8a3d61edaf8ce5aecfe7bab839168765ae9284d87cb78f2c765497e0f2f1dc49

Analysis

max time kernel
151s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
20/10/2022, 07:13

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

8a3d61edaf8ce5aecfe7bab839168765ae9284d87cb78f2c765497e0f2f1dc49.exe
Size

629KB
MD5

43cb6f8a70d8c750fb6abda57ff0eb30
SHA1

96027176984248e7de1a225aa4642f02af85f3e7
SHA256

8a3d61edaf8ce5aecfe7bab839168765ae9284d87cb78f2c765497e0f2f1dc49
SHA512

44d35bfc4091072933ca0b706e9ce42a78bf5de011137cd17b96fa0b7da55be26dd4502043e298784945cb3fad02a7138e741b61d586003ab29dcebeaac8e39f
SSDEEP

12288:OHjcoe9PH96vB/fAuBcm9TyOE/xG3muGx44MG4Yx:ODgINfAuBcgcZG2uG24MG4Y

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
4372	wypyzuc.exe
3544	~DFA224.tmp
4804	qesoquf.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	8a3d61edaf8ce5aecfe7bab839168765ae9284d87cb78f2c765497e0f2f1dc49.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	~DFA224.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 34 IoCs

pid	Process
4804	qesoquf.exe
4804	qesoquf.exe
4804	qesoquf.exe
4804	qesoquf.exe
4804	qesoquf.exe
4804	qesoquf.exe
4804	qesoquf.exe
4804	qesoquf.exe
4804	qesoquf.exe
4804	qesoquf.exe
4804	qesoquf.exe
4804	qesoquf.exe
4804	qesoquf.exe
4804	qesoquf.exe
4804	qesoquf.exe
4804	qesoquf.exe
4804	qesoquf.exe
4804	qesoquf.exe
4804	qesoquf.exe
4804	qesoquf.exe
4804	qesoquf.exe
4804	qesoquf.exe
4804	qesoquf.exe
4804	qesoquf.exe
4804	qesoquf.exe
4804	qesoquf.exe
4804	qesoquf.exe
4804	qesoquf.exe
4804	qesoquf.exe
4804	qesoquf.exe
4804	qesoquf.exe
4804	qesoquf.exe
4804	qesoquf.exe
4804	qesoquf.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3544	~DFA224.tmp

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4624 wrote to memory of 4372	4624	8a3d61edaf8ce5aecfe7bab839168765ae9284d87cb78f2c765497e0f2f1dc49.exe	79
PID 4624 wrote to memory of 4372	4624	8a3d61edaf8ce5aecfe7bab839168765ae9284d87cb78f2c765497e0f2f1dc49.exe	79
PID 4624 wrote to memory of 4372	4624	8a3d61edaf8ce5aecfe7bab839168765ae9284d87cb78f2c765497e0f2f1dc49.exe	79
PID 4372 wrote to memory of 3544	4372	wypyzuc.exe	80
PID 4372 wrote to memory of 3544	4372	wypyzuc.exe	80
PID 4372 wrote to memory of 3544	4372	wypyzuc.exe	80
PID 4624 wrote to memory of 1336	4624	8a3d61edaf8ce5aecfe7bab839168765ae9284d87cb78f2c765497e0f2f1dc49.exe	82
PID 4624 wrote to memory of 1336	4624	8a3d61edaf8ce5aecfe7bab839168765ae9284d87cb78f2c765497e0f2f1dc49.exe	82
PID 4624 wrote to memory of 1336	4624	8a3d61edaf8ce5aecfe7bab839168765ae9284d87cb78f2c765497e0f2f1dc49.exe	82
PID 3544 wrote to memory of 4804	3544	~DFA224.tmp	89
PID 3544 wrote to memory of 4804	3544	~DFA224.tmp	89
PID 3544 wrote to memory of 4804	3544	~DFA224.tmp	89

C:\Users\Admin\AppData\Local\Temp\8a3d61edaf8ce5aecfe7bab839168765ae9284d87cb78f2c765497e0f2f1dc49.exe
"C:\Users\Admin\AppData\Local\Temp\8a3d61edaf8ce5aecfe7bab839168765ae9284d87cb78f2c765497e0f2f1dc49.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4624
- C:\Users\Admin\AppData\Local\Temp\wypyzuc.exe
  C:\Users\Admin\AppData\Local\Temp\wypyzuc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4372
- - C:\Users\Admin\AppData\Local\Temp\~DFA224.tmp
    C:\Users\Admin\AppData\Local\Temp\~DFA224.tmp OK
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3544
  - - C:\Users\Admin\AppData\Local\Temp\qesoquf.exe
      "C:\Users\Admin\AppData\Local\Temp\qesoquf.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:4804
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
  2⤵
  PID:1336

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uninsep.bat

Filesize
341B

MD5
83fae2f7d2ca5eec2e48e519e47d5dfa

SHA1
652955985ba5a05418cebb53698a2f11e6d7a5f0

SHA256
b9f4a008abb2b6940825602bdd67bdd4838839fe96db368e31a34f2af0e3a941

SHA512
10ecabf190855cb2b1675b0ddfc133140063f8b3f8e9ca664a4eb306a0ac1e435d0452d567c80a6d5ceab364b418480f327b32b5bf52aa0fdffb1346b66a587c

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
86bb2dbeaef655893262f3c041f6afe2

SHA1
1b26ff1241c1353bd506c18bd0c11878076ba65d

SHA256
4a57643d2c59d1235bc0926f845583f39345839e3e9428ad619eb4b6baf96ad2

SHA512
58294cfaa5882a4c5625c03fe6f9e4882912b31f7169241f95626745d66c0a746083a9044365943d66ae7a420113d28c0ddd642c4ed697c683deb63796a13d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
480B

MD5
e8b3d8c2795ebb4bb8e65c31f417703e

SHA1
cce26612ad9fabb87efa726b6c85014df9724686

SHA256
89d164871f327ec079bac13d8b21e2155e2a72ef9f31d5a2cf4e508327b8a0c5

SHA512
432b51dc29787853bcf953631fe34a3306ef148eecb6a03c045a09a0d031c4de5d71f44cceec9bcf0de2c5185f344f957d0a8858c019e882db6dd5843ac61709

Download Submit
C:\Users\Admin\AppData\Local\Temp\qesoquf.exe

Filesize
380KB

MD5
20bf26042df76c1b7c71df65ec7b47a8

SHA1
82e097a257fdecca50fb9cad3bacd29b53beaf0d

SHA256
9adb007c42f113b310cda8108de74c114fbbd96020cf86057d98b3873d756207

SHA512
897693df966c2f0d0fe167fd0d9fe95614b335518af7f50c390b5028beb710917b8bc6709d8dbb3aab0fe938bf40674f78ac1a4edf73e990a2243527b92ebd38

Download Submit
C:\Users\Admin\AppData\Local\Temp\qesoquf.exe

Filesize
380KB

MD5
20bf26042df76c1b7c71df65ec7b47a8

SHA1
82e097a257fdecca50fb9cad3bacd29b53beaf0d

SHA256
9adb007c42f113b310cda8108de74c114fbbd96020cf86057d98b3873d756207

SHA512
897693df966c2f0d0fe167fd0d9fe95614b335518af7f50c390b5028beb710917b8bc6709d8dbb3aab0fe938bf40674f78ac1a4edf73e990a2243527b92ebd38

Download Submit
C:\Users\Admin\AppData\Local\Temp\wypyzuc.exe

Filesize
636KB

MD5
ba86ff640be04cb2c3f812ace41f0516

SHA1
5e72a0d2562aec764ad28ddc39d26957b5e489ee

SHA256
b167fc3733a002183824bb56428ee8ad948df0cd367f713385ecde6c17a4e6c5

SHA512
cc496f54e464c97d2db647a8ca640bb3735f726c75af506d9790d883e50fbf7cf3384aada286e629b0d7186414213532f81210b7ed4a27f357b42a6a1aa06326

Download Submit
C:\Users\Admin\AppData\Local\Temp\wypyzuc.exe

Filesize
636KB

MD5
ba86ff640be04cb2c3f812ace41f0516

SHA1
5e72a0d2562aec764ad28ddc39d26957b5e489ee

SHA256
b167fc3733a002183824bb56428ee8ad948df0cd367f713385ecde6c17a4e6c5

SHA512
cc496f54e464c97d2db647a8ca640bb3735f726c75af506d9790d883e50fbf7cf3384aada286e629b0d7186414213532f81210b7ed4a27f357b42a6a1aa06326

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA224.tmp

Filesize
644KB

MD5
9fec3d61d23bf8179afa83f05954ee94

SHA1
a633ca73b79f403b361de3f059cc189584a45f89

SHA256
53a2cf440a3ab5f403374b05da927b753e072f5ad60f035be0effe44bab1293d

SHA512
f983e8edc12a27bd1d050d04f6dab167b600d95fb2c863f088df0abf08a19643a8307f3363d1c4268d5e6c8701f6b91644607296bb638d3c73fd0f533454bc6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA224.tmp

Filesize
644KB

MD5
9fec3d61d23bf8179afa83f05954ee94

SHA1
a633ca73b79f403b361de3f059cc189584a45f89

SHA256
53a2cf440a3ab5f403374b05da927b753e072f5ad60f035be0effe44bab1293d

SHA512
f983e8edc12a27bd1d050d04f6dab167b600d95fb2c863f088df0abf08a19643a8307f3363d1c4268d5e6c8701f6b91644607296bb638d3c73fd0f533454bc6a

Download Submit
memory/3544-141-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/3544-146-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/4372-142-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/4372-140-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/4624-144-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/4624-139-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/4804-150-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/4804-152-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download