e796ed4142550aadcd2787b88664aa4338638bc26d0865f3e020354f934c0173

Analysis

max time kernel
152s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
07/11/2022, 15:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e796ed4142550aadcd2787b88664aa4338638bc26d0865f3e020354f934c0173.exe
Size

419KB
MD5

073a79104101a2ae4535719f94bc8480
SHA1

51a2fb2180a8e2a50e8f6b39de8602cf117cf857
SHA256

e796ed4142550aadcd2787b88664aa4338638bc26d0865f3e020354f934c0173
SHA512

866901ad79d94ac6e1cdd6e415aa2d6286844078f12b23ff37643a67dc6c5fcfbd975831eb58f6e464896a6269ddeec2cbcf3376be7068e94fc14eac23507a7d
SSDEEP

6144:u7PjM1h2DiL6yA8IpdJfLKLzmPPb+WCFOnDK0svS:yMLM2tIpnGzmPSWC64K

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3636	cegoh.exe
1628	hyibn.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000300000000071f-143.dat	upx
behavioral2/files/0x000300000000071f-144.dat	upx
behavioral2/memory/1628-146-0x0000000000400000-0x00000000004B3000-memory.dmp	upx
behavioral2/memory/1628-147-0x0000000000400000-0x00000000004B3000-memory.dmp	upx

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	cegoh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	e796ed4142550aadcd2787b88664aa4338638bc26d0865f3e020354f934c0173.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1628	hyibn.exe
1628	hyibn.exe
1628	hyibn.exe
1628	hyibn.exe
1628	hyibn.exe
1628	hyibn.exe
1628	hyibn.exe
1628	hyibn.exe
1628	hyibn.exe
1628	hyibn.exe
1628	hyibn.exe
1628	hyibn.exe
1628	hyibn.exe
1628	hyibn.exe
1628	hyibn.exe
1628	hyibn.exe
1628	hyibn.exe
1628	hyibn.exe
1628	hyibn.exe
1628	hyibn.exe
1628	hyibn.exe
1628	hyibn.exe
1628	hyibn.exe
1628	hyibn.exe
1628	hyibn.exe
1628	hyibn.exe
1628	hyibn.exe
1628	hyibn.exe
1628	hyibn.exe
1628	hyibn.exe
1628	hyibn.exe
1628	hyibn.exe
1628	hyibn.exe
1628	hyibn.exe
1628	hyibn.exe
1628	hyibn.exe
1628	hyibn.exe
1628	hyibn.exe
1628	hyibn.exe
1628	hyibn.exe
1628	hyibn.exe
1628	hyibn.exe
1628	hyibn.exe
1628	hyibn.exe
1628	hyibn.exe
1628	hyibn.exe
1628	hyibn.exe
1628	hyibn.exe
1628	hyibn.exe
1628	hyibn.exe
1628	hyibn.exe
1628	hyibn.exe
1628	hyibn.exe
1628	hyibn.exe
1628	hyibn.exe
1628	hyibn.exe
1628	hyibn.exe
1628	hyibn.exe
1628	hyibn.exe
1628	hyibn.exe
1628	hyibn.exe
1628	hyibn.exe
1628	hyibn.exe
1628	hyibn.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 644 wrote to memory of 3636	644	e796ed4142550aadcd2787b88664aa4338638bc26d0865f3e020354f934c0173.exe	82
PID 644 wrote to memory of 3636	644	e796ed4142550aadcd2787b88664aa4338638bc26d0865f3e020354f934c0173.exe	82
PID 644 wrote to memory of 3636	644	e796ed4142550aadcd2787b88664aa4338638bc26d0865f3e020354f934c0173.exe	82
PID 644 wrote to memory of 548	644	e796ed4142550aadcd2787b88664aa4338638bc26d0865f3e020354f934c0173.exe	83
PID 644 wrote to memory of 548	644	e796ed4142550aadcd2787b88664aa4338638bc26d0865f3e020354f934c0173.exe	83
PID 644 wrote to memory of 548	644	e796ed4142550aadcd2787b88664aa4338638bc26d0865f3e020354f934c0173.exe	83
PID 3636 wrote to memory of 1628	3636	cegoh.exe	90
PID 3636 wrote to memory of 1628	3636	cegoh.exe	90
PID 3636 wrote to memory of 1628	3636	cegoh.exe	90

C:\Users\Admin\AppData\Local\Temp\e796ed4142550aadcd2787b88664aa4338638bc26d0865f3e020354f934c0173.exe
"C:\Users\Admin\AppData\Local\Temp\e796ed4142550aadcd2787b88664aa4338638bc26d0865f3e020354f934c0173.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:644
- C:\Users\Admin\AppData\Local\Temp\cegoh.exe
  "C:\Users\Admin\AppData\Local\Temp\cegoh.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:3636
- - C:\Users\Admin\AppData\Local\Temp\hyibn.exe
    "C:\Users\Admin\AppData\Local\Temp\hyibn.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1628
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  PID:548

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
5c0d4071de770b54e5029ea67ab8202a

SHA1
0fa729ddbedaf4f8d3dc8d70d475a721d5894317

SHA256
81557131f78feef4c027870d164afe28a9a7e39eef90f77a3adb4770d4143289

SHA512
e56a0f0d43d4916cb235d5e507c39757ad6ac76aeba2f674b614092e729d9c2c4bbde3cd151932123818263ca60692bf5a707fd87831496f79cd81b436678fe6

Download Submit
C:\Users\Admin\AppData\Local\Temp\cegoh.exe

Filesize
420KB

MD5
0b1b199d690350dc89cf8d03798e916f

SHA1
154e59702f190c9cb2f6df9a23cbae2a38484e36

SHA256
3c3473dfd4269547cf952b8d81da6f21322f99d5d247a213ade76849a37e1fc9

SHA512
cac2b2da2143b60f085a7045804bd8a4d95992f2a790cb35546002f244be51e5c14712b717f51c288dd4d82b5df609a9657fe6889e5c852b92df7e74d9622381

Download Submit
C:\Users\Admin\AppData\Local\Temp\cegoh.exe

Filesize
420KB

MD5
0b1b199d690350dc89cf8d03798e916f

SHA1
154e59702f190c9cb2f6df9a23cbae2a38484e36

SHA256
3c3473dfd4269547cf952b8d81da6f21322f99d5d247a213ade76849a37e1fc9

SHA512
cac2b2da2143b60f085a7045804bd8a4d95992f2a790cb35546002f244be51e5c14712b717f51c288dd4d82b5df609a9657fe6889e5c852b92df7e74d9622381

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
4366c8d09765f8fa2a9542db96b632ab

SHA1
d5d99d5f07dacfe74c4272c8aa01b1344cba324c

SHA256
cb1e0fefde4d5c71de25f51bbf5e331307219e938eef1aeda389e26073f330b3

SHA512
c1bd5361079a1500fe90d63eb51882364698411bff1978ed2ae1124a8181f20732ecad49ef58b3331e67f27afc8d18b8ea6e0c5993626f683718fa774303c44f

Download Submit
C:\Users\Admin\AppData\Local\Temp\hyibn.exe

Filesize
207KB

MD5
a36574360411c725f67a20fd1327bc10

SHA1
718226072250f9ee1995ce7eeea4ca53b750f878

SHA256
7efbdc94820f182404bb2295cbf1fd36fcfb45bb11f70f24cbdf2139d2f378f1

SHA512
48e875c41ce6867a918c6f41ad3e64e3ee8e0a0e1e8c3b9add40f5bbfd5e82d6197f7c553864e6954bee0fb2200aa7d412ca37ea907c88de85b1dee0802c6c1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\hyibn.exe

Filesize
207KB

MD5
a36574360411c725f67a20fd1327bc10

SHA1
718226072250f9ee1995ce7eeea4ca53b750f878

SHA256
7efbdc94820f182404bb2295cbf1fd36fcfb45bb11f70f24cbdf2139d2f378f1

SHA512
48e875c41ce6867a918c6f41ad3e64e3ee8e0a0e1e8c3b9add40f5bbfd5e82d6197f7c553864e6954bee0fb2200aa7d412ca37ea907c88de85b1dee0802c6c1f

Download Submit
memory/644-137-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/644-132-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/1628-146-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/1628-147-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/3636-139-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/3636-141-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/3636-145-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download