687c87c6e8a1bfb8dc6c638da6aaab2bda380db27d1eb310e98bcfb05d857aa4

Analysis

max time kernel
152s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
02-10-2022 10:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

687c87c6e8a1bfb8dc6c638da6aaab2bda380db27d1eb310e98bcfb05d857aa4.exe
Size

654KB
MD5

7cf9b62deb24269b29a762e2edacc1c0
SHA1

3ae2c8b831c5efdaab35103e9d372381c7fa809b
SHA256

687c87c6e8a1bfb8dc6c638da6aaab2bda380db27d1eb310e98bcfb05d857aa4
SHA512

8cff1cfae926f6b649d1c4bccd03112eb938972c829286d58e550c6f96ae82ebb8966e2a4e42f9fc818674629f9962deb3c016c66e2bd887997a6ecff3248bdb
SSDEEP

12288:VHjcoe9PH96vB/fAuBcm9TyOE/xG3muGx44MG4Yx:VDgINfAuBcgcZG2uG24MG4Y

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
4476	zeegwid.exe
4988	~DFA237.tmp
3932	kaputiu.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	~DFA237.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	687c87c6e8a1bfb8dc6c638da6aaab2bda380db27d1eb310e98bcfb05d857aa4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 38 IoCs

pid	Process
3932	kaputiu.exe
3932	kaputiu.exe
3932	kaputiu.exe
3932	kaputiu.exe
3932	kaputiu.exe
3932	kaputiu.exe
3932	kaputiu.exe
3932	kaputiu.exe
3932	kaputiu.exe
3932	kaputiu.exe
3932	kaputiu.exe
3932	kaputiu.exe
3932	kaputiu.exe
3932	kaputiu.exe
3932	kaputiu.exe
3932	kaputiu.exe
3932	kaputiu.exe
3932	kaputiu.exe
3932	kaputiu.exe
3932	kaputiu.exe
3932	kaputiu.exe
3932	kaputiu.exe
3932	kaputiu.exe
3932	kaputiu.exe
3932	kaputiu.exe
3932	kaputiu.exe
3932	kaputiu.exe
3932	kaputiu.exe
3932	kaputiu.exe
3932	kaputiu.exe
3932	kaputiu.exe
3932	kaputiu.exe
3932	kaputiu.exe
3932	kaputiu.exe
3932	kaputiu.exe
3932	kaputiu.exe
3932	kaputiu.exe
3932	kaputiu.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4988	~DFA237.tmp

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3088 wrote to memory of 4476	3088	687c87c6e8a1bfb8dc6c638da6aaab2bda380db27d1eb310e98bcfb05d857aa4.exe	82
PID 3088 wrote to memory of 4476	3088	687c87c6e8a1bfb8dc6c638da6aaab2bda380db27d1eb310e98bcfb05d857aa4.exe	82
PID 3088 wrote to memory of 4476	3088	687c87c6e8a1bfb8dc6c638da6aaab2bda380db27d1eb310e98bcfb05d857aa4.exe	82
PID 4476 wrote to memory of 4988	4476	zeegwid.exe	83
PID 4476 wrote to memory of 4988	4476	zeegwid.exe	83
PID 4476 wrote to memory of 4988	4476	zeegwid.exe	83
PID 3088 wrote to memory of 4924	3088	687c87c6e8a1bfb8dc6c638da6aaab2bda380db27d1eb310e98bcfb05d857aa4.exe	84
PID 3088 wrote to memory of 4924	3088	687c87c6e8a1bfb8dc6c638da6aaab2bda380db27d1eb310e98bcfb05d857aa4.exe	84
PID 3088 wrote to memory of 4924	3088	687c87c6e8a1bfb8dc6c638da6aaab2bda380db27d1eb310e98bcfb05d857aa4.exe	84
PID 4988 wrote to memory of 3932	4988	~DFA237.tmp	92
PID 4988 wrote to memory of 3932	4988	~DFA237.tmp	92
PID 4988 wrote to memory of 3932	4988	~DFA237.tmp	92

C:\Users\Admin\AppData\Local\Temp\687c87c6e8a1bfb8dc6c638da6aaab2bda380db27d1eb310e98bcfb05d857aa4.exe
"C:\Users\Admin\AppData\Local\Temp\687c87c6e8a1bfb8dc6c638da6aaab2bda380db27d1eb310e98bcfb05d857aa4.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3088
- C:\Users\Admin\AppData\Local\Temp\zeegwid.exe
  C:\Users\Admin\AppData\Local\Temp\zeegwid.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4476
- - C:\Users\Admin\AppData\Local\Temp\~DFA237.tmp
    C:\Users\Admin\AppData\Local\Temp\~DFA237.tmp OK
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4988
  - - C:\Users\Admin\AppData\Local\Temp\kaputiu.exe
      "C:\Users\Admin\AppData\Local\Temp\kaputiu.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:3932
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
  2⤵
  PID:4924

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uninsep.bat

Filesize
341B

MD5
d2260de68394f295dde15a16915d2dba

SHA1
7c7d28f0b02f3d93c819ca254a8a254e0c7ca6e2

SHA256
f122223057bf175f6792a5dfc3a180fe706adb57f10453ca06d8f124bf32e0c8

SHA512
fcc4a320a3556e9590ec278299cfc831da2007786a109f9e699ffea97a3163c7c46605a14a9e798c0f8a34ae69242ed06b039386c3b61376861f1f7ad2527630

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
86bb2dbeaef655893262f3c041f6afe2

SHA1
1b26ff1241c1353bd506c18bd0c11878076ba65d

SHA256
4a57643d2c59d1235bc0926f845583f39345839e3e9428ad619eb4b6baf96ad2

SHA512
58294cfaa5882a4c5625c03fe6f9e4882912b31f7169241f95626745d66c0a746083a9044365943d66ae7a420113d28c0ddd642c4ed697c683deb63796a13d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
480B

MD5
4025668c4c55315ad52e141a1d2c0abe

SHA1
e2bf37a79352384fa1fe13a7b3ee206fab4977a5

SHA256
1f3fdde6479b9ef516df64747ee6bacbd8078aabddf1ca4cff52399aac27fb2a

SHA512
f69452d84260417bca761126306a6710f139ddc43150b5ffc5473326799122d406184e7760c77c40d56f5b1803989c56937fc649e8acb1da4a2727190c234839

Download Submit
C:\Users\Admin\AppData\Local\Temp\kaputiu.exe

Filesize
382KB

MD5
65a73316b48303f206f7c91902b4da7e

SHA1
6003292fcf8a773390b2b2fad3c3578dbd2ad774

SHA256
c875481b5e31d1a9cdd34159a11c865f31079665d05925a86a743ec0cec23738

SHA512
a933403f20a3548bf1c9f3a5e6c4b559c1c82ad526ee8e8aadc860aba34ad7c50d16905730ff789e9af5c18cc458771b562db571532daf1e4f994cb136b47a76

Download Submit
C:\Users\Admin\AppData\Local\Temp\kaputiu.exe

Filesize
382KB

MD5
65a73316b48303f206f7c91902b4da7e

SHA1
6003292fcf8a773390b2b2fad3c3578dbd2ad774

SHA256
c875481b5e31d1a9cdd34159a11c865f31079665d05925a86a743ec0cec23738

SHA512
a933403f20a3548bf1c9f3a5e6c4b559c1c82ad526ee8e8aadc860aba34ad7c50d16905730ff789e9af5c18cc458771b562db571532daf1e4f994cb136b47a76

Download Submit
C:\Users\Admin\AppData\Local\Temp\zeegwid.exe

Filesize
661KB

MD5
1fba405799908907ceb1b207f303c17e

SHA1
a7a2b11d869826df0bc9ee686c1497834f4b195b

SHA256
e7ab9e0c72dbc3a01615e143712a316bdc9c00dd095760fdc6b8ea2af8243154

SHA512
28aeb8a6795eedf268dfe827d0a3d02f4e035f58f60a790636282069753f63bb7de1de3bf6b5cc04c9b809ec67a81db68dbc647ff7791825079bd75fa3ce4c93

Download Submit
C:\Users\Admin\AppData\Local\Temp\zeegwid.exe

Filesize
661KB

MD5
1fba405799908907ceb1b207f303c17e

SHA1
a7a2b11d869826df0bc9ee686c1497834f4b195b

SHA256
e7ab9e0c72dbc3a01615e143712a316bdc9c00dd095760fdc6b8ea2af8243154

SHA512
28aeb8a6795eedf268dfe827d0a3d02f4e035f58f60a790636282069753f63bb7de1de3bf6b5cc04c9b809ec67a81db68dbc647ff7791825079bd75fa3ce4c93

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA237.tmp

Filesize
668KB

MD5
da425e16a96c4976556dbc7fb14a37f4

SHA1
18f2ab62a0bb1f5199b7fb39d7514ed7492ee2f0

SHA256
8e2bcc10b3e6171a2c40ce9f43acc7b6dcb5e9857b3dfdc3260ddc005a1bf84e

SHA512
f959817f5d5b5322d884c66d1c4f12215449f3a6e3bf643a2466ae059715596c5074876435b240bdcdbb8191feb84ead7dc99bac81ec64a26baf6baed3b44ccd

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA237.tmp

Filesize
668KB

MD5
da425e16a96c4976556dbc7fb14a37f4

SHA1
18f2ab62a0bb1f5199b7fb39d7514ed7492ee2f0

SHA256
8e2bcc10b3e6171a2c40ce9f43acc7b6dcb5e9857b3dfdc3260ddc005a1bf84e

SHA512
f959817f5d5b5322d884c66d1c4f12215449f3a6e3bf643a2466ae059715596c5074876435b240bdcdbb8191feb84ead7dc99bac81ec64a26baf6baed3b44ccd

Download Submit
memory/3088-132-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/3088-143-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/3932-152-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/3932-150-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/3932-147-0x0000000000000000-mapping.dmp

Download
memory/4476-138-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/4476-144-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/4476-133-0x0000000000000000-mapping.dmp

Download
memory/4924-142-0x0000000000000000-mapping.dmp

Download
memory/4988-146-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/4988-141-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/4988-137-0x0000000000000000-mapping.dmp

Download