c261d8c5c32580509e9c8c8acf76accd05803c21921a0caadb47e8ec14f7af7a

Analysis

max time kernel
151s
max time network
134s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
03/10/2022, 12:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c261d8c5c32580509e9c8c8acf76accd05803c21921a0caadb47e8ec14f7af7a.exe
Size

659KB
MD5

5012e740688d9dbcdd8d9ae261913a50
SHA1

94957fe078ba29e3a75c089fa86176c0e931a80b
SHA256

c261d8c5c32580509e9c8c8acf76accd05803c21921a0caadb47e8ec14f7af7a
SHA512

653af2c7f324a51a3aab0f9369ca0ebbba21be7cccffe6dfadaa8e96fc34dfb2b36f9b8bccbab763ab561f0500eb20e666a85d6c4a127fb7a7bc4e053b617ef4
SSDEEP

12288:OHjcoe9PH96vB/fAuBcm9TyOE/xG3muGx44MG4Yx:ODgINfAuBcgcZG2uG24MG4Y

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
3968	gumelek.exe
4580	~DFA239.tmp
5048	cujiafz.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	c261d8c5c32580509e9c8c8acf76accd05803c21921a0caadb47e8ec14f7af7a.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	~DFA239.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
5048	cujiafz.exe
5048	cujiafz.exe
5048	cujiafz.exe
5048	cujiafz.exe
5048	cujiafz.exe
5048	cujiafz.exe
5048	cujiafz.exe
5048	cujiafz.exe
5048	cujiafz.exe
5048	cujiafz.exe
5048	cujiafz.exe
5048	cujiafz.exe
5048	cujiafz.exe
5048	cujiafz.exe
5048	cujiafz.exe
5048	cujiafz.exe
5048	cujiafz.exe
5048	cujiafz.exe
5048	cujiafz.exe
5048	cujiafz.exe
5048	cujiafz.exe
5048	cujiafz.exe
5048	cujiafz.exe
5048	cujiafz.exe
5048	cujiafz.exe
5048	cujiafz.exe
5048	cujiafz.exe
5048	cujiafz.exe
5048	cujiafz.exe
5048	cujiafz.exe
5048	cujiafz.exe
5048	cujiafz.exe
5048	cujiafz.exe
5048	cujiafz.exe
5048	cujiafz.exe
5048	cujiafz.exe
5048	cujiafz.exe
5048	cujiafz.exe
5048	cujiafz.exe
5048	cujiafz.exe
5048	cujiafz.exe
5048	cujiafz.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4580	~DFA239.tmp

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2640 wrote to memory of 3968	2640	c261d8c5c32580509e9c8c8acf76accd05803c21921a0caadb47e8ec14f7af7a.exe	84
PID 2640 wrote to memory of 3968	2640	c261d8c5c32580509e9c8c8acf76accd05803c21921a0caadb47e8ec14f7af7a.exe	84
PID 2640 wrote to memory of 3968	2640	c261d8c5c32580509e9c8c8acf76accd05803c21921a0caadb47e8ec14f7af7a.exe	84
PID 3968 wrote to memory of 4580	3968	gumelek.exe	85
PID 3968 wrote to memory of 4580	3968	gumelek.exe	85
PID 3968 wrote to memory of 4580	3968	gumelek.exe	85
PID 2640 wrote to memory of 3312	2640	c261d8c5c32580509e9c8c8acf76accd05803c21921a0caadb47e8ec14f7af7a.exe	86
PID 2640 wrote to memory of 3312	2640	c261d8c5c32580509e9c8c8acf76accd05803c21921a0caadb47e8ec14f7af7a.exe	86
PID 2640 wrote to memory of 3312	2640	c261d8c5c32580509e9c8c8acf76accd05803c21921a0caadb47e8ec14f7af7a.exe	86
PID 4580 wrote to memory of 5048	4580	~DFA239.tmp	99
PID 4580 wrote to memory of 5048	4580	~DFA239.tmp	99
PID 4580 wrote to memory of 5048	4580	~DFA239.tmp	99

C:\Users\Admin\AppData\Local\Temp\c261d8c5c32580509e9c8c8acf76accd05803c21921a0caadb47e8ec14f7af7a.exe
"C:\Users\Admin\AppData\Local\Temp\c261d8c5c32580509e9c8c8acf76accd05803c21921a0caadb47e8ec14f7af7a.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2640
- C:\Users\Admin\AppData\Local\Temp\gumelek.exe
  C:\Users\Admin\AppData\Local\Temp\gumelek.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3968
- - C:\Users\Admin\AppData\Local\Temp\~DFA239.tmp
    C:\Users\Admin\AppData\Local\Temp\~DFA239.tmp OK
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4580
  - - C:\Users\Admin\AppData\Local\Temp\cujiafz.exe
      "C:\Users\Admin\AppData\Local\Temp\cujiafz.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:5048
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
  2⤵
  PID:3312

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uninsep.bat

Filesize
341B

MD5
e004b9d486d471bd5255c23f8b4340df

SHA1
04b733924d7663733e821abaae0001b56e904dbc

SHA256
276a75df6a32d4ddb91a56ad8d588f185ecc69d0db687d84906be17ff98f73bc

SHA512
21a6779e2c94287f8166e50179e4a75af58d0985c7f3c15a42238c276094b9f5867c1bd9c0bd08c26906e85003a87cb57feef249900f080e615bb9d8defbdc75

Download Submit
C:\Users\Admin\AppData\Local\Temp\cujiafz.exe

Filesize
408KB

MD5
93d7850dab2134d57c4813edf926bd2c

SHA1
774f2d41bf1db790e0d17f0792e5a9472b771c05

SHA256
9dd002b3bb311858d53b5e69b16455b11568f0119a794345e87f18d2210a6814

SHA512
98b9b46ba8985d82e25597e0f59644c7603d5654f1afe391223a0a3bd8d47d5cbe69eeb8545edd5a7cd0d1ffae4a1e19696b19ad506813927fe3abfe6aadcf9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\cujiafz.exe

Filesize
408KB

MD5
93d7850dab2134d57c4813edf926bd2c

SHA1
774f2d41bf1db790e0d17f0792e5a9472b771c05

SHA256
9dd002b3bb311858d53b5e69b16455b11568f0119a794345e87f18d2210a6814

SHA512
98b9b46ba8985d82e25597e0f59644c7603d5654f1afe391223a0a3bd8d47d5cbe69eeb8545edd5a7cd0d1ffae4a1e19696b19ad506813927fe3abfe6aadcf9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
86bb2dbeaef655893262f3c041f6afe2

SHA1
1b26ff1241c1353bd506c18bd0c11878076ba65d

SHA256
4a57643d2c59d1235bc0926f845583f39345839e3e9428ad619eb4b6baf96ad2

SHA512
58294cfaa5882a4c5625c03fe6f9e4882912b31f7169241f95626745d66c0a746083a9044365943d66ae7a420113d28c0ddd642c4ed697c683deb63796a13d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
480B

MD5
53b57cc51e4f1be5fcfb884dfe07ace9

SHA1
e479b5610020211c76022eb8bfb4d4c96abb8d31

SHA256
bbeb412b67cd5960ccaff535eee06290671aa0f4296a1d45042935d7089e5632

SHA512
d59434e7ca2eb3fc8150a3525ba92900683e6c8cfe785916f940fb4930dc32be90864a930913cff29af0f5af5eba4b075bc5b99e6bc3f92996dd058236b32f13

Download Submit
C:\Users\Admin\AppData\Local\Temp\gumelek.exe

Filesize
668KB

MD5
512defb15d5dfa276e0f80642cf57286

SHA1
744e3be0af01f4a0c37db9db68ab578d5d062654

SHA256
73652272156160611bf4a8dc99dced0c40d605b34cca94f30ce3cdc014ca759b

SHA512
3d1b2f623f75207d022a1c30ece4b468077cda94e51f4d0098b46d10433b59b1c1d4553c0404d924572ce1aa45033d7bdc85254e146267e578477480561be600

Download Submit
C:\Users\Admin\AppData\Local\Temp\gumelek.exe

Filesize
668KB

MD5
512defb15d5dfa276e0f80642cf57286

SHA1
744e3be0af01f4a0c37db9db68ab578d5d062654

SHA256
73652272156160611bf4a8dc99dced0c40d605b34cca94f30ce3cdc014ca759b

SHA512
3d1b2f623f75207d022a1c30ece4b468077cda94e51f4d0098b46d10433b59b1c1d4553c0404d924572ce1aa45033d7bdc85254e146267e578477480561be600

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA239.tmp

Filesize
677KB

MD5
99dc15b8cbf0e8131e565635072c4830

SHA1
e3685e3b73ca45984fd79c85b10f0d31f37a45ac

SHA256
d9e5da10e8dbf9064d4c49fbc110dd092718a179fd4194ae633385b5418ea835

SHA512
3a43d584e03ebf373709f89af9934c004497beee2e06cf246aafdc85bc2b46c8ceed51bb004b4a60fe0ff128fe30684c85f6e6c577e7b086f68832995b387114

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA239.tmp

Filesize
677KB

MD5
99dc15b8cbf0e8131e565635072c4830

SHA1
e3685e3b73ca45984fd79c85b10f0d31f37a45ac

SHA256
d9e5da10e8dbf9064d4c49fbc110dd092718a179fd4194ae633385b5418ea835

SHA512
3a43d584e03ebf373709f89af9934c004497beee2e06cf246aafdc85bc2b46c8ceed51bb004b4a60fe0ff128fe30684c85f6e6c577e7b086f68832995b387114

Download Submit
memory/2640-132-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/2640-141-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/3968-142-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/4580-144-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/5048-149-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/5048-150-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download