58822841c43f863ed444ce84e82806beb74160b2386f69b891583b26ae959a7a

Analysis

max time kernel
152s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
30/10/2022, 08:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

58822841c43f863ed444ce84e82806beb74160b2386f69b891583b26ae959a7a.exe
Size

637KB
MD5

a302ebbb33d12c215ed1ad9e7817e370
SHA1

0fc0cc830c1c76779d3a4f1d4ea7511854b8c95e
SHA256

58822841c43f863ed444ce84e82806beb74160b2386f69b891583b26ae959a7a
SHA512

9e5dfe8e4574d5b93d2933b105fbed16793d398f30aeb748f43e93703bb350bf778bcd60adc8ec9f8b8eb032cefd825812eeb680107627bd743fa07b86661ff6
SSDEEP

12288:VHjcoe9PH96vB/fAuBcm9TyOE/xG3muGx44MG4Yx:VDgINfAuBcgcZG2uG24MG4Y

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
396	bufoloi.exe
2380	~DFA22C.tmp
3664	kucyyyi.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	~DFA22C.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	58822841c43f863ed444ce84e82806beb74160b2386f69b891583b26ae959a7a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
3664	kucyyyi.exe
3664	kucyyyi.exe
3664	kucyyyi.exe
3664	kucyyyi.exe
3664	kucyyyi.exe
3664	kucyyyi.exe
3664	kucyyyi.exe
3664	kucyyyi.exe
3664	kucyyyi.exe
3664	kucyyyi.exe
3664	kucyyyi.exe
3664	kucyyyi.exe
3664	kucyyyi.exe
3664	kucyyyi.exe
3664	kucyyyi.exe
3664	kucyyyi.exe
3664	kucyyyi.exe
3664	kucyyyi.exe
3664	kucyyyi.exe
3664	kucyyyi.exe
3664	kucyyyi.exe
3664	kucyyyi.exe
3664	kucyyyi.exe
3664	kucyyyi.exe
3664	kucyyyi.exe
3664	kucyyyi.exe
3664	kucyyyi.exe
3664	kucyyyi.exe
3664	kucyyyi.exe
3664	kucyyyi.exe
3664	kucyyyi.exe
3664	kucyyyi.exe
3664	kucyyyi.exe
3664	kucyyyi.exe
3664	kucyyyi.exe
3664	kucyyyi.exe
3664	kucyyyi.exe
3664	kucyyyi.exe
3664	kucyyyi.exe
3664	kucyyyi.exe
3664	kucyyyi.exe
3664	kucyyyi.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2380	~DFA22C.tmp

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4424 wrote to memory of 396	4424	58822841c43f863ed444ce84e82806beb74160b2386f69b891583b26ae959a7a.exe	82
PID 4424 wrote to memory of 396	4424	58822841c43f863ed444ce84e82806beb74160b2386f69b891583b26ae959a7a.exe	82
PID 4424 wrote to memory of 396	4424	58822841c43f863ed444ce84e82806beb74160b2386f69b891583b26ae959a7a.exe	82
PID 396 wrote to memory of 2380	396	bufoloi.exe	83
PID 396 wrote to memory of 2380	396	bufoloi.exe	83
PID 396 wrote to memory of 2380	396	bufoloi.exe	83
PID 4424 wrote to memory of 1940	4424	58822841c43f863ed444ce84e82806beb74160b2386f69b891583b26ae959a7a.exe	84
PID 4424 wrote to memory of 1940	4424	58822841c43f863ed444ce84e82806beb74160b2386f69b891583b26ae959a7a.exe	84
PID 4424 wrote to memory of 1940	4424	58822841c43f863ed444ce84e82806beb74160b2386f69b891583b26ae959a7a.exe	84
PID 2380 wrote to memory of 3664	2380	~DFA22C.tmp	88
PID 2380 wrote to memory of 3664	2380	~DFA22C.tmp	88
PID 2380 wrote to memory of 3664	2380	~DFA22C.tmp	88

C:\Users\Admin\AppData\Local\Temp\58822841c43f863ed444ce84e82806beb74160b2386f69b891583b26ae959a7a.exe
"C:\Users\Admin\AppData\Local\Temp\58822841c43f863ed444ce84e82806beb74160b2386f69b891583b26ae959a7a.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4424
- C:\Users\Admin\AppData\Local\Temp\bufoloi.exe
  C:\Users\Admin\AppData\Local\Temp\bufoloi.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:396
- - C:\Users\Admin\AppData\Local\Temp\~DFA22C.tmp
    C:\Users\Admin\AppData\Local\Temp\~DFA22C.tmp OK
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2380
  - - C:\Users\Admin\AppData\Local\Temp\kucyyyi.exe
      "C:\Users\Admin\AppData\Local\Temp\kucyyyi.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:3664
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
  2⤵
  PID:1940

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uninsep.bat

Filesize
341B

MD5
ba6d02b6c7bcb1c4c9b343a933de8c2a

SHA1
381e2ba5e41705aec4cd894a7a7a0d6ce984ae09

SHA256
00be712f57955bf0dce6a8d01f7ec312f6cdb3bc19998f36328d409798a2b376

SHA512
5f2fc6c2e2dad45a2c169ea49100e5500671e421bf27645c2e84735d30f85c1f2bda71e160ccce17334dc005eb6f4950abef0e3c659649b34c40f574bbe7537a

Download Submit
C:\Users\Admin\AppData\Local\Temp\bufoloi.exe

Filesize
643KB

MD5
23fc4cb2ef03b43e87d49d2930144744

SHA1
85b2c2ddb3bfbbd83558ef9ffda9a413d4bc04c2

SHA256
502119c82198170fe9f696cb635ecaaca193ed6995a775b56b96d40ec346a4b1

SHA512
60025f6a7a897db194230653681004bc0aaca2ecfc3dff5d04a2d849a3ea14520127f232a1868bad13792fa65c6a6ceeda0bce52531e85ddb6147a3503440da3

Download Submit
C:\Users\Admin\AppData\Local\Temp\bufoloi.exe

Filesize
643KB

MD5
23fc4cb2ef03b43e87d49d2930144744

SHA1
85b2c2ddb3bfbbd83558ef9ffda9a413d4bc04c2

SHA256
502119c82198170fe9f696cb635ecaaca193ed6995a775b56b96d40ec346a4b1

SHA512
60025f6a7a897db194230653681004bc0aaca2ecfc3dff5d04a2d849a3ea14520127f232a1868bad13792fa65c6a6ceeda0bce52531e85ddb6147a3503440da3

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
86bb2dbeaef655893262f3c041f6afe2

SHA1
1b26ff1241c1353bd506c18bd0c11878076ba65d

SHA256
4a57643d2c59d1235bc0926f845583f39345839e3e9428ad619eb4b6baf96ad2

SHA512
58294cfaa5882a4c5625c03fe6f9e4882912b31f7169241f95626745d66c0a746083a9044365943d66ae7a420113d28c0ddd642c4ed697c683deb63796a13d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
480B

MD5
daa1304a8cf5890bf5b7e97ef081623f

SHA1
c7cf4ec64e8bc6876d03619da3bca53438014c55

SHA256
e596fc7156fdcc5b180d17b8708b05f324c96a288a70d752db651c9ebd9dbcf1

SHA512
0a590cd24f72d0194fd1f4d71b9f57b206bdef598b14ca043364f11006a99d9ae745bcbfd3137f71d087a6ad5d1a0136dc5e82731ec59e8a093709bbefb850b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\kucyyyi.exe

Filesize
403KB

MD5
06727512df4239eb53100d345ace8cbb

SHA1
5bdb1cf0e83b195d0a496005cfc17b0726a08820

SHA256
cae26b267018cbbeb14aa46bafc6ededeb004563590b22bfd3701498b3797fe6

SHA512
814cd90f406a3f420c9d42c7642de79a2849de5090a93878595b33c9ed37e76d899d05cd6a0945915af97efe68e40d09b1d26daf140083a644d4c65d27869396

Download Submit
C:\Users\Admin\AppData\Local\Temp\kucyyyi.exe

Filesize
403KB

MD5
06727512df4239eb53100d345ace8cbb

SHA1
5bdb1cf0e83b195d0a496005cfc17b0726a08820

SHA256
cae26b267018cbbeb14aa46bafc6ededeb004563590b22bfd3701498b3797fe6

SHA512
814cd90f406a3f420c9d42c7642de79a2849de5090a93878595b33c9ed37e76d899d05cd6a0945915af97efe68e40d09b1d26daf140083a644d4c65d27869396

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA22C.tmp

Filesize
649KB

MD5
2349fd9d28d22463c562647de1b9ad24

SHA1
bd6e2e96c75f7047787f3bcd87c36248661690bc

SHA256
4de27b1d0ea8985252380b781b8e0b7f4949cb8f048e01dbe8e50949ef83f0d1

SHA512
6537f1d19ce2ef5fda210a1835197fb9bd0edf7efa6fe28edb1bf7bb18406f0a6f61f5f17d960037b16ace66d5ad4fd38f8d19cd95f03b01d4d6c7dfbb682014

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA22C.tmp

Filesize
649KB

MD5
2349fd9d28d22463c562647de1b9ad24

SHA1
bd6e2e96c75f7047787f3bcd87c36248661690bc

SHA256
4de27b1d0ea8985252380b781b8e0b7f4949cb8f048e01dbe8e50949ef83f0d1

SHA512
6537f1d19ce2ef5fda210a1835197fb9bd0edf7efa6fe28edb1bf7bb18406f0a6f61f5f17d960037b16ace66d5ad4fd38f8d19cd95f03b01d4d6c7dfbb682014

Download Submit
memory/396-143-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/2380-144-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/3664-149-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/4424-141-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/4424-132-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download