4f1f10613df6529b041540792d811c439c8b00b838b722d80385b98de3cdfa39

Analysis

max time kernel
178s
max time network
193s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
21-10-2022 05:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4f1f10613df6529b041540792d811c439c8b00b838b722d80385b98de3cdfa39.exe
Size

654KB
MD5

5374d956a84e3f6ebcf184a0ce91b880
SHA1

cd7baab7d897de1d61dbd45fd6e114ff7757ca5b
SHA256

4f1f10613df6529b041540792d811c439c8b00b838b722d80385b98de3cdfa39
SHA512

c13fb7372d0388a69a2861cf1dcc1197f3a4e0b06854866c1b831a557c70768e562642350f9422bed2be1b643683599d594f5c1c7caf1ce476cab6fd06c727bd
SSDEEP

12288:OHjcoe9PH96vB/fAuBcm9TyOE/xG3muGx44MG4Yx:ODgINfAuBcgcZG2uG24MG4Y

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
4332	ynmomup.exe
2108	~DFA249.tmp
3548	henyuka.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	4f1f10613df6529b041540792d811c439c8b00b838b722d80385b98de3cdfa39.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	~DFA249.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
3548	henyuka.exe
3548	henyuka.exe
3548	henyuka.exe
3548	henyuka.exe
3548	henyuka.exe
3548	henyuka.exe
3548	henyuka.exe
3548	henyuka.exe
3548	henyuka.exe
3548	henyuka.exe
3548	henyuka.exe
3548	henyuka.exe
3548	henyuka.exe
3548	henyuka.exe
3548	henyuka.exe
3548	henyuka.exe
3548	henyuka.exe
3548	henyuka.exe
3548	henyuka.exe
3548	henyuka.exe
3548	henyuka.exe
3548	henyuka.exe
3548	henyuka.exe
3548	henyuka.exe
3548	henyuka.exe
3548	henyuka.exe
3548	henyuka.exe
3548	henyuka.exe
3548	henyuka.exe
3548	henyuka.exe
3548	henyuka.exe
3548	henyuka.exe
3548	henyuka.exe
3548	henyuka.exe
3548	henyuka.exe
3548	henyuka.exe
3548	henyuka.exe
3548	henyuka.exe
3548	henyuka.exe
3548	henyuka.exe
3548	henyuka.exe
3548	henyuka.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2108	~DFA249.tmp

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3444 wrote to memory of 4332	3444	4f1f10613df6529b041540792d811c439c8b00b838b722d80385b98de3cdfa39.exe	81
PID 3444 wrote to memory of 4332	3444	4f1f10613df6529b041540792d811c439c8b00b838b722d80385b98de3cdfa39.exe	81
PID 3444 wrote to memory of 4332	3444	4f1f10613df6529b041540792d811c439c8b00b838b722d80385b98de3cdfa39.exe	81
PID 4332 wrote to memory of 2108	4332	ynmomup.exe	84
PID 4332 wrote to memory of 2108	4332	ynmomup.exe	84
PID 4332 wrote to memory of 2108	4332	ynmomup.exe	84
PID 3444 wrote to memory of 2992	3444	4f1f10613df6529b041540792d811c439c8b00b838b722d80385b98de3cdfa39.exe	85
PID 3444 wrote to memory of 2992	3444	4f1f10613df6529b041540792d811c439c8b00b838b722d80385b98de3cdfa39.exe	85
PID 3444 wrote to memory of 2992	3444	4f1f10613df6529b041540792d811c439c8b00b838b722d80385b98de3cdfa39.exe	85
PID 2108 wrote to memory of 3548	2108	~DFA249.tmp	87
PID 2108 wrote to memory of 3548	2108	~DFA249.tmp	87
PID 2108 wrote to memory of 3548	2108	~DFA249.tmp	87

C:\Users\Admin\AppData\Local\Temp\4f1f10613df6529b041540792d811c439c8b00b838b722d80385b98de3cdfa39.exe
"C:\Users\Admin\AppData\Local\Temp\4f1f10613df6529b041540792d811c439c8b00b838b722d80385b98de3cdfa39.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3444
- C:\Users\Admin\AppData\Local\Temp\ynmomup.exe
  C:\Users\Admin\AppData\Local\Temp\ynmomup.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4332
- - C:\Users\Admin\AppData\Local\Temp\~DFA249.tmp
    C:\Users\Admin\AppData\Local\Temp\~DFA249.tmp OK
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2108
  - - C:\Users\Admin\AppData\Local\Temp\henyuka.exe
      "C:\Users\Admin\AppData\Local\Temp\henyuka.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:3548
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
  2⤵
  PID:2992

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uninsep.bat

Filesize
341B

MD5
e48944954074b1d2e17502832e511b17

SHA1
c7c91e4e79a6bad4364726d859b33c69bcc5543f

SHA256
932138b3d6e0acf3eda6f5227be388c2f26f594ac0ad777e588e77f91d4c9b6a

SHA512
fb14b1844dcba4c724adfe3dfcb34c9f9173ef97079e5e32b32a3516d74d2ad0ef59f01d0a994bea12a0da22240f8a79fd1e9773dfae57f65c33fd981b9820fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
86bb2dbeaef655893262f3c041f6afe2

SHA1
1b26ff1241c1353bd506c18bd0c11878076ba65d

SHA256
4a57643d2c59d1235bc0926f845583f39345839e3e9428ad619eb4b6baf96ad2

SHA512
58294cfaa5882a4c5625c03fe6f9e4882912b31f7169241f95626745d66c0a746083a9044365943d66ae7a420113d28c0ddd642c4ed697c683deb63796a13d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
480B

MD5
05b066d4c5e7a5872f9993918785a617

SHA1
9398e7288c3621c13f5f8c357f916083b12b677b

SHA256
9730fbf890b947c16afcaafc9e3436dfab648532170a2e1d55309079ca2c1949

SHA512
f917866aa2cb992160d300aff59ee6b4f6feb0c77953ef2d5f8a8ccc48246a7fa75c6260d3f499288876baebf409c82faebe4dd4947fe4622c125854fb78efd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\henyuka.exe

Filesize
373KB

MD5
adf2c1f62105c5476418e56ac58dd3f9

SHA1
3b9eb29a3c87ae96d91e1e3bd6d3e115c96bf4fc

SHA256
6e3200f2eb0d8821565cb32f4e08e2424b119e58e39da1b04327f23a81463529

SHA512
4443d7a9bcb8e22d282326a7a1531f7b8a7824174a5eb1c8ff48e71b7f1aca1e44a13702bb1913a8ef29218f94806af3893199138af4e1dd285f6e179e56092d

Download Submit
C:\Users\Admin\AppData\Local\Temp\henyuka.exe

Filesize
373KB

MD5
adf2c1f62105c5476418e56ac58dd3f9

SHA1
3b9eb29a3c87ae96d91e1e3bd6d3e115c96bf4fc

SHA256
6e3200f2eb0d8821565cb32f4e08e2424b119e58e39da1b04327f23a81463529

SHA512
4443d7a9bcb8e22d282326a7a1531f7b8a7824174a5eb1c8ff48e71b7f1aca1e44a13702bb1913a8ef29218f94806af3893199138af4e1dd285f6e179e56092d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ynmomup.exe

Filesize
657KB

MD5
56f6b331c68b005e05d581be8a98798d

SHA1
9276f4acb6ae554c6220cc1446ba040f723a8411

SHA256
37ea2ac59aeedf9a06b101abba6eb072f743edab4da40ae754a37f090b1b519c

SHA512
fed3e588a705c4282072ad32277ae7818037af050f2d21beab3c258732875b6b95c4d35b985e572fce62e3ca79085e2452fa2be4d34891d713e2e6c297805ae6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ynmomup.exe

Filesize
657KB

MD5
56f6b331c68b005e05d581be8a98798d

SHA1
9276f4acb6ae554c6220cc1446ba040f723a8411

SHA256
37ea2ac59aeedf9a06b101abba6eb072f743edab4da40ae754a37f090b1b519c

SHA512
fed3e588a705c4282072ad32277ae7818037af050f2d21beab3c258732875b6b95c4d35b985e572fce62e3ca79085e2452fa2be4d34891d713e2e6c297805ae6

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA249.tmp

Filesize
662KB

MD5
946d11aa8c3247205adfc50bcea13147

SHA1
3d571bee3cafb78dba2dd7666481fa55e6391190

SHA256
03f4fb1e102ab7a0978185062ca5e040d850c1be3e67cc1becc48454422f7d02

SHA512
2b21a2104d411bd541cdb00fdbb63ca15a2b9e6c443da837a21b6a84cdd8b7914db638cc41372c48f1416c5ca35ee277cf18dc169a1b4838128450d86600738b

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA249.tmp

Filesize
662KB

MD5
946d11aa8c3247205adfc50bcea13147

SHA1
3d571bee3cafb78dba2dd7666481fa55e6391190

SHA256
03f4fb1e102ab7a0978185062ca5e040d850c1be3e67cc1becc48454422f7d02

SHA512
2b21a2104d411bd541cdb00fdbb63ca15a2b9e6c443da837a21b6a84cdd8b7914db638cc41372c48f1416c5ca35ee277cf18dc169a1b4838128450d86600738b

Download Submit
memory/2108-141-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/2108-146-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/3444-144-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/3444-132-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/3548-150-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/3548-152-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/4332-137-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/4332-142-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download