75aecf9c8ea62f5ffaa52d74f6d20e9249418823fc3b9707517d3e325ad23eab

Analysis

max time kernel
153s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 21:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

75aecf9c8ea62f5ffaa52d74f6d20e9249418823fc3b9707517d3e325ad23eab.exe
Size

654KB
MD5

46627d964f330fc382a8266ed7720380
SHA1

0e298f50a7106f8b2152aecb316ead61033bed39
SHA256

75aecf9c8ea62f5ffaa52d74f6d20e9249418823fc3b9707517d3e325ad23eab
SHA512

778e6cff3dde31cfd50e39fb11b1020b259b25f5fb371531d98026f09953490be7f001e3334a77666499fa3027d4b486f892d470a58bfe3bc75b403755bedda2
SSDEEP

12288:OHjcoe9PH96vB/fAuBcm9TyOE/xG3muGx44MG4Yx:ODgINfAuBcgcZG2uG24MG4Y

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

egvaaj.exe~DFA259.tmpitmube.exe

pid process

1628 egvaaj.exe
3408 ~DFA259.tmp
4268 itmube.exe

pid	process
1628	egvaaj.exe
3408	~DFA259.tmp
4268	itmube.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

75aecf9c8ea62f5ffaa52d74f6d20e9249418823fc3b9707517d3e325ad23eab.exe~DFA259.tmp

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	75aecf9c8ea62f5ffaa52d74f6d20e9249418823fc3b9707517d3e325ad23eab.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	~DFA259.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

itmube.exe

pid	process
4268	itmube.exe
4268	itmube.exe
4268	itmube.exe
4268	itmube.exe
4268	itmube.exe
4268	itmube.exe
4268	itmube.exe
4268	itmube.exe
4268	itmube.exe
4268	itmube.exe
4268	itmube.exe
4268	itmube.exe
4268	itmube.exe
4268	itmube.exe
4268	itmube.exe
4268	itmube.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

~DFA259.tmp

description pid process

Token: SeDebugPrivilege 3408 ~DFA259.tmp

description	pid	process
Token: SeDebugPrivilege	3408	~DFA259.tmp

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

75aecf9c8ea62f5ffaa52d74f6d20e9249418823fc3b9707517d3e325ad23eab.exeegvaaj.exe~DFA259.tmp

description	pid	process	target process
PID 3300 wrote to memory of 1628	3300	75aecf9c8ea62f5ffaa52d74f6d20e9249418823fc3b9707517d3e325ad23eab.exe	egvaaj.exe
PID 3300 wrote to memory of 1628	3300	75aecf9c8ea62f5ffaa52d74f6d20e9249418823fc3b9707517d3e325ad23eab.exe	egvaaj.exe
PID 3300 wrote to memory of 1628	3300	75aecf9c8ea62f5ffaa52d74f6d20e9249418823fc3b9707517d3e325ad23eab.exe	egvaaj.exe
PID 1628 wrote to memory of 3408	1628	egvaaj.exe	~DFA259.tmp
PID 1628 wrote to memory of 3408	1628	egvaaj.exe	~DFA259.tmp
PID 1628 wrote to memory of 3408	1628	egvaaj.exe	~DFA259.tmp
PID 3300 wrote to memory of 1036	3300	75aecf9c8ea62f5ffaa52d74f6d20e9249418823fc3b9707517d3e325ad23eab.exe	cmd.exe
PID 3300 wrote to memory of 1036	3300	75aecf9c8ea62f5ffaa52d74f6d20e9249418823fc3b9707517d3e325ad23eab.exe	cmd.exe
PID 3300 wrote to memory of 1036	3300	75aecf9c8ea62f5ffaa52d74f6d20e9249418823fc3b9707517d3e325ad23eab.exe	cmd.exe
PID 3408 wrote to memory of 4268	3408	~DFA259.tmp	itmube.exe
PID 3408 wrote to memory of 4268	3408	~DFA259.tmp	itmube.exe
PID 3408 wrote to memory of 4268	3408	~DFA259.tmp	itmube.exe

C:\Users\Admin\AppData\Local\Temp\75aecf9c8ea62f5ffaa52d74f6d20e9249418823fc3b9707517d3e325ad23eab.exe
"C:\Users\Admin\AppData\Local\Temp\75aecf9c8ea62f5ffaa52d74f6d20e9249418823fc3b9707517d3e325ad23eab.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3300

C:\Users\Admin\AppData\Local\Temp\egvaaj.exe
C:\Users\Admin\AppData\Local\Temp\egvaaj.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1628

C:\Users\Admin\AppData\Local\Temp\~DFA259.tmp
C:\Users\Admin\AppData\Local\Temp\~DFA259.tmp OK
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3408

C:\Users\Admin\AppData\Local\Temp\itmube.exe
"C:\Users\Admin\AppData\Local\Temp\itmube.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4268

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
2⤵
PID:1036

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uninsep.bat
Filesize
341B

MD5
5a227f15087a52036f5d875768c82061

SHA1
098df470f169161c931055c75009240859647794

SHA256
3a7761ed65350b6b4afa65e414f8d030468ad96192bd58109063d3ef8328848a

SHA512
5be9272c7cc97e185fb8f51f3db002f008c81531a0564907f3955bcd87da90f9cc3bb7602101c11435ee3aaa70c23f117881bf804cae78ae80616b74c8bccbc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\egvaaj.exe
Filesize
662KB

MD5
c237d1eaa680baa422b6eab32e895d28

SHA1
d8b5a7335399076804f6633bb7443dd36be283c3

SHA256
abd12760677118f3718fb2095df432ee116b74a845678414a5f954e413ac88ef

SHA512
71ca565c4ab1d92ff50f2ba8579818b689f1b8bb19fd1a185da93bd06835bd4066f7cadf0f9a429579ea2ff3a638b6cc7cc3f4ee2650a324832b79bab864d498

Download Submit
C:\Users\Admin\AppData\Local\Temp\egvaaj.exe
Filesize
662KB

MD5
c237d1eaa680baa422b6eab32e895d28

SHA1
d8b5a7335399076804f6633bb7443dd36be283c3

SHA256
abd12760677118f3718fb2095df432ee116b74a845678414a5f954e413ac88ef

SHA512
71ca565c4ab1d92ff50f2ba8579818b689f1b8bb19fd1a185da93bd06835bd4066f7cadf0f9a429579ea2ff3a638b6cc7cc3f4ee2650a324832b79bab864d498

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini
Filesize
104B

MD5
86bb2dbeaef655893262f3c041f6afe2

SHA1
1b26ff1241c1353bd506c18bd0c11878076ba65d

SHA256
4a57643d2c59d1235bc0926f845583f39345839e3e9428ad619eb4b6baf96ad2

SHA512
58294cfaa5882a4c5625c03fe6f9e4882912b31f7169241f95626745d66c0a746083a9044365943d66ae7a420113d28c0ddd642c4ed697c683deb63796a13d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
Filesize
480B

MD5
dd91643e7fc83fed86dde7971fd62d7f

SHA1
989540483e4267e8382bb196f4c252e6df5274a8

SHA256
cfd4ad186dfb1bdef8f42dd7308364796549234ac12d57a170ae7b0967574a76

SHA512
aadeb99c0364fa619b57397a727fdd2ee2930a987a3fec72b40ba9886c5d02a7f4fd42ee7f72817a06b41711707ed942d5aa815865ac4b498439bd973072ac14

Download Submit
C:\Users\Admin\AppData\Local\Temp\itmube.exe
Filesize
379KB

MD5
e1e83e1a24e84aef31ad781532f1bf3c

SHA1
9df6cb71a52d239ce872bc410873363a1d956c0b

SHA256
31c6b79c0cf3c74693845969d7eb60ff9c2592c3e82d0de77c8de80f50c8aa6d

SHA512
db1ff1f29164ad75b542988b503d9746a6f36c267728a0d436e9487f247e7150599931f1ef86753ee0b3762d5da1b31660e456edd64029c54bd29da589020611

Download Submit
C:\Users\Admin\AppData\Local\Temp\itmube.exe
Filesize
379KB

MD5
e1e83e1a24e84aef31ad781532f1bf3c

SHA1
9df6cb71a52d239ce872bc410873363a1d956c0b

SHA256
31c6b79c0cf3c74693845969d7eb60ff9c2592c3e82d0de77c8de80f50c8aa6d

SHA512
db1ff1f29164ad75b542988b503d9746a6f36c267728a0d436e9487f247e7150599931f1ef86753ee0b3762d5da1b31660e456edd64029c54bd29da589020611

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA259.tmp
Filesize
664KB

MD5
575271c4240e1798b99c6371f4900114

SHA1
b897693a18e1249b83bc6c5553908045aec97f9f

SHA256
293d059813b8b529171ce208e96db76a584f78c694907ff9f0eca53fb9b793d3

SHA512
c3bda1b97a512c069386777dd7fdc55e30a451823fe97649b80790c4296f8b8eebc1afdb3442e5d76007b67ed9cab28a3a1f4fb989e9fb748a0d05e9a2e8df1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA259.tmp
Filesize
664KB

MD5
575271c4240e1798b99c6371f4900114

SHA1
b897693a18e1249b83bc6c5553908045aec97f9f

SHA256
293d059813b8b529171ce208e96db76a584f78c694907ff9f0eca53fb9b793d3

SHA512
c3bda1b97a512c069386777dd7fdc55e30a451823fe97649b80790c4296f8b8eebc1afdb3442e5d76007b67ed9cab28a3a1f4fb989e9fb748a0d05e9a2e8df1d

Download Submit
memory/1036-145-0x0000000000000000-mapping.dmp

Download
memory/1628-139-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1628-144-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1628-137-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1628-134-0x0000000000000000-mapping.dmp

Download
memory/3300-132-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/3300-146-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/3300-133-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/3408-143-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/3408-140-0x0000000000000000-mapping.dmp

Download
memory/3408-148-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/4268-149-0x0000000000000000-mapping.dmp

Download
memory/4268-152-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download