218fd88a08eb59ba0311b185aeabb84556f4d83ee5fde11a1c1ce6c7291692f4

Analysis

max time kernel
152s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
03/10/2022, 11:47

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

218fd88a08eb59ba0311b185aeabb84556f4d83ee5fde11a1c1ce6c7291692f4.exe
Size

39KB
MD5

6a33e38247f64da66a6c106fc7b54d20
SHA1

9239278a99b6ba06fd28a8c82e087558fc1de3c8
SHA256

218fd88a08eb59ba0311b185aeabb84556f4d83ee5fde11a1c1ce6c7291692f4
SHA512

afa460e2e56dd8912cad55ff9b8db2be093e9db3911fd7114f5a0f93956a5940e8ec8261fc41a7fc1e7a41377c54add272bb330c94260830c20fd09db99b556c
SSDEEP

768:heKEbmI5T5XhbNIB/S2YFpCwt6dYaxcQ7EgvjgBNyGp/Kd/GnRhRl7AiKEM:w5mWT5XbSOCERFKEM

Score

8^/10

evasion

Malware Config

Signatures

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	218fd88a08eb59ba0311b185aeabb84556f4d83ee5fde11a1c1ce6c7291692f4.exe

Loads dropped DLL 1 IoCs

pid	Process
4860	218fd88a08eb59ba0311b185aeabb84556f4d83ee5fde11a1c1ce6c7291692f4.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\DuOcHn.log	218fd88a08eb59ba0311b185aeabb84556f4d83ee5fde11a1c1ce6c7291692f4.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
684	sc.exe
2296	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 4 IoCs

evasion

pid	Process
1968	taskkill.exe
2728	taskkill.exe
4740	taskkill.exe
4456	taskkill.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4860	218fd88a08eb59ba0311b185aeabb84556f4d83ee5fde11a1c1ce6c7291692f4.exe
4860	218fd88a08eb59ba0311b185aeabb84556f4d83ee5fde11a1c1ce6c7291692f4.exe
4860	218fd88a08eb59ba0311b185aeabb84556f4d83ee5fde11a1c1ce6c7291692f4.exe
4860	218fd88a08eb59ba0311b185aeabb84556f4d83ee5fde11a1c1ce6c7291692f4.exe
4860	218fd88a08eb59ba0311b185aeabb84556f4d83ee5fde11a1c1ce6c7291692f4.exe
4860	218fd88a08eb59ba0311b185aeabb84556f4d83ee5fde11a1c1ce6c7291692f4.exe
4860	218fd88a08eb59ba0311b185aeabb84556f4d83ee5fde11a1c1ce6c7291692f4.exe
4860	218fd88a08eb59ba0311b185aeabb84556f4d83ee5fde11a1c1ce6c7291692f4.exe
4860	218fd88a08eb59ba0311b185aeabb84556f4d83ee5fde11a1c1ce6c7291692f4.exe
4860	218fd88a08eb59ba0311b185aeabb84556f4d83ee5fde11a1c1ce6c7291692f4.exe
4860	218fd88a08eb59ba0311b185aeabb84556f4d83ee5fde11a1c1ce6c7291692f4.exe
4860	218fd88a08eb59ba0311b185aeabb84556f4d83ee5fde11a1c1ce6c7291692f4.exe
4860	218fd88a08eb59ba0311b185aeabb84556f4d83ee5fde11a1c1ce6c7291692f4.exe
4860	218fd88a08eb59ba0311b185aeabb84556f4d83ee5fde11a1c1ce6c7291692f4.exe
4860	218fd88a08eb59ba0311b185aeabb84556f4d83ee5fde11a1c1ce6c7291692f4.exe
4860	218fd88a08eb59ba0311b185aeabb84556f4d83ee5fde11a1c1ce6c7291692f4.exe
4860	218fd88a08eb59ba0311b185aeabb84556f4d83ee5fde11a1c1ce6c7291692f4.exe
4860	218fd88a08eb59ba0311b185aeabb84556f4d83ee5fde11a1c1ce6c7291692f4.exe
4860	218fd88a08eb59ba0311b185aeabb84556f4d83ee5fde11a1c1ce6c7291692f4.exe
4860	218fd88a08eb59ba0311b185aeabb84556f4d83ee5fde11a1c1ce6c7291692f4.exe
4860	218fd88a08eb59ba0311b185aeabb84556f4d83ee5fde11a1c1ce6c7291692f4.exe
4860	218fd88a08eb59ba0311b185aeabb84556f4d83ee5fde11a1c1ce6c7291692f4.exe
4860	218fd88a08eb59ba0311b185aeabb84556f4d83ee5fde11a1c1ce6c7291692f4.exe
4860	218fd88a08eb59ba0311b185aeabb84556f4d83ee5fde11a1c1ce6c7291692f4.exe
4860	218fd88a08eb59ba0311b185aeabb84556f4d83ee5fde11a1c1ce6c7291692f4.exe
4860	218fd88a08eb59ba0311b185aeabb84556f4d83ee5fde11a1c1ce6c7291692f4.exe
4860	218fd88a08eb59ba0311b185aeabb84556f4d83ee5fde11a1c1ce6c7291692f4.exe
4860	218fd88a08eb59ba0311b185aeabb84556f4d83ee5fde11a1c1ce6c7291692f4.exe
4860	218fd88a08eb59ba0311b185aeabb84556f4d83ee5fde11a1c1ce6c7291692f4.exe
4860	218fd88a08eb59ba0311b185aeabb84556f4d83ee5fde11a1c1ce6c7291692f4.exe
4860	218fd88a08eb59ba0311b185aeabb84556f4d83ee5fde11a1c1ce6c7291692f4.exe
4860	218fd88a08eb59ba0311b185aeabb84556f4d83ee5fde11a1c1ce6c7291692f4.exe
4860	218fd88a08eb59ba0311b185aeabb84556f4d83ee5fde11a1c1ce6c7291692f4.exe
4860	218fd88a08eb59ba0311b185aeabb84556f4d83ee5fde11a1c1ce6c7291692f4.exe
4860	218fd88a08eb59ba0311b185aeabb84556f4d83ee5fde11a1c1ce6c7291692f4.exe
4860	218fd88a08eb59ba0311b185aeabb84556f4d83ee5fde11a1c1ce6c7291692f4.exe
4860	218fd88a08eb59ba0311b185aeabb84556f4d83ee5fde11a1c1ce6c7291692f4.exe
4860	218fd88a08eb59ba0311b185aeabb84556f4d83ee5fde11a1c1ce6c7291692f4.exe
4860	218fd88a08eb59ba0311b185aeabb84556f4d83ee5fde11a1c1ce6c7291692f4.exe
4860	218fd88a08eb59ba0311b185aeabb84556f4d83ee5fde11a1c1ce6c7291692f4.exe
4860	218fd88a08eb59ba0311b185aeabb84556f4d83ee5fde11a1c1ce6c7291692f4.exe
4860	218fd88a08eb59ba0311b185aeabb84556f4d83ee5fde11a1c1ce6c7291692f4.exe
4860	218fd88a08eb59ba0311b185aeabb84556f4d83ee5fde11a1c1ce6c7291692f4.exe
4860	218fd88a08eb59ba0311b185aeabb84556f4d83ee5fde11a1c1ce6c7291692f4.exe
4860	218fd88a08eb59ba0311b185aeabb84556f4d83ee5fde11a1c1ce6c7291692f4.exe
4860	218fd88a08eb59ba0311b185aeabb84556f4d83ee5fde11a1c1ce6c7291692f4.exe
4860	218fd88a08eb59ba0311b185aeabb84556f4d83ee5fde11a1c1ce6c7291692f4.exe
4860	218fd88a08eb59ba0311b185aeabb84556f4d83ee5fde11a1c1ce6c7291692f4.exe
4860	218fd88a08eb59ba0311b185aeabb84556f4d83ee5fde11a1c1ce6c7291692f4.exe
4860	218fd88a08eb59ba0311b185aeabb84556f4d83ee5fde11a1c1ce6c7291692f4.exe
4860	218fd88a08eb59ba0311b185aeabb84556f4d83ee5fde11a1c1ce6c7291692f4.exe
4860	218fd88a08eb59ba0311b185aeabb84556f4d83ee5fde11a1c1ce6c7291692f4.exe
4860	218fd88a08eb59ba0311b185aeabb84556f4d83ee5fde11a1c1ce6c7291692f4.exe
4860	218fd88a08eb59ba0311b185aeabb84556f4d83ee5fde11a1c1ce6c7291692f4.exe
4860	218fd88a08eb59ba0311b185aeabb84556f4d83ee5fde11a1c1ce6c7291692f4.exe
4860	218fd88a08eb59ba0311b185aeabb84556f4d83ee5fde11a1c1ce6c7291692f4.exe
4860	218fd88a08eb59ba0311b185aeabb84556f4d83ee5fde11a1c1ce6c7291692f4.exe
4860	218fd88a08eb59ba0311b185aeabb84556f4d83ee5fde11a1c1ce6c7291692f4.exe
4860	218fd88a08eb59ba0311b185aeabb84556f4d83ee5fde11a1c1ce6c7291692f4.exe
4860	218fd88a08eb59ba0311b185aeabb84556f4d83ee5fde11a1c1ce6c7291692f4.exe
4860	218fd88a08eb59ba0311b185aeabb84556f4d83ee5fde11a1c1ce6c7291692f4.exe
4860	218fd88a08eb59ba0311b185aeabb84556f4d83ee5fde11a1c1ce6c7291692f4.exe
4860	218fd88a08eb59ba0311b185aeabb84556f4d83ee5fde11a1c1ce6c7291692f4.exe
4860	218fd88a08eb59ba0311b185aeabb84556f4d83ee5fde11a1c1ce6c7291692f4.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	4456	taskkill.exe
Token: SeDebugPrivilege	4740	taskkill.exe
Token: SeDebugPrivilege	2728	taskkill.exe
Token: SeDebugPrivilege	1968	taskkill.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 4860 wrote to memory of 684	4860	218fd88a08eb59ba0311b185aeabb84556f4d83ee5fde11a1c1ce6c7291692f4.exe	85
PID 4860 wrote to memory of 684	4860	218fd88a08eb59ba0311b185aeabb84556f4d83ee5fde11a1c1ce6c7291692f4.exe	85
PID 4860 wrote to memory of 684	4860	218fd88a08eb59ba0311b185aeabb84556f4d83ee5fde11a1c1ce6c7291692f4.exe	85
PID 4860 wrote to memory of 1968	4860	218fd88a08eb59ba0311b185aeabb84556f4d83ee5fde11a1c1ce6c7291692f4.exe	86
PID 4860 wrote to memory of 1968	4860	218fd88a08eb59ba0311b185aeabb84556f4d83ee5fde11a1c1ce6c7291692f4.exe	86
PID 4860 wrote to memory of 1968	4860	218fd88a08eb59ba0311b185aeabb84556f4d83ee5fde11a1c1ce6c7291692f4.exe	86
PID 4860 wrote to memory of 2728	4860	218fd88a08eb59ba0311b185aeabb84556f4d83ee5fde11a1c1ce6c7291692f4.exe	88
PID 4860 wrote to memory of 2728	4860	218fd88a08eb59ba0311b185aeabb84556f4d83ee5fde11a1c1ce6c7291692f4.exe	88
PID 4860 wrote to memory of 2728	4860	218fd88a08eb59ba0311b185aeabb84556f4d83ee5fde11a1c1ce6c7291692f4.exe	88
PID 4860 wrote to memory of 2296	4860	218fd88a08eb59ba0311b185aeabb84556f4d83ee5fde11a1c1ce6c7291692f4.exe	90
PID 4860 wrote to memory of 2296	4860	218fd88a08eb59ba0311b185aeabb84556f4d83ee5fde11a1c1ce6c7291692f4.exe	90
PID 4860 wrote to memory of 2296	4860	218fd88a08eb59ba0311b185aeabb84556f4d83ee5fde11a1c1ce6c7291692f4.exe	90
PID 4860 wrote to memory of 4740	4860	218fd88a08eb59ba0311b185aeabb84556f4d83ee5fde11a1c1ce6c7291692f4.exe	92
PID 4860 wrote to memory of 4740	4860	218fd88a08eb59ba0311b185aeabb84556f4d83ee5fde11a1c1ce6c7291692f4.exe	92
PID 4860 wrote to memory of 4740	4860	218fd88a08eb59ba0311b185aeabb84556f4d83ee5fde11a1c1ce6c7291692f4.exe	92
PID 4860 wrote to memory of 4456	4860	218fd88a08eb59ba0311b185aeabb84556f4d83ee5fde11a1c1ce6c7291692f4.exe	94
PID 4860 wrote to memory of 4456	4860	218fd88a08eb59ba0311b185aeabb84556f4d83ee5fde11a1c1ce6c7291692f4.exe	94
PID 4860 wrote to memory of 4456	4860	218fd88a08eb59ba0311b185aeabb84556f4d83ee5fde11a1c1ce6c7291692f4.exe	94
PID 4860 wrote to memory of 1448	4860	218fd88a08eb59ba0311b185aeabb84556f4d83ee5fde11a1c1ce6c7291692f4.exe	101
PID 4860 wrote to memory of 1448	4860	218fd88a08eb59ba0311b185aeabb84556f4d83ee5fde11a1c1ce6c7291692f4.exe	101
PID 4860 wrote to memory of 1448	4860	218fd88a08eb59ba0311b185aeabb84556f4d83ee5fde11a1c1ce6c7291692f4.exe	101

C:\Users\Admin\AppData\Local\Temp\218fd88a08eb59ba0311b185aeabb84556f4d83ee5fde11a1c1ce6c7291692f4.exe
"C:\Users\Admin\AppData\Local\Temp\218fd88a08eb59ba0311b185aeabb84556f4d83ee5fde11a1c1ce6c7291692f4.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4860
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" delete nod32krn
  2⤵
  - Launches sc.exe
  PID:684
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /im nod32krn.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1968
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /im nod32kui.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2728
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" delete ekrn
  2⤵
  - Launches sc.exe
  PID:2296
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /im ekrn.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4740
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /im egui.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4456
- C:\Windows\SysWOW64\explorer.exe
  "C:\Windows\System32\explorer.exe"
  2⤵
  - Modifies registry class
  PID:1448

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\DuOcHn.log

Filesize
9.0MB

MD5
c2e6317f5410e0a1083a84595eb7353c

SHA1
5005107779ba9c53c05b3a53c0b682644cedff4c

SHA256
32b540cd5d39bcaee11bc61e0c348f9cd212964b494b8804887b06dfd7f985f8

SHA512
df35a961ee47828443f4d154223fee0c3a3595676448fa12f76c6d1ac618d8243c7ba54e292ee2212854096e005096e745778a58fd5edcdabecb5ad78607ec0f

Download Submit
memory/4860-132-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4860-140-0x0000000010000000-0x000000001000A000-memory.dmp

Filesize
40KB

Download
memory/4860-142-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download