d82f8e99f724f2b215ac98c0bd03b4d870f78393957e57cc3844bc170ddd46ee

Analysis

max time kernel
155s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
12/10/2022, 18:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d82f8e99f724f2b215ac98c0bd03b4d870f78393957e57cc3844bc170ddd46ee.exe
Size

646KB
MD5

6f01d3b1f9ecbc44872cc4c3b7fbbb50
SHA1

7c037c90249c220909c2fff9f583d9a4912b1d2a
SHA256

d82f8e99f724f2b215ac98c0bd03b4d870f78393957e57cc3844bc170ddd46ee
SHA512

845662c0bdc2b4afedbba1fad71ad6f6eb3cd783269ff451cae2156f06fa7303c0bcb0040172ec1c1be93852238551c2b39ab4e98d7be31e09d6d23ecf200b25
SSDEEP

12288:OHjcoe9PH96vB/fAuBcm9TyOE/xG3muGx44MG4Yx:ODgINfAuBcgcZG2uG24MG4Y

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
5008	tuzeupv.exe
4016	~DFA228.tmp
928	muhucuk.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	d82f8e99f724f2b215ac98c0bd03b4d870f78393957e57cc3844bc170ddd46ee.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	~DFA228.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
928	muhucuk.exe
928	muhucuk.exe
928	muhucuk.exe
928	muhucuk.exe
928	muhucuk.exe
928	muhucuk.exe
928	muhucuk.exe
928	muhucuk.exe
928	muhucuk.exe
928	muhucuk.exe
928	muhucuk.exe
928	muhucuk.exe
928	muhucuk.exe
928	muhucuk.exe
928	muhucuk.exe
928	muhucuk.exe
928	muhucuk.exe
928	muhucuk.exe
928	muhucuk.exe
928	muhucuk.exe
928	muhucuk.exe
928	muhucuk.exe
928	muhucuk.exe
928	muhucuk.exe
928	muhucuk.exe
928	muhucuk.exe
928	muhucuk.exe
928	muhucuk.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4016	~DFA228.tmp

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2244 wrote to memory of 5008	2244	d82f8e99f724f2b215ac98c0bd03b4d870f78393957e57cc3844bc170ddd46ee.exe	82
PID 2244 wrote to memory of 5008	2244	d82f8e99f724f2b215ac98c0bd03b4d870f78393957e57cc3844bc170ddd46ee.exe	82
PID 2244 wrote to memory of 5008	2244	d82f8e99f724f2b215ac98c0bd03b4d870f78393957e57cc3844bc170ddd46ee.exe	82
PID 5008 wrote to memory of 4016	5008	tuzeupv.exe	83
PID 5008 wrote to memory of 4016	5008	tuzeupv.exe	83
PID 5008 wrote to memory of 4016	5008	tuzeupv.exe	83
PID 2244 wrote to memory of 548	2244	d82f8e99f724f2b215ac98c0bd03b4d870f78393957e57cc3844bc170ddd46ee.exe	85
PID 2244 wrote to memory of 548	2244	d82f8e99f724f2b215ac98c0bd03b4d870f78393957e57cc3844bc170ddd46ee.exe	85
PID 2244 wrote to memory of 548	2244	d82f8e99f724f2b215ac98c0bd03b4d870f78393957e57cc3844bc170ddd46ee.exe	85
PID 4016 wrote to memory of 928	4016	~DFA228.tmp	87
PID 4016 wrote to memory of 928	4016	~DFA228.tmp	87
PID 4016 wrote to memory of 928	4016	~DFA228.tmp	87

C:\Users\Admin\AppData\Local\Temp\d82f8e99f724f2b215ac98c0bd03b4d870f78393957e57cc3844bc170ddd46ee.exe
"C:\Users\Admin\AppData\Local\Temp\d82f8e99f724f2b215ac98c0bd03b4d870f78393957e57cc3844bc170ddd46ee.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2244
- C:\Users\Admin\AppData\Local\Temp\tuzeupv.exe
  C:\Users\Admin\AppData\Local\Temp\tuzeupv.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:5008
- - C:\Users\Admin\AppData\Local\Temp\~DFA228.tmp
    C:\Users\Admin\AppData\Local\Temp\~DFA228.tmp OK
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4016
  - - C:\Users\Admin\AppData\Local\Temp\muhucuk.exe
      "C:\Users\Admin\AppData\Local\Temp\muhucuk.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:928
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
  2⤵
  PID:548

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uninsep.bat

Filesize
341B

MD5
e75e581cee72b16aebdf48cfec6419fe

SHA1
d3db67bc98097e40f30b3cf2e078efcb82173cab

SHA256
ee612b1dc5478acc76e35961c4bd820f1e8173180a89102ccb60f58cfeedb98b

SHA512
671704f4eb925c917a31f897680c0522eedc27fd8d9014aa78c152d3ad3e38db979fc6c42fe8a74563a32accf22bad4f2df5430feae3034b3760087442249d64

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
86bb2dbeaef655893262f3c041f6afe2

SHA1
1b26ff1241c1353bd506c18bd0c11878076ba65d

SHA256
4a57643d2c59d1235bc0926f845583f39345839e3e9428ad619eb4b6baf96ad2

SHA512
58294cfaa5882a4c5625c03fe6f9e4882912b31f7169241f95626745d66c0a746083a9044365943d66ae7a420113d28c0ddd642c4ed697c683deb63796a13d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
480B

MD5
329c5a54c252e8d6a6c388b5ff74f5f0

SHA1
ce1f7a485ceb4a8e3ddc05828bcbd1bd28ad5c8e

SHA256
3ba76f9ce767356b3f3d23051b495b380ef2572b7ab6499738bf346cd219ebdd

SHA512
8bfa11031e402377d09fc8fdcafb1e5191d42a2436406145d06a7a2a39745c97f49fdf2dad7e70094ba5bec8acacf91d45791890ef59d954fb7047b2d8ea9b25

Download Submit
C:\Users\Admin\AppData\Local\Temp\muhucuk.exe

Filesize
409KB

MD5
ed0ae5e821d2c9798b48c71611df1ec3

SHA1
649fee6001e82cab12c4d19bcb4f6265daaa3227

SHA256
1fcd3cf109aee9f30045019a57a99d77be78bc3b1241b8c58a83318d1cbde2e6

SHA512
3a5f49732b1ce0b29e7febff91fe9098183f4a6b6c4bc9316cd9370a0204e376a28d25ff87bb303a66e1934902e09a22e803f493c2e9a4913f19fce158acc83b

Download Submit
C:\Users\Admin\AppData\Local\Temp\muhucuk.exe

Filesize
409KB

MD5
ed0ae5e821d2c9798b48c71611df1ec3

SHA1
649fee6001e82cab12c4d19bcb4f6265daaa3227

SHA256
1fcd3cf109aee9f30045019a57a99d77be78bc3b1241b8c58a83318d1cbde2e6

SHA512
3a5f49732b1ce0b29e7febff91fe9098183f4a6b6c4bc9316cd9370a0204e376a28d25ff87bb303a66e1934902e09a22e803f493c2e9a4913f19fce158acc83b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tuzeupv.exe

Filesize
655KB

MD5
bdd9ff0c8eee2261585822ddbfac0a35

SHA1
3e2cefda568faf5117f7dcc7eca1a44d83d7ffd4

SHA256
87cfb05dd568eaa2ffd99d8f1127d024e9eb75988f016276e1fd239ccd4e3411

SHA512
cb5f101ed1bb61fa014b72e17aa916c06cbac7e2b444eaf3fe49d82abc07a0904f78fd1d946ad4b6ddd5913364cee66753d795f128f85924b6fc52aa6baa1bf2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tuzeupv.exe

Filesize
655KB

MD5
bdd9ff0c8eee2261585822ddbfac0a35

SHA1
3e2cefda568faf5117f7dcc7eca1a44d83d7ffd4

SHA256
87cfb05dd568eaa2ffd99d8f1127d024e9eb75988f016276e1fd239ccd4e3411

SHA512
cb5f101ed1bb61fa014b72e17aa916c06cbac7e2b444eaf3fe49d82abc07a0904f78fd1d946ad4b6ddd5913364cee66753d795f128f85924b6fc52aa6baa1bf2

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA228.tmp

Filesize
658KB

MD5
d59fd636031dbe14eba32e306dc3cd4b

SHA1
702fb78c11056021963c8e8af7a387e90bba9756

SHA256
99fb48bd484534fe56e01130f674df6be3e89b6b7c62dc38222b9446671ec3a4

SHA512
b06176dd8e261432f5c40b6f1af481d6475193726cbda703dd1dd4896fea8e3fd31ded4dbdcc8c1ec0d4fe599c00d99000c211e41cc1930b4111f7bc6cc19dc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA228.tmp

Filesize
658KB

MD5
d59fd636031dbe14eba32e306dc3cd4b

SHA1
702fb78c11056021963c8e8af7a387e90bba9756

SHA256
99fb48bd484534fe56e01130f674df6be3e89b6b7c62dc38222b9446671ec3a4

SHA512
b06176dd8e261432f5c40b6f1af481d6475193726cbda703dd1dd4896fea8e3fd31ded4dbdcc8c1ec0d4fe599c00d99000c211e41cc1930b4111f7bc6cc19dc6

Download Submit
memory/928-150-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/2244-145-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/2244-135-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/4016-141-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/4016-143-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/5008-136-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/5008-142-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download