a3af75b70292fd289be528013bbf9f4d2ddfd89812cf44f772b872e4363c1d94

Analysis

max time kernel
164s
max time network
169s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
21/10/2022, 05:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a3af75b70292fd289be528013bbf9f4d2ddfd89812cf44f772b872e4363c1d94.exe
Size

658KB
MD5

732d5b5bdbcb7e6e110f19b42a31c3c0
SHA1

e720df01778e30627609fbb4cebcc3d7f3b1b9af
SHA256

a3af75b70292fd289be528013bbf9f4d2ddfd89812cf44f772b872e4363c1d94
SHA512

85eb27e02d8d1e766ec71735e62f73d4ee5005e824df26a30aea4b972fc048970457ff16d22873dbd35d5ce7973f90cac4b723ca975a558ee489446c1be22edb
SSDEEP

12288:VHjcoe9PH96vB/fAuBcm9TyOE/xG3muGx44MG4Yx:VDgINfAuBcgcZG2uG24MG4Y

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
3864	ejqumen.exe
3224	~DFA271.tmp
1480	azjenen.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	a3af75b70292fd289be528013bbf9f4d2ddfd89812cf44f772b872e4363c1d94.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	~DFA271.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
1480	azjenen.exe
1480	azjenen.exe
1480	azjenen.exe
1480	azjenen.exe
1480	azjenen.exe
1480	azjenen.exe
1480	azjenen.exe
1480	azjenen.exe
1480	azjenen.exe
1480	azjenen.exe
1480	azjenen.exe
1480	azjenen.exe
1480	azjenen.exe
1480	azjenen.exe
1480	azjenen.exe
1480	azjenen.exe
1480	azjenen.exe
1480	azjenen.exe
1480	azjenen.exe
1480	azjenen.exe
1480	azjenen.exe
1480	azjenen.exe
1480	azjenen.exe
1480	azjenen.exe
1480	azjenen.exe
1480	azjenen.exe
1480	azjenen.exe
1480	azjenen.exe
1480	azjenen.exe
1480	azjenen.exe
1480	azjenen.exe
1480	azjenen.exe
1480	azjenen.exe
1480	azjenen.exe
1480	azjenen.exe
1480	azjenen.exe
1480	azjenen.exe
1480	azjenen.exe
1480	azjenen.exe
1480	azjenen.exe
1480	azjenen.exe
1480	azjenen.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3224	~DFA271.tmp

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3784 wrote to memory of 3864	3784	a3af75b70292fd289be528013bbf9f4d2ddfd89812cf44f772b872e4363c1d94.exe	81
PID 3784 wrote to memory of 3864	3784	a3af75b70292fd289be528013bbf9f4d2ddfd89812cf44f772b872e4363c1d94.exe	81
PID 3784 wrote to memory of 3864	3784	a3af75b70292fd289be528013bbf9f4d2ddfd89812cf44f772b872e4363c1d94.exe	81
PID 3864 wrote to memory of 3224	3864	ejqumen.exe	82
PID 3864 wrote to memory of 3224	3864	ejqumen.exe	82
PID 3864 wrote to memory of 3224	3864	ejqumen.exe	82
PID 3784 wrote to memory of 4092	3784	a3af75b70292fd289be528013bbf9f4d2ddfd89812cf44f772b872e4363c1d94.exe	83
PID 3784 wrote to memory of 4092	3784	a3af75b70292fd289be528013bbf9f4d2ddfd89812cf44f772b872e4363c1d94.exe	83
PID 3784 wrote to memory of 4092	3784	a3af75b70292fd289be528013bbf9f4d2ddfd89812cf44f772b872e4363c1d94.exe	83
PID 3224 wrote to memory of 1480	3224	~DFA271.tmp	93
PID 3224 wrote to memory of 1480	3224	~DFA271.tmp	93
PID 3224 wrote to memory of 1480	3224	~DFA271.tmp	93

C:\Users\Admin\AppData\Local\Temp\a3af75b70292fd289be528013bbf9f4d2ddfd89812cf44f772b872e4363c1d94.exe
"C:\Users\Admin\AppData\Local\Temp\a3af75b70292fd289be528013bbf9f4d2ddfd89812cf44f772b872e4363c1d94.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3784
- C:\Users\Admin\AppData\Local\Temp\ejqumen.exe
  C:\Users\Admin\AppData\Local\Temp\ejqumen.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3864
- - C:\Users\Admin\AppData\Local\Temp\~DFA271.tmp
    C:\Users\Admin\AppData\Local\Temp\~DFA271.tmp OK
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3224
  - - C:\Users\Admin\AppData\Local\Temp\azjenen.exe
      "C:\Users\Admin\AppData\Local\Temp\azjenen.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:1480
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
  2⤵
  PID:4092

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uninsep.bat

Filesize
341B

MD5
c086a86709433d9ddb23931d92c3ddb9

SHA1
b97dd35218acb36479ef17753d218b1c2962c65c

SHA256
635a102e986eb8845241a2a4585f8de3ad3358727d8b0b5dea4fefc0a42db522

SHA512
eef9e346e1120163709d2abc91338179972c0b312e7c3548a45fe4b7dc364263a0808a6282b217fcad83a6f571c7a401c753d629b49a850833149f8d8d92836c

Download Submit
C:\Users\Admin\AppData\Local\Temp\azjenen.exe

Filesize
410KB

MD5
3b14b306d73761b6b259f391ecb5c219

SHA1
0fa905a73d442431a140e76920c1a63edcd6fa0f

SHA256
8cd78539d1e7af0fbb026cb40e94b020530b66afb559f5c15abb454a91d067fd

SHA512
f161c9cfaa5f7f0539681ee3e29bf9171ce710e3dbf8687db0a068880aa243d925a0eebdb0512a93c251b4dae380d6a68ad5cdfbe40f46de5665e8c4c442860e

Download Submit
C:\Users\Admin\AppData\Local\Temp\azjenen.exe

Filesize
410KB

MD5
3b14b306d73761b6b259f391ecb5c219

SHA1
0fa905a73d442431a140e76920c1a63edcd6fa0f

SHA256
8cd78539d1e7af0fbb026cb40e94b020530b66afb559f5c15abb454a91d067fd

SHA512
f161c9cfaa5f7f0539681ee3e29bf9171ce710e3dbf8687db0a068880aa243d925a0eebdb0512a93c251b4dae380d6a68ad5cdfbe40f46de5665e8c4c442860e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ejqumen.exe

Filesize
663KB

MD5
90188717ff25066b12e56805b766fba8

SHA1
e9ed3570a2df22261cab8e466e60baab02881407

SHA256
bfbc157656b2bf3773de6212faffc139d69ebfc66ba79155c25dd144048f64c3

SHA512
d8eae7a2ea1f2bfd3808e49214a9df1c70f92aa5d0d729f59bf791097fc9a8df2d6bedb3661c07771f7967c38a206b3f83c2509305e5c498e7b5eaf539e37c9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ejqumen.exe

Filesize
663KB

MD5
90188717ff25066b12e56805b766fba8

SHA1
e9ed3570a2df22261cab8e466e60baab02881407

SHA256
bfbc157656b2bf3773de6212faffc139d69ebfc66ba79155c25dd144048f64c3

SHA512
d8eae7a2ea1f2bfd3808e49214a9df1c70f92aa5d0d729f59bf791097fc9a8df2d6bedb3661c07771f7967c38a206b3f83c2509305e5c498e7b5eaf539e37c9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
86bb2dbeaef655893262f3c041f6afe2

SHA1
1b26ff1241c1353bd506c18bd0c11878076ba65d

SHA256
4a57643d2c59d1235bc0926f845583f39345839e3e9428ad619eb4b6baf96ad2

SHA512
58294cfaa5882a4c5625c03fe6f9e4882912b31f7169241f95626745d66c0a746083a9044365943d66ae7a420113d28c0ddd642c4ed697c683deb63796a13d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
480B

MD5
b21f54c0e7f610a797743213417ae2a7

SHA1
7fdfb7ca440a740433cccc1cb6232af7a8861d7f

SHA256
69f56bd5bdbc5d4bd8a52fcdb05be5354bbc6bdd53126de5d084ab5868114f65

SHA512
eb2be5d7890b1e44b35a10bbebb7636611fcc50aa6bcd21218d7a013c8f46ffa374f34cb27163eb660fbe91c069439cc89d116d494d495748812d8abce9b6158

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA271.tmp

Filesize
669KB

MD5
385ef530fbc1db7c6a23af48d695d649

SHA1
5a0aa12bf2f7eb847a2bae84ec897c20a389e7a0

SHA256
87ed985598c540668afd1fa97937fdd69a9b4c1f6df2fafb6e2c9fa9bc6566fa

SHA512
d7236d1007e8654e826480a213ca8d19a8dfd2d34b77969585392e665eaf09796c1ca0cc7a3367513f8bcfc4f549aa0eeef43ef0a4ee9dc6d31e21f7114e101b

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA271.tmp

Filesize
669KB

MD5
385ef530fbc1db7c6a23af48d695d649

SHA1
5a0aa12bf2f7eb847a2bae84ec897c20a389e7a0

SHA256
87ed985598c540668afd1fa97937fdd69a9b4c1f6df2fafb6e2c9fa9bc6566fa

SHA512
d7236d1007e8654e826480a213ca8d19a8dfd2d34b77969585392e665eaf09796c1ca0cc7a3367513f8bcfc4f549aa0eeef43ef0a4ee9dc6d31e21f7114e101b

Download Submit
memory/1480-151-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/1480-149-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/3224-141-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/3784-143-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/3784-132-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/3864-145-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/3864-140-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download