69d128d489d053cbfa9616e1987514ce5a58136d7ac11179df8e7451b8fdd5e6

Analysis

max time kernel
153s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
21/10/2022, 05:31

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

69d128d489d053cbfa9616e1987514ce5a58136d7ac11179df8e7451b8fdd5e6.exe
Size

609KB
MD5

75a31ef65ce6a5f3a94aa9c320ead980
SHA1

ed30fd043b97cbdf916d60c897099a96bcb0e644
SHA256

69d128d489d053cbfa9616e1987514ce5a58136d7ac11179df8e7451b8fdd5e6
SHA512

6036448b36d9a9342699e3a53b823104e0668f98ef1b9631bcb52aa445d8e188b831612490da59d2e47cceda20afecae69150598aca8f464c7c47b23b77ca8b4
SSDEEP

12288:VHjcoe9PH96vB/fAuBcm9TyOE/xG3muGx44MG4Yx:VDgINfAuBcgcZG2uG24MG4Y

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
5044	qufeihe.exe
4932	~DFA242.tmp
2008	ogjepoe.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	69d128d489d053cbfa9616e1987514ce5a58136d7ac11179df8e7451b8fdd5e6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	~DFA242.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 40 IoCs

pid	Process
2008	ogjepoe.exe
2008	ogjepoe.exe
2008	ogjepoe.exe
2008	ogjepoe.exe
2008	ogjepoe.exe
2008	ogjepoe.exe
2008	ogjepoe.exe
2008	ogjepoe.exe
2008	ogjepoe.exe
2008	ogjepoe.exe
2008	ogjepoe.exe
2008	ogjepoe.exe
2008	ogjepoe.exe
2008	ogjepoe.exe
2008	ogjepoe.exe
2008	ogjepoe.exe
2008	ogjepoe.exe
2008	ogjepoe.exe
2008	ogjepoe.exe
2008	ogjepoe.exe
2008	ogjepoe.exe
2008	ogjepoe.exe
2008	ogjepoe.exe
2008	ogjepoe.exe
2008	ogjepoe.exe
2008	ogjepoe.exe
2008	ogjepoe.exe
2008	ogjepoe.exe
2008	ogjepoe.exe
2008	ogjepoe.exe
2008	ogjepoe.exe
2008	ogjepoe.exe
2008	ogjepoe.exe
2008	ogjepoe.exe
2008	ogjepoe.exe
2008	ogjepoe.exe
2008	ogjepoe.exe
2008	ogjepoe.exe
2008	ogjepoe.exe
2008	ogjepoe.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4932	~DFA242.tmp

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2568 wrote to memory of 5044	2568	69d128d489d053cbfa9616e1987514ce5a58136d7ac11179df8e7451b8fdd5e6.exe	80
PID 2568 wrote to memory of 5044	2568	69d128d489d053cbfa9616e1987514ce5a58136d7ac11179df8e7451b8fdd5e6.exe	80
PID 2568 wrote to memory of 5044	2568	69d128d489d053cbfa9616e1987514ce5a58136d7ac11179df8e7451b8fdd5e6.exe	80
PID 5044 wrote to memory of 4932	5044	qufeihe.exe	81
PID 5044 wrote to memory of 4932	5044	qufeihe.exe	81
PID 5044 wrote to memory of 4932	5044	qufeihe.exe	81
PID 2568 wrote to memory of 1260	2568	69d128d489d053cbfa9616e1987514ce5a58136d7ac11179df8e7451b8fdd5e6.exe	82
PID 2568 wrote to memory of 1260	2568	69d128d489d053cbfa9616e1987514ce5a58136d7ac11179df8e7451b8fdd5e6.exe	82
PID 2568 wrote to memory of 1260	2568	69d128d489d053cbfa9616e1987514ce5a58136d7ac11179df8e7451b8fdd5e6.exe	82
PID 4932 wrote to memory of 2008	4932	~DFA242.tmp	92
PID 4932 wrote to memory of 2008	4932	~DFA242.tmp	92
PID 4932 wrote to memory of 2008	4932	~DFA242.tmp	92

C:\Users\Admin\AppData\Local\Temp\69d128d489d053cbfa9616e1987514ce5a58136d7ac11179df8e7451b8fdd5e6.exe
"C:\Users\Admin\AppData\Local\Temp\69d128d489d053cbfa9616e1987514ce5a58136d7ac11179df8e7451b8fdd5e6.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2568
- C:\Users\Admin\AppData\Local\Temp\qufeihe.exe
  C:\Users\Admin\AppData\Local\Temp\qufeihe.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:5044
- - C:\Users\Admin\AppData\Local\Temp\~DFA242.tmp
    C:\Users\Admin\AppData\Local\Temp\~DFA242.tmp OK
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4932
  - - C:\Users\Admin\AppData\Local\Temp\ogjepoe.exe
      "C:\Users\Admin\AppData\Local\Temp\ogjepoe.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:2008
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
  2⤵
  PID:1260

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uninsep.bat

Filesize
341B

MD5
75f6c935639639c8cab1e6b4f2493ab8

SHA1
e04780b1268c010c9fd517765847a6fad8ec986c

SHA256
645a856e478e5e448565208403f10f2bb0919844854a6088e14a1b2a834c4ff0

SHA512
7ada63ca2781db3ae5ec26a4a67bf3b2a3430bcc7a9f7415629c607fb07c93f8c4a75f78e685b60f6ccc8c60066700bb2732105cbee32d06a5e6fdfd64d4058a

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
86bb2dbeaef655893262f3c041f6afe2

SHA1
1b26ff1241c1353bd506c18bd0c11878076ba65d

SHA256
4a57643d2c59d1235bc0926f845583f39345839e3e9428ad619eb4b6baf96ad2

SHA512
58294cfaa5882a4c5625c03fe6f9e4882912b31f7169241f95626745d66c0a746083a9044365943d66ae7a420113d28c0ddd642c4ed697c683deb63796a13d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
480B

MD5
01dc874e3285f76652511d38b4ae365f

SHA1
0ac975e459c3bbe1c88bcf60d12b2aa971b48c78

SHA256
5e144e3abc68d8e7a6f4dca90ce855f6593f40c0fdf2fbe215bcf15ba1dfb6e5

SHA512
9e8b295eba0762b9ff909b59b6d114ce033e6b5483aa0ab2512a518121ad0785e9ca431996cfc57922807b0b2cff22ce66c17a8b02dd4a3619ff8a64698185d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ogjepoe.exe

Filesize
374KB

MD5
dcd83a78c05298e375ecbcbfc374fbfb

SHA1
44ca79f56e087c313d628f7dbcc686f6707799a1

SHA256
0460a5a378c21792010cd14e73eebd4bbf61d9fcbd01245b5e5f46e469404f0e

SHA512
8ab91ff292582f02bb3a580e66f79987bd9de40439c840503006898af347ba9d68a6e16dbe0630b32a81e2c4cbcba33bff9beaa8ad19714d9c3728739cfa14cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\ogjepoe.exe

Filesize
374KB

MD5
dcd83a78c05298e375ecbcbfc374fbfb

SHA1
44ca79f56e087c313d628f7dbcc686f6707799a1

SHA256
0460a5a378c21792010cd14e73eebd4bbf61d9fcbd01245b5e5f46e469404f0e

SHA512
8ab91ff292582f02bb3a580e66f79987bd9de40439c840503006898af347ba9d68a6e16dbe0630b32a81e2c4cbcba33bff9beaa8ad19714d9c3728739cfa14cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\qufeihe.exe

Filesize
616KB

MD5
b5a5d0ea91ce7545dd8a4d3e6781f1ca

SHA1
fbc9f2e422274efbe7ea05c273a36ab4aa85d965

SHA256
ea2491f1777395ea398bb30e5b2e016d54beebf85fe081e6986cf84d10617279

SHA512
d8f2eb11a51c03d27ac1ec7e7dea8836650f0d849b4d6edf88b9429507f94a46536c35bd0f29d084fdf5b4542ae53802005fcd4db222408819d9828f2759d004

Download Submit
C:\Users\Admin\AppData\Local\Temp\qufeihe.exe

Filesize
616KB

MD5
b5a5d0ea91ce7545dd8a4d3e6781f1ca

SHA1
fbc9f2e422274efbe7ea05c273a36ab4aa85d965

SHA256
ea2491f1777395ea398bb30e5b2e016d54beebf85fe081e6986cf84d10617279

SHA512
d8f2eb11a51c03d27ac1ec7e7dea8836650f0d849b4d6edf88b9429507f94a46536c35bd0f29d084fdf5b4542ae53802005fcd4db222408819d9828f2759d004

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA242.tmp

Filesize
624KB

MD5
0029d1a6acbcb35c85d6ab14bbcfd27a

SHA1
41b71d4aebc91eb51ae3337adbc106b1ccb44861

SHA256
839610997a330d5c5f6d60fb64d3c9f7eff7c020986cb28f9c8feb4385697562

SHA512
d0cdf549ada764817d2a38135292d161af34160ff927ab48ec58e6004b9ac037ba8cbf66c7c8c971af204eba571dc0d6f65b230e288b5d0fcf420de6a2d7d508

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA242.tmp

Filesize
624KB

MD5
0029d1a6acbcb35c85d6ab14bbcfd27a

SHA1
41b71d4aebc91eb51ae3337adbc106b1ccb44861

SHA256
839610997a330d5c5f6d60fb64d3c9f7eff7c020986cb28f9c8feb4385697562

SHA512
d0cdf549ada764817d2a38135292d161af34160ff927ab48ec58e6004b9ac037ba8cbf66c7c8c971af204eba571dc0d6f65b230e288b5d0fcf420de6a2d7d508

Download Submit
memory/2008-150-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/2008-152-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/2568-144-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/2568-132-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/4932-146-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/4932-141-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/5044-142-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/5044-140-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download