e22630225a736abff39be497ca526e89c07d4806ece58f3b4d4d764fff5c8248

Analysis

max time kernel
155s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 21:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e22630225a736abff39be497ca526e89c07d4806ece58f3b4d4d764fff5c8248.exe
Size

620KB
MD5

448948245976e63b7b21994ed26fb170
SHA1

f220add2d29c1ebd25a31afb5f45cd8b232591e9
SHA256

e22630225a736abff39be497ca526e89c07d4806ece58f3b4d4d764fff5c8248
SHA512

9ab347f7b336b06d3bc5807291e292c89a28adf389eea3577a502445bd1e0fa4cface2921aba39bd414673ab8ed046c11058085931c0840c2d82171253523c5e
SSDEEP

12288:VHjcoe9PH96vB/fAuBcm9TyOE/xG3muGx44MG4Yx:VDgINfAuBcgcZG2uG24MG4Y

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

byzeygg.exe~DFA231.tmphikeigg.exe

pid process

3940 byzeygg.exe
4708 ~DFA231.tmp
4312 hikeigg.exe

pid	process
3940	byzeygg.exe
4708	~DFA231.tmp
4312	hikeigg.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

~DFA231.tmpe22630225a736abff39be497ca526e89c07d4806ece58f3b4d4d764fff5c8248.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	~DFA231.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	e22630225a736abff39be497ca526e89c07d4806ece58f3b4d4d764fff5c8248.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 32 IoCs

Processes:

hikeigg.exe

pid	process
4312	hikeigg.exe
4312	hikeigg.exe
4312	hikeigg.exe
4312	hikeigg.exe
4312	hikeigg.exe
4312	hikeigg.exe
4312	hikeigg.exe
4312	hikeigg.exe
4312	hikeigg.exe
4312	hikeigg.exe
4312	hikeigg.exe
4312	hikeigg.exe
4312	hikeigg.exe
4312	hikeigg.exe
4312	hikeigg.exe
4312	hikeigg.exe
4312	hikeigg.exe
4312	hikeigg.exe
4312	hikeigg.exe
4312	hikeigg.exe
4312	hikeigg.exe
4312	hikeigg.exe
4312	hikeigg.exe
4312	hikeigg.exe
4312	hikeigg.exe
4312	hikeigg.exe
4312	hikeigg.exe
4312	hikeigg.exe
4312	hikeigg.exe
4312	hikeigg.exe
4312	hikeigg.exe
4312	hikeigg.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

~DFA231.tmp

description pid process

Token: SeDebugPrivilege 4708 ~DFA231.tmp

description	pid	process
Token: SeDebugPrivilege	4708	~DFA231.tmp

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

e22630225a736abff39be497ca526e89c07d4806ece58f3b4d4d764fff5c8248.exebyzeygg.exe~DFA231.tmp

description	pid	process	target process
PID 3528 wrote to memory of 3940	3528	e22630225a736abff39be497ca526e89c07d4806ece58f3b4d4d764fff5c8248.exe	byzeygg.exe
PID 3528 wrote to memory of 3940	3528	e22630225a736abff39be497ca526e89c07d4806ece58f3b4d4d764fff5c8248.exe	byzeygg.exe
PID 3528 wrote to memory of 3940	3528	e22630225a736abff39be497ca526e89c07d4806ece58f3b4d4d764fff5c8248.exe	byzeygg.exe
PID 3940 wrote to memory of 4708	3940	byzeygg.exe	~DFA231.tmp
PID 3940 wrote to memory of 4708	3940	byzeygg.exe	~DFA231.tmp
PID 3940 wrote to memory of 4708	3940	byzeygg.exe	~DFA231.tmp
PID 3528 wrote to memory of 1048	3528	e22630225a736abff39be497ca526e89c07d4806ece58f3b4d4d764fff5c8248.exe	cmd.exe
PID 3528 wrote to memory of 1048	3528	e22630225a736abff39be497ca526e89c07d4806ece58f3b4d4d764fff5c8248.exe	cmd.exe
PID 3528 wrote to memory of 1048	3528	e22630225a736abff39be497ca526e89c07d4806ece58f3b4d4d764fff5c8248.exe	cmd.exe
PID 4708 wrote to memory of 4312	4708	~DFA231.tmp	hikeigg.exe
PID 4708 wrote to memory of 4312	4708	~DFA231.tmp	hikeigg.exe
PID 4708 wrote to memory of 4312	4708	~DFA231.tmp	hikeigg.exe

C:\Users\Admin\AppData\Local\Temp\e22630225a736abff39be497ca526e89c07d4806ece58f3b4d4d764fff5c8248.exe
"C:\Users\Admin\AppData\Local\Temp\e22630225a736abff39be497ca526e89c07d4806ece58f3b4d4d764fff5c8248.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3528

C:\Users\Admin\AppData\Local\Temp\byzeygg.exe
C:\Users\Admin\AppData\Local\Temp\byzeygg.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3940

C:\Users\Admin\AppData\Local\Temp\~DFA231.tmp
C:\Users\Admin\AppData\Local\Temp\~DFA231.tmp OK
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4708

C:\Users\Admin\AppData\Local\Temp\hikeigg.exe
"C:\Users\Admin\AppData\Local\Temp\hikeigg.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4312

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
2⤵
PID:1048

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uninsep.bat

Filesize
341B

MD5
c94c53f663bf6f18201916e1575c4bba

SHA1
18d56e52989c27893661cc3490d68dd0f64a256f

SHA256
3de27610130650cde28e0dc9dcdb06b9076a829630a7e1916765073d0d0339cb

SHA512
a363e31b9d421d696d70bf31000da98de05aaf1e641ac95f7cd2ea5bcbcaa1e61c80503e55ecce788b577c61de550b70e14a68c675d09f2c55c79ce56f1b4d53

Download Submit
C:\Users\Admin\AppData\Local\Temp\byzeygg.exe

Filesize
620KB

MD5
aa8f834ef9f9ca3b46569b6694ede725

SHA1
d6323fbe09d2f2792310faab66800349a0adf4dc

SHA256
a7d0ffd35e3faafd7df8d4fa2df36f8851d21247f4eba6dbe5f492fdb0445a63

SHA512
077e8cce601c5041d5516655a4c114f264f42e5d3e17f0767e100d88bba91cb5b4d14bddc7e9c0dfe6808de5e41ee89cbc1c955057b330ffd1b8cf42bd8ab5a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\byzeygg.exe

Filesize
620KB

MD5
aa8f834ef9f9ca3b46569b6694ede725

SHA1
d6323fbe09d2f2792310faab66800349a0adf4dc

SHA256
a7d0ffd35e3faafd7df8d4fa2df36f8851d21247f4eba6dbe5f492fdb0445a63

SHA512
077e8cce601c5041d5516655a4c114f264f42e5d3e17f0767e100d88bba91cb5b4d14bddc7e9c0dfe6808de5e41ee89cbc1c955057b330ffd1b8cf42bd8ab5a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
86bb2dbeaef655893262f3c041f6afe2

SHA1
1b26ff1241c1353bd506c18bd0c11878076ba65d

SHA256
4a57643d2c59d1235bc0926f845583f39345839e3e9428ad619eb4b6baf96ad2

SHA512
58294cfaa5882a4c5625c03fe6f9e4882912b31f7169241f95626745d66c0a746083a9044365943d66ae7a420113d28c0ddd642c4ed697c683deb63796a13d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
480B

MD5
09bc0abfb18a9f019c2347d9c8729f6a

SHA1
dacd3e40648363767a6ac91807e7b44d8e6b8ffc

SHA256
ffc883ac9526007b001c7a1c3ddbce8e0a61717701b646373b35ab4c11c73ec9

SHA512
fb4863bb068f5c717cb94e49816e958f4f5c65f96a32c8ef61bdfc3f4c2209cf0a27fb81a4f555969a21d1c688a811547dbe1c8444b623f3fb17e8d981e87754

Download Submit
C:\Users\Admin\AppData\Local\Temp\hikeigg.exe

Filesize
401KB

MD5
55564cbf4e9d63f9648b06eef7035143

SHA1
7e042cb6ff94f371e8c8ed5578a43e3ea2a87a18

SHA256
dcce1d7cafa75b4d855b570d559777213ec4937a15950fa5dfe41f40b8db002a

SHA512
198ab95328fcb74e9748c7ca7fd77d082358048afea0c7c5a6c7208aba59072967461ceacaf448f6099bf6b6ebdd32d95d73746766b87a794646d0bcd82aeb9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\hikeigg.exe

Filesize
401KB

MD5
55564cbf4e9d63f9648b06eef7035143

SHA1
7e042cb6ff94f371e8c8ed5578a43e3ea2a87a18

SHA256
dcce1d7cafa75b4d855b570d559777213ec4937a15950fa5dfe41f40b8db002a

SHA512
198ab95328fcb74e9748c7ca7fd77d082358048afea0c7c5a6c7208aba59072967461ceacaf448f6099bf6b6ebdd32d95d73746766b87a794646d0bcd82aeb9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA231.tmp

Filesize
622KB

MD5
6101e9af347e7bed66278611cba2e70c

SHA1
bfc788becd025bf9aa42315f88c1eb80c57b3fa4

SHA256
7bbf37b19ab7657e3fdf4c8783c4cbecaf9c68d44f7ccc43e7724e26c2290a64

SHA512
8398790c676b1d12a531c1db3e4c28bc74014b557a57715e9ed9a1b77056d4833b3c2062916be675da531ee9e88715d9fef66b370f118885563e6c073474c0f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA231.tmp

Filesize
622KB

MD5
6101e9af347e7bed66278611cba2e70c

SHA1
bfc788becd025bf9aa42315f88c1eb80c57b3fa4

SHA256
7bbf37b19ab7657e3fdf4c8783c4cbecaf9c68d44f7ccc43e7724e26c2290a64

SHA512
8398790c676b1d12a531c1db3e4c28bc74014b557a57715e9ed9a1b77056d4833b3c2062916be675da531ee9e88715d9fef66b370f118885563e6c073474c0f2

Download Submit
memory/1048-142-0x0000000000000000-mapping.dmp

Download
memory/3528-143-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/3528-132-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/3940-137-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/3940-141-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/3940-133-0x0000000000000000-mapping.dmp

Download
memory/4312-146-0x0000000000000000-mapping.dmp

Download
memory/4312-150-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/4708-145-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/4708-138-0x0000000000000000-mapping.dmp

Download