7974c53cae2295ae394094b9e6710912411abf654597db71979ed9f3eaefb240

Analysis

max time kernel
151s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
11/10/2022, 16:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7974c53cae2295ae394094b9e6710912411abf654597db71979ed9f3eaefb240.exe
Size

663KB
MD5

2c25c341d50f742b19822eedac3472f0
SHA1

b5fb4409efa323f726822759763f20766a26ee32
SHA256

7974c53cae2295ae394094b9e6710912411abf654597db71979ed9f3eaefb240
SHA512

5e4841330abf445e3b33f0ef131443dc29549b22e08bc3428966eab28c0131420854fb54d515682a8ead254c3ea477e83d8694123663195c0e761602a013e3b8
SSDEEP

12288:VHjcoe9PH96vB/fAuBcm9TyOE/xG3muGx44MG4Yx:VDgINfAuBcgcZG2uG24MG4Y

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
4568	ujkoxyr.exe
2356	~DFA225.tmp
1432	cianlyr.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	7974c53cae2295ae394094b9e6710912411abf654597db71979ed9f3eaefb240.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	~DFA225.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
1432	cianlyr.exe
1432	cianlyr.exe
1432	cianlyr.exe
1432	cianlyr.exe
1432	cianlyr.exe
1432	cianlyr.exe
1432	cianlyr.exe
1432	cianlyr.exe
1432	cianlyr.exe
1432	cianlyr.exe
1432	cianlyr.exe
1432	cianlyr.exe
1432	cianlyr.exe
1432	cianlyr.exe
1432	cianlyr.exe
1432	cianlyr.exe
1432	cianlyr.exe
1432	cianlyr.exe
1432	cianlyr.exe
1432	cianlyr.exe
1432	cianlyr.exe
1432	cianlyr.exe
1432	cianlyr.exe
1432	cianlyr.exe
1432	cianlyr.exe
1432	cianlyr.exe
1432	cianlyr.exe
1432	cianlyr.exe
1432	cianlyr.exe
1432	cianlyr.exe
1432	cianlyr.exe
1432	cianlyr.exe
1432	cianlyr.exe
1432	cianlyr.exe
1432	cianlyr.exe
1432	cianlyr.exe
1432	cianlyr.exe
1432	cianlyr.exe
1432	cianlyr.exe
1432	cianlyr.exe
1432	cianlyr.exe
1432	cianlyr.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2356	~DFA225.tmp

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2040 wrote to memory of 4568	2040	7974c53cae2295ae394094b9e6710912411abf654597db71979ed9f3eaefb240.exe	80
PID 2040 wrote to memory of 4568	2040	7974c53cae2295ae394094b9e6710912411abf654597db71979ed9f3eaefb240.exe	80
PID 2040 wrote to memory of 4568	2040	7974c53cae2295ae394094b9e6710912411abf654597db71979ed9f3eaefb240.exe	80
PID 4568 wrote to memory of 2356	4568	ujkoxyr.exe	81
PID 4568 wrote to memory of 2356	4568	ujkoxyr.exe	81
PID 4568 wrote to memory of 2356	4568	ujkoxyr.exe	81
PID 2040 wrote to memory of 3320	2040	7974c53cae2295ae394094b9e6710912411abf654597db71979ed9f3eaefb240.exe	83
PID 2040 wrote to memory of 3320	2040	7974c53cae2295ae394094b9e6710912411abf654597db71979ed9f3eaefb240.exe	83
PID 2040 wrote to memory of 3320	2040	7974c53cae2295ae394094b9e6710912411abf654597db71979ed9f3eaefb240.exe	83
PID 2356 wrote to memory of 1432	2356	~DFA225.tmp	85
PID 2356 wrote to memory of 1432	2356	~DFA225.tmp	85
PID 2356 wrote to memory of 1432	2356	~DFA225.tmp	85

C:\Users\Admin\AppData\Local\Temp\7974c53cae2295ae394094b9e6710912411abf654597db71979ed9f3eaefb240.exe
"C:\Users\Admin\AppData\Local\Temp\7974c53cae2295ae394094b9e6710912411abf654597db71979ed9f3eaefb240.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2040
- C:\Users\Admin\AppData\Local\Temp\ujkoxyr.exe
  C:\Users\Admin\AppData\Local\Temp\ujkoxyr.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4568
- - C:\Users\Admin\AppData\Local\Temp\~DFA225.tmp
    C:\Users\Admin\AppData\Local\Temp\~DFA225.tmp OK
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2356
  - - C:\Users\Admin\AppData\Local\Temp\cianlyr.exe
      "C:\Users\Admin\AppData\Local\Temp\cianlyr.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:1432
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
  2⤵
  PID:3320

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uninsep.bat

Filesize
341B

MD5
49c4eaf70efa7742168bb86cd5c1e490

SHA1
5bc3972e4abff413329b409a4f008cb767d1bb16

SHA256
8c6fb2fea5a17228420a5d58de64aff3d8323508e3016cc40bf04384aa120d54

SHA512
44e539935fd3a78b975623e688fbf59021ce80daf64edf401b5d566c69050cd1a7c1e64f29968880fc51b87eb1c508cbe3df32c120b3553fe434d0c1c795736b

Download Submit
C:\Users\Admin\AppData\Local\Temp\cianlyr.exe

Filesize
370KB

MD5
f9cc94a4f3b056e04ccc1c39010c9658

SHA1
86be6c257e5483bae28e9531259735ea09525349

SHA256
29a518cd45e1a11f47443a5a598416eded6bc8c73849b2322a9828e0818d91e3

SHA512
724a2d33ddfee4f5c079f4af046f1c721cd1f73a43d9938aace58dbd1c64ffc4eb8d094978a79b75488d973eccbafdb8b491c5c2c1c431edb68308d63da3755e

Download Submit
C:\Users\Admin\AppData\Local\Temp\cianlyr.exe

Filesize
370KB

MD5
f9cc94a4f3b056e04ccc1c39010c9658

SHA1
86be6c257e5483bae28e9531259735ea09525349

SHA256
29a518cd45e1a11f47443a5a598416eded6bc8c73849b2322a9828e0818d91e3

SHA512
724a2d33ddfee4f5c079f4af046f1c721cd1f73a43d9938aace58dbd1c64ffc4eb8d094978a79b75488d973eccbafdb8b491c5c2c1c431edb68308d63da3755e

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
86bb2dbeaef655893262f3c041f6afe2

SHA1
1b26ff1241c1353bd506c18bd0c11878076ba65d

SHA256
4a57643d2c59d1235bc0926f845583f39345839e3e9428ad619eb4b6baf96ad2

SHA512
58294cfaa5882a4c5625c03fe6f9e4882912b31f7169241f95626745d66c0a746083a9044365943d66ae7a420113d28c0ddd642c4ed697c683deb63796a13d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
480B

MD5
6e808dc6dfbf5c6af7a6e8a74332d2e9

SHA1
b4167d229d8d16caeb9db9debd2241cd36fa2673

SHA256
614d86cce04f52871a521834cb9ea4697708e0696effead11993752087add15f

SHA512
ddbba19cc3dff82f9e3b945ef62db46f53fadc5f8a4b01a5640fd0db6fbed8ec20dbcd5cca370e321908f3bc4a4c726ef85b7899c069b29187343eb1606ce5ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\ujkoxyr.exe

Filesize
671KB

MD5
4c2acdac07705518c02761242c0c1ad8

SHA1
ba53e1935f9d52b8b2329086cfa5af0eee7bfdab

SHA256
88c3b919ab693231c9853a602731035d34f5db2a689f7c8d658616be37f8b261

SHA512
7f94177800a499ab25ef7d1f3f3cf79a1f34ec545fe747d4fac995c56b15dc6c0216919f116dedc7de6df5a13bb9a9689f94bc02ef920f4dc4cfc11237a8966c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ujkoxyr.exe

Filesize
671KB

MD5
4c2acdac07705518c02761242c0c1ad8

SHA1
ba53e1935f9d52b8b2329086cfa5af0eee7bfdab

SHA256
88c3b919ab693231c9853a602731035d34f5db2a689f7c8d658616be37f8b261

SHA512
7f94177800a499ab25ef7d1f3f3cf79a1f34ec545fe747d4fac995c56b15dc6c0216919f116dedc7de6df5a13bb9a9689f94bc02ef920f4dc4cfc11237a8966c

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA225.tmp

Filesize
680KB

MD5
cbf20f0c891ea7ec137d260939fbeda9

SHA1
354f365d3eb3926922e4f06de96bc271d75a2fe9

SHA256
15cf264a5ecf7f055eaa2500a41dae969788fce5a868e7e85c8e653d1f7c62ce

SHA512
ca7e0d403001cae6f88199a927cd0d2e2f2deef564f0a7e070fa81078f64f371204a542b598e5442063129c236cdd16e39b0bffa7cecf7cfceb33c0e70fdcb1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA225.tmp

Filesize
680KB

MD5
cbf20f0c891ea7ec137d260939fbeda9

SHA1
354f365d3eb3926922e4f06de96bc271d75a2fe9

SHA256
15cf264a5ecf7f055eaa2500a41dae969788fce5a868e7e85c8e653d1f7c62ce

SHA512
ca7e0d403001cae6f88199a927cd0d2e2f2deef564f0a7e070fa81078f64f371204a542b598e5442063129c236cdd16e39b0bffa7cecf7cfceb33c0e70fdcb1c

Download Submit
memory/1432-148-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/1432-150-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/2040-143-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/2040-132-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/2356-141-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/4568-140-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download