15d87fa63c2d44db960dac1f3849372745f6288d41d8fa844dcf931b951611ba

Analysis

max time kernel
151s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
21-10-2022 05:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

15d87fa63c2d44db960dac1f3849372745f6288d41d8fa844dcf931b951611ba.exe
Size

633KB
MD5

737ecb53912b15bb0af81136411683c0
SHA1

5950bc5f39a2150be583834e9884fbfb2bdaec7b
SHA256

15d87fa63c2d44db960dac1f3849372745f6288d41d8fa844dcf931b951611ba
SHA512

f31927388c821e2fd28490859f683a0438e4fed2dce87329d8dbc80e13b69836fe9e0b73e62b50340f3da8f3aa50a924f68f57a5468618eb20a44b7c1ebf0c03
SSDEEP

12288:VHjcoe9PH96vB/fAuBcm9TyOE/xG3muGx44MG4Yx:VDgINfAuBcgcZG2uG24MG4Y

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
4824	etmunow.exe
632	~DFA237.tmp
4736	futumuw.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	15d87fa63c2d44db960dac1f3849372745f6288d41d8fa844dcf931b951611ba.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	~DFA237.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 34 IoCs

pid	Process
4736	futumuw.exe
4736	futumuw.exe
4736	futumuw.exe
4736	futumuw.exe
4736	futumuw.exe
4736	futumuw.exe
4736	futumuw.exe
4736	futumuw.exe
4736	futumuw.exe
4736	futumuw.exe
4736	futumuw.exe
4736	futumuw.exe
4736	futumuw.exe
4736	futumuw.exe
4736	futumuw.exe
4736	futumuw.exe
4736	futumuw.exe
4736	futumuw.exe
4736	futumuw.exe
4736	futumuw.exe
4736	futumuw.exe
4736	futumuw.exe
4736	futumuw.exe
4736	futumuw.exe
4736	futumuw.exe
4736	futumuw.exe
4736	futumuw.exe
4736	futumuw.exe
4736	futumuw.exe
4736	futumuw.exe
4736	futumuw.exe
4736	futumuw.exe
4736	futumuw.exe
4736	futumuw.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	632	~DFA237.tmp

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2740 wrote to memory of 4824	2740	15d87fa63c2d44db960dac1f3849372745f6288d41d8fa844dcf931b951611ba.exe	84
PID 2740 wrote to memory of 4824	2740	15d87fa63c2d44db960dac1f3849372745f6288d41d8fa844dcf931b951611ba.exe	84
PID 2740 wrote to memory of 4824	2740	15d87fa63c2d44db960dac1f3849372745f6288d41d8fa844dcf931b951611ba.exe	84
PID 4824 wrote to memory of 632	4824	etmunow.exe	85
PID 4824 wrote to memory of 632	4824	etmunow.exe	85
PID 4824 wrote to memory of 632	4824	etmunow.exe	85
PID 2740 wrote to memory of 4436	2740	15d87fa63c2d44db960dac1f3849372745f6288d41d8fa844dcf931b951611ba.exe	86
PID 2740 wrote to memory of 4436	2740	15d87fa63c2d44db960dac1f3849372745f6288d41d8fa844dcf931b951611ba.exe	86
PID 2740 wrote to memory of 4436	2740	15d87fa63c2d44db960dac1f3849372745f6288d41d8fa844dcf931b951611ba.exe	86
PID 632 wrote to memory of 4736	632	~DFA237.tmp	95
PID 632 wrote to memory of 4736	632	~DFA237.tmp	95
PID 632 wrote to memory of 4736	632	~DFA237.tmp	95

C:\Users\Admin\AppData\Local\Temp\15d87fa63c2d44db960dac1f3849372745f6288d41d8fa844dcf931b951611ba.exe
"C:\Users\Admin\AppData\Local\Temp\15d87fa63c2d44db960dac1f3849372745f6288d41d8fa844dcf931b951611ba.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2740
- C:\Users\Admin\AppData\Local\Temp\etmunow.exe
  C:\Users\Admin\AppData\Local\Temp\etmunow.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4824
- - C:\Users\Admin\AppData\Local\Temp\~DFA237.tmp
    C:\Users\Admin\AppData\Local\Temp\~DFA237.tmp OK
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:632
  - - C:\Users\Admin\AppData\Local\Temp\futumuw.exe
      "C:\Users\Admin\AppData\Local\Temp\futumuw.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:4736
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
  2⤵
  PID:4436

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uninsep.bat

Filesize
341B

MD5
572b5205275875ab613dbb85d4f68e14

SHA1
38e75dccd978d9950653fc671e4ad969fc0ca27b

SHA256
09ea0b352c8608033a0fa24f93d31bcb600d7bdb15aae8d4b92ec60dcf6fffcb

SHA512
13eb9b9ab04a07c515a3a881892c0e768745cb9ffa1264eda28fac0202dd8804de3412496805229aec0c7d63ce27dbbcdde34866eb8608c7261805264e0c9670

Download Submit
C:\Users\Admin\AppData\Local\Temp\etmunow.exe

Filesize
640KB

MD5
802740862f2f89f366bb156fb274dd1d

SHA1
bffdfbc8696af486b592a16277ba8e082cb5ca6d

SHA256
2da11e432382bd46fdf0b04143243aebe6eba8c40c3a614b2af9454710f81c3b

SHA512
8749b18ee31af232b0ea5aea2be0aceb0802c737a9abb9e8efdb4dd066831ed4432af597facf333d489062c34520114f6e12d1d39151057d0c18e115f9d2d92f

Download Submit
C:\Users\Admin\AppData\Local\Temp\etmunow.exe

Filesize
640KB

MD5
802740862f2f89f366bb156fb274dd1d

SHA1
bffdfbc8696af486b592a16277ba8e082cb5ca6d

SHA256
2da11e432382bd46fdf0b04143243aebe6eba8c40c3a614b2af9454710f81c3b

SHA512
8749b18ee31af232b0ea5aea2be0aceb0802c737a9abb9e8efdb4dd066831ed4432af597facf333d489062c34520114f6e12d1d39151057d0c18e115f9d2d92f

Download Submit
C:\Users\Admin\AppData\Local\Temp\futumuw.exe

Filesize
377KB

MD5
2cbb859626ffa9de6ce53f1fd6992e6b

SHA1
1f8af5ef2b308b536e81bbb2cf0f3c14730fe1f5

SHA256
0a0153bda91c9e1227a129a450ac22bb55a232d13c46a5435e1fdfd3acbe83d0

SHA512
0cf1e85d829aec22f3122da0be73ee4449d8b68651e148156769f4bc3370a39668e666ebea361d3aad7d0f720a46e654f5359dd380231f9a4c4e6477a60ecf68

Download Submit
C:\Users\Admin\AppData\Local\Temp\futumuw.exe

Filesize
377KB

MD5
2cbb859626ffa9de6ce53f1fd6992e6b

SHA1
1f8af5ef2b308b536e81bbb2cf0f3c14730fe1f5

SHA256
0a0153bda91c9e1227a129a450ac22bb55a232d13c46a5435e1fdfd3acbe83d0

SHA512
0cf1e85d829aec22f3122da0be73ee4449d8b68651e148156769f4bc3370a39668e666ebea361d3aad7d0f720a46e654f5359dd380231f9a4c4e6477a60ecf68

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
86bb2dbeaef655893262f3c041f6afe2

SHA1
1b26ff1241c1353bd506c18bd0c11878076ba65d

SHA256
4a57643d2c59d1235bc0926f845583f39345839e3e9428ad619eb4b6baf96ad2

SHA512
58294cfaa5882a4c5625c03fe6f9e4882912b31f7169241f95626745d66c0a746083a9044365943d66ae7a420113d28c0ddd642c4ed697c683deb63796a13d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
480B

MD5
88a92b31b35abd0b7bddd8471bfead8b

SHA1
c6ae6afd7c60e3c5c7ecab10789bdb6117fba057

SHA256
f05a506d84f0459abc6030ee3a54e9f25de0003c41e99c11f025f7f0c1d42a02

SHA512
0f178a11ed428701da78be59a40a8a30a0397c1ea0cafd4d4570e72c3706df887c8b1439dd9ca39dca0815fd61fb3a271a7de543514e842eae10d20e7e566f1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA237.tmp

Filesize
648KB

MD5
13669e680ad2b345a9a92be904ffc484

SHA1
9ac3dd5c1c19a61e2d451923fa051282ba73108c

SHA256
159c94d4310472939fee27abdab24f4b3a4a53bd8eb12e94720c355b9651d14d

SHA512
e9e498335ad16a8e7764bc993819e3f13bc3aba50b74c9e3bc035d95c1caf27be3bd2b4e1b7b6ccf9ae408935cf2d33d851d1c7b916819ea6a7207c4d09d0e74

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA237.tmp

Filesize
648KB

MD5
13669e680ad2b345a9a92be904ffc484

SHA1
9ac3dd5c1c19a61e2d451923fa051282ba73108c

SHA256
159c94d4310472939fee27abdab24f4b3a4a53bd8eb12e94720c355b9651d14d

SHA512
e9e498335ad16a8e7764bc993819e3f13bc3aba50b74c9e3bc035d95c1caf27be3bd2b4e1b7b6ccf9ae408935cf2d33d851d1c7b916819ea6a7207c4d09d0e74

Download Submit
memory/632-145-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/2740-132-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/2740-143-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/4736-149-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/4736-151-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/4824-141-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/4824-137-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download