27a4a03a1dbe6efccf3b0d735dbac82e451012f99f77d5ea1a126955e7a332d7

General

Target

27a4a03a1dbe6efccf3b0d735dbac82e451012f99f77d5ea1a126955e7a332d7.exe
Size

2.6MB
MD5

4a832ed1585ffeb8508f1d8844a6b461
SHA1

3b74d193e25826495b9916ed426964ebd634d18c
SHA256

27a4a03a1dbe6efccf3b0d735dbac82e451012f99f77d5ea1a126955e7a332d7
SHA512

28e0a908cd43719c1d288dcc8306c171f53b9cb98dbb178b94e8a59db9318524e49cf8f166fd8ac6614a55e0cf195717a9b4727a96c1f2f1378771f677c7a98b
SSDEEP

49152:whN+Q6dtmoxrrat4vq3zvpZ3RN0Yc6XCZ6NmFIZeCgSrmaSBnC9CtZY2sOmO2XgK:INoXmw6Kszvz3gWRNFg0KxC9GZDmVXsw

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

downloadsupdated-now-1-3_2022-11-23_17-36.exeGolana_2022-11-23_18-17.exe

pid process

3340 downloadsupdated-now-1-3_2022-11-23_17-36.exe
2868 Golana_2022-11-23_18-17.exe

pid	process
3340	downloadsupdated-now-1-3_2022-11-23_17-36.exe
2868	Golana_2022-11-23_18-17.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

27a4a03a1dbe6efccf3b0d735dbac82e451012f99f77d5ea1a126955e7a332d7.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	27a4a03a1dbe6efccf3b0d735dbac82e451012f99f77d5ea1a126955e7a332d7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

downloadsupdated-now-1-3_2022-11-23_17-36.exe

description pid process

Token: SeDebugPrivilege 3340 downloadsupdated-now-1-3_2022-11-23_17-36.exe

description	pid	process
Token: SeDebugPrivilege	3340	downloadsupdated-now-1-3_2022-11-23_17-36.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

27a4a03a1dbe6efccf3b0d735dbac82e451012f99f77d5ea1a126955e7a332d7.exe

description	pid	process	target process
PID 2196 wrote to memory of 3340	2196	27a4a03a1dbe6efccf3b0d735dbac82e451012f99f77d5ea1a126955e7a332d7.exe	downloadsupdated-now-1-3_2022-11-23_17-36.exe
PID 2196 wrote to memory of 3340	2196	27a4a03a1dbe6efccf3b0d735dbac82e451012f99f77d5ea1a126955e7a332d7.exe	downloadsupdated-now-1-3_2022-11-23_17-36.exe
PID 2196 wrote to memory of 3340	2196	27a4a03a1dbe6efccf3b0d735dbac82e451012f99f77d5ea1a126955e7a332d7.exe	downloadsupdated-now-1-3_2022-11-23_17-36.exe
PID 2196 wrote to memory of 2868	2196	27a4a03a1dbe6efccf3b0d735dbac82e451012f99f77d5ea1a126955e7a332d7.exe	Golana_2022-11-23_18-17.exe
PID 2196 wrote to memory of 2868	2196	27a4a03a1dbe6efccf3b0d735dbac82e451012f99f77d5ea1a126955e7a332d7.exe	Golana_2022-11-23_18-17.exe
PID 2196 wrote to memory of 2868	2196	27a4a03a1dbe6efccf3b0d735dbac82e451012f99f77d5ea1a126955e7a332d7.exe	Golana_2022-11-23_18-17.exe

C:\Users\Admin\AppData\Local\Temp\27a4a03a1dbe6efccf3b0d735dbac82e451012f99f77d5ea1a126955e7a332d7.exe
"C:\Users\Admin\AppData\Local\Temp\27a4a03a1dbe6efccf3b0d735dbac82e451012f99f77d5ea1a126955e7a332d7.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2196
- C:\Users\Admin\AppData\Local\Temp\downloadsupdated-now-1-3_2022-11-23_17-36.exe
  "C:\Users\Admin\AppData\Local\Temp\downloadsupdated-now-1-3_2022-11-23_17-36.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3340
- C:\Users\Admin\AppData\Local\Temp\Golana_2022-11-23_18-17.exe
  "C:\Users\Admin\AppData\Local\Temp\Golana_2022-11-23_18-17.exe"
  2⤵
  - Executes dropped EXE
  PID:2868

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Golana_2022-11-23_18-17.exe

Filesize
2.2MB

MD5
1c16ea996a2f54947883b5835e826a83

SHA1
a6aa88825ca5ce1635ab1284219a80966cbef7d2

SHA256
b8bbe249d88365c88ac3c72cfb55a625ca27171aeee71f915d2564592afc873d

SHA512
1507ef941553bccc41ec2db5fbe01a21b9367d90429751756657ddd0df2552ff3ba40f4cc7e5f3c6b4d97679ac01fb9d1ec91fd4296c93bb20582513a9748858

Download Submit
C:\Users\Admin\AppData\Local\Temp\Golana_2022-11-23_18-17.exe

Filesize
2.2MB

MD5
1c16ea996a2f54947883b5835e826a83

SHA1
a6aa88825ca5ce1635ab1284219a80966cbef7d2

SHA256
b8bbe249d88365c88ac3c72cfb55a625ca27171aeee71f915d2564592afc873d

SHA512
1507ef941553bccc41ec2db5fbe01a21b9367d90429751756657ddd0df2552ff3ba40f4cc7e5f3c6b4d97679ac01fb9d1ec91fd4296c93bb20582513a9748858

Download Submit
C:\Users\Admin\AppData\Local\Temp\downloadsupdated-now-1-3_2022-11-23_17-36.exe

Filesize
316KB

MD5
33cd3263865106e58dc0bde2743e61be

SHA1
eef698be023823262eaa3528e866f2c00a702500

SHA256
a9959ac2c46261b6d061e0d4d73d5d379d3f3470c9be7bb5d951efc45342bb97

SHA512
60be0db9848a9d3b2a95bf0c5b91b306a4e6b6ecc8c784cf400601914c5b1b0fee20f8a03c84c16f055cd63167243e65a01870166f7322a146e9139f90f9e241

Download Submit
C:\Users\Admin\AppData\Local\Temp\downloadsupdated-now-1-3_2022-11-23_17-36.exe

Filesize
316KB

MD5
33cd3263865106e58dc0bde2743e61be

SHA1
eef698be023823262eaa3528e866f2c00a702500

SHA256
a9959ac2c46261b6d061e0d4d73d5d379d3f3470c9be7bb5d951efc45342bb97

SHA512
60be0db9848a9d3b2a95bf0c5b91b306a4e6b6ecc8c784cf400601914c5b1b0fee20f8a03c84c16f055cd63167243e65a01870166f7322a146e9139f90f9e241

Download Submit
memory/2868-143-0x00000000026F6000-0x0000000002915000-memory.dmp

Filesize
2.1MB

Download
memory/2868-135-0x0000000000000000-mapping.dmp

Download
memory/2868-151-0x0000000000400000-0x00000000008CB000-memory.dmp

Filesize
4.8MB

Download
memory/2868-144-0x0000000002920000-0x0000000002DB9000-memory.dmp

Filesize
4.6MB

Download
memory/2868-145-0x0000000000400000-0x00000000008CB000-memory.dmp

Filesize
4.8MB

Download
memory/3340-142-0x0000000000400000-0x000000000066D000-memory.dmp

Filesize
2.4MB

Download
memory/3340-132-0x0000000000000000-mapping.dmp

Download
memory/3340-141-0x00000000007C0000-0x00000000007FE000-memory.dmp

Filesize
248KB

Download
memory/3340-140-0x000000000087D000-0x00000000008AE000-memory.dmp

Filesize
196KB

Download
memory/3340-139-0x00000000053D0000-0x0000000005462000-memory.dmp

Filesize
584KB

Download
memory/3340-146-0x00000000056A0000-0x0000000005CB8000-memory.dmp

Filesize
6.1MB

Download
memory/3340-147-0x00000000054C0000-0x00000000055CA000-memory.dmp

Filesize
1.0MB

Download
memory/3340-148-0x00000000055F0000-0x0000000005602000-memory.dmp

Filesize
72KB

Download
memory/3340-149-0x0000000005650000-0x000000000568C000-memory.dmp

Filesize
240KB

Download
memory/3340-150-0x000000000087D000-0x00000000008AE000-memory.dmp

Filesize
196KB

Download
memory/3340-138-0x0000000004E20000-0x00000000053C4000-memory.dmp

Filesize
5.6MB

Download

Analysis

Sharing