0ff6fff3d90128804210326e3001c3b96f0022d895b4b6e0061c01c22c646b22

Analysis

max time kernel
176s
max time network
180s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
21/10/2022, 05:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0ff6fff3d90128804210326e3001c3b96f0022d895b4b6e0061c01c22c646b22.exe
Size

601KB
MD5

5b74956b9e58e44f86b882672967a5f0
SHA1

5e6a2d2686f72a4eecfd95a4a85a6097f46060a0
SHA256

0ff6fff3d90128804210326e3001c3b96f0022d895b4b6e0061c01c22c646b22
SHA512

87e5961e97c4eff458a2ca2406144744516af5bc174e1e953e0ceeb0fa7eb5041873fc87022ca7c342cd76e3cdf47e9eb8ba073640f6a974a29ffdcf9baafc04
SSDEEP

12288:OHjcoe9PH96vB/fAuBcm9TyOE/xG3muGx44MG4Yx:ODgINfAuBcgcZG2uG24MG4Y

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2540	pyjogua.exe
5096	~DFA23D.tmp
2752	hubivuo.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	0ff6fff3d90128804210326e3001c3b96f0022d895b4b6e0061c01c22c646b22.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	~DFA23D.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 40 IoCs

pid	Process
2752	hubivuo.exe
2752	hubivuo.exe
2752	hubivuo.exe
2752	hubivuo.exe
2752	hubivuo.exe
2752	hubivuo.exe
2752	hubivuo.exe
2752	hubivuo.exe
2752	hubivuo.exe
2752	hubivuo.exe
2752	hubivuo.exe
2752	hubivuo.exe
2752	hubivuo.exe
2752	hubivuo.exe
2752	hubivuo.exe
2752	hubivuo.exe
2752	hubivuo.exe
2752	hubivuo.exe
2752	hubivuo.exe
2752	hubivuo.exe
2752	hubivuo.exe
2752	hubivuo.exe
2752	hubivuo.exe
2752	hubivuo.exe
2752	hubivuo.exe
2752	hubivuo.exe
2752	hubivuo.exe
2752	hubivuo.exe
2752	hubivuo.exe
2752	hubivuo.exe
2752	hubivuo.exe
2752	hubivuo.exe
2752	hubivuo.exe
2752	hubivuo.exe
2752	hubivuo.exe
2752	hubivuo.exe
2752	hubivuo.exe
2752	hubivuo.exe
2752	hubivuo.exe
2752	hubivuo.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	5096	~DFA23D.tmp

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2232 wrote to memory of 2540	2232	0ff6fff3d90128804210326e3001c3b96f0022d895b4b6e0061c01c22c646b22.exe	82
PID 2232 wrote to memory of 2540	2232	0ff6fff3d90128804210326e3001c3b96f0022d895b4b6e0061c01c22c646b22.exe	82
PID 2232 wrote to memory of 2540	2232	0ff6fff3d90128804210326e3001c3b96f0022d895b4b6e0061c01c22c646b22.exe	82
PID 2540 wrote to memory of 5096	2540	pyjogua.exe	83
PID 2540 wrote to memory of 5096	2540	pyjogua.exe	83
PID 2540 wrote to memory of 5096	2540	pyjogua.exe	83
PID 2232 wrote to memory of 5068	2232	0ff6fff3d90128804210326e3001c3b96f0022d895b4b6e0061c01c22c646b22.exe	84
PID 2232 wrote to memory of 5068	2232	0ff6fff3d90128804210326e3001c3b96f0022d895b4b6e0061c01c22c646b22.exe	84
PID 2232 wrote to memory of 5068	2232	0ff6fff3d90128804210326e3001c3b96f0022d895b4b6e0061c01c22c646b22.exe	84
PID 5096 wrote to memory of 2752	5096	~DFA23D.tmp	87
PID 5096 wrote to memory of 2752	5096	~DFA23D.tmp	87
PID 5096 wrote to memory of 2752	5096	~DFA23D.tmp	87

C:\Users\Admin\AppData\Local\Temp\0ff6fff3d90128804210326e3001c3b96f0022d895b4b6e0061c01c22c646b22.exe
"C:\Users\Admin\AppData\Local\Temp\0ff6fff3d90128804210326e3001c3b96f0022d895b4b6e0061c01c22c646b22.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2232
- C:\Users\Admin\AppData\Local\Temp\pyjogua.exe
  C:\Users\Admin\AppData\Local\Temp\pyjogua.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2540
- - C:\Users\Admin\AppData\Local\Temp\~DFA23D.tmp
    C:\Users\Admin\AppData\Local\Temp\~DFA23D.tmp OK
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5096
  - - C:\Users\Admin\AppData\Local\Temp\hubivuo.exe
      "C:\Users\Admin\AppData\Local\Temp\hubivuo.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:2752
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
  2⤵
  PID:5068

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uninsep.bat

Filesize
341B

MD5
01ffb4c18f4ce85b82046d7ae17a1093

SHA1
0bdc813c485870312056a682494d442472f2e4e6

SHA256
35815e11f1a25b3f3c5b319517a13fa2a51cef7506793afa3960a1736659de07

SHA512
672eea9331a36dc546ee6d15ca2fc6079c0d4fa3b9449dfb09d1644c662bef32a76c156a02eacef365b8683a3ddaf1c61fce0cbd6f8d7d8f521fbbb4a4a36f5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
86bb2dbeaef655893262f3c041f6afe2

SHA1
1b26ff1241c1353bd506c18bd0c11878076ba65d

SHA256
4a57643d2c59d1235bc0926f845583f39345839e3e9428ad619eb4b6baf96ad2

SHA512
58294cfaa5882a4c5625c03fe6f9e4882912b31f7169241f95626745d66c0a746083a9044365943d66ae7a420113d28c0ddd642c4ed697c683deb63796a13d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
480B

MD5
5db8883ba1782f3d5df4e2dfc5f9cb92

SHA1
81c0b387f049e3e5edf753fa701a589426a4c018

SHA256
bff64fc1e446dae59db94b70f757f0272decbad71772da3b15c01e2b7ed49894

SHA512
98b3a688d0b060ba7359501a8f687f46a22dd3ceefc018a642de4407b2fcab25e9f2fd8d16e933c8417cdac184c0066482c7920bb405a95491f6cf233faea4cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\hubivuo.exe

Filesize
407KB

MD5
89e5bcaf08de10f09d88e50e7d74d672

SHA1
6bdf1074c97e0f4e443684ec3ed4058261a220c8

SHA256
24396b19055ff8efb4d4a7018be570665c650942448bd7716139469158a59c71

SHA512
f552e75e8595d0f5d052aee9b2e4337469631757801ef9c293b656873ddd226cdc71d10bd5312466650f316debd90b0a0e8f215c94ad4cbc323f967f7bbd4d1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\hubivuo.exe

Filesize
407KB

MD5
89e5bcaf08de10f09d88e50e7d74d672

SHA1
6bdf1074c97e0f4e443684ec3ed4058261a220c8

SHA256
24396b19055ff8efb4d4a7018be570665c650942448bd7716139469158a59c71

SHA512
f552e75e8595d0f5d052aee9b2e4337469631757801ef9c293b656873ddd226cdc71d10bd5312466650f316debd90b0a0e8f215c94ad4cbc323f967f7bbd4d1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\pyjogua.exe

Filesize
604KB

MD5
dca648edc9d754d586df22e626a5679f

SHA1
e9af8b2725c8aa2ac545c87a3347c6ba02ed9964

SHA256
862ec9c0dbf5060a3edeaf46733257b132c850b884939935ac61ce4d52608518

SHA512
2d2732bfbeaefac10aa1ba4906373c5f0788484104fd4652c47e48324c510c9a5916fe972e1eebbe0ddd4fd58289c29f1fbc71cbee0763dbb0038859ab706045

Download Submit
C:\Users\Admin\AppData\Local\Temp\pyjogua.exe

Filesize
604KB

MD5
dca648edc9d754d586df22e626a5679f

SHA1
e9af8b2725c8aa2ac545c87a3347c6ba02ed9964

SHA256
862ec9c0dbf5060a3edeaf46733257b132c850b884939935ac61ce4d52608518

SHA512
2d2732bfbeaefac10aa1ba4906373c5f0788484104fd4652c47e48324c510c9a5916fe972e1eebbe0ddd4fd58289c29f1fbc71cbee0763dbb0038859ab706045

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA23D.tmp

Filesize
607KB

MD5
923964905b194cfe644f50d12be37b40

SHA1
16cbfaabfe2ec68c65d6e6ef67bb436e5f88e206

SHA256
99478c065b0baa3c9e60afc37d80013f9d21828c8ddbbb3bc8b17daa1f933567

SHA512
32600306d32c18f16e1132fc4ac8eb474cb01af758650911d0be90f597aa5227d3a5356de37ce839f7ae6529855da656c58a32ab0dd67a0e0c341da773ca7924

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA23D.tmp

Filesize
607KB

MD5
923964905b194cfe644f50d12be37b40

SHA1
16cbfaabfe2ec68c65d6e6ef67bb436e5f88e206

SHA256
99478c065b0baa3c9e60afc37d80013f9d21828c8ddbbb3bc8b17daa1f933567

SHA512
32600306d32c18f16e1132fc4ac8eb474cb01af758650911d0be90f597aa5227d3a5356de37ce839f7ae6529855da656c58a32ab0dd67a0e0c341da773ca7924

Download Submit
memory/2232-141-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/2232-132-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/2540-143-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/2752-150-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/2752-148-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/5096-144-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download