66dfb70ef70159b6dca15976c2e43346cacdb36b8e1b2cb71ebcfa2f884fcd4c

Analysis

max time kernel
159s
max time network
161s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
01/12/2022, 09:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

66dfb70ef70159b6dca15976c2e43346cacdb36b8e1b2cb71ebcfa2f884fcd4c.exe
Size

477KB
MD5

6987e9b81baccbb1dee2feff78dee9d0
SHA1

018411350364a911a5022355e0de7aa532ab249e
SHA256

66dfb70ef70159b6dca15976c2e43346cacdb36b8e1b2cb71ebcfa2f884fcd4c
SHA512

5657e7b25bf72a08bce0eaf875193c8f14e20841cb4cb054fe87b9c6ba5c489f62d8dcdd20f97ed9a7719cea0a9e31edcb2743bde7e7654a1a2726d2d8a01316
SSDEEP

12288:9PTveekpmU2GxQA5dZWkZK6nPqM+WcD4ellNrr/w:9I24QAhWhWMHD4MlNHw

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4904	ebzob.exe
3804	royjv.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	66dfb70ef70159b6dca15976c2e43346cacdb36b8e1b2cb71ebcfa2f884fcd4c.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	ebzob.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3804	royjv.exe
3804	royjv.exe
3804	royjv.exe
3804	royjv.exe
3804	royjv.exe
3804	royjv.exe
3804	royjv.exe
3804	royjv.exe
3804	royjv.exe
3804	royjv.exe
3804	royjv.exe
3804	royjv.exe
3804	royjv.exe
3804	royjv.exe
3804	royjv.exe
3804	royjv.exe
3804	royjv.exe
3804	royjv.exe
3804	royjv.exe
3804	royjv.exe
3804	royjv.exe
3804	royjv.exe
3804	royjv.exe
3804	royjv.exe
3804	royjv.exe
3804	royjv.exe
3804	royjv.exe
3804	royjv.exe
3804	royjv.exe
3804	royjv.exe
3804	royjv.exe
3804	royjv.exe
3804	royjv.exe
3804	royjv.exe
3804	royjv.exe
3804	royjv.exe
3804	royjv.exe
3804	royjv.exe
3804	royjv.exe
3804	royjv.exe
3804	royjv.exe
3804	royjv.exe
3804	royjv.exe
3804	royjv.exe
3804	royjv.exe
3804	royjv.exe
3804	royjv.exe
3804	royjv.exe
3804	royjv.exe
3804	royjv.exe
3804	royjv.exe
3804	royjv.exe
3804	royjv.exe
3804	royjv.exe
3804	royjv.exe
3804	royjv.exe
3804	royjv.exe
3804	royjv.exe
3804	royjv.exe
3804	royjv.exe
3804	royjv.exe
3804	royjv.exe
3804	royjv.exe
3804	royjv.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 5072 wrote to memory of 4904	5072	66dfb70ef70159b6dca15976c2e43346cacdb36b8e1b2cb71ebcfa2f884fcd4c.exe	82
PID 5072 wrote to memory of 4904	5072	66dfb70ef70159b6dca15976c2e43346cacdb36b8e1b2cb71ebcfa2f884fcd4c.exe	82
PID 5072 wrote to memory of 4904	5072	66dfb70ef70159b6dca15976c2e43346cacdb36b8e1b2cb71ebcfa2f884fcd4c.exe	82
PID 5072 wrote to memory of 4336	5072	66dfb70ef70159b6dca15976c2e43346cacdb36b8e1b2cb71ebcfa2f884fcd4c.exe	83
PID 5072 wrote to memory of 4336	5072	66dfb70ef70159b6dca15976c2e43346cacdb36b8e1b2cb71ebcfa2f884fcd4c.exe	83
PID 5072 wrote to memory of 4336	5072	66dfb70ef70159b6dca15976c2e43346cacdb36b8e1b2cb71ebcfa2f884fcd4c.exe	83
PID 4904 wrote to memory of 3804	4904	ebzob.exe	93
PID 4904 wrote to memory of 3804	4904	ebzob.exe	93
PID 4904 wrote to memory of 3804	4904	ebzob.exe	93

C:\Users\Admin\AppData\Local\Temp\66dfb70ef70159b6dca15976c2e43346cacdb36b8e1b2cb71ebcfa2f884fcd4c.exe
"C:\Users\Admin\AppData\Local\Temp\66dfb70ef70159b6dca15976c2e43346cacdb36b8e1b2cb71ebcfa2f884fcd4c.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5072
- C:\Users\Admin\AppData\Local\Temp\ebzob.exe
  "C:\Users\Admin\AppData\Local\Temp\ebzob.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:4904
- - C:\Users\Admin\AppData\Local\Temp\royjv.exe
    "C:\Users\Admin\AppData\Local\Temp\royjv.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:3804
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  PID:4336

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
c8dfed3e6f1f85f6187468df9a969ed5

SHA1
60f3e21aff4c99c4cd370b8605b8e0c0df475915

SHA256
6e02b80c26399e417a1823fe39edba9a86a4cd674f9f3f516a8b4a03a0b579b1

SHA512
f16453658c359b882b96c2a21f57ad2b09e731c1d5d2dbaed80b3ed2666b2007f591ece1eb28387abcd526b739f89b2b3cd821cf0cca5a313bb5860f4720c22e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ebzob.exe

Filesize
477KB

MD5
a2fc2bbb2a198377b61dfe21d7da777b

SHA1
76e5b737370c05a6c9f678116567348812e32906

SHA256
716123837dad836c3bbe760d57a79a3eb25a4e7718cf59b4bd716d19065c8ac5

SHA512
0aadc18d11e7e9bffdab3b4e2c373ce39843fbf958c3e4a3301d7e01ccd2671d94100208392ec4675c7370c9d54d51a1ea12831b5786b38a8a00d9e80643302f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ebzob.exe

Filesize
477KB

MD5
a2fc2bbb2a198377b61dfe21d7da777b

SHA1
76e5b737370c05a6c9f678116567348812e32906

SHA256
716123837dad836c3bbe760d57a79a3eb25a4e7718cf59b4bd716d19065c8ac5

SHA512
0aadc18d11e7e9bffdab3b4e2c373ce39843fbf958c3e4a3301d7e01ccd2671d94100208392ec4675c7370c9d54d51a1ea12831b5786b38a8a00d9e80643302f

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
473c00bb6440ea206732f4d43911a7f6

SHA1
314828c7825e8354dea4f2722482d2432ffa540d

SHA256
7388e76a573e3f18daa858e3579bbbe7dddbeb56113fc1b08125210b8ab5ba6d

SHA512
d1a1139a30846a564727d1ade0b8d12cb799d1c6d3ba4b7390c54a9e12f3d87ed6f4ced6073274c18405dadfc10b35fde398f933d9e8d5d6f131398d3df7da34

Download Submit
C:\Users\Admin\AppData\Local\Temp\royjv.exe

Filesize
236KB

MD5
60a11ef738d21c85d3a63136716c6e13

SHA1
0e78a704afdbc48aff6adee7bee7a53b0f529cb6

SHA256
a131da9b165d2b71d661ca1210675ed869cbd639cb87b38290cfb72f95949af7

SHA512
353d95143060f223dfe0493ac738ee1145ea277cec7d3a21a77d5967977c253fcaa9410075346da06620c8d22f3696644e539687f5184c514c021412a021bb33

Download Submit
C:\Users\Admin\AppData\Local\Temp\royjv.exe

Filesize
236KB

MD5
60a11ef738d21c85d3a63136716c6e13

SHA1
0e78a704afdbc48aff6adee7bee7a53b0f529cb6

SHA256
a131da9b165d2b71d661ca1210675ed869cbd639cb87b38290cfb72f95949af7

SHA512
353d95143060f223dfe0493ac738ee1145ea277cec7d3a21a77d5967977c253fcaa9410075346da06620c8d22f3696644e539687f5184c514c021412a021bb33

Download Submit
memory/3804-146-0x0000000000D10000-0x0000000000DB3000-memory.dmp

Filesize
652KB

Download
memory/4904-138-0x0000000000900000-0x000000000098C000-memory.dmp

Filesize
560KB

Download
memory/4904-141-0x0000000000900000-0x000000000098C000-memory.dmp

Filesize
560KB

Download
memory/4904-145-0x0000000000900000-0x000000000098C000-memory.dmp

Filesize
560KB

Download
memory/5072-132-0x00000000003E0000-0x000000000046C000-memory.dmp

Filesize
560KB

Download
memory/5072-137-0x00000000003E0000-0x000000000046C000-memory.dmp

Filesize
560KB

Download