5203c13c418bbcaa9109a4c5d12f5361f21420d20ab9ba2015c409d368ae449d

Analysis

max time kernel
155s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
11/10/2022, 05:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5203c13c418bbcaa9109a4c5d12f5361f21420d20ab9ba2015c409d368ae449d.exe
Size

644KB
MD5

7c064fbdcccd9098b460c10e40bbc850
SHA1

47796191a94fe4479f7282a37a3a89d4bcaeb8fc
SHA256

5203c13c418bbcaa9109a4c5d12f5361f21420d20ab9ba2015c409d368ae449d
SHA512

1cba343e56113e8c6ba6af64b2540b3ca935d5c91a374f01e4ba8192f7cd8d5e847b46eb48d5a47f2d4c4c1a300c0c215b84d41d507c5f41cfbda0925e6bf135
SSDEEP

12288:VHjcoe9PH96vB/fAuBcm9TyOE/xG3muGx44MG4Yx:VDgINfAuBcgcZG2uG24MG4Y

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2040	huhebul.exe
1220	~DFA231.tmp
5116	eroztul.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	5203c13c418bbcaa9109a4c5d12f5361f21420d20ab9ba2015c409d368ae449d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	~DFA231.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 40 IoCs

pid	Process
5116	eroztul.exe
5116	eroztul.exe
5116	eroztul.exe
5116	eroztul.exe
5116	eroztul.exe
5116	eroztul.exe
5116	eroztul.exe
5116	eroztul.exe
5116	eroztul.exe
5116	eroztul.exe
5116	eroztul.exe
5116	eroztul.exe
5116	eroztul.exe
5116	eroztul.exe
5116	eroztul.exe
5116	eroztul.exe
5116	eroztul.exe
5116	eroztul.exe
5116	eroztul.exe
5116	eroztul.exe
5116	eroztul.exe
5116	eroztul.exe
5116	eroztul.exe
5116	eroztul.exe
5116	eroztul.exe
5116	eroztul.exe
5116	eroztul.exe
5116	eroztul.exe
5116	eroztul.exe
5116	eroztul.exe
5116	eroztul.exe
5116	eroztul.exe
5116	eroztul.exe
5116	eroztul.exe
5116	eroztul.exe
5116	eroztul.exe
5116	eroztul.exe
5116	eroztul.exe
5116	eroztul.exe
5116	eroztul.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1220	~DFA231.tmp

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 5044 wrote to memory of 2040	5044	5203c13c418bbcaa9109a4c5d12f5361f21420d20ab9ba2015c409d368ae449d.exe	84
PID 5044 wrote to memory of 2040	5044	5203c13c418bbcaa9109a4c5d12f5361f21420d20ab9ba2015c409d368ae449d.exe	84
PID 5044 wrote to memory of 2040	5044	5203c13c418bbcaa9109a4c5d12f5361f21420d20ab9ba2015c409d368ae449d.exe	84
PID 2040 wrote to memory of 1220	2040	huhebul.exe	85
PID 2040 wrote to memory of 1220	2040	huhebul.exe	85
PID 2040 wrote to memory of 1220	2040	huhebul.exe	85
PID 5044 wrote to memory of 4540	5044	5203c13c418bbcaa9109a4c5d12f5361f21420d20ab9ba2015c409d368ae449d.exe	86
PID 5044 wrote to memory of 4540	5044	5203c13c418bbcaa9109a4c5d12f5361f21420d20ab9ba2015c409d368ae449d.exe	86
PID 5044 wrote to memory of 4540	5044	5203c13c418bbcaa9109a4c5d12f5361f21420d20ab9ba2015c409d368ae449d.exe	86
PID 1220 wrote to memory of 5116	1220	~DFA231.tmp	89
PID 1220 wrote to memory of 5116	1220	~DFA231.tmp	89
PID 1220 wrote to memory of 5116	1220	~DFA231.tmp	89

C:\Users\Admin\AppData\Local\Temp\5203c13c418bbcaa9109a4c5d12f5361f21420d20ab9ba2015c409d368ae449d.exe
"C:\Users\Admin\AppData\Local\Temp\5203c13c418bbcaa9109a4c5d12f5361f21420d20ab9ba2015c409d368ae449d.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5044
- C:\Users\Admin\AppData\Local\Temp\huhebul.exe
  C:\Users\Admin\AppData\Local\Temp\huhebul.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2040
- - C:\Users\Admin\AppData\Local\Temp\~DFA231.tmp
    C:\Users\Admin\AppData\Local\Temp\~DFA231.tmp OK
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1220
  - - C:\Users\Admin\AppData\Local\Temp\eroztul.exe
      "C:\Users\Admin\AppData\Local\Temp\eroztul.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:5116
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
  2⤵
  PID:4540

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uninsep.bat

Filesize
341B

MD5
edd547a2ed5f513c58af52a628e37da6

SHA1
ef2055da6bd59cb7a9dc3e089a28bc560978faa5

SHA256
9f96914c53240fa481cd7ee23461c593b2ec99404956c49f856719b7cd049634

SHA512
db8c859db0228ea24b5f3124497599e8656a79834dcaf5177f270e301e6a47060e65560191a5f931f7df5f6a60d9741478ece190cdc47486118af1eb1746c283

Download Submit
C:\Users\Admin\AppData\Local\Temp\eroztul.exe

Filesize
378KB

MD5
fce1a8980c9b75266d0512824b86efcb

SHA1
d5fa82618d5c2a410701a5ff4eea25b4d49ce863

SHA256
fff2d9f5ec6dc2f42b5f07077d01f83a3cb36b9cd516d993925d733ea94b957a

SHA512
1c392a68c6d502696304e98a2219a6d932a5b19dd20f6a1abf342a150512170e146e9ad0ae2b2b551f5cc579fda7266cf50acf31716f2375d3403a6ec2ee26aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\eroztul.exe

Filesize
378KB

MD5
fce1a8980c9b75266d0512824b86efcb

SHA1
d5fa82618d5c2a410701a5ff4eea25b4d49ce863

SHA256
fff2d9f5ec6dc2f42b5f07077d01f83a3cb36b9cd516d993925d733ea94b957a

SHA512
1c392a68c6d502696304e98a2219a6d932a5b19dd20f6a1abf342a150512170e146e9ad0ae2b2b551f5cc579fda7266cf50acf31716f2375d3403a6ec2ee26aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
86bb2dbeaef655893262f3c041f6afe2

SHA1
1b26ff1241c1353bd506c18bd0c11878076ba65d

SHA256
4a57643d2c59d1235bc0926f845583f39345839e3e9428ad619eb4b6baf96ad2

SHA512
58294cfaa5882a4c5625c03fe6f9e4882912b31f7169241f95626745d66c0a746083a9044365943d66ae7a420113d28c0ddd642c4ed697c683deb63796a13d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
480B

MD5
ad7ae9c9dba41f200166342b8ccf181a

SHA1
320531e76a271400f9a49459b8c1fbd4ead00c65

SHA256
7c3c43970e7c1aed60fdb699f025748da36686ca2707917b84f1238e24a44f38

SHA512
e1e4aa36a91ef4df2fadb4f88907548c557ab8a7379263f9f6a540d35a41102f72fb2f1996a2bdf653cb78d22326cf038155414f14e5c4ff76d954bcf3b7413c

Download Submit
C:\Users\Admin\AppData\Local\Temp\huhebul.exe

Filesize
645KB

MD5
ae08cb008a8ae453255d4d618cfbdf42

SHA1
f0a2c8701ac6dd0be57d53b185f7e4aa20ee7d3e

SHA256
6c2fc040a446040d3b6f685d6653195c773b26191632ae099add160043f6762a

SHA512
bbe477fee415604c889e81b5eb04b139c274cf90a63ff1762f7108d54a6a827a11f77b36b77aff989608249d11b680900dd0e1c89ca70949991d3fd26af6f17b

Download Submit
C:\Users\Admin\AppData\Local\Temp\huhebul.exe

Filesize
645KB

MD5
ae08cb008a8ae453255d4d618cfbdf42

SHA1
f0a2c8701ac6dd0be57d53b185f7e4aa20ee7d3e

SHA256
6c2fc040a446040d3b6f685d6653195c773b26191632ae099add160043f6762a

SHA512
bbe477fee415604c889e81b5eb04b139c274cf90a63ff1762f7108d54a6a827a11f77b36b77aff989608249d11b680900dd0e1c89ca70949991d3fd26af6f17b

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA231.tmp

Filesize
647KB

MD5
4270dbd013c20301f33ffc251288aeac

SHA1
259df50f7edb378e18b3d532c1bf134541a106be

SHA256
d61c02a1f10ba2c40588df319905a819fe11a67ad9effe278674963e4f4ff05a

SHA512
4caf0f57a9591bfe8f7c015952c238a4f043f163315273f6d2f580b773ab6789c95c4c59e02da9375857ca569967f21ac6d1fc425b1b534dd99253a84385f79d

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA231.tmp

Filesize
647KB

MD5
4270dbd013c20301f33ffc251288aeac

SHA1
259df50f7edb378e18b3d532c1bf134541a106be

SHA256
d61c02a1f10ba2c40588df319905a819fe11a67ad9effe278674963e4f4ff05a

SHA512
4caf0f57a9591bfe8f7c015952c238a4f043f163315273f6d2f580b773ab6789c95c4c59e02da9375857ca569967f21ac6d1fc425b1b534dd99253a84385f79d

Download Submit
memory/1220-141-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1220-146-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/2040-142-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/2040-140-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/5044-144-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/5044-132-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/5116-150-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/5116-152-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download