96befb447a5a953dfcb07acc26d358d2b2511a650c2615408cc6b5c395e291f4

Analysis

max time kernel
191s
max time network
220s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 21:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

96befb447a5a953dfcb07acc26d358d2b2511a650c2615408cc6b5c395e291f4.exe
Size

669KB
MD5

529afe0f51eff7bcf18d7d7f890aa530
SHA1

05d4c07e5bbf4a789fe2458b8a3326b3c2c46674
SHA256

96befb447a5a953dfcb07acc26d358d2b2511a650c2615408cc6b5c395e291f4
SHA512

e8e49584d91a465612620f6b199ebd328c89fac6dae4c58fd0015b9200c5f2a0b0ed8d042bd55c22278db0289a6032d468b91fd2760ec964d7911c6f4e84f9a4
SSDEEP

12288:VHjcoe9PH96vB/fAuBcm9TyOE/xG3muGx44MG4Yx:VDgINfAuBcgcZG2uG24MG4Y

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

rikyiec.exe~DFA269.tmpqavukec.exe

pid process

3548 rikyiec.exe
4004 ~DFA269.tmp
4076 qavukec.exe

pid	process
3548	rikyiec.exe
4004	~DFA269.tmp
4076	qavukec.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

96befb447a5a953dfcb07acc26d358d2b2511a650c2615408cc6b5c395e291f4.exe~DFA269.tmp

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	96befb447a5a953dfcb07acc26d358d2b2511a650c2615408cc6b5c395e291f4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	~DFA269.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 34 IoCs

Processes:

qavukec.exe

pid	process
4076	qavukec.exe
4076	qavukec.exe
4076	qavukec.exe
4076	qavukec.exe
4076	qavukec.exe
4076	qavukec.exe
4076	qavukec.exe
4076	qavukec.exe
4076	qavukec.exe
4076	qavukec.exe
4076	qavukec.exe
4076	qavukec.exe
4076	qavukec.exe
4076	qavukec.exe
4076	qavukec.exe
4076	qavukec.exe
4076	qavukec.exe
4076	qavukec.exe
4076	qavukec.exe
4076	qavukec.exe
4076	qavukec.exe
4076	qavukec.exe
4076	qavukec.exe
4076	qavukec.exe
4076	qavukec.exe
4076	qavukec.exe
4076	qavukec.exe
4076	qavukec.exe
4076	qavukec.exe
4076	qavukec.exe
4076	qavukec.exe
4076	qavukec.exe
4076	qavukec.exe
4076	qavukec.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

~DFA269.tmp

description pid process

Token: SeDebugPrivilege 4004 ~DFA269.tmp

description	pid	process
Token: SeDebugPrivilege	4004	~DFA269.tmp

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

96befb447a5a953dfcb07acc26d358d2b2511a650c2615408cc6b5c395e291f4.exerikyiec.exe~DFA269.tmp

description	pid	process	target process
PID 2056 wrote to memory of 3548	2056	96befb447a5a953dfcb07acc26d358d2b2511a650c2615408cc6b5c395e291f4.exe	rikyiec.exe
PID 2056 wrote to memory of 3548	2056	96befb447a5a953dfcb07acc26d358d2b2511a650c2615408cc6b5c395e291f4.exe	rikyiec.exe
PID 2056 wrote to memory of 3548	2056	96befb447a5a953dfcb07acc26d358d2b2511a650c2615408cc6b5c395e291f4.exe	rikyiec.exe
PID 3548 wrote to memory of 4004	3548	rikyiec.exe	~DFA269.tmp
PID 3548 wrote to memory of 4004	3548	rikyiec.exe	~DFA269.tmp
PID 3548 wrote to memory of 4004	3548	rikyiec.exe	~DFA269.tmp
PID 2056 wrote to memory of 3632	2056	96befb447a5a953dfcb07acc26d358d2b2511a650c2615408cc6b5c395e291f4.exe	cmd.exe
PID 2056 wrote to memory of 3632	2056	96befb447a5a953dfcb07acc26d358d2b2511a650c2615408cc6b5c395e291f4.exe	cmd.exe
PID 2056 wrote to memory of 3632	2056	96befb447a5a953dfcb07acc26d358d2b2511a650c2615408cc6b5c395e291f4.exe	cmd.exe
PID 4004 wrote to memory of 4076	4004	~DFA269.tmp	qavukec.exe
PID 4004 wrote to memory of 4076	4004	~DFA269.tmp	qavukec.exe
PID 4004 wrote to memory of 4076	4004	~DFA269.tmp	qavukec.exe

C:\Users\Admin\AppData\Local\Temp\96befb447a5a953dfcb07acc26d358d2b2511a650c2615408cc6b5c395e291f4.exe
"C:\Users\Admin\AppData\Local\Temp\96befb447a5a953dfcb07acc26d358d2b2511a650c2615408cc6b5c395e291f4.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2056

C:\Users\Admin\AppData\Local\Temp\rikyiec.exe
C:\Users\Admin\AppData\Local\Temp\rikyiec.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3548

C:\Users\Admin\AppData\Local\Temp\~DFA269.tmp
C:\Users\Admin\AppData\Local\Temp\~DFA269.tmp OK
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4004

C:\Users\Admin\AppData\Local\Temp\qavukec.exe
"C:\Users\Admin\AppData\Local\Temp\qavukec.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4076

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
2⤵
PID:3632

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uninsep.bat
Filesize
341B

MD5
f90647b585a14bc8e53385e97a57256d

SHA1
4ccf8491dfc83b505b2dbf919a381e5137ee9adb

SHA256
600e5c4928fee287d45c6f2918d4d85edb0353abbb6f65505c2aba74b9f54823

SHA512
7af79912b6047f68bd469885dc39f67422a762080ec0b702a7b21b6b9560e35b8c744d75361eed08233f26ab9cf63a838c4fbe8cbc25567defe9eb4673af77ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini
Filesize
104B

MD5
86bb2dbeaef655893262f3c041f6afe2

SHA1
1b26ff1241c1353bd506c18bd0c11878076ba65d

SHA256
4a57643d2c59d1235bc0926f845583f39345839e3e9428ad619eb4b6baf96ad2

SHA512
58294cfaa5882a4c5625c03fe6f9e4882912b31f7169241f95626745d66c0a746083a9044365943d66ae7a420113d28c0ddd642c4ed697c683deb63796a13d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
Filesize
480B

MD5
d9434784e356dd104b675c71edc77fd6

SHA1
7ed4e94f93af7d72ed27edc2bae0c191af0013c2

SHA256
74187cc117dfaaf3fdb30e2114d60d54bd6ff4d969c19306ccae9fe0ff6d4f66

SHA512
c739d8aa89b1f3f081246805f757fd417dfbb2e8cf8b9d07dc3516e71594ae3ca9b7fffd006d5b379175df49163c57d9645e43764d1271cf2428afc40af61a7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\qavukec.exe
Filesize
409KB

MD5
a2f5f78bb6a07dffba3c37b905268a5f

SHA1
36d38e0a1e3838d1e9b9966b9290fae56807b0b5

SHA256
56c8df22b70d32c96c6c054658bbdee1d0f4c1d09f574e54f51696a0c07802cb

SHA512
2bad87ac34650bd954949ad5e4a0936b2be5bfc543c6f499be1a96918424d8c9c419f2ff62f82c6e75b1d65ca50b9896bdb9e462141f19b71e494358f60a87c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\qavukec.exe
Filesize
409KB

MD5
a2f5f78bb6a07dffba3c37b905268a5f

SHA1
36d38e0a1e3838d1e9b9966b9290fae56807b0b5

SHA256
56c8df22b70d32c96c6c054658bbdee1d0f4c1d09f574e54f51696a0c07802cb

SHA512
2bad87ac34650bd954949ad5e4a0936b2be5bfc543c6f499be1a96918424d8c9c419f2ff62f82c6e75b1d65ca50b9896bdb9e462141f19b71e494358f60a87c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\rikyiec.exe
Filesize
675KB

MD5
704e1ca6f14b2694597af3b6f965c7a4

SHA1
ad6605280781cd46f2c1c1d19a85e85cd6d630b6

SHA256
b2ebe1b7632507ec601c3a882c63222b4a2fc99ef3d50c7582c1535297f83365

SHA512
b67eb58328e8f37856ded803d66c8fae892122d0b0d806f69227ee70b8265a98bd98621c52848801ab34fcd3310e3d71849a3559d7ff1734ad7eadc0eb508687

Download Submit
C:\Users\Admin\AppData\Local\Temp\rikyiec.exe
Filesize
675KB

MD5
704e1ca6f14b2694597af3b6f965c7a4

SHA1
ad6605280781cd46f2c1c1d19a85e85cd6d630b6

SHA256
b2ebe1b7632507ec601c3a882c63222b4a2fc99ef3d50c7582c1535297f83365

SHA512
b67eb58328e8f37856ded803d66c8fae892122d0b0d806f69227ee70b8265a98bd98621c52848801ab34fcd3310e3d71849a3559d7ff1734ad7eadc0eb508687

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA269.tmp
Filesize
682KB

MD5
050f83ceca43dea7c9b0b58857d6328b

SHA1
8655710f5d624fbe59f9f81997e03e230632e2f3

SHA256
ff8d8923f75fd8ad6bc72590a16dac8b10d267cf2503fd2a10d1a2bc93dbc52d

SHA512
4150bbcb7c7e047ac6eaa28574fadc2b109561b5970fe334d8abd7010f0bd259ba4e3e438dea94650583408ea799446584c4ee15a464ed2753d200cbb701ea4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA269.tmp
Filesize
682KB

MD5
050f83ceca43dea7c9b0b58857d6328b

SHA1
8655710f5d624fbe59f9f81997e03e230632e2f3

SHA256
ff8d8923f75fd8ad6bc72590a16dac8b10d267cf2503fd2a10d1a2bc93dbc52d

SHA512
4150bbcb7c7e047ac6eaa28574fadc2b109561b5970fe334d8abd7010f0bd259ba4e3e438dea94650583408ea799446584c4ee15a464ed2753d200cbb701ea4d

Download Submit
memory/2056-143-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/2056-132-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/3548-136-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/3548-141-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/3548-133-0x0000000000000000-mapping.dmp

Download
memory/3632-142-0x0000000000000000-mapping.dmp

Download
memory/4004-145-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/4004-138-0x0000000000000000-mapping.dmp

Download
memory/4076-146-0x0000000000000000-mapping.dmp

Download
memory/4076-149-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/4076-151-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download