c301436433c7d188fe8a6029be3ab56037681dc2114b4076bc45ccc734597d03

Analysis

max time kernel
152s
max time network
162s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 21:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c301436433c7d188fe8a6029be3ab56037681dc2114b4076bc45ccc734597d03.exe
Size

634KB
MD5

53779464597721027201b0d4e555e2a0
SHA1

5bc917fc7bffd1bee8c358cc2d0cf5d2f7e84460
SHA256

c301436433c7d188fe8a6029be3ab56037681dc2114b4076bc45ccc734597d03
SHA512

e12c93027444017dda513cf997e23c27000f1eb47a90e063a246a4bed97b4cf800e025d37c571c233e55a97a01e2e8c9dacb0f68e64db849f0da348e111f7089
SSDEEP

12288:OHjcoe9PH96vB/fAuBcm9TyOE/xG3muGx44MG4Yx:ODgINfAuBcgcZG2uG24MG4Y

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

fomefav.exe~DFA22D.tmpagqekuv.exe

pid process

3548 fomefav.exe
1936 ~DFA22D.tmp
4972 agqekuv.exe

pid	process
3548	fomefav.exe
1936	~DFA22D.tmp
4972	agqekuv.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

c301436433c7d188fe8a6029be3ab56037681dc2114b4076bc45ccc734597d03.exe~DFA22D.tmp

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	c301436433c7d188fe8a6029be3ab56037681dc2114b4076bc45ccc734597d03.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	~DFA22D.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 38 IoCs

Processes:

agqekuv.exe

pid	process
4972	agqekuv.exe
4972	agqekuv.exe
4972	agqekuv.exe
4972	agqekuv.exe
4972	agqekuv.exe
4972	agqekuv.exe
4972	agqekuv.exe
4972	agqekuv.exe
4972	agqekuv.exe
4972	agqekuv.exe
4972	agqekuv.exe
4972	agqekuv.exe
4972	agqekuv.exe
4972	agqekuv.exe
4972	agqekuv.exe
4972	agqekuv.exe
4972	agqekuv.exe
4972	agqekuv.exe
4972	agqekuv.exe
4972	agqekuv.exe
4972	agqekuv.exe
4972	agqekuv.exe
4972	agqekuv.exe
4972	agqekuv.exe
4972	agqekuv.exe
4972	agqekuv.exe
4972	agqekuv.exe
4972	agqekuv.exe
4972	agqekuv.exe
4972	agqekuv.exe
4972	agqekuv.exe
4972	agqekuv.exe
4972	agqekuv.exe
4972	agqekuv.exe
4972	agqekuv.exe
4972	agqekuv.exe
4972	agqekuv.exe
4972	agqekuv.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

~DFA22D.tmp

description pid process

Token: SeDebugPrivilege 1936 ~DFA22D.tmp

description	pid	process
Token: SeDebugPrivilege	1936	~DFA22D.tmp

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

c301436433c7d188fe8a6029be3ab56037681dc2114b4076bc45ccc734597d03.exefomefav.exe~DFA22D.tmp

description	pid	process	target process
PID 2296 wrote to memory of 3548	2296	c301436433c7d188fe8a6029be3ab56037681dc2114b4076bc45ccc734597d03.exe	fomefav.exe
PID 2296 wrote to memory of 3548	2296	c301436433c7d188fe8a6029be3ab56037681dc2114b4076bc45ccc734597d03.exe	fomefav.exe
PID 2296 wrote to memory of 3548	2296	c301436433c7d188fe8a6029be3ab56037681dc2114b4076bc45ccc734597d03.exe	fomefav.exe
PID 3548 wrote to memory of 1936	3548	fomefav.exe	~DFA22D.tmp
PID 3548 wrote to memory of 1936	3548	fomefav.exe	~DFA22D.tmp
PID 3548 wrote to memory of 1936	3548	fomefav.exe	~DFA22D.tmp
PID 2296 wrote to memory of 3244	2296	c301436433c7d188fe8a6029be3ab56037681dc2114b4076bc45ccc734597d03.exe	cmd.exe
PID 2296 wrote to memory of 3244	2296	c301436433c7d188fe8a6029be3ab56037681dc2114b4076bc45ccc734597d03.exe	cmd.exe
PID 2296 wrote to memory of 3244	2296	c301436433c7d188fe8a6029be3ab56037681dc2114b4076bc45ccc734597d03.exe	cmd.exe
PID 1936 wrote to memory of 4972	1936	~DFA22D.tmp	agqekuv.exe
PID 1936 wrote to memory of 4972	1936	~DFA22D.tmp	agqekuv.exe
PID 1936 wrote to memory of 4972	1936	~DFA22D.tmp	agqekuv.exe

C:\Users\Admin\AppData\Local\Temp\c301436433c7d188fe8a6029be3ab56037681dc2114b4076bc45ccc734597d03.exe
"C:\Users\Admin\AppData\Local\Temp\c301436433c7d188fe8a6029be3ab56037681dc2114b4076bc45ccc734597d03.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2296

C:\Users\Admin\AppData\Local\Temp\fomefav.exe
C:\Users\Admin\AppData\Local\Temp\fomefav.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3548

C:\Users\Admin\AppData\Local\Temp\~DFA22D.tmp
C:\Users\Admin\AppData\Local\Temp\~DFA22D.tmp OK
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1936

C:\Users\Admin\AppData\Local\Temp\agqekuv.exe
"C:\Users\Admin\AppData\Local\Temp\agqekuv.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4972

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
2⤵
PID:3244

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uninsep.bat

Filesize
341B

MD5
50f9eafeb8cf49f507514e3a245270a5

SHA1
c476059a477afe51076d76dcf0fef4eb24257609

SHA256
30bd1d012bae82e4f93849f887b5cec2fbbf263eedda81e31d4832e7220790bf

SHA512
23733df5ecd94c6e62556b8cd7f32506bfaad671b934a674fedb703da79ba9dea53bb71882fa15a240447b4ef43a41d9c6a414264645a5dc3579fc76e3e5d503

Download Submit
C:\Users\Admin\AppData\Local\Temp\agqekuv.exe

Filesize
391KB

MD5
a987f7d056f1271d599370b95c97b125

SHA1
6e3c205bbb2b329ab148aa80800a1256e5a01264

SHA256
82544db74701fd7b40d77abdbd4232d702840f701ed8a009077049d64a5af4ca

SHA512
ead9deb8ce54c721cbd6b0a60ed260a2a1494ce621b7d7a5373b29bf93750fbfbd20bd1d6a10e7d13c79ad6f67e704db9121222b5fcb739d3f24df5b93074fda

Download Submit
C:\Users\Admin\AppData\Local\Temp\agqekuv.exe

Filesize
391KB

MD5
a987f7d056f1271d599370b95c97b125

SHA1
6e3c205bbb2b329ab148aa80800a1256e5a01264

SHA256
82544db74701fd7b40d77abdbd4232d702840f701ed8a009077049d64a5af4ca

SHA512
ead9deb8ce54c721cbd6b0a60ed260a2a1494ce621b7d7a5373b29bf93750fbfbd20bd1d6a10e7d13c79ad6f67e704db9121222b5fcb739d3f24df5b93074fda

Download Submit
C:\Users\Admin\AppData\Local\Temp\fomefav.exe

Filesize
641KB

MD5
7be3f9f88aba09e231e95eee3829ef83

SHA1
f4e8c5544589cf1ed16fcaede4e0a2f84c2355ce

SHA256
5033d3e0571b122aaad50352a6dea052feb52741ff83673f37c29c5618942204

SHA512
8241b4817a84d85d41f177517443393b041adf96ccf5ae2fa49d157cdbd5b1b9f1d02684dc490af819642c0e222ce380db89653caecdb0a02ef284bd2121b590

Download Submit
C:\Users\Admin\AppData\Local\Temp\fomefav.exe

Filesize
641KB

MD5
7be3f9f88aba09e231e95eee3829ef83

SHA1
f4e8c5544589cf1ed16fcaede4e0a2f84c2355ce

SHA256
5033d3e0571b122aaad50352a6dea052feb52741ff83673f37c29c5618942204

SHA512
8241b4817a84d85d41f177517443393b041adf96ccf5ae2fa49d157cdbd5b1b9f1d02684dc490af819642c0e222ce380db89653caecdb0a02ef284bd2121b590

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
86bb2dbeaef655893262f3c041f6afe2

SHA1
1b26ff1241c1353bd506c18bd0c11878076ba65d

SHA256
4a57643d2c59d1235bc0926f845583f39345839e3e9428ad619eb4b6baf96ad2

SHA512
58294cfaa5882a4c5625c03fe6f9e4882912b31f7169241f95626745d66c0a746083a9044365943d66ae7a420113d28c0ddd642c4ed697c683deb63796a13d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
480B

MD5
521b407f6d6587858c98f29836605b4f

SHA1
c90b05e9eb8b9f4f499f4b26c6fafed3630fe9dc

SHA256
f284d0ca30e201987438b0a26d73f8242e949fb1fb8b45dc81f6f3345e88f467

SHA512
19e0ead3e0a93af51f70c265de2b35d6037921c202c8e3bbf9ede780c219603c8c99d0e10908eee747c1d2820f69d9f9fa28eb0635f3d4ba5e7230e10322efa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA22D.tmp

Filesize
649KB

MD5
83e118b9d32688c27a18c34097632704

SHA1
ba9ae90a64938a19cf6e3f6a17691fcc1286b331

SHA256
37a2f84577937338117b613f42addb47228e6c7ed3285e076f561618ba4bc7e2

SHA512
35d6079972f08192bd37bea4258ccc3bd62d96ba98de83b774572400177d21cb5479f42d9d7889c4c5bb212f633be1070daa6a0524a1f8da1a1df1527046a34a

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA22D.tmp

Filesize
649KB

MD5
83e118b9d32688c27a18c34097632704

SHA1
ba9ae90a64938a19cf6e3f6a17691fcc1286b331

SHA256
37a2f84577937338117b613f42addb47228e6c7ed3285e076f561618ba4bc7e2

SHA512
35d6079972f08192bd37bea4258ccc3bd62d96ba98de83b774572400177d21cb5479f42d9d7889c4c5bb212f633be1070daa6a0524a1f8da1a1df1527046a34a

Download Submit
memory/1936-138-0x0000000000000000-mapping.dmp

Download
memory/1936-145-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/2296-142-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/2296-132-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/3244-141-0x0000000000000000-mapping.dmp

Download
memory/3548-143-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/3548-137-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/3548-133-0x0000000000000000-mapping.dmp

Download
memory/4972-146-0x0000000000000000-mapping.dmp

Download
memory/4972-149-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/4972-151-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download