d627b2d83c84381afdf8cda7ea17bec6b7c0f639aeae8163fadd0bdea6eb4180

Analysis

max time kernel
153s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
02/10/2022, 10:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d627b2d83c84381afdf8cda7ea17bec6b7c0f639aeae8163fadd0bdea6eb4180.exe
Size

647KB
MD5

7252777128af91a3d2bda6c014bf9c90
SHA1

6d083e41d749a41a132ea7aba2136ab8e30a76fc
SHA256

d627b2d83c84381afdf8cda7ea17bec6b7c0f639aeae8163fadd0bdea6eb4180
SHA512

a84218e90e305cb4f0f04cbfbe2ad359cf8e34ace0d3cd6039ba5e3adaf872b05fbc34dd6f73bf4eb6536e8746c1653f113bb57fc39ddcfd085fcaf7670f5bc3
SSDEEP

12288:VHjcoe9PH96vB/fAuBcm9TyOE/xG3muGx44MG4Yx:VDgINfAuBcgcZG2uG24MG4Y

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
4436	zuqoih.exe
2184	~DFA23A.tmp
2136	vihely.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	d627b2d83c84381afdf8cda7ea17bec6b7c0f639aeae8163fadd0bdea6eb4180.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	~DFA23A.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
2136	vihely.exe
2136	vihely.exe
2136	vihely.exe
2136	vihely.exe
2136	vihely.exe
2136	vihely.exe
2136	vihely.exe
2136	vihely.exe
2136	vihely.exe
2136	vihely.exe
2136	vihely.exe
2136	vihely.exe
2136	vihely.exe
2136	vihely.exe
2136	vihely.exe
2136	vihely.exe
2136	vihely.exe
2136	vihely.exe
2136	vihely.exe
2136	vihely.exe
2136	vihely.exe
2136	vihely.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2184	~DFA23A.tmp

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1240 wrote to memory of 4436	1240	d627b2d83c84381afdf8cda7ea17bec6b7c0f639aeae8163fadd0bdea6eb4180.exe	81
PID 1240 wrote to memory of 4436	1240	d627b2d83c84381afdf8cda7ea17bec6b7c0f639aeae8163fadd0bdea6eb4180.exe	81
PID 1240 wrote to memory of 4436	1240	d627b2d83c84381afdf8cda7ea17bec6b7c0f639aeae8163fadd0bdea6eb4180.exe	81
PID 4436 wrote to memory of 2184	4436	zuqoih.exe	82
PID 4436 wrote to memory of 2184	4436	zuqoih.exe	82
PID 4436 wrote to memory of 2184	4436	zuqoih.exe	82
PID 1240 wrote to memory of 4892	1240	d627b2d83c84381afdf8cda7ea17bec6b7c0f639aeae8163fadd0bdea6eb4180.exe	85
PID 1240 wrote to memory of 4892	1240	d627b2d83c84381afdf8cda7ea17bec6b7c0f639aeae8163fadd0bdea6eb4180.exe	85
PID 1240 wrote to memory of 4892	1240	d627b2d83c84381afdf8cda7ea17bec6b7c0f639aeae8163fadd0bdea6eb4180.exe	85
PID 2184 wrote to memory of 2136	2184	~DFA23A.tmp	87
PID 2184 wrote to memory of 2136	2184	~DFA23A.tmp	87
PID 2184 wrote to memory of 2136	2184	~DFA23A.tmp	87

C:\Users\Admin\AppData\Local\Temp\d627b2d83c84381afdf8cda7ea17bec6b7c0f639aeae8163fadd0bdea6eb4180.exe
"C:\Users\Admin\AppData\Local\Temp\d627b2d83c84381afdf8cda7ea17bec6b7c0f639aeae8163fadd0bdea6eb4180.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1240
- C:\Users\Admin\AppData\Local\Temp\zuqoih.exe
  C:\Users\Admin\AppData\Local\Temp\zuqoih.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4436
- - C:\Users\Admin\AppData\Local\Temp\~DFA23A.tmp
    C:\Users\Admin\AppData\Local\Temp\~DFA23A.tmp OK
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2184
  - - C:\Users\Admin\AppData\Local\Temp\vihely.exe
      "C:\Users\Admin\AppData\Local\Temp\vihely.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:2136
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
  2⤵
  PID:4892

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uninsep.bat

Filesize
341B

MD5
fdd8825d99f3931643966aff943f66e7

SHA1
50d187d8b22a9ef5194ce3fcda90da832ae1d5ad

SHA256
94e7542ea0e514ace2563b9529ae9c89a9cc09a9bf76829339901773d69d707d

SHA512
502fea74dbe7ee293b58b2d0561e7c074f31215ecc8b3d5ef287716e4945aa844cc16d755228eff70d6d126a081291dc49a01787927104d0aeada301b31e9174

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
86bb2dbeaef655893262f3c041f6afe2

SHA1
1b26ff1241c1353bd506c18bd0c11878076ba65d

SHA256
4a57643d2c59d1235bc0926f845583f39345839e3e9428ad619eb4b6baf96ad2

SHA512
58294cfaa5882a4c5625c03fe6f9e4882912b31f7169241f95626745d66c0a746083a9044365943d66ae7a420113d28c0ddd642c4ed697c683deb63796a13d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
480B

MD5
745f150eb653b9cce8ab1fa3d9367b48

SHA1
6544a3bf188ae2a474d92d69f4fe0c1b33352af1

SHA256
580d2beeed21238e6682b350ca523fae26019c491dd4afbf9bcb5159977ea585

SHA512
3a748547e6bfa8cbd234997ba1e001a34aed738615eaf08b9936e3189290d25c02dea12f3bd66e1bfc52ee0cdea3c6fb781c273d42e0790f0fc7c98bd4a8c190

Download Submit
C:\Users\Admin\AppData\Local\Temp\vihely.exe

Filesize
400KB

MD5
a1d7f072dd8409a925889097c5e04d85

SHA1
42ff1d1feb44ad1efa8d0280342f13cd587f1ba7

SHA256
52f4201440ef0a71caeefb8e564a0f308dfc0b134589cfbf027adb5fb1d5d9af

SHA512
4b5fd4801bd2db1a08118cf9d46f00cc375bfb41ccdcc43ab6bbd02a0f216bd26538e0f8c042e7167ad95d1a59c7f85ba445ffe50b93968e94f819455284b243

Download Submit
C:\Users\Admin\AppData\Local\Temp\vihely.exe

Filesize
400KB

MD5
a1d7f072dd8409a925889097c5e04d85

SHA1
42ff1d1feb44ad1efa8d0280342f13cd587f1ba7

SHA256
52f4201440ef0a71caeefb8e564a0f308dfc0b134589cfbf027adb5fb1d5d9af

SHA512
4b5fd4801bd2db1a08118cf9d46f00cc375bfb41ccdcc43ab6bbd02a0f216bd26538e0f8c042e7167ad95d1a59c7f85ba445ffe50b93968e94f819455284b243

Download Submit
C:\Users\Admin\AppData\Local\Temp\zuqoih.exe

Filesize
656KB

MD5
c10abe29241d1f87463723441e7b353a

SHA1
25e7b42a1a81705a17b14ea3bb6c9fb7aab3f6a9

SHA256
9fb15f90cc09b5b300c971e95893e43b3088a011af62d79caa1f93b11f0f9763

SHA512
be5071256045c716917faf8228200ef6cc240fdc3f8a8a50f630d2e8a6d7f85541bcc27f52da05d2be1e11db8bf81c9b3f7586da58f3fff2e8d100a719632252

Download Submit
C:\Users\Admin\AppData\Local\Temp\zuqoih.exe

Filesize
656KB

MD5
c10abe29241d1f87463723441e7b353a

SHA1
25e7b42a1a81705a17b14ea3bb6c9fb7aab3f6a9

SHA256
9fb15f90cc09b5b300c971e95893e43b3088a011af62d79caa1f93b11f0f9763

SHA512
be5071256045c716917faf8228200ef6cc240fdc3f8a8a50f630d2e8a6d7f85541bcc27f52da05d2be1e11db8bf81c9b3f7586da58f3fff2e8d100a719632252

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA23A.tmp

Filesize
657KB

MD5
5a014e0b228511aafed6daf9d5ce031f

SHA1
9c5762d5aa67bdc5f1a673039dca10797c963c86

SHA256
8d8bed6806f95f8ad7f97e5fdac25b4075590a2ea9117aeedd0735957bbf2dde

SHA512
10ba750ce47e8ece263bc08e39dee42f5ce7b7cf2d49596367c4f5083c819ee9af669b7f448afcc83d225e425fea729673e46255c3a0c2ba782b1e2cba6dadb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA23A.tmp

Filesize
657KB

MD5
5a014e0b228511aafed6daf9d5ce031f

SHA1
9c5762d5aa67bdc5f1a673039dca10797c963c86

SHA256
8d8bed6806f95f8ad7f97e5fdac25b4075590a2ea9117aeedd0735957bbf2dde

SHA512
10ba750ce47e8ece263bc08e39dee42f5ce7b7cf2d49596367c4f5083c819ee9af669b7f448afcc83d225e425fea729673e46255c3a0c2ba782b1e2cba6dadb6

Download Submit
memory/1240-145-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1240-136-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/2136-150-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/2184-141-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/2184-143-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/4436-137-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/4436-142-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download