Analysis
max time kernel: 164s
max time network: 169s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21/10/2022, 05:30
Static task: static1
Behavioral task: behavioral1
  Sample: a3af75b70292fd289be528013bbf9f4d2ddfd89812cf44f772b872e4363c1d94.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: a3af75b70292fd289be528013bbf9f4d2ddfd89812cf44f772b872e4363c1d94.exe
  Resource: win10v2004-20220812-en
General
Target: a3af75b70292fd289be528013bbf9f4d2ddfd89812cf44f772b872e4363c1d94.exe
Size: 658KB
MD5: 732d5b5bdbcb7e6e110f19b42a31c3c0
SHA1: e720df01778e30627609fbb4cebcc3d7f3b1b9af
SHA256: a3af75b70292fd289be528013bbf9f4d2ddfd89812cf44f772b872e4363c1d94
SHA512: 85eb27e02d8d1e766ec71735e62f73d4ee5005e824df26a30aea4b972fc048970457ff16d22873dbd35d5ce7973f90cac4b723ca975a558ee489446c1be22edb
SSDEEP: 12288:VHjcoe9PH96vB/fAuBcm9TyOE/xG3muGx44MG4Yx:VDgINfAuBcgcZG2uG24MG4Y
Malware Config
Signatures
Executes dropped EXE (3 IoCs)
  pid   Process
  3864  ejqumen.exe
  3224  ~DFA271.tmp
  1480  azjenen.exe

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
  description        ioc                                                                                            Process
  Key value queried  \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation  a3af75b70292fd289be528013bbf9f4d2ddfd89812cf44f772b872e4363c1d94.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation  ~DFA271.tmp

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (42 IoCs)
  pid   Process
  1480  azjenen.exe   (42 identical entries, all from this one process)

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description               pid   Process
  Token: SeDebugPrivilege   3224  ~DFA271.tmp

Suspicious use of WriteProcessMemory (12 IoCs; each parent/child pair is logged three times, so four distinct pairs)
  description                          pid   Process                                                                  procid_target
  PID 3784 wrote to memory of 3864     3784  a3af75b70292fd289be528013bbf9f4d2ddfd89812cf44f772b872e4363c1d94.exe   81
  PID 3864 wrote to memory of 3224     3864  ejqumen.exe                                                              82
  PID 3784 wrote to memory of 4092     3784  a3af75b70292fd289be528013bbf9f4d2ddfd89812cf44f772b872e4363c1d94.exe   83
  PID 3224 wrote to memory of 1480     3224  ~DFA271.tmp                                                              93
Processes
(depth 1) C:\Users\Admin\AppData\Local\Temp\a3af75b70292fd289be528013bbf9f4d2ddfd89812cf44f772b872e4363c1d94.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\a3af75b70292fd289be528013bbf9f4d2ddfd89812cf44f772b872e4363c1d94.exe"
    PID: 3784
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    (depth 2) C:\Users\Admin\AppData\Local\Temp\ejqumen.exe
        cmdline: C:\Users\Admin\AppData\Local\Temp\ejqumen.exe
        PID: 3864
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
        (depth 3) C:\Users\Admin\AppData\Local\Temp\~DFA271.tmp
            cmdline: C:\Users\Admin\AppData\Local\Temp\~DFA271.tmp OK
            PID: 3224
            - Executes dropped EXE
            - Checks computer location settings
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            (depth 4) C:\Users\Admin\AppData\Local\Temp\azjenen.exe
                cmdline: "C:\Users\Admin\AppData\Local\Temp\azjenen.exe"
                PID: 1480
                - Executes dropped EXE
                - Suspicious behavior: EnumeratesProcesses
    (depth 2) C:\Windows\SysWOW64\cmd.exe
        cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
        PID: 4092
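The WriteProcessMemory IoCs and the Processes section above describe the same parent/child chain. As an added example (not part of the sandbox report and not the sample's code), the Python script below parses the "wrote to memory of" lines copied from this report, collapses the triplicated entries, rebuilds the process tree and annotates each node with the traits a triage analyst would key on here: a .tmp image run as a process, Temp-resident parents spawning Temp-resident children, cmd.exe /c on a batch file in Temp, and the SeDebugPrivilege token adjustment. The image paths and command lines are copied from the Processes section; the heuristics and all function names are this example's own assumptions.

```python
import re
from collections import OrderedDict

SAMPLE = "a3af75b70292fd289be528013bbf9f4d2ddfd89812cf44f772b872e4363c1d94.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"

# IoC lines copied from this report's "Suspicious use of WriteProcessMemory" signature.
# The sandbox logged every child launch three times; parse_edges() collapses the repeats.
IOC_LINES = f"""
PID 3784 wrote to memory of 3864 3784 {SAMPLE} 81
PID 3784 wrote to memory of 3864 3784 {SAMPLE} 81
PID 3784 wrote to memory of 3864 3784 {SAMPLE} 81
PID 3864 wrote to memory of 3224 3864 ejqumen.exe 82
PID 3864 wrote to memory of 3224 3864 ejqumen.exe 82
PID 3864 wrote to memory of 3224 3864 ejqumen.exe 82
PID 3784 wrote to memory of 4092 3784 {SAMPLE} 83
PID 3784 wrote to memory of 4092 3784 {SAMPLE} 83
PID 3784 wrote to memory of 4092 3784 {SAMPLE} 83
PID 3224 wrote to memory of 1480 3224 ~DFA271.tmp 93
PID 3224 wrote to memory of 1480 3224 ~DFA271.tmp 93
PID 3224 wrote to memory of 1480 3224 ~DFA271.tmp 93
"""

# (image path, command line) per PID, taken from the report's Processes section.
PROCESSES = {
    3784: (TEMP + "\\" + SAMPLE, f'"{TEMP}\\{SAMPLE}"'),
    3864: (TEMP + r"\ejqumen.exe", TEMP + r"\ejqumen.exe"),
    3224: (TEMP + r"\~DFA271.tmp", TEMP + r"\~DFA271.tmp OK"),
    1480: (TEMP + r"\azjenen.exe", f'"{TEMP}\\azjenen.exe"'),
    4092: (r"C:\Windows\SysWOW64\cmd.exe",
           r'C:\Windows\system32\cmd.exe /c ""' + TEMP + r'\_uninsep.bat" "'),
}
# From the report's "Suspicious use of AdjustPrivilegeToken" signature.
PRIVILEGES = {3224: ["SeDebugPrivilege"]}

EDGE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)")


def parse_edges(text):
    """Unique (parent_pid, child_pid) pairs in first-seen order."""
    edges = OrderedDict()
    for m in EDGE_RE.finditer(text):
        edges[(int(m.group(1)), int(m.group(2)))] = None
    return list(edges)


def build_tree(edges):
    """Return (children, parents, roots); a root is a parent that is never a child."""
    children, parents = {}, {}
    for parent, child in edges:
        children.setdefault(parent, []).append(child)
        parents[child] = parent
    roots = list(OrderedDict.fromkeys(p for p, _ in edges if p not in parents))
    return children, parents, roots


def in_temp(path):
    return "\\appdata\\local\\temp\\" in path.lower()


def flags(pid, parents):
    """Heuristic annotations for one node (this example's own, not the sandbox's)."""
    image, cmdline = PROCESSES[pid]
    reasons = []
    if not image.lower().endswith(".exe"):
        reasons.append("non-.exe image executed as a process")
    parent = parents.get(pid)
    if parent is not None and in_temp(image) and in_temp(PROCESSES[parent][0]):
        reasons.append("Temp-resident child of a Temp-resident parent")
    low = cmdline.lower()
    if image.lower().endswith("\\cmd.exe") and "/c" in low and ".bat" in low and in_temp(low):
        reasons.append("cmd.exe /c on a batch file in Temp")
    for priv in PRIVILEGES.get(pid, []):
        reasons.append("adjusts token: " + priv)
    return reasons


def render(children, parents, roots):
    """Indented tree, one line per process, each annotated with its flags."""
    lines = []

    def walk(pid, depth):
        name = PROCESSES[pid][0].rsplit("\\", 1)[-1]
        tag = flags(pid, parents)
        suffix = "  # " + "; ".join(tag) if tag else ""
        lines.append("  " * depth + f"{pid} {name}{suffix}")
        for child in children.get(pid, []):
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return lines


def analyze(text=IOC_LINES):
    return render(*build_tree(parse_edges(text)))


if __name__ == "__main__":
    print("\n".join(analyze()))
```

Running it reproduces the five-node tree shown in the Processes section from the IoC lines alone; the two depth-2 children of PID 3784 (ejqumen.exe and cmd.exe) come out as siblings, and only ~DFA271.tmp carries the SeDebugPrivilege annotation, matching the AdjustPrivilegeToken signature.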
Network
MITRE ATT&CK Enterprise v6
Downloads (dropped files; entries the report lists twice are shown once and marked)

Filesize: 341B
MD5: c086a86709433d9ddb23931d92c3ddb9
SHA1: b97dd35218acb36479ef17753d218b1c2962c65c
SHA256: 635a102e986eb8845241a2a4585f8de3ad3358727d8b0b5dea4fefc0a42db522
SHA512: eef9e346e1120163709d2abc91338179972c0b312e7c3548a45fe4b7dc364263a0808a6282b217fcad83a6f571c7a401c753d629b49a850833149f8d8d92836c

Filesize: 410KB (listed twice in the report)
MD5: 3b14b306d73761b6b259f391ecb5c219
SHA1: 0fa905a73d442431a140e76920c1a63edcd6fa0f
SHA256: 8cd78539d1e7af0fbb026cb40e94b020530b66afb559f5c15abb454a91d067fd
SHA512: f161c9cfaa5f7f0539681ee3e29bf9171ce710e3dbf8687db0a068880aa243d925a0eebdb0512a93c251b4dae380d6a68ad5cdfbe40f46de5665e8c4c442860e

Filesize: 663KB (listed twice in the report)
MD5: 90188717ff25066b12e56805b766fba8
SHA1: e9ed3570a2df22261cab8e466e60baab02881407
SHA256: bfbc157656b2bf3773de6212faffc139d69ebfc66ba79155c25dd144048f64c3
SHA512: d8eae7a2ea1f2bfd3808e49214a9df1c70f92aa5d0d729f59bf791097fc9a8df2d6bedb3661c07771f7967c38a206b3f83c2509305e5c498e7b5eaf539e37c9d

Filesize: 104B
MD5: 86bb2dbeaef655893262f3c041f6afe2
SHA1: 1b26ff1241c1353bd506c18bd0c11878076ba65d
SHA256: 4a57643d2c59d1235bc0926f845583f39345839e3e9428ad619eb4b6baf96ad2
SHA512: 58294cfaa5882a4c5625c03fe6f9e4882912b31f7169241f95626745d66c0a746083a9044365943d66ae7a420113d28c0ddd642c4ed697c683deb63796a13d31

Filesize: 480B
MD5: b21f54c0e7f610a797743213417ae2a7
SHA1: 7fdfb7ca440a740433cccc1cb6232af7a8861d7f
SHA256: 69f56bd5bdbc5d4bd8a52fcdb05be5354bbc6bdd53126de5d084ab5868114f65
SHA512: eb2be5d7890b1e44b35a10bbebb7636611fcc50aa6bcd21218d7a013c8f46ffa374f34cb27163eb660fbe91c069439cc89d116d494d495748812d8abce9b6158

Filesize: 669KB (listed twice in the report)
MD5: 385ef530fbc1db7c6a23af48d695d649
SHA1: 5a0aa12bf2f7eb847a2bae84ec897c20a389e7a0
SHA256: 87ed985598c540668afd1fa97937fdd69a9b4c1f6df2fafb6e2c9fa9bc6566fa
SHA512: d7236d1007e8654e826480a213ca8d19a8dfd2d34b77969585392e665eaf09796c1ca0cc7a3367513f8bcfc4f549aa0eeef43ef0a4ee9dc6d31e21f7114e101b