d16f1f512e1251f573a9286afa7fba25facf1380e810215d16aa83babcec59e8

Analysis

max time kernel
153s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
11/10/2022, 05:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d16f1f512e1251f573a9286afa7fba25facf1380e810215d16aa83babcec59e8.exe
Size

648KB
MD5

68b4673152111ecc0526533c9f19ad90
SHA1

358a23e378e6656b85dff24f438cfb06d0b16b3d
SHA256

d16f1f512e1251f573a9286afa7fba25facf1380e810215d16aa83babcec59e8
SHA512

b5370d06498ff62e2853db37b0596d07eb29407c11d9d2e3d78b3771ee15644a5cfe758f5c144556d64c6101d9bfcaa5053c4288a7d4dd036e05fc9969ad6135
SSDEEP

12288:OHjcoe9PH96vB/fAuBcm9TyOE/xG3muGx44MG4Yx:ODgINfAuBcgcZG2uG24MG4Y

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2616	powyudd.exe
3564	~DFA246.tmp
2860	uhnuydd.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	d16f1f512e1251f573a9286afa7fba25facf1380e810215d16aa83babcec59e8.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	~DFA246.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 34 IoCs

pid	Process
2860	uhnuydd.exe
2860	uhnuydd.exe
2860	uhnuydd.exe
2860	uhnuydd.exe
2860	uhnuydd.exe
2860	uhnuydd.exe
2860	uhnuydd.exe
2860	uhnuydd.exe
2860	uhnuydd.exe
2860	uhnuydd.exe
2860	uhnuydd.exe
2860	uhnuydd.exe
2860	uhnuydd.exe
2860	uhnuydd.exe
2860	uhnuydd.exe
2860	uhnuydd.exe
2860	uhnuydd.exe
2860	uhnuydd.exe
2860	uhnuydd.exe
2860	uhnuydd.exe
2860	uhnuydd.exe
2860	uhnuydd.exe
2860	uhnuydd.exe
2860	uhnuydd.exe
2860	uhnuydd.exe
2860	uhnuydd.exe
2860	uhnuydd.exe
2860	uhnuydd.exe
2860	uhnuydd.exe
2860	uhnuydd.exe
2860	uhnuydd.exe
2860	uhnuydd.exe
2860	uhnuydd.exe
2860	uhnuydd.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3564	~DFA246.tmp

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4816 wrote to memory of 2616	4816	d16f1f512e1251f573a9286afa7fba25facf1380e810215d16aa83babcec59e8.exe	83
PID 4816 wrote to memory of 2616	4816	d16f1f512e1251f573a9286afa7fba25facf1380e810215d16aa83babcec59e8.exe	83
PID 4816 wrote to memory of 2616	4816	d16f1f512e1251f573a9286afa7fba25facf1380e810215d16aa83babcec59e8.exe	83
PID 2616 wrote to memory of 3564	2616	powyudd.exe	84
PID 2616 wrote to memory of 3564	2616	powyudd.exe	84
PID 2616 wrote to memory of 3564	2616	powyudd.exe	84
PID 4816 wrote to memory of 640	4816	d16f1f512e1251f573a9286afa7fba25facf1380e810215d16aa83babcec59e8.exe	85
PID 4816 wrote to memory of 640	4816	d16f1f512e1251f573a9286afa7fba25facf1380e810215d16aa83babcec59e8.exe	85
PID 4816 wrote to memory of 640	4816	d16f1f512e1251f573a9286afa7fba25facf1380e810215d16aa83babcec59e8.exe	85
PID 3564 wrote to memory of 2860	3564	~DFA246.tmp	89
PID 3564 wrote to memory of 2860	3564	~DFA246.tmp	89
PID 3564 wrote to memory of 2860	3564	~DFA246.tmp	89

C:\Users\Admin\AppData\Local\Temp\d16f1f512e1251f573a9286afa7fba25facf1380e810215d16aa83babcec59e8.exe
"C:\Users\Admin\AppData\Local\Temp\d16f1f512e1251f573a9286afa7fba25facf1380e810215d16aa83babcec59e8.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4816
- C:\Users\Admin\AppData\Local\Temp\powyudd.exe
  C:\Users\Admin\AppData\Local\Temp\powyudd.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2616
- - C:\Users\Admin\AppData\Local\Temp\~DFA246.tmp
    C:\Users\Admin\AppData\Local\Temp\~DFA246.tmp OK
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3564
  - - C:\Users\Admin\AppData\Local\Temp\uhnuydd.exe
      "C:\Users\Admin\AppData\Local\Temp\uhnuydd.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:2860
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
  2⤵
  PID:640

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uninsep.bat

Filesize
341B

MD5
5a6535f8b76af9ded5802819517d4066

SHA1
0b94d1b1a256b9d7441e8556049a6e08f0620985

SHA256
a59bcfa795a37f6bbce5209217cf2244d7a30109fa9ba8659c0f4d350b489830

SHA512
5809ca37d4bb1a20f3ce184221620ff5565555bc6b0a3f11567e22dc3a015afee4632f92b8d4a4f5725289b0eb72cf3ffa299b050dc569c6b22583fc905af9ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
86bb2dbeaef655893262f3c041f6afe2

SHA1
1b26ff1241c1353bd506c18bd0c11878076ba65d

SHA256
4a57643d2c59d1235bc0926f845583f39345839e3e9428ad619eb4b6baf96ad2

SHA512
58294cfaa5882a4c5625c03fe6f9e4882912b31f7169241f95626745d66c0a746083a9044365943d66ae7a420113d28c0ddd642c4ed697c683deb63796a13d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
480B

MD5
296a3b4008d9c2d5a00d3379f660c012

SHA1
92691d538a3943cf5de54077dce2813c155fcc37

SHA256
7e02ae0f85f204918c2fe5ba27f201a42ea9fe473f67d309fbc328e9091b464d

SHA512
6e6fa5e527366a313b4c8baaf494ee99d24f8ee330c9c99bee1fa42b97b0ffea4cad6e959ffd18ff4fe0f583a1fd5e86473c0253af94cd7cd6f874978ea79169

Download Submit
C:\Users\Admin\AppData\Local\Temp\powyudd.exe

Filesize
657KB

MD5
efc0bcca3456a8b81183e2bc27349e80

SHA1
7ef7540c91cb4815ae1b7aa6ca6c7d275c84ca22

SHA256
51b3df079ddf1869fd395ec772e46a68c29b0cda23f736f7dce657fce9be4443

SHA512
57282dc4f2a45e208ab21b59f8432844312a6cd35aa0f7064247ffcb93e1c93101b21b1e727a68cda0c6cdbace9d5a5ba724ecb41e63f1939aeb160b24daaa0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\powyudd.exe

Filesize
657KB

MD5
efc0bcca3456a8b81183e2bc27349e80

SHA1
7ef7540c91cb4815ae1b7aa6ca6c7d275c84ca22

SHA256
51b3df079ddf1869fd395ec772e46a68c29b0cda23f736f7dce657fce9be4443

SHA512
57282dc4f2a45e208ab21b59f8432844312a6cd35aa0f7064247ffcb93e1c93101b21b1e727a68cda0c6cdbace9d5a5ba724ecb41e63f1939aeb160b24daaa0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\uhnuydd.exe

Filesize
375KB

MD5
f25df733b659d80894bdb72eb0b8e3db

SHA1
29fef882e7a42b20622b9eb8cc557c9e8bb817e4

SHA256
9bd0603e24defe0c42920de436a416f52e37e2872906b4d403644ec62931e3d8

SHA512
06d0aa362fe0461fe4ef4e6ca8c3452eb617750e4b88d8e58e342e5565d703d960830f7e0588a50bb658ff663f0c7c508b5766d1fbb1dab93f114210f5b02883

Download Submit
C:\Users\Admin\AppData\Local\Temp\uhnuydd.exe

Filesize
375KB

MD5
f25df733b659d80894bdb72eb0b8e3db

SHA1
29fef882e7a42b20622b9eb8cc557c9e8bb817e4

SHA256
9bd0603e24defe0c42920de436a416f52e37e2872906b4d403644ec62931e3d8

SHA512
06d0aa362fe0461fe4ef4e6ca8c3452eb617750e4b88d8e58e342e5565d703d960830f7e0588a50bb658ff663f0c7c508b5766d1fbb1dab93f114210f5b02883

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA246.tmp

Filesize
660KB

MD5
cc0f2e85ee4af6d7476d8346424c05ef

SHA1
8eb142fe1db1ce388b210efe14b5fa4faffa6eec

SHA256
c87da4c608fb964a09c5da00d116728d8e79327192e77c030e4548d061181e1c

SHA512
c4731040698f8f789dd0bf1cc28f3f22f0ec7eb02e40d053b0fc6da5654de2b6f43ff9cf76ff03285b4fe391cc94ad008c6e7418e9b0e6933a10c1aaca864b24

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA246.tmp

Filesize
660KB

MD5
cc0f2e85ee4af6d7476d8346424c05ef

SHA1
8eb142fe1db1ce388b210efe14b5fa4faffa6eec

SHA256
c87da4c608fb964a09c5da00d116728d8e79327192e77c030e4548d061181e1c

SHA512
c4731040698f8f789dd0bf1cc28f3f22f0ec7eb02e40d053b0fc6da5654de2b6f43ff9cf76ff03285b4fe391cc94ad008c6e7418e9b0e6933a10c1aaca864b24

Download Submit
memory/2616-143-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/2616-137-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/2860-151-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/2860-153-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/3564-142-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/3564-147-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/4816-145-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/4816-132-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/4816-138-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download