563b26bc372d1c871924c160256213a33e7baa4036fc3f140924d2d140bd8e9e

Analysis

max time kernel
165s
max time network
195s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 21:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

563b26bc372d1c871924c160256213a33e7baa4036fc3f140924d2d140bd8e9e.exe
Size

681KB
MD5

43f848f66c1e8da2e45a86f0372cdde0
SHA1

c8a6bf91e77dd6da6c9c95b8610dafd72c07da1e
SHA256

563b26bc372d1c871924c160256213a33e7baa4036fc3f140924d2d140bd8e9e
SHA512

5587a0b15f7be60ceae6218e785c0e857f1cb8cb9b398818206fd6d9f9ec5f7438747a9177b905dd26c914792cdaeffaa0ca84e24b6502d62b963c47816fb9e1
SSDEEP

12288:VHjcoe9PH96vB/fAuBcm9TyOE/xG3muGx44MG4Yx:VDgINfAuBcgcZG2uG24MG4Y

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

wytyyrs.exe~DFA254.tmptoersis.exe

pid process

864 wytyyrs.exe
4028 ~DFA254.tmp
1876 toersis.exe

pid	process
864	wytyyrs.exe
4028	~DFA254.tmp
1876	toersis.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

563b26bc372d1c871924c160256213a33e7baa4036fc3f140924d2d140bd8e9e.exe~DFA254.tmp

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	563b26bc372d1c871924c160256213a33e7baa4036fc3f140924d2d140bd8e9e.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	~DFA254.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

toersis.exe

pid	process
1876	toersis.exe
1876	toersis.exe
1876	toersis.exe
1876	toersis.exe
1876	toersis.exe
1876	toersis.exe
1876	toersis.exe
1876	toersis.exe
1876	toersis.exe
1876	toersis.exe
1876	toersis.exe
1876	toersis.exe
1876	toersis.exe
1876	toersis.exe
1876	toersis.exe
1876	toersis.exe
1876	toersis.exe
1876	toersis.exe
1876	toersis.exe
1876	toersis.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

~DFA254.tmp

description pid process

Token: SeDebugPrivilege 4028 ~DFA254.tmp

description	pid	process
Token: SeDebugPrivilege	4028	~DFA254.tmp

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

563b26bc372d1c871924c160256213a33e7baa4036fc3f140924d2d140bd8e9e.exewytyyrs.exe~DFA254.tmp

description	pid	process	target process
PID 5100 wrote to memory of 864	5100	563b26bc372d1c871924c160256213a33e7baa4036fc3f140924d2d140bd8e9e.exe	wytyyrs.exe
PID 5100 wrote to memory of 864	5100	563b26bc372d1c871924c160256213a33e7baa4036fc3f140924d2d140bd8e9e.exe	wytyyrs.exe
PID 5100 wrote to memory of 864	5100	563b26bc372d1c871924c160256213a33e7baa4036fc3f140924d2d140bd8e9e.exe	wytyyrs.exe
PID 864 wrote to memory of 4028	864	wytyyrs.exe	~DFA254.tmp
PID 864 wrote to memory of 4028	864	wytyyrs.exe	~DFA254.tmp
PID 864 wrote to memory of 4028	864	wytyyrs.exe	~DFA254.tmp
PID 5100 wrote to memory of 2828	5100	563b26bc372d1c871924c160256213a33e7baa4036fc3f140924d2d140bd8e9e.exe	cmd.exe
PID 5100 wrote to memory of 2828	5100	563b26bc372d1c871924c160256213a33e7baa4036fc3f140924d2d140bd8e9e.exe	cmd.exe
PID 5100 wrote to memory of 2828	5100	563b26bc372d1c871924c160256213a33e7baa4036fc3f140924d2d140bd8e9e.exe	cmd.exe
PID 4028 wrote to memory of 1876	4028	~DFA254.tmp	toersis.exe
PID 4028 wrote to memory of 1876	4028	~DFA254.tmp	toersis.exe
PID 4028 wrote to memory of 1876	4028	~DFA254.tmp	toersis.exe

C:\Users\Admin\AppData\Local\Temp\563b26bc372d1c871924c160256213a33e7baa4036fc3f140924d2d140bd8e9e.exe
"C:\Users\Admin\AppData\Local\Temp\563b26bc372d1c871924c160256213a33e7baa4036fc3f140924d2d140bd8e9e.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5100

C:\Users\Admin\AppData\Local\Temp\wytyyrs.exe
C:\Users\Admin\AppData\Local\Temp\wytyyrs.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:864

C:\Users\Admin\AppData\Local\Temp\~DFA254.tmp
C:\Users\Admin\AppData\Local\Temp\~DFA254.tmp OK
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4028

C:\Users\Admin\AppData\Local\Temp\toersis.exe
"C:\Users\Admin\AppData\Local\Temp\toersis.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1876

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
2⤵
PID:2828

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uninsep.bat
Filesize
341B

MD5
d59e6dfc409c78c91d4c2736078f11c2

SHA1
0839ca5c96e9d5efdbc26bba99d238ad274b2411

SHA256
d4c88884ffb3aea795e974c38c08f2db2b1df0e0346fcb036897ac42bcd62849

SHA512
05f069f7265fe21dc4f4fe54cbb7c5a62854c49e0bbe9069a13333dda55c42311512ac4d0780b1735a61f48ec629dffa938494a604a9d0f93f883c6e3b811e33

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini
Filesize
104B

MD5
86bb2dbeaef655893262f3c041f6afe2

SHA1
1b26ff1241c1353bd506c18bd0c11878076ba65d

SHA256
4a57643d2c59d1235bc0926f845583f39345839e3e9428ad619eb4b6baf96ad2

SHA512
58294cfaa5882a4c5625c03fe6f9e4882912b31f7169241f95626745d66c0a746083a9044365943d66ae7a420113d28c0ddd642c4ed697c683deb63796a13d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
Filesize
480B

MD5
6faae78c63a41ffd9872a75e1b9aa2cc

SHA1
0122fb700a3e0cfb0e1c6505926397bc52f810b8

SHA256
adc05fa291f097dd8a529251cd1bedfe0e462b7c3848921eb7f5f67dfa8ce138

SHA512
4e62de026c1f1ce907de7a194dc7ab1fed98d9c5bdb0131d577d35b690034bf06c59e915cd4fa481743858a7f0a1b400b9711ad2bdd82c30ef36815d00239990

Download Submit
C:\Users\Admin\AppData\Local\Temp\toersis.exe
Filesize
371KB

MD5
c8369972970e769952356b2e466f8565

SHA1
0f2d819dbb89bc06c4d7086db5100ec9ef30a718

SHA256
833886f0d3aed09ebb06a33d8994cb525a6c6e5ec10909e0d3b4b4c7212f7218

SHA512
e284f842a9247dfb7ec5bcd101c455608527a33c6f4deff4410433909046ba39ed6bf9351f20a5d223fcad318d96f43a35027f53d7d5e3335ef7408bfea0b771

Download Submit
C:\Users\Admin\AppData\Local\Temp\toersis.exe
Filesize
371KB

MD5
c8369972970e769952356b2e466f8565

SHA1
0f2d819dbb89bc06c4d7086db5100ec9ef30a718

SHA256
833886f0d3aed09ebb06a33d8994cb525a6c6e5ec10909e0d3b4b4c7212f7218

SHA512
e284f842a9247dfb7ec5bcd101c455608527a33c6f4deff4410433909046ba39ed6bf9351f20a5d223fcad318d96f43a35027f53d7d5e3335ef7408bfea0b771

Download Submit
C:\Users\Admin\AppData\Local\Temp\wytyyrs.exe
Filesize
686KB

MD5
f78a484f90697ce1864f964c4f9d62aa

SHA1
caba47e93dec4bfad0b0649fc5586de1ea28f12e

SHA256
e282fa8af0c37eb588dff64449a256d53c3a71433a1fba917fac7ccc494a607b

SHA512
98986cfc0dccc146a3122c060d957bf59138ced1f092445a2d7ae8121a8232db952931e2563b2722b9bfd82eb92b6287f7dbd946146f845d176cbfe5e7f42917

Download Submit
C:\Users\Admin\AppData\Local\Temp\wytyyrs.exe
Filesize
686KB

MD5
f78a484f90697ce1864f964c4f9d62aa

SHA1
caba47e93dec4bfad0b0649fc5586de1ea28f12e

SHA256
e282fa8af0c37eb588dff64449a256d53c3a71433a1fba917fac7ccc494a607b

SHA512
98986cfc0dccc146a3122c060d957bf59138ced1f092445a2d7ae8121a8232db952931e2563b2722b9bfd82eb92b6287f7dbd946146f845d176cbfe5e7f42917

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA254.tmp
Filesize
693KB

MD5
1fca57727ea3e35bddc93a5761838302

SHA1
7073ca47e053ea98916267f5869f4c6c311f1b5f

SHA256
b66be39ddb9a5c59365a1a6dc2b79780033b1a58832c04b37c6325a802ab9fd6

SHA512
daa4fc5a7a4c472125aa7a38614a52e232fa2a387407c572a65196131020a8550ce947fcf1a6fe1cf890e4f860f50fcc2da8f454a1e50da83a182f6dcd4328b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA254.tmp
Filesize
693KB

MD5
1fca57727ea3e35bddc93a5761838302

SHA1
7073ca47e053ea98916267f5869f4c6c311f1b5f

SHA256
b66be39ddb9a5c59365a1a6dc2b79780033b1a58832c04b37c6325a802ab9fd6

SHA512
daa4fc5a7a4c472125aa7a38614a52e232fa2a387407c572a65196131020a8550ce947fcf1a6fe1cf890e4f860f50fcc2da8f454a1e50da83a182f6dcd4328b0

Download Submit
memory/864-133-0x0000000000000000-mapping.dmp

Download
memory/864-137-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/864-143-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1876-147-0x0000000000000000-mapping.dmp

Download
memory/1876-150-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/2828-144-0x0000000000000000-mapping.dmp

Download
memory/4028-142-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/4028-139-0x0000000000000000-mapping.dmp

Download
memory/5100-145-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/5100-132-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/5100-138-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download