96fa4b8ebcc635d8103477f89720ccdd20165f80a21f996c4a5d63eacf819556

Analysis

max time kernel
152s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 21:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

96fa4b8ebcc635d8103477f89720ccdd20165f80a21f996c4a5d63eacf819556.exe
Size

665KB
MD5

43ca547f881150b8e18d1676a16c1100
SHA1

09314465965e9c5af1722939f8d9dab4a13dae08
SHA256

96fa4b8ebcc635d8103477f89720ccdd20165f80a21f996c4a5d63eacf819556
SHA512

aff07796ce504f5c1f403016088350b66db8a9c69a76dee74da7b141b25cfb35cb6194e208cc3a5bcb8b4243714ad2984c08f8f36856ed5c9766a52adc399f91
SSDEEP

12288:VHjcoe9PH96vB/fAuBcm9TyOE/xG3muGx44MG4Yx:VDgINfAuBcgcZG2uG24MG4Y

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

ibijfof.exe~DFA240.tmpiccowof.exe

pid process

1712 ibijfof.exe
3684 ~DFA240.tmp
2176 iccowof.exe

pid	process
1712	ibijfof.exe
3684	~DFA240.tmp
2176	iccowof.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

96fa4b8ebcc635d8103477f89720ccdd20165f80a21f996c4a5d63eacf819556.exe~DFA240.tmp

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	96fa4b8ebcc635d8103477f89720ccdd20165f80a21f996c4a5d63eacf819556.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	~DFA240.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 42 IoCs

Processes:

iccowof.exe

pid	process
2176	iccowof.exe
2176	iccowof.exe
2176	iccowof.exe
2176	iccowof.exe
2176	iccowof.exe
2176	iccowof.exe
2176	iccowof.exe
2176	iccowof.exe
2176	iccowof.exe
2176	iccowof.exe
2176	iccowof.exe
2176	iccowof.exe
2176	iccowof.exe
2176	iccowof.exe
2176	iccowof.exe
2176	iccowof.exe
2176	iccowof.exe
2176	iccowof.exe
2176	iccowof.exe
2176	iccowof.exe
2176	iccowof.exe
2176	iccowof.exe
2176	iccowof.exe
2176	iccowof.exe
2176	iccowof.exe
2176	iccowof.exe
2176	iccowof.exe
2176	iccowof.exe
2176	iccowof.exe
2176	iccowof.exe
2176	iccowof.exe
2176	iccowof.exe
2176	iccowof.exe
2176	iccowof.exe
2176	iccowof.exe
2176	iccowof.exe
2176	iccowof.exe
2176	iccowof.exe
2176	iccowof.exe
2176	iccowof.exe
2176	iccowof.exe
2176	iccowof.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

~DFA240.tmp

description pid process

Token: SeDebugPrivilege 3684 ~DFA240.tmp

description	pid	process
Token: SeDebugPrivilege	3684	~DFA240.tmp

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

96fa4b8ebcc635d8103477f89720ccdd20165f80a21f996c4a5d63eacf819556.exeibijfof.exe~DFA240.tmp

description	pid	process	target process
PID 2552 wrote to memory of 1712	2552	96fa4b8ebcc635d8103477f89720ccdd20165f80a21f996c4a5d63eacf819556.exe	ibijfof.exe
PID 2552 wrote to memory of 1712	2552	96fa4b8ebcc635d8103477f89720ccdd20165f80a21f996c4a5d63eacf819556.exe	ibijfof.exe
PID 2552 wrote to memory of 1712	2552	96fa4b8ebcc635d8103477f89720ccdd20165f80a21f996c4a5d63eacf819556.exe	ibijfof.exe
PID 1712 wrote to memory of 3684	1712	ibijfof.exe	~DFA240.tmp
PID 1712 wrote to memory of 3684	1712	ibijfof.exe	~DFA240.tmp
PID 1712 wrote to memory of 3684	1712	ibijfof.exe	~DFA240.tmp
PID 2552 wrote to memory of 792	2552	96fa4b8ebcc635d8103477f89720ccdd20165f80a21f996c4a5d63eacf819556.exe	cmd.exe
PID 2552 wrote to memory of 792	2552	96fa4b8ebcc635d8103477f89720ccdd20165f80a21f996c4a5d63eacf819556.exe	cmd.exe
PID 2552 wrote to memory of 792	2552	96fa4b8ebcc635d8103477f89720ccdd20165f80a21f996c4a5d63eacf819556.exe	cmd.exe
PID 3684 wrote to memory of 2176	3684	~DFA240.tmp	iccowof.exe
PID 3684 wrote to memory of 2176	3684	~DFA240.tmp	iccowof.exe
PID 3684 wrote to memory of 2176	3684	~DFA240.tmp	iccowof.exe

C:\Users\Admin\AppData\Local\Temp\96fa4b8ebcc635d8103477f89720ccdd20165f80a21f996c4a5d63eacf819556.exe
"C:\Users\Admin\AppData\Local\Temp\96fa4b8ebcc635d8103477f89720ccdd20165f80a21f996c4a5d63eacf819556.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2552

C:\Users\Admin\AppData\Local\Temp\ibijfof.exe
C:\Users\Admin\AppData\Local\Temp\ibijfof.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1712

C:\Users\Admin\AppData\Local\Temp\~DFA240.tmp
C:\Users\Admin\AppData\Local\Temp\~DFA240.tmp OK
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3684

C:\Users\Admin\AppData\Local\Temp\iccowof.exe
"C:\Users\Admin\AppData\Local\Temp\iccowof.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2176

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
2⤵
PID:792

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uninsep.bat
Filesize
341B

MD5
495d08835a4143b554073d082520e9e6

SHA1
3c32edc94fb1e54c4a3c1f4a5ea9e8b42a4f7937

SHA256
57f55c757c9dfb109b4c53471f00c968ba6cf5871c80ca3321f47de908bbe75c

SHA512
f20a5816595f2e42afe8dca319ef9a6b6ab32b625ebbdb79caf1d38674982560a1d602223434aec097dadd12deaafbe02c6a338676047bbcd8638505124895d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini
Filesize
104B

MD5
86bb2dbeaef655893262f3c041f6afe2

SHA1
1b26ff1241c1353bd506c18bd0c11878076ba65d

SHA256
4a57643d2c59d1235bc0926f845583f39345839e3e9428ad619eb4b6baf96ad2

SHA512
58294cfaa5882a4c5625c03fe6f9e4882912b31f7169241f95626745d66c0a746083a9044365943d66ae7a420113d28c0ddd642c4ed697c683deb63796a13d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
Filesize
480B

MD5
66bc7b0bdb966a2c1a621abb19ccc02b

SHA1
f101a42a632083b2ea998548460853bacc82ac16

SHA256
91e43ec242a6fc698602e0f2ce2f14349f7c202e38536a69c47bb535f119f4ed

SHA512
413c0cbda3d119e0a1da14261857d51c8e9f01d9b807a6c61435e4a6887917dde3fdf6b3a41b77d7ea0660597c0b51f073de4940f71d39308a8bcc6c736b0972

Download Submit
C:\Users\Admin\AppData\Local\Temp\ibijfof.exe
Filesize
669KB

MD5
155ab33421d639aa9ccdf2d7ba737597

SHA1
79832dfd4d164dcfcd9355a6655baacbc93b8de7

SHA256
a1a2194e2cdd188ea4a375f7cdc3c7849b4bee36a059b72ad8c923c4e3516c1b

SHA512
6642d621ad518ce208b4005bed67c7551d45bb6d63ffe5a6b22e82ec9be02244494f619fb5ec7c375e55ecd7433d9ce0ce3b10dc94932e84ac810146ebb59512

Download Submit
C:\Users\Admin\AppData\Local\Temp\ibijfof.exe
Filesize
669KB

MD5
155ab33421d639aa9ccdf2d7ba737597

SHA1
79832dfd4d164dcfcd9355a6655baacbc93b8de7

SHA256
a1a2194e2cdd188ea4a375f7cdc3c7849b4bee36a059b72ad8c923c4e3516c1b

SHA512
6642d621ad518ce208b4005bed67c7551d45bb6d63ffe5a6b22e82ec9be02244494f619fb5ec7c375e55ecd7433d9ce0ce3b10dc94932e84ac810146ebb59512

Download Submit
C:\Users\Admin\AppData\Local\Temp\iccowof.exe
Filesize
411KB

MD5
4ad1da41e24763bf66ff2e3387889d81

SHA1
3b5036f8c2b870c4a6762a9ede7b29c402de5c11

SHA256
8b89abdd2b36b90ffb9e170ccd9a1b3b98473102d4440960ce6f293b15fc5f2d

SHA512
969c06fcb94db0f157b73e27c7a3e4c1b9be56aac021a079f08391c921d160b691fe46ad44baaab85819f0a3baa3b8f008c5043787dc5c0754f24447fda3257f

Download Submit
C:\Users\Admin\AppData\Local\Temp\iccowof.exe
Filesize
411KB

MD5
4ad1da41e24763bf66ff2e3387889d81

SHA1
3b5036f8c2b870c4a6762a9ede7b29c402de5c11

SHA256
8b89abdd2b36b90ffb9e170ccd9a1b3b98473102d4440960ce6f293b15fc5f2d

SHA512
969c06fcb94db0f157b73e27c7a3e4c1b9be56aac021a079f08391c921d160b691fe46ad44baaab85819f0a3baa3b8f008c5043787dc5c0754f24447fda3257f

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA240.tmp
Filesize
676KB

MD5
a1fa60cf8828808bab5a753407e04178

SHA1
4b5256f3ee9af09c737d108c0cf073e348af673f

SHA256
fc20d8d26a2a51b3845b9af041692eb75101103c897e455b49676ec7189a70bd

SHA512
2846b34a340fe241f9681b1212dc63b96326bd96c6f9e50812c1cdae2f0ec50729269d2dc5546be2f386632184cb42abb78ae9c2cc86815b114b213a80d672df

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA240.tmp
Filesize
676KB

MD5
a1fa60cf8828808bab5a753407e04178

SHA1
4b5256f3ee9af09c737d108c0cf073e348af673f

SHA256
fc20d8d26a2a51b3845b9af041692eb75101103c897e455b49676ec7189a70bd

SHA512
2846b34a340fe241f9681b1212dc63b96326bd96c6f9e50812c1cdae2f0ec50729269d2dc5546be2f386632184cb42abb78ae9c2cc86815b114b213a80d672df

Download Submit
memory/792-143-0x0000000000000000-mapping.dmp

Download
memory/1712-137-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1712-141-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1712-133-0x0000000000000000-mapping.dmp

Download
memory/2176-146-0x0000000000000000-mapping.dmp

Download
memory/2176-149-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/2176-151-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/2552-144-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/2552-132-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/3684-142-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/3684-138-0x0000000000000000-mapping.dmp

Download