6b79c2267761b398913f0dfc570077c3d0aa7c2677cf1b2b3e7f1fb06f194622

Analysis

max time kernel
176s
max time network
166s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
29/10/2022, 20:43

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

6b79c2267761b398913f0dfc570077c3d0aa7c2677cf1b2b3e7f1fb06f194622.exe
Size

681KB
MD5

841c6b131346ee43d0c530d73c679b20
SHA1

83073d49f902f1e662caf18bde111a4880df33e9
SHA256

6b79c2267761b398913f0dfc570077c3d0aa7c2677cf1b2b3e7f1fb06f194622
SHA512

4be450629b6d7f293b6db59efae20a67f36109e9a98d6a16f40a5be284c72102c38651b4641cbe6bc58cde3bce383c9bd42f2d4b770804c5083f52dc8e42bc46
SSDEEP

12288:VHjcoe9PH96vB/fAuBcm9TyOE/xG3muGx44MG4Yx:VDgINfAuBcgcZG2uG24MG4Y

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1792	kiovtiu.exe
4184	~DFA240.tmp
788	qibyam.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	6b79c2267761b398913f0dfc570077c3d0aa7c2677cf1b2b3e7f1fb06f194622.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	~DFA240.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 40 IoCs

pid	Process
788	qibyam.exe
788	qibyam.exe
788	qibyam.exe
788	qibyam.exe
788	qibyam.exe
788	qibyam.exe
788	qibyam.exe
788	qibyam.exe
788	qibyam.exe
788	qibyam.exe
788	qibyam.exe
788	qibyam.exe
788	qibyam.exe
788	qibyam.exe
788	qibyam.exe
788	qibyam.exe
788	qibyam.exe
788	qibyam.exe
788	qibyam.exe
788	qibyam.exe
788	qibyam.exe
788	qibyam.exe
788	qibyam.exe
788	qibyam.exe
788	qibyam.exe
788	qibyam.exe
788	qibyam.exe
788	qibyam.exe
788	qibyam.exe
788	qibyam.exe
788	qibyam.exe
788	qibyam.exe
788	qibyam.exe
788	qibyam.exe
788	qibyam.exe
788	qibyam.exe
788	qibyam.exe
788	qibyam.exe
788	qibyam.exe
788	qibyam.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4184	~DFA240.tmp

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4176 wrote to memory of 1792	4176	6b79c2267761b398913f0dfc570077c3d0aa7c2677cf1b2b3e7f1fb06f194622.exe	81
PID 4176 wrote to memory of 1792	4176	6b79c2267761b398913f0dfc570077c3d0aa7c2677cf1b2b3e7f1fb06f194622.exe	81
PID 4176 wrote to memory of 1792	4176	6b79c2267761b398913f0dfc570077c3d0aa7c2677cf1b2b3e7f1fb06f194622.exe	81
PID 1792 wrote to memory of 4184	1792	kiovtiu.exe	84
PID 1792 wrote to memory of 4184	1792	kiovtiu.exe	84
PID 1792 wrote to memory of 4184	1792	kiovtiu.exe	84
PID 4176 wrote to memory of 2124	4176	6b79c2267761b398913f0dfc570077c3d0aa7c2677cf1b2b3e7f1fb06f194622.exe	85
PID 4176 wrote to memory of 2124	4176	6b79c2267761b398913f0dfc570077c3d0aa7c2677cf1b2b3e7f1fb06f194622.exe	85
PID 4176 wrote to memory of 2124	4176	6b79c2267761b398913f0dfc570077c3d0aa7c2677cf1b2b3e7f1fb06f194622.exe	85
PID 4184 wrote to memory of 788	4184	~DFA240.tmp	93
PID 4184 wrote to memory of 788	4184	~DFA240.tmp	93
PID 4184 wrote to memory of 788	4184	~DFA240.tmp	93

C:\Users\Admin\AppData\Local\Temp\6b79c2267761b398913f0dfc570077c3d0aa7c2677cf1b2b3e7f1fb06f194622.exe
"C:\Users\Admin\AppData\Local\Temp\6b79c2267761b398913f0dfc570077c3d0aa7c2677cf1b2b3e7f1fb06f194622.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4176
- C:\Users\Admin\AppData\Local\Temp\kiovtiu.exe
  C:\Users\Admin\AppData\Local\Temp\kiovtiu.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1792
- - C:\Users\Admin\AppData\Local\Temp\~DFA240.tmp
    C:\Users\Admin\AppData\Local\Temp\~DFA240.tmp OK
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4184
  - - C:\Users\Admin\AppData\Local\Temp\qibyam.exe
      "C:\Users\Admin\AppData\Local\Temp\qibyam.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:788
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
  2⤵
  PID:2124

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uninsep.bat

Filesize
341B

MD5
121b0bb7c6829c19b8eefe545b4e7ba9

SHA1
484740245d6969f20d6c1b679c4e0e5e600bd516

SHA256
c04bf631a230ea67ba937582e755e8f37d0bf9a6e27c868ad6918834f2a2fd68

SHA512
2488482cc1fa7f549b70e06bbd8fee332d933ef2f661a4ba6e26cc0c825d0764c66b5da0d9632c1dda0139822a013d5657df1a1b745eb145402129bcc15325f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
86bb2dbeaef655893262f3c041f6afe2

SHA1
1b26ff1241c1353bd506c18bd0c11878076ba65d

SHA256
4a57643d2c59d1235bc0926f845583f39345839e3e9428ad619eb4b6baf96ad2

SHA512
58294cfaa5882a4c5625c03fe6f9e4882912b31f7169241f95626745d66c0a746083a9044365943d66ae7a420113d28c0ddd642c4ed697c683deb63796a13d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
480B

MD5
1664be3e53a1552dbd590b3600271326

SHA1
a6c7d60d2509841c52be6fc8a60ace3f45d4880a

SHA256
7caff81765963dbd75350774abe8448bb0c967794cbbc65b1f2c9e4da0864785

SHA512
6230d5cbd1c88e3240a6ea89e7f30d15759d5940cce0372fd63b44eeae7fb1f4c1f8904bfb1973b299a468f3025cf61f90892aa2fcd16496a8c0c5e243c69ad6

Download Submit
C:\Users\Admin\AppData\Local\Temp\kiovtiu.exe

Filesize
687KB

MD5
b8d09047da0bce71bb463a689e2c143b

SHA1
9617857fbb6729160bbdcf25665674f063708230

SHA256
f3b6694345c90b0ce74fdbaa84635aeb21e4442cb1486f0e5da7dc8be2596721

SHA512
3edf20be18ad422876563d0b2abedd866967ec60ae5fe3e528f84d2f8ac65a579f42bb4d89c4c7c8d33d3399ae1abd4be1428ea77bb20c9103b644c8f1ddbec1

Download Submit
C:\Users\Admin\AppData\Local\Temp\kiovtiu.exe

Filesize
687KB

MD5
b8d09047da0bce71bb463a689e2c143b

SHA1
9617857fbb6729160bbdcf25665674f063708230

SHA256
f3b6694345c90b0ce74fdbaa84635aeb21e4442cb1486f0e5da7dc8be2596721

SHA512
3edf20be18ad422876563d0b2abedd866967ec60ae5fe3e528f84d2f8ac65a579f42bb4d89c4c7c8d33d3399ae1abd4be1428ea77bb20c9103b644c8f1ddbec1

Download Submit
C:\Users\Admin\AppData\Local\Temp\qibyam.exe

Filesize
385KB

MD5
749cfc8b62841d932c929a278cb19d50

SHA1
ae9924af2863459de9b16ce184ac905e459e81d6

SHA256
14e9a1000e18b7695b771ad25b86ed8400862fef7b6161a2cdcfbb0c68e20682

SHA512
bb6454d3e41b38d47801249ba271a33c218eef326b0925e80be4466cc70dc51fd750ee5392427fd87bfd0a5d727a6bba7a46467feefb95e97bf8d6adfbcff514

Download Submit
C:\Users\Admin\AppData\Local\Temp\qibyam.exe

Filesize
385KB

MD5
749cfc8b62841d932c929a278cb19d50

SHA1
ae9924af2863459de9b16ce184ac905e459e81d6

SHA256
14e9a1000e18b7695b771ad25b86ed8400862fef7b6161a2cdcfbb0c68e20682

SHA512
bb6454d3e41b38d47801249ba271a33c218eef326b0925e80be4466cc70dc51fd750ee5392427fd87bfd0a5d727a6bba7a46467feefb95e97bf8d6adfbcff514

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA240.tmp

Filesize
693KB

MD5
3cfdb9fcbefeb7cd2e8491761272e16d

SHA1
a5c6398ac787a25109f49c6650493bedb0f697bf

SHA256
ce72171a70b50cb6967178969e76846b5506b5eb3ec747a2c72f59a38a8c303e

SHA512
394d120240edaf274a4547285361ffe6b20ee8f12235c60e3c75c77de77d81ceeea3e6c957dbc3aa60fea1bfe81ec95c3b0363bfa2adbc50154fa89cc041fc70

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA240.tmp

Filesize
693KB

MD5
3cfdb9fcbefeb7cd2e8491761272e16d

SHA1
a5c6398ac787a25109f49c6650493bedb0f697bf

SHA256
ce72171a70b50cb6967178969e76846b5506b5eb3ec747a2c72f59a38a8c303e

SHA512
394d120240edaf274a4547285361ffe6b20ee8f12235c60e3c75c77de77d81ceeea3e6c957dbc3aa60fea1bfe81ec95c3b0363bfa2adbc50154fa89cc041fc70

Download Submit
memory/788-152-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/1792-145-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1792-137-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/4176-141-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/4176-132-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/4176-144-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/4184-142-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/4184-147-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download