58132104efb2638c9f274d19e0ed5f9960632da52f9827c5afdfd90229ff9423

Analysis

max time kernel
152s
max time network
174s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
02/12/2022, 23:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

58132104efb2638c9f274d19e0ed5f9960632da52f9827c5afdfd90229ff9423.exe
Size

685KB
MD5

95b51c28ce2f926b597bdf572250cd90
SHA1

18bece471bcd283e76c7e28c3c6a5eda59b20d8f
SHA256

58132104efb2638c9f274d19e0ed5f9960632da52f9827c5afdfd90229ff9423
SHA512

93008f0d344a71e5e9f357e8b90d5a0e7d925c596549f346df9e0b82d96a984e98bde0147bcb4a7b104bab620322336686ab97061c425183d91367c89b7415ec
SSDEEP

12288:VHjcoe9PH96vB/fAuBcm9TyOE/xG3muGx44MG4Yx:VDgINfAuBcgcZG2uG24MG4Y

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
256	sumicey.exe
224	~DFA241.tmp
848	evgezey.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	58132104efb2638c9f274d19e0ed5f9960632da52f9827c5afdfd90229ff9423.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	~DFA241.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 36 IoCs

pid	Process
848	evgezey.exe
848	evgezey.exe
848	evgezey.exe
848	evgezey.exe
848	evgezey.exe
848	evgezey.exe
848	evgezey.exe
848	evgezey.exe
848	evgezey.exe
848	evgezey.exe
848	evgezey.exe
848	evgezey.exe
848	evgezey.exe
848	evgezey.exe
848	evgezey.exe
848	evgezey.exe
848	evgezey.exe
848	evgezey.exe
848	evgezey.exe
848	evgezey.exe
848	evgezey.exe
848	evgezey.exe
848	evgezey.exe
848	evgezey.exe
848	evgezey.exe
848	evgezey.exe
848	evgezey.exe
848	evgezey.exe
848	evgezey.exe
848	evgezey.exe
848	evgezey.exe
848	evgezey.exe
848	evgezey.exe
848	evgezey.exe
848	evgezey.exe
848	evgezey.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	224	~DFA241.tmp

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2544 wrote to memory of 256	2544	58132104efb2638c9f274d19e0ed5f9960632da52f9827c5afdfd90229ff9423.exe	80
PID 2544 wrote to memory of 256	2544	58132104efb2638c9f274d19e0ed5f9960632da52f9827c5afdfd90229ff9423.exe	80
PID 2544 wrote to memory of 256	2544	58132104efb2638c9f274d19e0ed5f9960632da52f9827c5afdfd90229ff9423.exe	80
PID 256 wrote to memory of 224	256	sumicey.exe	81
PID 256 wrote to memory of 224	256	sumicey.exe	81
PID 256 wrote to memory of 224	256	sumicey.exe	81
PID 2544 wrote to memory of 3152	2544	58132104efb2638c9f274d19e0ed5f9960632da52f9827c5afdfd90229ff9423.exe	82
PID 2544 wrote to memory of 3152	2544	58132104efb2638c9f274d19e0ed5f9960632da52f9827c5afdfd90229ff9423.exe	82
PID 2544 wrote to memory of 3152	2544	58132104efb2638c9f274d19e0ed5f9960632da52f9827c5afdfd90229ff9423.exe	82
PID 224 wrote to memory of 848	224	~DFA241.tmp	86
PID 224 wrote to memory of 848	224	~DFA241.tmp	86
PID 224 wrote to memory of 848	224	~DFA241.tmp	86

C:\Users\Admin\AppData\Local\Temp\58132104efb2638c9f274d19e0ed5f9960632da52f9827c5afdfd90229ff9423.exe
"C:\Users\Admin\AppData\Local\Temp\58132104efb2638c9f274d19e0ed5f9960632da52f9827c5afdfd90229ff9423.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2544
- C:\Users\Admin\AppData\Local\Temp\sumicey.exe
  C:\Users\Admin\AppData\Local\Temp\sumicey.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:256
- - C:\Users\Admin\AppData\Local\Temp\~DFA241.tmp
    C:\Users\Admin\AppData\Local\Temp\~DFA241.tmp OK
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:224
  - - C:\Users\Admin\AppData\Local\Temp\evgezey.exe
      "C:\Users\Admin\AppData\Local\Temp\evgezey.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:848
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
  2⤵
  PID:3152

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uninsep.bat

Filesize
341B

MD5
12c73c2dd7c93f9ec2cf31e3cf281cad

SHA1
89d568ae53426e646438e65d7cb143198aaa2177

SHA256
b7844fc53a2e3a1b7d556a889350f817735ce24979dcfb3993cfa75f191509a4

SHA512
100084c08a23c5c4da2502ba745504747e2d32714c6eb50a90a78e4e6abccac5b97e10bac719784b66406cefd34584ba47b802c28be10f172230ea39d636a90e

Download Submit
C:\Users\Admin\AppData\Local\Temp\evgezey.exe

Filesize
408KB

MD5
dc1be1b5c039eae0b396cfddaa7614f2

SHA1
34f1747652b7717650c8004ef0695f90a97a72b9

SHA256
cef156ea9ce1b50a04ddb602c43a7b96bf70af4202d44edaa28c41057dc7f23e

SHA512
01c0785863a9a9de049649f09ccdaf1eb9f139a2dcdd9c7a49d967d214afb61324abe6c3196e61cef7614ba0ffc04fd9ccc23fab39a2c9103de72a3b0104fa2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\evgezey.exe

Filesize
408KB

MD5
dc1be1b5c039eae0b396cfddaa7614f2

SHA1
34f1747652b7717650c8004ef0695f90a97a72b9

SHA256
cef156ea9ce1b50a04ddb602c43a7b96bf70af4202d44edaa28c41057dc7f23e

SHA512
01c0785863a9a9de049649f09ccdaf1eb9f139a2dcdd9c7a49d967d214afb61324abe6c3196e61cef7614ba0ffc04fd9ccc23fab39a2c9103de72a3b0104fa2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
86bb2dbeaef655893262f3c041f6afe2

SHA1
1b26ff1241c1353bd506c18bd0c11878076ba65d

SHA256
4a57643d2c59d1235bc0926f845583f39345839e3e9428ad619eb4b6baf96ad2

SHA512
58294cfaa5882a4c5625c03fe6f9e4882912b31f7169241f95626745d66c0a746083a9044365943d66ae7a420113d28c0ddd642c4ed697c683deb63796a13d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
480B

MD5
6faada61308f1a6914e502d0b69cb4fd

SHA1
987dee6beb0d10a14fd23e84360743c545f0bdfb

SHA256
940abc4b2be043bab1fde1a821150a09811bde6090eb45d284dcb0a26e4a5790

SHA512
5c06d49f4f6a093f2e4caeb80056315304c18c6904967fc47267e8a342ac2d5708d2b3defa1a780ee28efff808c8c4e57a26fabe6a4dc53f429c6eda0770f8e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\sumicey.exe

Filesize
692KB

MD5
869ee54f2c59ef25b1f3345a0b652e89

SHA1
a229f1dffd9004c6d794026d99e48934efb3e575

SHA256
820e56f7cdaac68699130ba2b6343b51e88046684936db41ef5e1982b169b68c

SHA512
819dba3a90c188585a832e3eeb232b37fb5f5646b246a40f056c553a38ca0549d743dd2b5eebb43786efc921c59eb450acd3354a6e376611dae9bef72ae1448f

Download Submit
C:\Users\Admin\AppData\Local\Temp\sumicey.exe

Filesize
692KB

MD5
869ee54f2c59ef25b1f3345a0b652e89

SHA1
a229f1dffd9004c6d794026d99e48934efb3e575

SHA256
820e56f7cdaac68699130ba2b6343b51e88046684936db41ef5e1982b169b68c

SHA512
819dba3a90c188585a832e3eeb232b37fb5f5646b246a40f056c553a38ca0549d743dd2b5eebb43786efc921c59eb450acd3354a6e376611dae9bef72ae1448f

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA241.tmp

Filesize
699KB

MD5
83594760b8f64d374372cb26ca7e078b

SHA1
6ae3da5579b7c9c8963862ff3a2f2404c9d5d784

SHA256
dd8340de7b6f7de800b223e2399529c9792a24de6f019d6c7b5844a7d843d541

SHA512
faedc9beed0a516fe5530d82be69d5d62efab0600fc90d104ed1e4925464c338ad6646c10b624ac5eea674017022cd351562d85bffab6f969136fdd200edc806

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA241.tmp

Filesize
699KB

MD5
83594760b8f64d374372cb26ca7e078b

SHA1
6ae3da5579b7c9c8963862ff3a2f2404c9d5d784

SHA256
dd8340de7b6f7de800b223e2399529c9792a24de6f019d6c7b5844a7d843d541

SHA512
faedc9beed0a516fe5530d82be69d5d62efab0600fc90d104ed1e4925464c338ad6646c10b624ac5eea674017022cd351562d85bffab6f969136fdd200edc806

Download Submit
memory/224-141-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/224-145-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/256-140-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/848-151-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/2544-132-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/2544-144-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/2544-142-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download