MD5
f62ee2610f95453798c1280c9e37d283

SHA1
d8f23d79956b685afd4d62867606c7b37bada1e0

SHA256
f6c5c78a519a348ecead577901645cc24e661c49b8e28fa04d188d1c7985df12

SHA512
73e0e91ae9bc041d70b13e1ddfc2efe7c9226f92c58ddc8f94de615ebfbc713e86d9bd42429fefa6426df19adb9e803837fb0e1ff8f7f4906ca84dcd64f3e659

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA248.tmp

Filesize
650KB

MD5
f62ee2610f95453798c1280c9e37d283

SHA1
d8f23d79956b685afd4d62867606c7b37bada1e0

SHA256
f6c5c78a519a348ecead577901645cc24e661c49b8e28fa04d188d1c7985df12

SHA512
73e0e91ae9bc041d70b13e1ddfc2efe7c9226f92c58ddc8f94de615ebfbc713e86d9bd42429fefa6426df19adb9e803837fb0e1ff8f7f4906ca84dcd64f3e659

Download Submit
memory/548-133-0x0000000000000000-mapping.dmp

Download
memory/548-137-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/548-143-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1616-142-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1616-147-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1616-138-0x0000000000000000-mapping.dmp

Download
memory/2104-145-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/2104-132-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/2104-141-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/2300-144-0x0000000000000000-mapping.dmp

Download
memory/3788-148-0x0000000000000000-mapping.dmp

Download
memory/3788-151-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/3788-153-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download