2f5c418c2b1e76a845adb9786e7db59878baab46add954e95d0a00850cf75f5d

Analysis

max time kernel
152s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
21/10/2022, 05:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2f5c418c2b1e76a845adb9786e7db59878baab46add954e95d0a00850cf75f5d.exe
Size

658KB
MD5

42267d35196bca7e428739d8f6ca8080
SHA1

8134a2471d1ef28161395311fd48bf1882da6fe7
SHA256

2f5c418c2b1e76a845adb9786e7db59878baab46add954e95d0a00850cf75f5d
SHA512

efa40f70f3aa0c645a2fff427d7accfc685374faadb5ed10cbd35be8d661304830a6005306f938f65a5dae3d15d5c4ff2c2a338ac7ff27c576d855c0fe3cf9b9
SSDEEP

12288:OHjcoe9PH96vB/fAuBcm9TyOE/xG3muGx44MG4Yx:ODgINfAuBcgcZG2uG24MG4Y

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
5040	juyhjol.exe
1252	~DFA265.tmp
4544	fifulol.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	2f5c418c2b1e76a845adb9786e7db59878baab46add954e95d0a00850cf75f5d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	~DFA265.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 40 IoCs

pid	Process
4544	fifulol.exe
4544	fifulol.exe
4544	fifulol.exe
4544	fifulol.exe
4544	fifulol.exe
4544	fifulol.exe
4544	fifulol.exe
4544	fifulol.exe
4544	fifulol.exe
4544	fifulol.exe
4544	fifulol.exe
4544	fifulol.exe
4544	fifulol.exe
4544	fifulol.exe
4544	fifulol.exe
4544	fifulol.exe
4544	fifulol.exe
4544	fifulol.exe
4544	fifulol.exe
4544	fifulol.exe
4544	fifulol.exe
4544	fifulol.exe
4544	fifulol.exe
4544	fifulol.exe
4544	fifulol.exe
4544	fifulol.exe
4544	fifulol.exe
4544	fifulol.exe
4544	fifulol.exe
4544	fifulol.exe
4544	fifulol.exe
4544	fifulol.exe
4544	fifulol.exe
4544	fifulol.exe
4544	fifulol.exe
4544	fifulol.exe
4544	fifulol.exe
4544	fifulol.exe
4544	fifulol.exe
4544	fifulol.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1252	~DFA265.tmp

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 912 wrote to memory of 5040	912	2f5c418c2b1e76a845adb9786e7db59878baab46add954e95d0a00850cf75f5d.exe	80
PID 912 wrote to memory of 5040	912	2f5c418c2b1e76a845adb9786e7db59878baab46add954e95d0a00850cf75f5d.exe	80
PID 912 wrote to memory of 5040	912	2f5c418c2b1e76a845adb9786e7db59878baab46add954e95d0a00850cf75f5d.exe	80
PID 5040 wrote to memory of 1252	5040	juyhjol.exe	81
PID 5040 wrote to memory of 1252	5040	juyhjol.exe	81
PID 5040 wrote to memory of 1252	5040	juyhjol.exe	81
PID 912 wrote to memory of 4940	912	2f5c418c2b1e76a845adb9786e7db59878baab46add954e95d0a00850cf75f5d.exe	82
PID 912 wrote to memory of 4940	912	2f5c418c2b1e76a845adb9786e7db59878baab46add954e95d0a00850cf75f5d.exe	82
PID 912 wrote to memory of 4940	912	2f5c418c2b1e76a845adb9786e7db59878baab46add954e95d0a00850cf75f5d.exe	82
PID 1252 wrote to memory of 4544	1252	~DFA265.tmp	92
PID 1252 wrote to memory of 4544	1252	~DFA265.tmp	92
PID 1252 wrote to memory of 4544	1252	~DFA265.tmp	92

C:\Users\Admin\AppData\Local\Temp\2f5c418c2b1e76a845adb9786e7db59878baab46add954e95d0a00850cf75f5d.exe
"C:\Users\Admin\AppData\Local\Temp\2f5c418c2b1e76a845adb9786e7db59878baab46add954e95d0a00850cf75f5d.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:912
- C:\Users\Admin\AppData\Local\Temp\juyhjol.exe
  C:\Users\Admin\AppData\Local\Temp\juyhjol.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:5040
- - C:\Users\Admin\AppData\Local\Temp\~DFA265.tmp
    C:\Users\Admin\AppData\Local\Temp\~DFA265.tmp OK
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1252
  - - C:\Users\Admin\AppData\Local\Temp\fifulol.exe
      "C:\Users\Admin\AppData\Local\Temp\fifulol.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:4544
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
  2⤵
  PID:4940

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uninsep.bat

Filesize
341B

MD5
4a499d54359cc4a92df25856dbe43b73

SHA1
18f5e0f9af466378c16d0ab0a545640847dd0a10

SHA256
898e738050db5605fc8b10435ab0face2daa1c8fed401d77562fc3b3f2800661

SHA512
f1d871b87dc14ba0998acd0d2253d1fa557675c83d5042671377547a25b8ff034963720011d4350160f5d65dad966b20b3f7dd63490c8772eb33ecf0b862617f

Download Submit
C:\Users\Admin\AppData\Local\Temp\fifulol.exe

Filesize
371KB

MD5
43501e3db30594932f62e9ca7aac0a96

SHA1
56d87666c5042f2986e59e6500cf93d058f8391c

SHA256
c942441c31b8ca811ff9d3ca76c6b106d94386fad8cc9b9b78fcb5a3c235844c

SHA512
740f7c08b7238110afdb97b743d9305bcebcbbb3db91f9dd7a19347633851648397814ec45b13ca72d0ba4745df3a38b1f5809f46a95fdf6ea31a273abf0554a

Download Submit
C:\Users\Admin\AppData\Local\Temp\fifulol.exe

Filesize
371KB

MD5
43501e3db30594932f62e9ca7aac0a96

SHA1
56d87666c5042f2986e59e6500cf93d058f8391c

SHA256
c942441c31b8ca811ff9d3ca76c6b106d94386fad8cc9b9b78fcb5a3c235844c

SHA512
740f7c08b7238110afdb97b743d9305bcebcbbb3db91f9dd7a19347633851648397814ec45b13ca72d0ba4745df3a38b1f5809f46a95fdf6ea31a273abf0554a

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
86bb2dbeaef655893262f3c041f6afe2

SHA1
1b26ff1241c1353bd506c18bd0c11878076ba65d

SHA256
4a57643d2c59d1235bc0926f845583f39345839e3e9428ad619eb4b6baf96ad2

SHA512
58294cfaa5882a4c5625c03fe6f9e4882912b31f7169241f95626745d66c0a746083a9044365943d66ae7a420113d28c0ddd642c4ed697c683deb63796a13d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
480B

MD5
b461f168fb3629e39e4136c3aafd79b7

SHA1
6dd104b7f3ceda85fee65dbd4087c66ad811a2f0

SHA256
580a157e14e96815569dc9e49bb89ed3ef7eae37b6a6882f1914eda30652fc75

SHA512
e8b035bd46b2456be6052a4f596d3c07ea5ac16300744f1249ddcbfd8e7c4c33bae061644e60cb554a5c1b88c694b38dc7f9fb1506acbe05a0886df7180d7031

Download Submit
C:\Users\Admin\AppData\Local\Temp\juyhjol.exe

Filesize
660KB

MD5
ffa412cd6c52702fb4589f632e72f9ba

SHA1
90ab49816debbf19635739f6bc678d04cf88dd8a

SHA256
33724025b7674dccfcb621d9cccb3ab6819021e6512b438ca39de6347363e2ba

SHA512
087bba5460aad242bc52ccb8e4a338373ccc46d325e6369a2f6dbf0f98581104b8c81896831190149852026b22215e2851edf4a2ffadaaa9f5151f8e3da40a37

Download Submit
C:\Users\Admin\AppData\Local\Temp\juyhjol.exe

Filesize
660KB

MD5
ffa412cd6c52702fb4589f632e72f9ba

SHA1
90ab49816debbf19635739f6bc678d04cf88dd8a

SHA256
33724025b7674dccfcb621d9cccb3ab6819021e6512b438ca39de6347363e2ba

SHA512
087bba5460aad242bc52ccb8e4a338373ccc46d325e6369a2f6dbf0f98581104b8c81896831190149852026b22215e2851edf4a2ffadaaa9f5151f8e3da40a37

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA265.tmp

Filesize
663KB

MD5
02963ea3acd493121be45317339bf04c

SHA1
7b23d8f19e6103f036a0f1ae66d53f7341dcb5dc

SHA256
db43aff72666c2bd9c4ec7a1d45ff6fa54fc33f9c0c03a57578a768e2d6af887

SHA512
6d3e630ff7bfc8bcd494b13f861b5be783ff392f8276bee4d64dad8da863b7055b5ee78fa145b465d987c7ea624296971b6d41cea3e2a8d19baafc2a9af9a89d

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA265.tmp

Filesize
663KB

MD5
02963ea3acd493121be45317339bf04c

SHA1
7b23d8f19e6103f036a0f1ae66d53f7341dcb5dc

SHA256
db43aff72666c2bd9c4ec7a1d45ff6fa54fc33f9c0c03a57578a768e2d6af887

SHA512
6d3e630ff7bfc8bcd494b13f861b5be783ff392f8276bee4d64dad8da863b7055b5ee78fa145b465d987c7ea624296971b6d41cea3e2a8d19baafc2a9af9a89d

Download Submit
memory/912-132-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/912-145-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1252-146-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1252-141-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/4544-150-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/4544-152-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/5040-137-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/5040-142-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download