21c506e618fe07f4b369d1401a2ac5294408b1efbb1dae44c5cbafc6ea27e7da

Analysis

max time kernel
159s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 21:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

21c506e618fe07f4b369d1401a2ac5294408b1efbb1dae44c5cbafc6ea27e7da.exe
Size

600KB
MD5

46007898edda62aa7e0fc39c57e5fe90
SHA1

7efc2f85849c9b0f0912d22a4b6a7cd48ef0ddc1
SHA256

21c506e618fe07f4b369d1401a2ac5294408b1efbb1dae44c5cbafc6ea27e7da
SHA512

2d8f84a945b5ca7ff57577709156764b80ee9988f85f77cafbd130643935b729361d60434f8ebcd7d53655bec5c3a09fcaf5c9cd0e89fd4dda47cec0bee82e56
SSDEEP

12288:VHjcoe9PH96vB/fAuBcm9TyOE/xG3muGx44MG4Yx:VDgINfAuBcgcZG2uG24MG4Y

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

poijhya.exe~DFA24A.tmpqoduibl.exe

pid process

4876 poijhya.exe
1372 ~DFA24A.tmp
3188 qoduibl.exe

pid	process
4876	poijhya.exe
1372	~DFA24A.tmp
3188	qoduibl.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

21c506e618fe07f4b369d1401a2ac5294408b1efbb1dae44c5cbafc6ea27e7da.exe~DFA24A.tmp

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	21c506e618fe07f4b369d1401a2ac5294408b1efbb1dae44c5cbafc6ea27e7da.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	~DFA24A.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 42 IoCs

Processes:

qoduibl.exe

pid	process
3188	qoduibl.exe
3188	qoduibl.exe
3188	qoduibl.exe
3188	qoduibl.exe
3188	qoduibl.exe
3188	qoduibl.exe
3188	qoduibl.exe
3188	qoduibl.exe
3188	qoduibl.exe
3188	qoduibl.exe
3188	qoduibl.exe
3188	qoduibl.exe
3188	qoduibl.exe
3188	qoduibl.exe
3188	qoduibl.exe
3188	qoduibl.exe
3188	qoduibl.exe
3188	qoduibl.exe
3188	qoduibl.exe
3188	qoduibl.exe
3188	qoduibl.exe
3188	qoduibl.exe
3188	qoduibl.exe
3188	qoduibl.exe
3188	qoduibl.exe
3188	qoduibl.exe
3188	qoduibl.exe
3188	qoduibl.exe
3188	qoduibl.exe
3188	qoduibl.exe
3188	qoduibl.exe
3188	qoduibl.exe
3188	qoduibl.exe
3188	qoduibl.exe
3188	qoduibl.exe
3188	qoduibl.exe
3188	qoduibl.exe
3188	qoduibl.exe
3188	qoduibl.exe
3188	qoduibl.exe
3188	qoduibl.exe
3188	qoduibl.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

~DFA24A.tmp

description pid process

Token: SeDebugPrivilege 1372 ~DFA24A.tmp

description	pid	process
Token: SeDebugPrivilege	1372	~DFA24A.tmp

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

21c506e618fe07f4b369d1401a2ac5294408b1efbb1dae44c5cbafc6ea27e7da.exepoijhya.exe~DFA24A.tmp

description	pid	process	target process
PID 4824 wrote to memory of 4876	4824	21c506e618fe07f4b369d1401a2ac5294408b1efbb1dae44c5cbafc6ea27e7da.exe	poijhya.exe
PID 4824 wrote to memory of 4876	4824	21c506e618fe07f4b369d1401a2ac5294408b1efbb1dae44c5cbafc6ea27e7da.exe	poijhya.exe
PID 4824 wrote to memory of 4876	4824	21c506e618fe07f4b369d1401a2ac5294408b1efbb1dae44c5cbafc6ea27e7da.exe	poijhya.exe
PID 4876 wrote to memory of 1372	4876	poijhya.exe	~DFA24A.tmp
PID 4876 wrote to memory of 1372	4876	poijhya.exe	~DFA24A.tmp
PID 4876 wrote to memory of 1372	4876	poijhya.exe	~DFA24A.tmp
PID 4824 wrote to memory of 4540	4824	21c506e618fe07f4b369d1401a2ac5294408b1efbb1dae44c5cbafc6ea27e7da.exe	cmd.exe
PID 4824 wrote to memory of 4540	4824	21c506e618fe07f4b369d1401a2ac5294408b1efbb1dae44c5cbafc6ea27e7da.exe	cmd.exe
PID 4824 wrote to memory of 4540	4824	21c506e618fe07f4b369d1401a2ac5294408b1efbb1dae44c5cbafc6ea27e7da.exe	cmd.exe
PID 1372 wrote to memory of 3188	1372	~DFA24A.tmp	qoduibl.exe
PID 1372 wrote to memory of 3188	1372	~DFA24A.tmp	qoduibl.exe
PID 1372 wrote to memory of 3188	1372	~DFA24A.tmp	qoduibl.exe

C:\Users\Admin\AppData\Local\Temp\21c506e618fe07f4b369d1401a2ac5294408b1efbb1dae44c5cbafc6ea27e7da.exe
"C:\Users\Admin\AppData\Local\Temp\21c506e618fe07f4b369d1401a2ac5294408b1efbb1dae44c5cbafc6ea27e7da.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4824
- C:\Users\Admin\AppData\Local\Temp\poijhya.exe
  C:\Users\Admin\AppData\Local\Temp\poijhya.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4876
- - C:\Users\Admin\AppData\Local\Temp\~DFA24A.tmp
    C:\Users\Admin\AppData\Local\Temp\~DFA24A.tmp OK
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1372
  - - C:\Users\Admin\AppData\Local\Temp\qoduibl.exe
      "C:\Users\Admin\AppData\Local\Temp\qoduibl.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:3188
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
  2⤵
  PID:4540

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uninsep.bat

Filesize
341B

MD5
d3e0c2aee919583dfdc4f2bb80afc588

SHA1
26a0d4d7e957d9689a85b0a3548af110799c69da

SHA256
ffc8c99f1241bf6455f3f7b1ade9c9f53c87341006f7785362fb097d32a253c5

SHA512
011ab3259993911e6a88432937d65ad7dfe17d45f38aba7ce38943cf1b62c5fb7c9f68053102602d60b1733945972674f950521e0560b175d64bd3889a52b0f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
86bb2dbeaef655893262f3c041f6afe2

SHA1
1b26ff1241c1353bd506c18bd0c11878076ba65d

SHA256
4a57643d2c59d1235bc0926f845583f39345839e3e9428ad619eb4b6baf96ad2

SHA512
58294cfaa5882a4c5625c03fe6f9e4882912b31f7169241f95626745d66c0a746083a9044365943d66ae7a420113d28c0ddd642c4ed697c683deb63796a13d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
480B

MD5
e23db8f81fec88831c3316f6761c6e01

SHA1
5f0f0a7b89231c7679226c6ede23e1aa21d698fa

SHA256
5b5df162d10d3a24cc97248e2fc940550cea7dd7a1f77494b305b589d46511e9

SHA512
01543feae8ec6c09281713f0dc78074f1b5651af92ce5296e9dc524524331466dd146d0a91c878c7b670bae7641aacfc4ec5d5bf118ffcc0cb019bf8f6c9aa31

Download Submit
C:\Users\Admin\AppData\Local\Temp\poijhya.exe

Filesize
606KB

MD5
15b7111b6244a515ba1b5fbb85bc7670

SHA1
4ebc1db76add2428e44be026b0eb9463c7e3628c

SHA256
cba32ac904c44f10bec8c156f8ab0d40c925e5227e4f04adaafc314432f8e606

SHA512
c51d80d20a378c140fb76ebc63ac7c88c4f6cfd29245b72a14f4f18703aa3d09a0bdbfdbb2e834a8355412de6ee35c458154c4e0ac52a1d412b6bfc7e278e51f

Download Submit
C:\Users\Admin\AppData\Local\Temp\poijhya.exe

Filesize
606KB

MD5
15b7111b6244a515ba1b5fbb85bc7670

SHA1
4ebc1db76add2428e44be026b0eb9463c7e3628c

SHA256
cba32ac904c44f10bec8c156f8ab0d40c925e5227e4f04adaafc314432f8e606

SHA512
c51d80d20a378c140fb76ebc63ac7c88c4f6cfd29245b72a14f4f18703aa3d09a0bdbfdbb2e834a8355412de6ee35c458154c4e0ac52a1d412b6bfc7e278e51f

Download Submit
C:\Users\Admin\AppData\Local\Temp\qoduibl.exe

Filesize
413KB

MD5
17c931af22dae0379f39520d29cbfff3

SHA1
ee18d10469b64bcd6d6a6ce569b23234cee4644e

SHA256
df2984400cb68874fa955882b914d1b5e27650bb9d57ebfa0b4427981e0e608d

SHA512
25d735017065777dc1405f5cd19bbbeb3da770c68fb3eca4aaed7fcbd03cd13e93ae24c9f3af739e683e271c6bb747ca8e77c69110eb3f2864b3c7344b62de76

Download Submit
C:\Users\Admin\AppData\Local\Temp\qoduibl.exe

Filesize
413KB

MD5
17c931af22dae0379f39520d29cbfff3

SHA1
ee18d10469b64bcd6d6a6ce569b23234cee4644e

SHA256
df2984400cb68874fa955882b914d1b5e27650bb9d57ebfa0b4427981e0e608d

SHA512
25d735017065777dc1405f5cd19bbbeb3da770c68fb3eca4aaed7fcbd03cd13e93ae24c9f3af739e683e271c6bb747ca8e77c69110eb3f2864b3c7344b62de76

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA24A.tmp

Filesize
612KB

MD5
5b615a2d1ddeb5fdf00524a482715616

SHA1
aad3e2b41fb41c4ed028dd18059d75065c3b10fe

SHA256
1da5f66b3fd7b342311eda47006700217357d8e7ab917046bfdcf8fc485ba82d

SHA512
c480042c043be9f7349c59ef45376977f00ee1bcb17137a2c88446cfeb18d96458afa8d5e344ce5f415576b303e04e36bf5fbadb8e8f8942d59d8ef980918031

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA24A.tmp

Filesize
612KB

MD5
5b615a2d1ddeb5fdf00524a482715616

SHA1
aad3e2b41fb41c4ed028dd18059d75065c3b10fe

SHA256
1da5f66b3fd7b342311eda47006700217357d8e7ab917046bfdcf8fc485ba82d

SHA512
c480042c043be9f7349c59ef45376977f00ee1bcb17137a2c88446cfeb18d96458afa8d5e344ce5f415576b303e04e36bf5fbadb8e8f8942d59d8ef980918031

Download Submit
memory/1372-138-0x0000000000000000-mapping.dmp

Download
memory/1372-145-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/3188-149-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/3188-151-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/3188-146-0x0000000000000000-mapping.dmp

Download
memory/4540-141-0x0000000000000000-mapping.dmp

Download
memory/4824-142-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/4824-132-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/4876-144-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/4876-137-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/4876-133-0x0000000000000000-mapping.dmp

Download