f18d7525b66aae5dc40469ef12123e67cb8240d2d61c5d19c0e04bf503c5266e

Analysis

max time kernel
152s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
02/10/2022, 10:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f18d7525b66aae5dc40469ef12123e67cb8240d2d61c5d19c0e04bf503c5266e.exe
Size

697KB
MD5

66465db7589d8b70c6b219fcdaf54410
SHA1

448c8fad294662a1c1e3e26f96c3eacebe8880d5
SHA256

f18d7525b66aae5dc40469ef12123e67cb8240d2d61c5d19c0e04bf503c5266e
SHA512

1fa2dff948c872ce66fb74f7cfd9c9db3edcbef70100300c7fb20c8ee2514314e71e324d0e363c6430be317f1b01611bf25e8c95fd98dc349bed925c1da5f26e
SSDEEP

12288:VHjcoe9PH96vB/fAuBcm9TyOE/xG3muGx44MG4Yx:VDgINfAuBcgcZG2uG24MG4Y

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
3436	uqkipot.exe
2332	~DFA22B.tmp
1088	rufugyg.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	f18d7525b66aae5dc40469ef12123e67cb8240d2d61c5d19c0e04bf503c5266e.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	~DFA22B.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
1088	rufugyg.exe
1088	rufugyg.exe
1088	rufugyg.exe
1088	rufugyg.exe
1088	rufugyg.exe
1088	rufugyg.exe
1088	rufugyg.exe
1088	rufugyg.exe
1088	rufugyg.exe
1088	rufugyg.exe
1088	rufugyg.exe
1088	rufugyg.exe
1088	rufugyg.exe
1088	rufugyg.exe
1088	rufugyg.exe
1088	rufugyg.exe
1088	rufugyg.exe
1088	rufugyg.exe
1088	rufugyg.exe
1088	rufugyg.exe
1088	rufugyg.exe
1088	rufugyg.exe
1088	rufugyg.exe
1088	rufugyg.exe
1088	rufugyg.exe
1088	rufugyg.exe
1088	rufugyg.exe
1088	rufugyg.exe
1088	rufugyg.exe
1088	rufugyg.exe
1088	rufugyg.exe
1088	rufugyg.exe
1088	rufugyg.exe
1088	rufugyg.exe
1088	rufugyg.exe
1088	rufugyg.exe
1088	rufugyg.exe
1088	rufugyg.exe
1088	rufugyg.exe
1088	rufugyg.exe
1088	rufugyg.exe
1088	rufugyg.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2332	~DFA22B.tmp

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4504 wrote to memory of 3436	4504	f18d7525b66aae5dc40469ef12123e67cb8240d2d61c5d19c0e04bf503c5266e.exe	82
PID 4504 wrote to memory of 3436	4504	f18d7525b66aae5dc40469ef12123e67cb8240d2d61c5d19c0e04bf503c5266e.exe	82
PID 4504 wrote to memory of 3436	4504	f18d7525b66aae5dc40469ef12123e67cb8240d2d61c5d19c0e04bf503c5266e.exe	82
PID 3436 wrote to memory of 2332	3436	uqkipot.exe	83
PID 3436 wrote to memory of 2332	3436	uqkipot.exe	83
PID 3436 wrote to memory of 2332	3436	uqkipot.exe	83
PID 4504 wrote to memory of 5028	4504	f18d7525b66aae5dc40469ef12123e67cb8240d2d61c5d19c0e04bf503c5266e.exe	84
PID 4504 wrote to memory of 5028	4504	f18d7525b66aae5dc40469ef12123e67cb8240d2d61c5d19c0e04bf503c5266e.exe	84
PID 4504 wrote to memory of 5028	4504	f18d7525b66aae5dc40469ef12123e67cb8240d2d61c5d19c0e04bf503c5266e.exe	84
PID 2332 wrote to memory of 1088	2332	~DFA22B.tmp	88
PID 2332 wrote to memory of 1088	2332	~DFA22B.tmp	88
PID 2332 wrote to memory of 1088	2332	~DFA22B.tmp	88

C:\Users\Admin\AppData\Local\Temp\f18d7525b66aae5dc40469ef12123e67cb8240d2d61c5d19c0e04bf503c5266e.exe
"C:\Users\Admin\AppData\Local\Temp\f18d7525b66aae5dc40469ef12123e67cb8240d2d61c5d19c0e04bf503c5266e.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4504
- C:\Users\Admin\AppData\Local\Temp\uqkipot.exe
  C:\Users\Admin\AppData\Local\Temp\uqkipot.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3436
- - C:\Users\Admin\AppData\Local\Temp\~DFA22B.tmp
    C:\Users\Admin\AppData\Local\Temp\~DFA22B.tmp OK
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2332
  - - C:\Users\Admin\AppData\Local\Temp\rufugyg.exe
      "C:\Users\Admin\AppData\Local\Temp\rufugyg.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:1088
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
  2⤵
  PID:5028

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uninsep.bat

Filesize
341B

MD5
eae99c42a45dd55fa196474fe80e9b42

SHA1
1b9e0aec380cccb2be95c54039f3a2818dcf6e79

SHA256
5775203e9d11195bcc0300058c19aa002b70565ebc3709db2070beffb30f28f7

SHA512
9c101f06e911360a97d33658be82062743d7efc50d54c1718f4e97f1ba69453064d11ad96f57923ecf555547ba2ce22661aa5b9ab696cfb817f5597e92fab262

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
86bb2dbeaef655893262f3c041f6afe2

SHA1
1b26ff1241c1353bd506c18bd0c11878076ba65d

SHA256
4a57643d2c59d1235bc0926f845583f39345839e3e9428ad619eb4b6baf96ad2

SHA512
58294cfaa5882a4c5625c03fe6f9e4882912b31f7169241f95626745d66c0a746083a9044365943d66ae7a420113d28c0ddd642c4ed697c683deb63796a13d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
480B

MD5
e073f73a95897a2ced98d6c8f9ccc659

SHA1
8de06778070f797ba60beab63dc47638427b8d9a

SHA256
7780b587d96c8c3c9dded65ad1b50bddf2570c5754c75cecf3352bf556a0bed1

SHA512
4e14e1cd9f62db4e1711fe8ede2044d8eb412e69f96167a2692a10d5d8be6b362c602d31618384926ec888dd797d0abd27110a21034eaa2300bf370119166d92

Download Submit
C:\Users\Admin\AppData\Local\Temp\rufugyg.exe

Filesize
385KB

MD5
80ea2c68ee8125575df5466e45c9ccc0

SHA1
b77b9846f068c0ffafb630d304c8640dc55ce56c

SHA256
81a82b61854b2ec704422163eca20068c9e8289fa0715523d35c1340489366bc

SHA512
ba226cc145cd9853e85a175c6e845d3565f5676914da5ffeefcb8162e973d9d51fc641ed916bea5e4fbd7893884c5b8154050f4b879836dc6b6f3d49c6c273f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\rufugyg.exe

Filesize
385KB

MD5
80ea2c68ee8125575df5466e45c9ccc0

SHA1
b77b9846f068c0ffafb630d304c8640dc55ce56c

SHA256
81a82b61854b2ec704422163eca20068c9e8289fa0715523d35c1340489366bc

SHA512
ba226cc145cd9853e85a175c6e845d3565f5676914da5ffeefcb8162e973d9d51fc641ed916bea5e4fbd7893884c5b8154050f4b879836dc6b6f3d49c6c273f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\uqkipot.exe

Filesize
702KB

MD5
e5b4c7f039231314d757871da526726e

SHA1
dbd0abb6d061b33c04d13493c67dfabff11f125a

SHA256
07558583f43851b1de8b71f6086002bda725481975107512c517a3d09c975ef3

SHA512
934e05ab25b3cd4b1551ed7bb0f91ab8671e8abd5dc2af97d8a623e5fdcf4d1412e22859d8e6b5253b107b78ed46edbd66175e866bd35117282013872f509c73

Download Submit
C:\Users\Admin\AppData\Local\Temp\uqkipot.exe

Filesize
702KB

MD5
e5b4c7f039231314d757871da526726e

SHA1
dbd0abb6d061b33c04d13493c67dfabff11f125a

SHA256
07558583f43851b1de8b71f6086002bda725481975107512c517a3d09c975ef3

SHA512
934e05ab25b3cd4b1551ed7bb0f91ab8671e8abd5dc2af97d8a623e5fdcf4d1412e22859d8e6b5253b107b78ed46edbd66175e866bd35117282013872f509c73

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA22B.tmp

Filesize
707KB

MD5
0a8dab9c24e3bb87c056f80d4f299b21

SHA1
bd260d7dde4b10d86d1da6fb687d7f63382b9f5e

SHA256
024421be12551b54502c50dfe4b4e347e9e8b9507c5c0700944bf2d9b773a03c

SHA512
82c2505ce18cc07ce24c43195cdd2e2c5f65001cd2b53cb896a538f88f10f8e207653eafa1a413ce7a1a9a592cea2fd6ccde7685a08d0b7dcac96b3e52fdbbb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA22B.tmp

Filesize
707KB

MD5
0a8dab9c24e3bb87c056f80d4f299b21

SHA1
bd260d7dde4b10d86d1da6fb687d7f63382b9f5e

SHA256
024421be12551b54502c50dfe4b4e347e9e8b9507c5c0700944bf2d9b773a03c

SHA512
82c2505ce18cc07ce24c43195cdd2e2c5f65001cd2b53cb896a538f88f10f8e207653eafa1a413ce7a1a9a592cea2fd6ccde7685a08d0b7dcac96b3e52fdbbb8

Download Submit
memory/1088-151-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/2332-146-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/2332-141-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/3436-142-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/3436-140-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/4504-144-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/4504-132-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download