33d67b98c16ab74df86f772c7eb11a5c530264b705498070fd7177cedde2ed37

Analysis

max time kernel
138s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
20/10/2022, 21:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

33d67b98c16ab74df86f772c7eb11a5c530264b705498070fd7177cedde2ed37.exe
Size

136KB
MD5

80a52153dab01570173074f4e0d03340
SHA1

d68e4d7860fa01309a7d1c3328382d4df56338ee
SHA256

33d67b98c16ab74df86f772c7eb11a5c530264b705498070fd7177cedde2ed37
SHA512

da8b7f76512524d7fd0111326cd6f2972ffc9beea392192160a5fc5edcbe6bc53f5fc990c27d8cfac10f6a852cd6f8154c3d76fcafcd38c2f4c1bb9cce8599c2
SSDEEP

1536:IqeuKPdWHdPEzoT2/VhWbnoZSKLfiGGPgq3ePAHuO65xCtGpda:IBPdWqV0CvL6GG0O65UYpda

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3132	huter.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	33d67b98c16ab74df86f772c7eb11a5c530264b705498070fd7177cedde2ed37.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 5048 wrote to memory of 3132	5048	33d67b98c16ab74df86f772c7eb11a5c530264b705498070fd7177cedde2ed37.exe	80
PID 5048 wrote to memory of 3132	5048	33d67b98c16ab74df86f772c7eb11a5c530264b705498070fd7177cedde2ed37.exe	80
PID 5048 wrote to memory of 3132	5048	33d67b98c16ab74df86f772c7eb11a5c530264b705498070fd7177cedde2ed37.exe	80
PID 5048 wrote to memory of 808	5048	33d67b98c16ab74df86f772c7eb11a5c530264b705498070fd7177cedde2ed37.exe	82
PID 5048 wrote to memory of 808	5048	33d67b98c16ab74df86f772c7eb11a5c530264b705498070fd7177cedde2ed37.exe	82
PID 5048 wrote to memory of 808	5048	33d67b98c16ab74df86f772c7eb11a5c530264b705498070fd7177cedde2ed37.exe	82

C:\Users\Admin\AppData\Local\Temp\33d67b98c16ab74df86f772c7eb11a5c530264b705498070fd7177cedde2ed37.exe
"C:\Users\Admin\AppData\Local\Temp\33d67b98c16ab74df86f772c7eb11a5c530264b705498070fd7177cedde2ed37.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5048
- C:\Users\Admin\AppData\Local\Temp\huter.exe
  "C:\Users\Admin\AppData\Local\Temp\huter.exe"
  2⤵
  - Executes dropped EXE
  PID:3132
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
  2⤵
  PID:808

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
24daf3248dd1530974b7a8dbc2503fb6

SHA1
02dec78aed15451b27112fdcc44e38aff89483cc

SHA256
88daaa580db10aaced533f890a22e281b10bcdefdaf64456e958a2c02a7bbad1

SHA512
413a51b5315db2fdccb89536b406459baa7fa7547df5c28ee1bcfdaa05440534a7cdb9957de42f8933a703f262105aed37dc5569e07a3b14c2ecfbf0e928f06b

Download Submit
C:\Users\Admin\AppData\Local\Temp\huter.exe

Filesize
136KB

MD5
7a3c10e1848e10a9a22052891e1264fd

SHA1
b298b3daeab65c50ed79cff3105b5aed21dceeaa

SHA256
c3624aa43d3a962b5641b97bdeee8db9e5cfea412b680c4955be3d2527c23ecb

SHA512
a0fa12bf649389532d3e5baebd3cb8deca62032f674c8300346c0fec0306dd23b00035e6b385f72a8b788f2ac7cbe0b7b804c61f1c2f278c2b1374e003ffbea2

Download Submit
C:\Users\Admin\AppData\Local\Temp\huter.exe

Filesize
136KB

MD5
7a3c10e1848e10a9a22052891e1264fd

SHA1
b298b3daeab65c50ed79cff3105b5aed21dceeaa

SHA256
c3624aa43d3a962b5641b97bdeee8db9e5cfea412b680c4955be3d2527c23ecb

SHA512
a0fa12bf649389532d3e5baebd3cb8deca62032f674c8300346c0fec0306dd23b00035e6b385f72a8b788f2ac7cbe0b7b804c61f1c2f278c2b1374e003ffbea2

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
338B

MD5
c5cf2b326585ed56e20872ef81453ecc

SHA1
9e2c17e54ccf1fcf8d01158439de2b4f524ea3eb

SHA256
3ac2e81ac569c637bd5f0dc71cc890792c691ecc59654e0b29548a2cd4a2bbd4

SHA512
df592704e32b71a57359f02d2016e5ff7eff2f0592d4ebc192a3c3553d139e9cc717a1ccb9fdb2b0c40adb0f9fbc66b16086d1f9cb339c8f818849d70e25c6ac

Download Submit