293af94a2fd33dd815fb6e7ad72f1489338994c70364a489cd68e592eec86c35

Analysis

max time kernel
151s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
29/10/2022, 20:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

293af94a2fd33dd815fb6e7ad72f1489338994c70364a489cd68e592eec86c35.exe
Size

629KB
MD5

5a30808ccc39d0b175aa926a68aa5150
SHA1

7ea82e73a32bbb478c235fe3a637daf941883a6c
SHA256

293af94a2fd33dd815fb6e7ad72f1489338994c70364a489cd68e592eec86c35
SHA512

0d51c2cadbf386a49f1cc6d66d49cd7056b51b741fcd553589119b7c75629323123d389ab7e2f469185fd1a3700119d8d94fe526eafaaad0ac60c670944a255c
SSDEEP

12288:VHjcoe9PH96vB/fAuBcm9TyOE/xG3muGx44MG4Yx:VDgINfAuBcgcZG2uG24MG4Y

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
4936	qyrewyy.exe
4192	~DFA236.tmp
3460	ceibdey.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	293af94a2fd33dd815fb6e7ad72f1489338994c70364a489cd68e592eec86c35.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	~DFA236.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
3460	ceibdey.exe
3460	ceibdey.exe
3460	ceibdey.exe
3460	ceibdey.exe
3460	ceibdey.exe
3460	ceibdey.exe
3460	ceibdey.exe
3460	ceibdey.exe
3460	ceibdey.exe
3460	ceibdey.exe
3460	ceibdey.exe
3460	ceibdey.exe
3460	ceibdey.exe
3460	ceibdey.exe
3460	ceibdey.exe
3460	ceibdey.exe
3460	ceibdey.exe
3460	ceibdey.exe
3460	ceibdey.exe
3460	ceibdey.exe
3460	ceibdey.exe
3460	ceibdey.exe
3460	ceibdey.exe
3460	ceibdey.exe
3460	ceibdey.exe
3460	ceibdey.exe
3460	ceibdey.exe
3460	ceibdey.exe
3460	ceibdey.exe
3460	ceibdey.exe
3460	ceibdey.exe
3460	ceibdey.exe
3460	ceibdey.exe
3460	ceibdey.exe
3460	ceibdey.exe
3460	ceibdey.exe
3460	ceibdey.exe
3460	ceibdey.exe
3460	ceibdey.exe
3460	ceibdey.exe
3460	ceibdey.exe
3460	ceibdey.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4192	~DFA236.tmp

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4152 wrote to memory of 4936	4152	293af94a2fd33dd815fb6e7ad72f1489338994c70364a489cd68e592eec86c35.exe	82
PID 4152 wrote to memory of 4936	4152	293af94a2fd33dd815fb6e7ad72f1489338994c70364a489cd68e592eec86c35.exe	82
PID 4152 wrote to memory of 4936	4152	293af94a2fd33dd815fb6e7ad72f1489338994c70364a489cd68e592eec86c35.exe	82
PID 4936 wrote to memory of 4192	4936	qyrewyy.exe	83
PID 4936 wrote to memory of 4192	4936	qyrewyy.exe	83
PID 4936 wrote to memory of 4192	4936	qyrewyy.exe	83
PID 4152 wrote to memory of 4800	4152	293af94a2fd33dd815fb6e7ad72f1489338994c70364a489cd68e592eec86c35.exe	84
PID 4152 wrote to memory of 4800	4152	293af94a2fd33dd815fb6e7ad72f1489338994c70364a489cd68e592eec86c35.exe	84
PID 4152 wrote to memory of 4800	4152	293af94a2fd33dd815fb6e7ad72f1489338994c70364a489cd68e592eec86c35.exe	84
PID 4192 wrote to memory of 3460	4192	~DFA236.tmp	93
PID 4192 wrote to memory of 3460	4192	~DFA236.tmp	93
PID 4192 wrote to memory of 3460	4192	~DFA236.tmp	93

C:\Users\Admin\AppData\Local\Temp\293af94a2fd33dd815fb6e7ad72f1489338994c70364a489cd68e592eec86c35.exe
"C:\Users\Admin\AppData\Local\Temp\293af94a2fd33dd815fb6e7ad72f1489338994c70364a489cd68e592eec86c35.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4152
- C:\Users\Admin\AppData\Local\Temp\qyrewyy.exe
  C:\Users\Admin\AppData\Local\Temp\qyrewyy.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4936
- - C:\Users\Admin\AppData\Local\Temp\~DFA236.tmp
    C:\Users\Admin\AppData\Local\Temp\~DFA236.tmp OK
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4192
  - - C:\Users\Admin\AppData\Local\Temp\ceibdey.exe
      "C:\Users\Admin\AppData\Local\Temp\ceibdey.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:3460
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
  2⤵
  PID:4800

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uninsep.bat

Filesize
341B

MD5
cb0415465b0696c0ea73c957e6388001

SHA1
50e15d3a56d1ed904c4cc003395ebf2b038b639f

SHA256
c0f5535107b1519a52e18ded33678c7fffa16e421c34385c794cb437afd3b530

SHA512
8b9db40d8eaaffbb90f1ca2e02e275041c43267268f095b30d0f9d0f5233ecf83a85a96ad4246dfcc68514f35e682e4810e3e80d0aa5e48e8d7e16a12e175582

Download Submit
C:\Users\Admin\AppData\Local\Temp\ceibdey.exe

Filesize
394KB

MD5
241dcbd5eb7023e67d405dda78602bb0

SHA1
d43eb05b0293e63b5ac0a2f8789d5d522a0536ba

SHA256
3850dcd371fd38af360bb1b4f468a34cb97f661613672ad91b035a74d75381fc

SHA512
c487ac2c40b9bd3c6e282ecc62fc8a1565361f141663d571851482c248afb9e7be63dda8f6230b2e3d098cd2c04aba4b303a0bef8cfa9fe129ac504db15e2fd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ceibdey.exe

Filesize
394KB

MD5
241dcbd5eb7023e67d405dda78602bb0

SHA1
d43eb05b0293e63b5ac0a2f8789d5d522a0536ba

SHA256
3850dcd371fd38af360bb1b4f468a34cb97f661613672ad91b035a74d75381fc

SHA512
c487ac2c40b9bd3c6e282ecc62fc8a1565361f141663d571851482c248afb9e7be63dda8f6230b2e3d098cd2c04aba4b303a0bef8cfa9fe129ac504db15e2fd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
86bb2dbeaef655893262f3c041f6afe2

SHA1
1b26ff1241c1353bd506c18bd0c11878076ba65d

SHA256
4a57643d2c59d1235bc0926f845583f39345839e3e9428ad619eb4b6baf96ad2

SHA512
58294cfaa5882a4c5625c03fe6f9e4882912b31f7169241f95626745d66c0a746083a9044365943d66ae7a420113d28c0ddd642c4ed697c683deb63796a13d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
480B

MD5
4cff526c2d9491dda6a847ae77610294

SHA1
81bc49c0dca8f2aa74ed94cc4fb91bda6eb8a50d

SHA256
ff2c4f3d927da535358f59dfd3bf18e0c0f3253c2cdbaf238570732b43cd00cf

SHA512
a04a134fa17f8dd579795139a83ae8babf534066236ae95512f31017fcdf3736300f1272add40067cbe8545ee75e1a68cef1111c60ffa9877018420321b05c51

Download Submit
C:\Users\Admin\AppData\Local\Temp\qyrewyy.exe

Filesize
634KB

MD5
5cfc0864a372caf7faf2b992620e5e38

SHA1
84c944a28767f2f5d65897c03b24096a31d0ffaf

SHA256
1d05e0c262aea10b127cae146f0f975ec70030bd8eb6352d286757fab72a39dd

SHA512
509a9486d59fae623b70feb6e1a04993489be4ea80f53aea5494bb4cbc6127dfc6823c4af0ddef0faedc375759c2ec763a25646883a79f4fcb3b1158e120f771

Download Submit
C:\Users\Admin\AppData\Local\Temp\qyrewyy.exe

Filesize
634KB

MD5
5cfc0864a372caf7faf2b992620e5e38

SHA1
84c944a28767f2f5d65897c03b24096a31d0ffaf

SHA256
1d05e0c262aea10b127cae146f0f975ec70030bd8eb6352d286757fab72a39dd

SHA512
509a9486d59fae623b70feb6e1a04993489be4ea80f53aea5494bb4cbc6127dfc6823c4af0ddef0faedc375759c2ec763a25646883a79f4fcb3b1158e120f771

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA236.tmp

Filesize
641KB

MD5
dd4f6df4fc32f95cb939a39357e69505

SHA1
20a8329992e4f8b661350603226662c90bc8eaed

SHA256
00f938cb462460ded6c01363a484be6d279c305b74e58530007de53e845d052c

SHA512
bd13b06895ba4deb0ed980460bf5c92865aa104db8ae7214931c32fdb6196d8b59ebec32864fe9c0f43dc9d6733575031bc02875edc2a746ce53489b089b5eec

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA236.tmp

Filesize
641KB

MD5
dd4f6df4fc32f95cb939a39357e69505

SHA1
20a8329992e4f8b661350603226662c90bc8eaed

SHA256
00f938cb462460ded6c01363a484be6d279c305b74e58530007de53e845d052c

SHA512
bd13b06895ba4deb0ed980460bf5c92865aa104db8ae7214931c32fdb6196d8b59ebec32864fe9c0f43dc9d6733575031bc02875edc2a746ce53489b089b5eec

Download Submit
memory/3460-149-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/4152-142-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/4152-134-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/4192-143-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/4936-140-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download