22bd6dd93ec1be763f2428902ab0f42b198d15d804e679fc99f1d65f3846129a

Analysis

max time kernel
152s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
02/10/2022, 10:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

22bd6dd93ec1be763f2428902ab0f42b198d15d804e679fc99f1d65f3846129a.exe
Size

657KB
MD5

67a8dbb937ee81d5c17ed503ee225db0
SHA1

055a8adc8a8c54b839fa45e69a339eb928eb369f
SHA256

22bd6dd93ec1be763f2428902ab0f42b198d15d804e679fc99f1d65f3846129a
SHA512

707f7402c23b91b7b18ece1b39f0ec488a9ed2147c0eb68ffe5e818b44e2d46113612450be8121be0251311234a42a9e5e32e15543fe619214a0412807971ddf
SSDEEP

12288:OHjcoe9PH96vB/fAuBcm9TyOE/xG3muGx44MG4Yx:ODgINfAuBcgcZG2uG24MG4Y

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
3004	poiwnps.exe
5020	~DFA22C.tmp
4000	tunoyps.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	~DFA22C.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	22bd6dd93ec1be763f2428902ab0f42b198d15d804e679fc99f1d65f3846129a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
4000	tunoyps.exe
4000	tunoyps.exe
4000	tunoyps.exe
4000	tunoyps.exe
4000	tunoyps.exe
4000	tunoyps.exe
4000	tunoyps.exe
4000	tunoyps.exe
4000	tunoyps.exe
4000	tunoyps.exe
4000	tunoyps.exe
4000	tunoyps.exe
4000	tunoyps.exe
4000	tunoyps.exe
4000	tunoyps.exe
4000	tunoyps.exe
4000	tunoyps.exe
4000	tunoyps.exe
4000	tunoyps.exe
4000	tunoyps.exe
4000	tunoyps.exe
4000	tunoyps.exe
4000	tunoyps.exe
4000	tunoyps.exe
4000	tunoyps.exe
4000	tunoyps.exe
4000	tunoyps.exe
4000	tunoyps.exe
4000	tunoyps.exe
4000	tunoyps.exe
4000	tunoyps.exe
4000	tunoyps.exe
4000	tunoyps.exe
4000	tunoyps.exe
4000	tunoyps.exe
4000	tunoyps.exe
4000	tunoyps.exe
4000	tunoyps.exe
4000	tunoyps.exe
4000	tunoyps.exe
4000	tunoyps.exe
4000	tunoyps.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	5020	~DFA22C.tmp

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4768 wrote to memory of 3004	4768	22bd6dd93ec1be763f2428902ab0f42b198d15d804e679fc99f1d65f3846129a.exe	84
PID 4768 wrote to memory of 3004	4768	22bd6dd93ec1be763f2428902ab0f42b198d15d804e679fc99f1d65f3846129a.exe	84
PID 4768 wrote to memory of 3004	4768	22bd6dd93ec1be763f2428902ab0f42b198d15d804e679fc99f1d65f3846129a.exe	84
PID 3004 wrote to memory of 5020	3004	poiwnps.exe	85
PID 3004 wrote to memory of 5020	3004	poiwnps.exe	85
PID 3004 wrote to memory of 5020	3004	poiwnps.exe	85
PID 4768 wrote to memory of 4924	4768	22bd6dd93ec1be763f2428902ab0f42b198d15d804e679fc99f1d65f3846129a.exe	86
PID 4768 wrote to memory of 4924	4768	22bd6dd93ec1be763f2428902ab0f42b198d15d804e679fc99f1d65f3846129a.exe	86
PID 4768 wrote to memory of 4924	4768	22bd6dd93ec1be763f2428902ab0f42b198d15d804e679fc99f1d65f3846129a.exe	86
PID 5020 wrote to memory of 4000	5020	~DFA22C.tmp	99
PID 5020 wrote to memory of 4000	5020	~DFA22C.tmp	99
PID 5020 wrote to memory of 4000	5020	~DFA22C.tmp	99

C:\Users\Admin\AppData\Local\Temp\22bd6dd93ec1be763f2428902ab0f42b198d15d804e679fc99f1d65f3846129a.exe
"C:\Users\Admin\AppData\Local\Temp\22bd6dd93ec1be763f2428902ab0f42b198d15d804e679fc99f1d65f3846129a.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4768
- C:\Users\Admin\AppData\Local\Temp\poiwnps.exe
  C:\Users\Admin\AppData\Local\Temp\poiwnps.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3004
- - C:\Users\Admin\AppData\Local\Temp\~DFA22C.tmp
    C:\Users\Admin\AppData\Local\Temp\~DFA22C.tmp OK
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5020
  - - C:\Users\Admin\AppData\Local\Temp\tunoyps.exe
      "C:\Users\Admin\AppData\Local\Temp\tunoyps.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:4000
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
  2⤵
  PID:4924

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uninsep.bat

Filesize
341B

MD5
efba6cd1d1ea175cbbc55f35e1507f34

SHA1
0f4223fba842d061278af81ba1d91c871eba85e0

SHA256
a35904e9b3749e678d3657baff56df2174ad3c71e295e789e985ca553bb7ab3c

SHA512
084a35d2ffb04b705feb4641aa4e8802928c5bfa85ec1b96379a33351bd96c65f9616ab931d975327586acd2e3a47c6696647a1daf86d46866c1946029acbb01

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
86bb2dbeaef655893262f3c041f6afe2

SHA1
1b26ff1241c1353bd506c18bd0c11878076ba65d

SHA256
4a57643d2c59d1235bc0926f845583f39345839e3e9428ad619eb4b6baf96ad2

SHA512
58294cfaa5882a4c5625c03fe6f9e4882912b31f7169241f95626745d66c0a746083a9044365943d66ae7a420113d28c0ddd642c4ed697c683deb63796a13d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
480B

MD5
d37ddf38b3327faf6ac521dd848a5990

SHA1
63c38a7162f76e876bbab10db14051612ea9bbd5

SHA256
2f21a51aa7945298a8c205d840c50b7fd154c7e37c231c076148ae8ff53cecb8

SHA512
2f352ac5e6f6dc4d21d3e8e0587d4d8d914b72e716b67855bc4deafd0be045e85ad657bb953ca5e092258477d7591a3cba24df7ad3ad7ad266a2318eed17e3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\poiwnps.exe

Filesize
663KB

MD5
b5bca30a220bfc8d3e8f0b2f292a0196

SHA1
62f41abb04cac21eebccf4cf30efd6b0e93ed9a3

SHA256
afdb21c2b8eb657b807e938cca7be58f26e6bf199e3dd1b0eec689a8a655debe

SHA512
676a229f497f1e08639229233e790746b30a149fc64267104d0b795fcc35c0089d5e92f831d2697986b7a89cc80d73ec9b7cc0e71188c9b52b6e93e736714f0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\poiwnps.exe

Filesize
663KB

MD5
b5bca30a220bfc8d3e8f0b2f292a0196

SHA1
62f41abb04cac21eebccf4cf30efd6b0e93ed9a3

SHA256
afdb21c2b8eb657b807e938cca7be58f26e6bf199e3dd1b0eec689a8a655debe

SHA512
676a229f497f1e08639229233e790746b30a149fc64267104d0b795fcc35c0089d5e92f831d2697986b7a89cc80d73ec9b7cc0e71188c9b52b6e93e736714f0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tunoyps.exe

Filesize
372KB

MD5
18f90e72b9c507b280038098ced17276

SHA1
39c297f5aecaefc57d31683d19fb8b2552ec9bf0

SHA256
62c4ef6c9ae5bdbcabeaf6a4414c2370098f7b001b1c61ddb14044b5a52d0b56

SHA512
1ddf6c534e54523f819f06697dc6aa55cbeab5322eb6b42f1bb4dadce6f11fbbe292cedcdeb0a889c766c86eb234951fd5789aeedb4ce9249ed5da0cdb2922ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\tunoyps.exe

Filesize
372KB

MD5
18f90e72b9c507b280038098ced17276

SHA1
39c297f5aecaefc57d31683d19fb8b2552ec9bf0

SHA256
62c4ef6c9ae5bdbcabeaf6a4414c2370098f7b001b1c61ddb14044b5a52d0b56

SHA512
1ddf6c534e54523f819f06697dc6aa55cbeab5322eb6b42f1bb4dadce6f11fbbe292cedcdeb0a889c766c86eb234951fd5789aeedb4ce9249ed5da0cdb2922ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA22C.tmp

Filesize
670KB

MD5
18f9e4da7814b05451e05326f3f1b9d6

SHA1
c2fb43bdb7f652cf2df56596a045966d757faf54

SHA256
dfffe15a609c0d405ff76d30bfdda5e07c9ff3c2fd19c23d8e0342454f10c6d1

SHA512
8beb2d57e3de654744a338210be33f0f239217e52dfa7147a28f6d7e6f08e551716de574b8e3c47ed797f497ea46078086413a155a4f68ad0ca32a0e33a56c71

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA22C.tmp

Filesize
670KB

MD5
18f9e4da7814b05451e05326f3f1b9d6

SHA1
c2fb43bdb7f652cf2df56596a045966d757faf54

SHA256
dfffe15a609c0d405ff76d30bfdda5e07c9ff3c2fd19c23d8e0342454f10c6d1

SHA512
8beb2d57e3de654744a338210be33f0f239217e52dfa7147a28f6d7e6f08e551716de574b8e3c47ed797f497ea46078086413a155a4f68ad0ca32a0e33a56c71

Download Submit
memory/3004-141-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/3004-137-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/4000-150-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/4768-136-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/4768-143-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/5020-145-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download