3fc09f50b4a5e6acdb03a1cea580ee63c31cd5cf9e10f695efc59e0217ac89fe

Analysis

max time kernel
151s
max time network
132s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
02/10/2022, 10:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3fc09f50b4a5e6acdb03a1cea580ee63c31cd5cf9e10f695efc59e0217ac89fe.exe
Size

704KB
MD5

71d0e033473fb920aae08b11708fbf40
SHA1

77135a05e33a8c9935fc6ba1d796822a56db9641
SHA256

3fc09f50b4a5e6acdb03a1cea580ee63c31cd5cf9e10f695efc59e0217ac89fe
SHA512

f158bf34b807c5dc19922b11c75841b5ec73b03db62f8d6058cb6a9d799691f853ba6e4238f7a95b4e4abe1e6e04388394c94eb5456f311fb39013f99e640ef6
SSDEEP

12288:VHjcoe9PH96vB/fAuBcm9TyOE/xG3muGx44MG4Yx:VDgINfAuBcgcZG2uG24MG4Y

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
3760	pezihur.exe
3576	~DFA233.tmp
8	owykvip.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	3fc09f50b4a5e6acdb03a1cea580ee63c31cd5cf9e10f695efc59e0217ac89fe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	~DFA233.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
8	owykvip.exe
8	owykvip.exe
8	owykvip.exe
8	owykvip.exe
8	owykvip.exe
8	owykvip.exe
8	owykvip.exe
8	owykvip.exe
8	owykvip.exe
8	owykvip.exe
8	owykvip.exe
8	owykvip.exe
8	owykvip.exe
8	owykvip.exe
8	owykvip.exe
8	owykvip.exe
8	owykvip.exe
8	owykvip.exe
8	owykvip.exe
8	owykvip.exe
8	owykvip.exe
8	owykvip.exe
8	owykvip.exe
8	owykvip.exe
8	owykvip.exe
8	owykvip.exe
8	owykvip.exe
8	owykvip.exe
8	owykvip.exe
8	owykvip.exe
8	owykvip.exe
8	owykvip.exe
8	owykvip.exe
8	owykvip.exe
8	owykvip.exe
8	owykvip.exe
8	owykvip.exe
8	owykvip.exe
8	owykvip.exe
8	owykvip.exe
8	owykvip.exe
8	owykvip.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3576	~DFA233.tmp

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4000 wrote to memory of 3760	4000	3fc09f50b4a5e6acdb03a1cea580ee63c31cd5cf9e10f695efc59e0217ac89fe.exe	86
PID 4000 wrote to memory of 3760	4000	3fc09f50b4a5e6acdb03a1cea580ee63c31cd5cf9e10f695efc59e0217ac89fe.exe	86
PID 4000 wrote to memory of 3760	4000	3fc09f50b4a5e6acdb03a1cea580ee63c31cd5cf9e10f695efc59e0217ac89fe.exe	86
PID 3760 wrote to memory of 3576	3760	pezihur.exe	87
PID 3760 wrote to memory of 3576	3760	pezihur.exe	87
PID 3760 wrote to memory of 3576	3760	pezihur.exe	87
PID 4000 wrote to memory of 4816	4000	3fc09f50b4a5e6acdb03a1cea580ee63c31cd5cf9e10f695efc59e0217ac89fe.exe	88
PID 4000 wrote to memory of 4816	4000	3fc09f50b4a5e6acdb03a1cea580ee63c31cd5cf9e10f695efc59e0217ac89fe.exe	88
PID 4000 wrote to memory of 4816	4000	3fc09f50b4a5e6acdb03a1cea580ee63c31cd5cf9e10f695efc59e0217ac89fe.exe	88
PID 3576 wrote to memory of 8	3576	~DFA233.tmp	105
PID 3576 wrote to memory of 8	3576	~DFA233.tmp	105
PID 3576 wrote to memory of 8	3576	~DFA233.tmp	105

C:\Users\Admin\AppData\Local\Temp\3fc09f50b4a5e6acdb03a1cea580ee63c31cd5cf9e10f695efc59e0217ac89fe.exe
"C:\Users\Admin\AppData\Local\Temp\3fc09f50b4a5e6acdb03a1cea580ee63c31cd5cf9e10f695efc59e0217ac89fe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4000
- C:\Users\Admin\AppData\Local\Temp\pezihur.exe
  C:\Users\Admin\AppData\Local\Temp\pezihur.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3760
- - C:\Users\Admin\AppData\Local\Temp\~DFA233.tmp
    C:\Users\Admin\AppData\Local\Temp\~DFA233.tmp OK
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3576
  - - C:\Users\Admin\AppData\Local\Temp\owykvip.exe
      "C:\Users\Admin\AppData\Local\Temp\owykvip.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:8
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
  2⤵
  PID:4816

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uninsep.bat

Filesize
341B

MD5
fbf0e01d6546f98fd55585f981f0f739

SHA1
a8ec8c99eeb0ba561e2228b06fb4619f5dc95bb6

SHA256
afe86227af1dff1716830822ba32ec563b42ee31e25b8ee94e44d0585ad22d70

SHA512
8a56f9d2bdc93df696e6a7bf8bc182e487ee0b9130ef8c5ad8cc8e934532436cced3417f385b9a6d74bf46ae5a1d6784a9abea0774666997ff6aa1c9d743317f

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
86bb2dbeaef655893262f3c041f6afe2

SHA1
1b26ff1241c1353bd506c18bd0c11878076ba65d

SHA256
4a57643d2c59d1235bc0926f845583f39345839e3e9428ad619eb4b6baf96ad2

SHA512
58294cfaa5882a4c5625c03fe6f9e4882912b31f7169241f95626745d66c0a746083a9044365943d66ae7a420113d28c0ddd642c4ed697c683deb63796a13d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
480B

MD5
be6dacc27ffa9fe636dee65b8a673eb3

SHA1
ad36319cf94584f1c8eccc791d359a56370fed3d

SHA256
900b40e8f7ef6efc0bb0c6d0199317ffe6e929c0b08314c534629e49844f5aa1

SHA512
b4b9622649e51792eb782817812dc51dbb375b66e60ace026b4b661173bbc429908a087db288b0a1575e9d63d1a30cea462c8f5c783e819aac371674486e7133

Download Submit
C:\Users\Admin\AppData\Local\Temp\owykvip.exe

Filesize
401KB

MD5
ea55fc04bb6859af0af3f3a170ce71e0

SHA1
44ce3e0c9af559cb0d1ed5e1df522a654da7e69c

SHA256
bfa5b9e9c49b6b6fbe36a1233b5f6180ac62d8145ce74ec46a6a385dd6567bb5

SHA512
dedf46b293ce8bca069041e19ec2219a7146a7e842753bb757fc9c2b9598204558d1ea33c11101d5cd124a2af9d9ce7c185a683e6e0ac5227f7c5138df115360

Download Submit
C:\Users\Admin\AppData\Local\Temp\owykvip.exe

Filesize
401KB

MD5
ea55fc04bb6859af0af3f3a170ce71e0

SHA1
44ce3e0c9af559cb0d1ed5e1df522a654da7e69c

SHA256
bfa5b9e9c49b6b6fbe36a1233b5f6180ac62d8145ce74ec46a6a385dd6567bb5

SHA512
dedf46b293ce8bca069041e19ec2219a7146a7e842753bb757fc9c2b9598204558d1ea33c11101d5cd124a2af9d9ce7c185a683e6e0ac5227f7c5138df115360

Download Submit
C:\Users\Admin\AppData\Local\Temp\pezihur.exe

Filesize
706KB

MD5
5f86d714173fb29419dd5a55334130b5

SHA1
5928f76fa064641c84483b8d1037202a1d072e14

SHA256
c0c31137bc8ade10cef85d6a3657f823581721b6739d289eeb5ec6bffd33ae6a

SHA512
a0753d9636069ba7487cbead35a2b23d12fff201f5d34b01209c2f2bc20590648f38acef1e1f64a027e45b69c42301e2ec1a67e5c81161657f73ff0cbf82a16a

Download Submit
C:\Users\Admin\AppData\Local\Temp\pezihur.exe

Filesize
706KB

MD5
5f86d714173fb29419dd5a55334130b5

SHA1
5928f76fa064641c84483b8d1037202a1d072e14

SHA256
c0c31137bc8ade10cef85d6a3657f823581721b6739d289eeb5ec6bffd33ae6a

SHA512
a0753d9636069ba7487cbead35a2b23d12fff201f5d34b01209c2f2bc20590648f38acef1e1f64a027e45b69c42301e2ec1a67e5c81161657f73ff0cbf82a16a

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA233.tmp

Filesize
709KB

MD5
ed8b1d2beba1bd7061b8f33c75731ae7

SHA1
6a993ab7ac0ac5652c1f95db3e933b791beb3a6f

SHA256
ac4553e20fbde3b58b4067705375303b0af904da008cde70b0d0efbcdbc017a3

SHA512
c915951ff2fd9617a0e7755d88b30c964d77407d3f900bcae59457151818719986fe1dcae9f75caee5bbdece60c270cbb5b6f20964c9f22049546b3ab2396267

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA233.tmp

Filesize
709KB

MD5
ed8b1d2beba1bd7061b8f33c75731ae7

SHA1
6a993ab7ac0ac5652c1f95db3e933b791beb3a6f

SHA256
ac4553e20fbde3b58b4067705375303b0af904da008cde70b0d0efbcdbc017a3

SHA512
c915951ff2fd9617a0e7755d88b30c964d77407d3f900bcae59457151818719986fe1dcae9f75caee5bbdece60c270cbb5b6f20964c9f22049546b3ab2396267

Download Submit
memory/8-151-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/8-150-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/3576-143-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/3760-144-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/3760-141-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/4000-142-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/4000-132-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download