a70de4e2ac76eea5caaabcef3c554f07df3e30bb2bb6ac66ef661567b739b711

Analysis

max time kernel
208s
max time network
182s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
21/10/2022, 05:29

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a70de4e2ac76eea5caaabcef3c554f07df3e30bb2bb6ac66ef661567b739b711.exe
Size

644KB
MD5

7142c798f0cfa3d6a66710776303f4d0
SHA1

07fc086b536c8b3004ef2029cfb63affc574eced
SHA256

a70de4e2ac76eea5caaabcef3c554f07df3e30bb2bb6ac66ef661567b739b711
SHA512

7bc3db5cc88f063799109bee57867cac7edeb257cb16af339dcd4f9e5912f6be71d32ac7378f0698aaa8a5557a790ad4f912662dff3f89fffbb4dd96b02c005f
SSDEEP

12288:OHjcoe9PH96vB/fAuBcm9TyOE/xG3muGx44MG4Yx:ODgINfAuBcgcZG2uG24MG4Y

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
4936	fiduiva.exe
2012	~DFA25D.tmp
4348	guaxxob.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	a70de4e2ac76eea5caaabcef3c554f07df3e30bb2bb6ac66ef661567b739b711.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	~DFA25D.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 38 IoCs

pid	Process
4348	guaxxob.exe
4348	guaxxob.exe
4348	guaxxob.exe
4348	guaxxob.exe
4348	guaxxob.exe
4348	guaxxob.exe
4348	guaxxob.exe
4348	guaxxob.exe
4348	guaxxob.exe
4348	guaxxob.exe
4348	guaxxob.exe
4348	guaxxob.exe
4348	guaxxob.exe
4348	guaxxob.exe
4348	guaxxob.exe
4348	guaxxob.exe
4348	guaxxob.exe
4348	guaxxob.exe
4348	guaxxob.exe
4348	guaxxob.exe
4348	guaxxob.exe
4348	guaxxob.exe
4348	guaxxob.exe
4348	guaxxob.exe
4348	guaxxob.exe
4348	guaxxob.exe
4348	guaxxob.exe
4348	guaxxob.exe
4348	guaxxob.exe
4348	guaxxob.exe
4348	guaxxob.exe
4348	guaxxob.exe
4348	guaxxob.exe
4348	guaxxob.exe
4348	guaxxob.exe
4348	guaxxob.exe
4348	guaxxob.exe
4348	guaxxob.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2012	~DFA25D.tmp

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4216 wrote to memory of 4936	4216	a70de4e2ac76eea5caaabcef3c554f07df3e30bb2bb6ac66ef661567b739b711.exe	82
PID 4216 wrote to memory of 4936	4216	a70de4e2ac76eea5caaabcef3c554f07df3e30bb2bb6ac66ef661567b739b711.exe	82
PID 4216 wrote to memory of 4936	4216	a70de4e2ac76eea5caaabcef3c554f07df3e30bb2bb6ac66ef661567b739b711.exe	82
PID 4936 wrote to memory of 2012	4936	fiduiva.exe	83
PID 4936 wrote to memory of 2012	4936	fiduiva.exe	83
PID 4936 wrote to memory of 2012	4936	fiduiva.exe	83
PID 4216 wrote to memory of 3152	4216	a70de4e2ac76eea5caaabcef3c554f07df3e30bb2bb6ac66ef661567b739b711.exe	84
PID 4216 wrote to memory of 3152	4216	a70de4e2ac76eea5caaabcef3c554f07df3e30bb2bb6ac66ef661567b739b711.exe	84
PID 4216 wrote to memory of 3152	4216	a70de4e2ac76eea5caaabcef3c554f07df3e30bb2bb6ac66ef661567b739b711.exe	84
PID 2012 wrote to memory of 4348	2012	~DFA25D.tmp	88
PID 2012 wrote to memory of 4348	2012	~DFA25D.tmp	88
PID 2012 wrote to memory of 4348	2012	~DFA25D.tmp	88

C:\Users\Admin\AppData\Local\Temp\a70de4e2ac76eea5caaabcef3c554f07df3e30bb2bb6ac66ef661567b739b711.exe
"C:\Users\Admin\AppData\Local\Temp\a70de4e2ac76eea5caaabcef3c554f07df3e30bb2bb6ac66ef661567b739b711.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4216
- C:\Users\Admin\AppData\Local\Temp\fiduiva.exe
  C:\Users\Admin\AppData\Local\Temp\fiduiva.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4936
- - C:\Users\Admin\AppData\Local\Temp\~DFA25D.tmp
    C:\Users\Admin\AppData\Local\Temp\~DFA25D.tmp OK
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2012
  - - C:\Users\Admin\AppData\Local\Temp\guaxxob.exe
      "C:\Users\Admin\AppData\Local\Temp\guaxxob.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:4348
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
  2⤵
  PID:3152

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uninsep.bat

Filesize
341B

MD5
8f812cf6a3400fa09e15a28c7b169b3a

SHA1
3bbf0763ad8e7687ec2f65beb94142955c6afe86

SHA256
3896b30f3109503946a3186b321a7533e01a20f9a4cdef935fe0857f891675f1

SHA512
ed3c7b4c8ebd1dfd0d1f716564305c1626832b308a4b165fee6ba1068b648350a794ae1a55afb835937e0f937cb2d2ef05d7deefd6d3e2327e56d343a4052b72

Download Submit
C:\Users\Admin\AppData\Local\Temp\fiduiva.exe

Filesize
649KB

MD5
498a6cce484075a4bce0621013107baf

SHA1
5478aae2bf40a7f1745493e82c7e82e6bfeb66c6

SHA256
c730d3f4d23d50c6705059c9fb521602d4aaa58b4c95ee8eb691590b60e66ce1

SHA512
05418e1ae27cc9fda5c9d132b10728d5ff4e4c9cd986ef0673d908f4bd5505a550034cb8a8cd75347f0630b43c72d30e2f74968b98230df1e34986e603c8da95

Download Submit
C:\Users\Admin\AppData\Local\Temp\fiduiva.exe

Filesize
649KB

MD5
498a6cce484075a4bce0621013107baf

SHA1
5478aae2bf40a7f1745493e82c7e82e6bfeb66c6

SHA256
c730d3f4d23d50c6705059c9fb521602d4aaa58b4c95ee8eb691590b60e66ce1

SHA512
05418e1ae27cc9fda5c9d132b10728d5ff4e4c9cd986ef0673d908f4bd5505a550034cb8a8cd75347f0630b43c72d30e2f74968b98230df1e34986e603c8da95

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
86bb2dbeaef655893262f3c041f6afe2

SHA1
1b26ff1241c1353bd506c18bd0c11878076ba65d

SHA256
4a57643d2c59d1235bc0926f845583f39345839e3e9428ad619eb4b6baf96ad2

SHA512
58294cfaa5882a4c5625c03fe6f9e4882912b31f7169241f95626745d66c0a746083a9044365943d66ae7a420113d28c0ddd642c4ed697c683deb63796a13d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
480B

MD5
61b0c8cb596553c5e913467dba85b31f

SHA1
715e7c7cb7be2c0b2bba38153e4fb07839e31936

SHA256
6365336999043ba5ddf1d7a789ea948f0a1a36d4271ab568b50a5956e347b76b

SHA512
e808c27efdeaab4aaec32ced82247c2bbfd068091aeb0a9d2c84c58bf2a0ce391fe225d32978e6a338bb76f48aa66185e44a70545e79df36488ab5c19b905ad1

Download Submit
C:\Users\Admin\AppData\Local\Temp\guaxxob.exe

Filesize
374KB

MD5
9623322e844d5e927e42b94860bb6f64

SHA1
a270238a3da30ec0fe69cf2f5435425adf4b8588

SHA256
0860152c0e5d5f6545db9f07260c5d88c27d1f5040dd6333dc48af9b679ca259

SHA512
83cb01740274e938114ba266b63e6819ee819d79c21da11d58230d0b86c19296a7d5437122259694059f940136db6966c0d3c0807b80ca2e2c2be29988d7dbcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\guaxxob.exe

Filesize
374KB

MD5
9623322e844d5e927e42b94860bb6f64

SHA1
a270238a3da30ec0fe69cf2f5435425adf4b8588

SHA256
0860152c0e5d5f6545db9f07260c5d88c27d1f5040dd6333dc48af9b679ca259

SHA512
83cb01740274e938114ba266b63e6819ee819d79c21da11d58230d0b86c19296a7d5437122259694059f940136db6966c0d3c0807b80ca2e2c2be29988d7dbcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA25D.tmp

Filesize
654KB

MD5
746a5161fe7e98e4ec2d774a2e50ab2f

SHA1
7621457ea6e546e04c47da5777a103a42dc5cd9c

SHA256
4aff6801a6aa6f273f20bc284da93a9090e6e70f78a7891b0339d722d1800006

SHA512
c6d19547d437823b6a9904bfcab3d6be85ce8c138e35795e4924c7f6d16786d63b0ff7d7e0fd484fa3382db0f2a593e3f940ac8ade95fd7dc50365cfe562ae9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA25D.tmp

Filesize
654KB

MD5
746a5161fe7e98e4ec2d774a2e50ab2f

SHA1
7621457ea6e546e04c47da5777a103a42dc5cd9c

SHA256
4aff6801a6aa6f273f20bc284da93a9090e6e70f78a7891b0339d722d1800006

SHA512
c6d19547d437823b6a9904bfcab3d6be85ce8c138e35795e4924c7f6d16786d63b0ff7d7e0fd484fa3382db0f2a593e3f940ac8ade95fd7dc50365cfe562ae9a

Download Submit
memory/2012-141-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/2012-146-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/4216-144-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/4216-132-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/4348-151-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/4348-152-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/4936-137-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/4936-142-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download