b060f8e8f97c6829ae27a5f8eb1fbc18bde4d5e7fbaee62fd117d9e6336fc223

General

Target

8d2eb7a1b4f09cb215c091bb568c63af.exe
Size

521KB
MD5

8d2eb7a1b4f09cb215c091bb568c63af
SHA1

a7038bbdbf159a6fc163d43df3688a26fba52299
SHA256

b060f8e8f97c6829ae27a5f8eb1fbc18bde4d5e7fbaee62fd117d9e6336fc223
SHA512

86346d31a9cc8b3840296101a827b54063d093636f5b1ebaaee297f0c50fb8203e0c893c2824707393738991febc41f2d7b63f63d8506d00ef40a13d530c6ce1
SSDEEP

12288:2pR3MqWOKw7yWMJFLubMNfntcanU+SH7:iR84fmX8ItHnXI

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	8d2eb7a1b4f09cb215c091bb568c63af.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	~DFA259.tmp

Executes dropped EXE 3 IoCs

pid	Process
1132	ybkibem.exe
868	~DFA259.tmp
552	loviwom.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 44 IoCs

pid	Process
552	loviwom.exe
552	loviwom.exe
552	loviwom.exe
552	loviwom.exe
552	loviwom.exe
552	loviwom.exe
552	loviwom.exe
552	loviwom.exe
552	loviwom.exe
552	loviwom.exe
552	loviwom.exe
552	loviwom.exe
552	loviwom.exe
552	loviwom.exe
552	loviwom.exe
552	loviwom.exe
552	loviwom.exe
552	loviwom.exe
552	loviwom.exe
552	loviwom.exe
552	loviwom.exe
552	loviwom.exe
552	loviwom.exe
552	loviwom.exe
552	loviwom.exe
552	loviwom.exe
552	loviwom.exe
552	loviwom.exe
552	loviwom.exe
552	loviwom.exe
552	loviwom.exe
552	loviwom.exe
552	loviwom.exe
552	loviwom.exe
552	loviwom.exe
552	loviwom.exe
552	loviwom.exe
552	loviwom.exe
552	loviwom.exe
552	loviwom.exe
552	loviwom.exe
552	loviwom.exe
552	loviwom.exe
552	loviwom.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	868	~DFA259.tmp

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1868 wrote to memory of 1132	1868	8d2eb7a1b4f09cb215c091bb568c63af.exe	84
PID 1868 wrote to memory of 1132	1868	8d2eb7a1b4f09cb215c091bb568c63af.exe	84
PID 1868 wrote to memory of 1132	1868	8d2eb7a1b4f09cb215c091bb568c63af.exe	84
PID 1132 wrote to memory of 868	1132	ybkibem.exe	85
PID 1132 wrote to memory of 868	1132	ybkibem.exe	85
PID 1132 wrote to memory of 868	1132	ybkibem.exe	85
PID 1868 wrote to memory of 3496	1868	8d2eb7a1b4f09cb215c091bb568c63af.exe	87
PID 1868 wrote to memory of 3496	1868	8d2eb7a1b4f09cb215c091bb568c63af.exe	87
PID 1868 wrote to memory of 3496	1868	8d2eb7a1b4f09cb215c091bb568c63af.exe	87
PID 868 wrote to memory of 552	868	~DFA259.tmp	96
PID 868 wrote to memory of 552	868	~DFA259.tmp	96
PID 868 wrote to memory of 552	868	~DFA259.tmp	96

C:\Users\Admin\AppData\Local\Temp\8d2eb7a1b4f09cb215c091bb568c63af.exe
"C:\Users\Admin\AppData\Local\Temp\8d2eb7a1b4f09cb215c091bb568c63af.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1868
- C:\Users\Admin\AppData\Local\Temp\ybkibem.exe
  C:\Users\Admin\AppData\Local\Temp\ybkibem.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1132
- - C:\Users\Admin\AppData\Local\Temp\~DFA259.tmp
    C:\Users\Admin\AppData\Local\Temp\~DFA259.tmp OK
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:868
  - - C:\Users\Admin\AppData\Local\Temp\loviwom.exe
      "C:\Users\Admin\AppData\Local\Temp\loviwom.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:552
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
  2⤵
  PID:3496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uninsep.bat

Filesize
277B

MD5
dfcea2f532603b1e868b5b9f648e488a

SHA1
56917f6fe6300005cc419c98605e6df86b792062

SHA256
ceb3703eeba6f910391eb05925671da5c10bfcbd7076066a6a52b43c89c56a47

SHA512
f2dbcca0fdffc4c7feb5c999a7f927fa6e82e29930a653eac064a33ef1e04c0425029052ea510944cfb479d7fca5568c7d819a27b4ee0ab50d107378e39e331e

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
86bb2dbeaef655893262f3c041f6afe2

SHA1
1b26ff1241c1353bd506c18bd0c11878076ba65d

SHA256
4a57643d2c59d1235bc0926f845583f39345839e3e9428ad619eb4b6baf96ad2

SHA512
58294cfaa5882a4c5625c03fe6f9e4882912b31f7169241f95626745d66c0a746083a9044365943d66ae7a420113d28c0ddd642c4ed697c683deb63796a13d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
480B

MD5
a1a71e3e4a06cbc4bf0bd078caf4ea4e

SHA1
5da1948322aa5f3e3c71c586c9e51261eaad6a46

SHA256
6170f87fca316d94adf4bbd4e29477cccf4d62e6b7be8f26f5c2ed4442b75cdb

SHA512
9b0e1ce3ed9f547686b948104031e29b2594d044ade57b4f0b46f0388c3942393299157e0c63bd19c6172948531336742b64bbaee89cd47bc4ae8aadb66f2eef

Download Submit
C:\Users\Admin\AppData\Local\Temp\loviwom.exe

Filesize
398KB

MD5
7f0e68ce3eada579503a193d14ed9db3

SHA1
fd619097f64ff0560de2e1a10d2347eeda973b90

SHA256
14cc3c4e796a41faf67f64d2bcd3ac57c255195a8242de35aafdd3c94d3ad5bb

SHA512
951c98cbc0e0d25c6c41b3b7f48225d05132eea9d8a94d377fc65d7331c03ad193f61725e9f337974c9b18fb9397d4507ef2389cd19f0143482fcad66b004487

Download Submit
C:\Users\Admin\AppData\Local\Temp\ybkibem.exe

Filesize
523KB

MD5
f4cc5da0532756dde6932ee3309441ac

SHA1
06e8d8bb0244a2e64adc6820dbf484ad2a322afd

SHA256
7638925ab2385d239c6e52ff475a52765f08214ab8c49cd042284d1cdb31e82c

SHA512
a058ae37a58d11e6853f426353cbe4765b004e860ad76308ee25fbe722fced5e0b2851c99be6e05cdb1054b84fec4d8eaf44afd22394692f5896bff91c484fdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA259.tmp

Filesize
525KB

MD5
f2b0dae19aba8663d4613d772f22a4b4

SHA1
ba44713416cf105badab81b8f7ebbe6fd1247582

SHA256
33610e8bdfe751845a5e699d2d129895cc9756aaff22d334d0711a451fef6238

SHA512
2ceea3682e0a187966c0dcc57ff5b7c89e9b39d6fd840027a3e3e1735421a66cba51877750d64d427bd6c54849400914050c4fed5220171ac74691492b773e9e

Download Submit
memory/552-37-0x00000000001D0000-0x00000000001D2000-memory.dmp

Filesize
8KB

Download
memory/552-44-0x00000000001D0000-0x00000000001D2000-memory.dmp

Filesize
8KB

Download
memory/552-41-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/552-38-0x0000000000770000-0x0000000000771000-memory.dmp

Filesize
4KB

Download
memory/552-36-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/868-14-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/868-20-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/868-40-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/1132-19-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/1868-17-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/1868-0-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download

Analysis

Sharing