8f0477e0ddf2fa29149ffe6264e6edce24e680cd6561ef2e3101393908ac6f78

Analysis

max time kernel
156s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
21/10/2022, 05:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8f0477e0ddf2fa29149ffe6264e6edce24e680cd6561ef2e3101393908ac6f78.exe
Size

647KB
MD5

78d719aa89ca1c78346ab44644abd6e0
SHA1

2cf301302b8bf79da9e9123b50ea4a091fd5cc57
SHA256

8f0477e0ddf2fa29149ffe6264e6edce24e680cd6561ef2e3101393908ac6f78
SHA512

12505791814d0f5d720aec61936667aefec641bbddc12e9d9ddfa34984d45d9008f5a594f97672a22d0a57c0a4324e10ca04cab5ded3e8c6e396cbd6e9c434cf
SSDEEP

12288:OHjcoe9PH96vB/fAuBcm9TyOE/xG3muGx44MG4Yx:ODgINfAuBcgcZG2uG24MG4Y

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
4576	nehubih.exe
5044	~DFA24A.tmp
3828	xoektyh.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	8f0477e0ddf2fa29149ffe6264e6edce24e680cd6561ef2e3101393908ac6f78.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	~DFA24A.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 40 IoCs

pid	Process
3828	xoektyh.exe
3828	xoektyh.exe
3828	xoektyh.exe
3828	xoektyh.exe
3828	xoektyh.exe
3828	xoektyh.exe
3828	xoektyh.exe
3828	xoektyh.exe
3828	xoektyh.exe
3828	xoektyh.exe
3828	xoektyh.exe
3828	xoektyh.exe
3828	xoektyh.exe
3828	xoektyh.exe
3828	xoektyh.exe
3828	xoektyh.exe
3828	xoektyh.exe
3828	xoektyh.exe
3828	xoektyh.exe
3828	xoektyh.exe
3828	xoektyh.exe
3828	xoektyh.exe
3828	xoektyh.exe
3828	xoektyh.exe
3828	xoektyh.exe
3828	xoektyh.exe
3828	xoektyh.exe
3828	xoektyh.exe
3828	xoektyh.exe
3828	xoektyh.exe
3828	xoektyh.exe
3828	xoektyh.exe
3828	xoektyh.exe
3828	xoektyh.exe
3828	xoektyh.exe
3828	xoektyh.exe
3828	xoektyh.exe
3828	xoektyh.exe
3828	xoektyh.exe
3828	xoektyh.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	5044	~DFA24A.tmp

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2296 wrote to memory of 4576	2296	8f0477e0ddf2fa29149ffe6264e6edce24e680cd6561ef2e3101393908ac6f78.exe	80
PID 2296 wrote to memory of 4576	2296	8f0477e0ddf2fa29149ffe6264e6edce24e680cd6561ef2e3101393908ac6f78.exe	80
PID 2296 wrote to memory of 4576	2296	8f0477e0ddf2fa29149ffe6264e6edce24e680cd6561ef2e3101393908ac6f78.exe	80
PID 4576 wrote to memory of 5044	4576	nehubih.exe	81
PID 4576 wrote to memory of 5044	4576	nehubih.exe	81
PID 4576 wrote to memory of 5044	4576	nehubih.exe	81
PID 2296 wrote to memory of 4904	2296	8f0477e0ddf2fa29149ffe6264e6edce24e680cd6561ef2e3101393908ac6f78.exe	82
PID 2296 wrote to memory of 4904	2296	8f0477e0ddf2fa29149ffe6264e6edce24e680cd6561ef2e3101393908ac6f78.exe	82
PID 2296 wrote to memory of 4904	2296	8f0477e0ddf2fa29149ffe6264e6edce24e680cd6561ef2e3101393908ac6f78.exe	82
PID 5044 wrote to memory of 3828	5044	~DFA24A.tmp	92
PID 5044 wrote to memory of 3828	5044	~DFA24A.tmp	92
PID 5044 wrote to memory of 3828	5044	~DFA24A.tmp	92

C:\Users\Admin\AppData\Local\Temp\8f0477e0ddf2fa29149ffe6264e6edce24e680cd6561ef2e3101393908ac6f78.exe
"C:\Users\Admin\AppData\Local\Temp\8f0477e0ddf2fa29149ffe6264e6edce24e680cd6561ef2e3101393908ac6f78.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2296
- C:\Users\Admin\AppData\Local\Temp\nehubih.exe
  C:\Users\Admin\AppData\Local\Temp\nehubih.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4576
- - C:\Users\Admin\AppData\Local\Temp\~DFA24A.tmp
    C:\Users\Admin\AppData\Local\Temp\~DFA24A.tmp OK
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5044
  - - C:\Users\Admin\AppData\Local\Temp\xoektyh.exe
      "C:\Users\Admin\AppData\Local\Temp\xoektyh.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:3828
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
  2⤵
  PID:4904

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uninsep.bat

Filesize
341B

MD5
7fc8ed2df48f30a8336c5b02ca655d94

SHA1
a2169d335975b96dc9b1376233e68d26bd4fe4ab

SHA256
9b8d83b38bfe81dc9fc41911662b5335f07bdb8f2b8fec4f3b526f24fe30d539

SHA512
8a12ff3dacae8b955cb7555a05d1dbd685c9cfb5b142cfd36dcc912cb74ffd2b664cef3c7bdaa4760d49f5ca7485a69e0312e65e35cad75d66eab4a531017273

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
86bb2dbeaef655893262f3c041f6afe2

SHA1
1b26ff1241c1353bd506c18bd0c11878076ba65d

SHA256
4a57643d2c59d1235bc0926f845583f39345839e3e9428ad619eb4b6baf96ad2

SHA512
58294cfaa5882a4c5625c03fe6f9e4882912b31f7169241f95626745d66c0a746083a9044365943d66ae7a420113d28c0ddd642c4ed697c683deb63796a13d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
480B

MD5
8b6a736344faffd585f531d5d943c7f2

SHA1
f3fae190ec55149d3817bdbe44d79af606494343

SHA256
dda293d589f4e71430c288e847ac33178e6a2e3000e987aa8ad4cea4ef1ff071

SHA512
75a0352d09d623121ba126cdbf86b37a83b24cc3710b6d2efcd9b52d9d3d8b236262776d6001fe0abda7e28a12e14a60a2816cefbfbb024c7827e84e075a68df

Download Submit
C:\Users\Admin\AppData\Local\Temp\nehubih.exe

Filesize
652KB

MD5
9f3c0bf28a632a0c0eb1b12cca34379c

SHA1
dc1de1c5ef29f7e5d9fbecb9a7a6a244098cc848

SHA256
ac40a920e80d89992ef7d7e265654186e8ae6831b19d1374bca0b47d40be0b9b

SHA512
1dd6d17714a5ed020f434479fefd76156edae19829e575356c007171bc611ac84188125a888c4302f952beab3964a5476963abd0a1c51baa6d3e0008d35b76bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nehubih.exe

Filesize
652KB

MD5
9f3c0bf28a632a0c0eb1b12cca34379c

SHA1
dc1de1c5ef29f7e5d9fbecb9a7a6a244098cc848

SHA256
ac40a920e80d89992ef7d7e265654186e8ae6831b19d1374bca0b47d40be0b9b

SHA512
1dd6d17714a5ed020f434479fefd76156edae19829e575356c007171bc611ac84188125a888c4302f952beab3964a5476963abd0a1c51baa6d3e0008d35b76bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\xoektyh.exe

Filesize
417KB

MD5
f1cb41cef8c48e4feeb7593ffc078045

SHA1
c4cadc5dc4a480e2f937a64e80bcf2d57d5178d5

SHA256
bbfdf9a87ed75dfc9559a72ef9fa1876e66ae45b81352aa47e0980e642bc3261

SHA512
5b65359b6e12b51ef4f662faa3013265348b74a9bf1f014542a23714056aa01ef8699833428f1510c5d2781717b27a16931ca91749ab2153e25fad2c2a910123

Download Submit
C:\Users\Admin\AppData\Local\Temp\xoektyh.exe

Filesize
417KB

MD5
f1cb41cef8c48e4feeb7593ffc078045

SHA1
c4cadc5dc4a480e2f937a64e80bcf2d57d5178d5

SHA256
bbfdf9a87ed75dfc9559a72ef9fa1876e66ae45b81352aa47e0980e642bc3261

SHA512
5b65359b6e12b51ef4f662faa3013265348b74a9bf1f014542a23714056aa01ef8699833428f1510c5d2781717b27a16931ca91749ab2153e25fad2c2a910123

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA24A.tmp

Filesize
658KB

MD5
1d16e404419e63731a0859a82ed4098c

SHA1
551b83fdfb2af0274e347e96bed2dc96681c2720

SHA256
7ef636035c9e26529c364a706e8d516bd36f6f2cf9e8e4c5fa10c32a77c7861f

SHA512
a0e95448f72d0df9d912ebef995eb31641d2a6aa5f725370646545ea9ba8226338cc5aa6ee5b38a5e339c87abb40341625163e492c9cda7d5be4c3213caebc08

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA24A.tmp

Filesize
658KB

MD5
1d16e404419e63731a0859a82ed4098c

SHA1
551b83fdfb2af0274e347e96bed2dc96681c2720

SHA256
7ef636035c9e26529c364a706e8d516bd36f6f2cf9e8e4c5fa10c32a77c7861f

SHA512
a0e95448f72d0df9d912ebef995eb31641d2a6aa5f725370646545ea9ba8226338cc5aa6ee5b38a5e339c87abb40341625163e492c9cda7d5be4c3213caebc08

Download Submit
memory/2296-132-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/2296-144-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/3828-150-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/3828-152-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/4576-137-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/4576-141-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/5044-146-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/5044-142-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download