effea44345ec783588f9c76873b7479e44a56a97eabfae6cd227fade90185658

Analysis

max time kernel
153s
max time network
135s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
20/10/2022, 17:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

effea44345ec783588f9c76873b7479e44a56a97eabfae6cd227fade90185658.exe
Size

648KB
MD5

a069d7bf37f77e2f29243cad9a481db0
SHA1

c67c18b9e200146572a0f923b3cc1fe0c1a8d53f
SHA256

effea44345ec783588f9c76873b7479e44a56a97eabfae6cd227fade90185658
SHA512

6beb78f47e8ee6b4d07fc9a3e92078dce6cd78a4dfd92c46d96d56906cbdedf1dddd24d5f8dc8ebdfc0dd84bfdf578ddb81955468395e1b570b6f96073da2d64
SSDEEP

12288:OHjcoe9PH96vB/fAuBcm9TyOE/xG3muGx44MG4Yx:ODgINfAuBcgcZG2uG24MG4Y

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
5016	atgok.exe
4900	~DFA241.tmp
5028	fudur.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	effea44345ec783588f9c76873b7479e44a56a97eabfae6cd227fade90185658.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	~DFA241.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 40 IoCs

pid	Process
5028	fudur.exe
5028	fudur.exe
5028	fudur.exe
5028	fudur.exe
5028	fudur.exe
5028	fudur.exe
5028	fudur.exe
5028	fudur.exe
5028	fudur.exe
5028	fudur.exe
5028	fudur.exe
5028	fudur.exe
5028	fudur.exe
5028	fudur.exe
5028	fudur.exe
5028	fudur.exe
5028	fudur.exe
5028	fudur.exe
5028	fudur.exe
5028	fudur.exe
5028	fudur.exe
5028	fudur.exe
5028	fudur.exe
5028	fudur.exe
5028	fudur.exe
5028	fudur.exe
5028	fudur.exe
5028	fudur.exe
5028	fudur.exe
5028	fudur.exe
5028	fudur.exe
5028	fudur.exe
5028	fudur.exe
5028	fudur.exe
5028	fudur.exe
5028	fudur.exe
5028	fudur.exe
5028	fudur.exe
5028	fudur.exe
5028	fudur.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4900	~DFA241.tmp

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 312 wrote to memory of 5016	312	effea44345ec783588f9c76873b7479e44a56a97eabfae6cd227fade90185658.exe	81
PID 312 wrote to memory of 5016	312	effea44345ec783588f9c76873b7479e44a56a97eabfae6cd227fade90185658.exe	81
PID 312 wrote to memory of 5016	312	effea44345ec783588f9c76873b7479e44a56a97eabfae6cd227fade90185658.exe	81
PID 5016 wrote to memory of 4900	5016	atgok.exe	82
PID 5016 wrote to memory of 4900	5016	atgok.exe	82
PID 5016 wrote to memory of 4900	5016	atgok.exe	82
PID 312 wrote to memory of 368	312	effea44345ec783588f9c76873b7479e44a56a97eabfae6cd227fade90185658.exe	83
PID 312 wrote to memory of 368	312	effea44345ec783588f9c76873b7479e44a56a97eabfae6cd227fade90185658.exe	83
PID 312 wrote to memory of 368	312	effea44345ec783588f9c76873b7479e44a56a97eabfae6cd227fade90185658.exe	83
PID 4900 wrote to memory of 5028	4900	~DFA241.tmp	93
PID 4900 wrote to memory of 5028	4900	~DFA241.tmp	93
PID 4900 wrote to memory of 5028	4900	~DFA241.tmp	93

C:\Users\Admin\AppData\Local\Temp\effea44345ec783588f9c76873b7479e44a56a97eabfae6cd227fade90185658.exe
"C:\Users\Admin\AppData\Local\Temp\effea44345ec783588f9c76873b7479e44a56a97eabfae6cd227fade90185658.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:312
- C:\Users\Admin\AppData\Local\Temp\atgok.exe
  C:\Users\Admin\AppData\Local\Temp\atgok.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:5016
- - C:\Users\Admin\AppData\Local\Temp\~DFA241.tmp
    C:\Users\Admin\AppData\Local\Temp\~DFA241.tmp OK
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4900
  - - C:\Users\Admin\AppData\Local\Temp\fudur.exe
      "C:\Users\Admin\AppData\Local\Temp\fudur.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:5028
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
  2⤵
  PID:368

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uninsep.bat

Filesize
341B

MD5
a603eae6eda0725cd90dc7b16ad56742

SHA1
e2c427ac4d2c4e9077c2fe135971ae4ef22ffb22

SHA256
1b4037e601043eca8b7a16f2dbeb494d80bf08257708c3ab3277e1a126e5ab72

SHA512
3cc35903fa993469beafb0e6e8dc2cd073710d323cba6298f7cc2f0d078de52d54a6e9504966c3c1f8daa32a90fb03a5649f1f7f956bd46c84f2b21d81536259

Download Submit
C:\Users\Admin\AppData\Local\Temp\atgok.exe

Filesize
654KB

MD5
73797fd8a2877be268ef6d1c7072d9f6

SHA1
065b1c421cd3970f0b0ad59ce8030214670e84d3

SHA256
be34663ae6d2c4fa5b6860514abbe01cc4013d4c5072b028d51a18109e60063c

SHA512
0c1ef047f22645f8c44609753ac716c54bfe48de112960a51c26478f92456aa0876ae66dd0e3da7b2f998bfef45634fa414e0c346a7284e9c67c622963f980be

Download Submit
C:\Users\Admin\AppData\Local\Temp\atgok.exe

Filesize
654KB

MD5
73797fd8a2877be268ef6d1c7072d9f6

SHA1
065b1c421cd3970f0b0ad59ce8030214670e84d3

SHA256
be34663ae6d2c4fa5b6860514abbe01cc4013d4c5072b028d51a18109e60063c

SHA512
0c1ef047f22645f8c44609753ac716c54bfe48de112960a51c26478f92456aa0876ae66dd0e3da7b2f998bfef45634fa414e0c346a7284e9c67c622963f980be

Download Submit
C:\Users\Admin\AppData\Local\Temp\fudur.exe

Filesize
388KB

MD5
402c172d48d96f318160bd04689e49c7

SHA1
488f8e6743844a13b3864dcd41472549527a4254

SHA256
dbfa992e28ef4655c7accc137c9072aa3315ddf61864f398a4d0aa84aa69c5a4

SHA512
67b2ce7d3fe35b309319c796ade3420e279c903e429a8ae7d7b927497586544fc0ab74862ae33e6c3bc8d74948fa9c1945b5af4d530ba6ea2a1a91adc7fc9a3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\fudur.exe

Filesize
388KB

MD5
402c172d48d96f318160bd04689e49c7

SHA1
488f8e6743844a13b3864dcd41472549527a4254

SHA256
dbfa992e28ef4655c7accc137c9072aa3315ddf61864f398a4d0aa84aa69c5a4

SHA512
67b2ce7d3fe35b309319c796ade3420e279c903e429a8ae7d7b927497586544fc0ab74862ae33e6c3bc8d74948fa9c1945b5af4d530ba6ea2a1a91adc7fc9a3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
86bb2dbeaef655893262f3c041f6afe2

SHA1
1b26ff1241c1353bd506c18bd0c11878076ba65d

SHA256
4a57643d2c59d1235bc0926f845583f39345839e3e9428ad619eb4b6baf96ad2

SHA512
58294cfaa5882a4c5625c03fe6f9e4882912b31f7169241f95626745d66c0a746083a9044365943d66ae7a420113d28c0ddd642c4ed697c683deb63796a13d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
480B

MD5
a355d3bc2c4a072515d900b407641903

SHA1
b9a39b83a6337faa5db07063f18900a521d71442

SHA256
ca7c3f5849c4c9644b287f7ebdc08c3e8aacda19cbb7eb5cc78c1184c0b6d5dd

SHA512
b5be45bbfc7402c3f3659c696f9be32affa9bbfc55045cfbd709d36fbe228660826c6e86c6d6fa403fe8d14e9295f954b696e6b3e344fdcaa6d9921fdca6ce06

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA241.tmp

Filesize
661KB

MD5
ac2748d85344b21ee78ad832cebc3f86

SHA1
ff5d309886884fdabb86588927d763135f0ba3a9

SHA256
519963c7e3e1f3dabfc554c0814bbdbfc2e3a260a63e484f6e7f2bd2166cc594

SHA512
53569ae519dbf7bc26545096260da77703f22c5b1d8444d9101c4e6c069751da5de4ba6d7f8a2f589018705ba58a176adc971eec2fcc1483c834156de9c3adc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA241.tmp

Filesize
661KB

MD5
ac2748d85344b21ee78ad832cebc3f86

SHA1
ff5d309886884fdabb86588927d763135f0ba3a9

SHA256
519963c7e3e1f3dabfc554c0814bbdbfc2e3a260a63e484f6e7f2bd2166cc594

SHA512
53569ae519dbf7bc26545096260da77703f22c5b1d8444d9101c4e6c069751da5de4ba6d7f8a2f589018705ba58a176adc971eec2fcc1483c834156de9c3adc7

Download Submit
memory/312-144-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/312-132-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/4900-142-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/5016-141-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/5016-137-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/5028-149-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/5028-151-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download