e4acfe20761c7014a2252b128d6841ecbfecfe7c7351d1ffd6c13d105fe4c7c5

Analysis

max time kernel
180s
max time network
193s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 21:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e4acfe20761c7014a2252b128d6841ecbfecfe7c7351d1ffd6c13d105fe4c7c5.exe
Size

639KB
MD5

45cd3172c82ced49112cd853152b4ae0
SHA1

51cb0b265807a344ef501595f2c62cc1629a1636
SHA256

e4acfe20761c7014a2252b128d6841ecbfecfe7c7351d1ffd6c13d105fe4c7c5
SHA512

bc836ad281bce8be1f552bdefe9ad43e6d8705ea5b334b562480298cdbf09dba1fc19e3b6043e79151576b3e44bbc40fd908b9142f0f8ae8ca62ae7e693b8618
SSDEEP

12288:VHjcoe9PH96vB/fAuBcm9TyOE/xG3muGx44MG4Yx:VDgINfAuBcgcZG2uG24MG4Y

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

goholo.exe~DFA251.tmpowbeiu.exe

pid process

2568 goholo.exe
5088 ~DFA251.tmp
3064 owbeiu.exe

pid	process
2568	goholo.exe
5088	~DFA251.tmp
3064	owbeiu.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

e4acfe20761c7014a2252b128d6841ecbfecfe7c7351d1ffd6c13d105fe4c7c5.exe~DFA251.tmp

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	e4acfe20761c7014a2252b128d6841ecbfecfe7c7351d1ffd6c13d105fe4c7c5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	~DFA251.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 36 IoCs

Processes:

owbeiu.exe

pid	process
3064	owbeiu.exe
3064	owbeiu.exe
3064	owbeiu.exe
3064	owbeiu.exe
3064	owbeiu.exe
3064	owbeiu.exe
3064	owbeiu.exe
3064	owbeiu.exe
3064	owbeiu.exe
3064	owbeiu.exe
3064	owbeiu.exe
3064	owbeiu.exe
3064	owbeiu.exe
3064	owbeiu.exe
3064	owbeiu.exe
3064	owbeiu.exe
3064	owbeiu.exe
3064	owbeiu.exe
3064	owbeiu.exe
3064	owbeiu.exe
3064	owbeiu.exe
3064	owbeiu.exe
3064	owbeiu.exe
3064	owbeiu.exe
3064	owbeiu.exe
3064	owbeiu.exe
3064	owbeiu.exe
3064	owbeiu.exe
3064	owbeiu.exe
3064	owbeiu.exe
3064	owbeiu.exe
3064	owbeiu.exe
3064	owbeiu.exe
3064	owbeiu.exe
3064	owbeiu.exe
3064	owbeiu.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

~DFA251.tmp

description pid process

Token: SeDebugPrivilege 5088 ~DFA251.tmp

description	pid	process
Token: SeDebugPrivilege	5088	~DFA251.tmp

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

e4acfe20761c7014a2252b128d6841ecbfecfe7c7351d1ffd6c13d105fe4c7c5.exegoholo.exe~DFA251.tmp

description	pid	process	target process
PID 1304 wrote to memory of 2568	1304	e4acfe20761c7014a2252b128d6841ecbfecfe7c7351d1ffd6c13d105fe4c7c5.exe	goholo.exe
PID 1304 wrote to memory of 2568	1304	e4acfe20761c7014a2252b128d6841ecbfecfe7c7351d1ffd6c13d105fe4c7c5.exe	goholo.exe
PID 1304 wrote to memory of 2568	1304	e4acfe20761c7014a2252b128d6841ecbfecfe7c7351d1ffd6c13d105fe4c7c5.exe	goholo.exe
PID 2568 wrote to memory of 5088	2568	goholo.exe	~DFA251.tmp
PID 2568 wrote to memory of 5088	2568	goholo.exe	~DFA251.tmp
PID 2568 wrote to memory of 5088	2568	goholo.exe	~DFA251.tmp
PID 1304 wrote to memory of 1552	1304	e4acfe20761c7014a2252b128d6841ecbfecfe7c7351d1ffd6c13d105fe4c7c5.exe	cmd.exe
PID 1304 wrote to memory of 1552	1304	e4acfe20761c7014a2252b128d6841ecbfecfe7c7351d1ffd6c13d105fe4c7c5.exe	cmd.exe
PID 1304 wrote to memory of 1552	1304	e4acfe20761c7014a2252b128d6841ecbfecfe7c7351d1ffd6c13d105fe4c7c5.exe	cmd.exe
PID 5088 wrote to memory of 3064	5088	~DFA251.tmp	owbeiu.exe
PID 5088 wrote to memory of 3064	5088	~DFA251.tmp	owbeiu.exe
PID 5088 wrote to memory of 3064	5088	~DFA251.tmp	owbeiu.exe

C:\Users\Admin\AppData\Local\Temp\e4acfe20761c7014a2252b128d6841ecbfecfe7c7351d1ffd6c13d105fe4c7c5.exe
"C:\Users\Admin\AppData\Local\Temp\e4acfe20761c7014a2252b128d6841ecbfecfe7c7351d1ffd6c13d105fe4c7c5.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1304

C:\Users\Admin\AppData\Local\Temp\goholo.exe
C:\Users\Admin\AppData\Local\Temp\goholo.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2568

C:\Users\Admin\AppData\Local\Temp\~DFA251.tmp
C:\Users\Admin\AppData\Local\Temp\~DFA251.tmp OK
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5088

C:\Users\Admin\AppData\Local\Temp\owbeiu.exe
"C:\Users\Admin\AppData\Local\Temp\owbeiu.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3064

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
2⤵
PID:1552

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uninsep.bat
Filesize
341B

MD5
cb37a9d114c4c4c3cdf8c4c6d11a2ab6

SHA1
45f15034714988265276fd121c0c8c79af328815

SHA256
c2e6c8584eff688333839436c637118b91e54f098f6c30c95082e41dcdeb260f

SHA512
b9fa29b955afa8d95854bb526fbe3c5decccd3420461dfeb3931adc0a888e50a3331647e35818e10bc60e3eff37ae11b642174c4b1892b11d02e36e4e2f939cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini
Filesize
104B

MD5
86bb2dbeaef655893262f3c041f6afe2

SHA1
1b26ff1241c1353bd506c18bd0c11878076ba65d

SHA256
4a57643d2c59d1235bc0926f845583f39345839e3e9428ad619eb4b6baf96ad2

SHA512
58294cfaa5882a4c5625c03fe6f9e4882912b31f7169241f95626745d66c0a746083a9044365943d66ae7a420113d28c0ddd642c4ed697c683deb63796a13d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\goholo.exe
Filesize
639KB

MD5
ea778455057620f4f7796744602bd2ed

SHA1
d3519e35e1703cbf61a5ed063b574be10358a103

SHA256
4b8efceeffb0678ece178b5da607584358a2c2feaffc02c8b8a95192486acf5a

SHA512
db4a40a4483b6aeae10dab675025a6ef33923c921ce843ec1140f8836ff69bd34da89a71c2ac67d2c47548480ff59a63ba2e897c89973a54d3f94a1841091c34

Download Submit
C:\Users\Admin\AppData\Local\Temp\goholo.exe
Filesize
639KB

MD5
ea778455057620f4f7796744602bd2ed

SHA1
d3519e35e1703cbf61a5ed063b574be10358a103

SHA256
4b8efceeffb0678ece178b5da607584358a2c2feaffc02c8b8a95192486acf5a

SHA512
db4a40a4483b6aeae10dab675025a6ef33923c921ce843ec1140f8836ff69bd34da89a71c2ac67d2c47548480ff59a63ba2e897c89973a54d3f94a1841091c34

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
Filesize
480B

MD5
22e431e299c47dcb4d748633debc11db

SHA1
363fe7de92525400b59e155b4bc6fc72887eeb7b

SHA256
d5845aad968082350b3e72579b2960b010f4df7a9f81c4450e008d9de2f9b400

SHA512
e27efc9a9ae36ac16add6038d8ce0e30af18b90eafe831378f1a2a36bc49b9b35461aacc0d3d428d5cd3a0c2f2f422cea290b20d9079b8e126b707e8573cd7a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\owbeiu.exe
Filesize
409KB

MD5
528d4e8159717457cf1b40354cb41bbc

SHA1
4f0d2be91cc2f24a1b2fca3cefc0b0ccde26e12c

SHA256
22b9fce9b764e179886cbd9730b049881e7134ee11a96324ad80db04834be714

SHA512
e855a3e402efb00c539a930c81c05ba67a67857de6d9ca6240f987900463aa4f6b4cc640301686b18625fc285c0bb19e0fbb57d30c50061315cb0fba93742ba9

Download Submit
C:\Users\Admin\AppData\Local\Temp\owbeiu.exe
Filesize
409KB

MD5
528d4e8159717457cf1b40354cb41bbc

SHA1
4f0d2be91cc2f24a1b2fca3cefc0b0ccde26e12c

SHA256
22b9fce9b764e179886cbd9730b049881e7134ee11a96324ad80db04834be714

SHA512
e855a3e402efb00c539a930c81c05ba67a67857de6d9ca6240f987900463aa4f6b4cc640301686b18625fc285c0bb19e0fbb57d30c50061315cb0fba93742ba9

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA251.tmp
Filesize
642KB

MD5
e5b4122b4b7c89e7487c63e430e206eb

SHA1
5c9e257b7c6574d3f7cfccd56ef12a91212ca587

SHA256
8db95e06001472a02563d00db60964acf8bf28653c537fbef647da1fda3f8e90

SHA512
4fab06e1f5980e94084c0cbb101577bbf99ea44b157bc14f3dcaf821a01416d5279eda3f49be153487df25c1da6136a63d2e3cefa82574c3c8208141687735f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA251.tmp
Filesize
642KB

MD5
e5b4122b4b7c89e7487c63e430e206eb

SHA1
5c9e257b7c6574d3f7cfccd56ef12a91212ca587

SHA256
8db95e06001472a02563d00db60964acf8bf28653c537fbef647da1fda3f8e90

SHA512
4fab06e1f5980e94084c0cbb101577bbf99ea44b157bc14f3dcaf821a01416d5279eda3f49be153487df25c1da6136a63d2e3cefa82574c3c8208141687735f6

Download Submit
memory/1304-132-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1304-144-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1552-143-0x0000000000000000-mapping.dmp

Download
memory/2568-136-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/2568-141-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/2568-133-0x0000000000000000-mapping.dmp

Download
memory/3064-146-0x0000000000000000-mapping.dmp

Download
memory/3064-149-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/3064-151-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/5088-142-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/5088-138-0x0000000000000000-mapping.dmp

Download