89b312d23ac3a08874718529e7fb0f32c523922cdc9614695c9c2cf114912222

Analysis

max time kernel
151s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
30/10/2022, 15:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

89b312d23ac3a08874718529e7fb0f32c523922cdc9614695c9c2cf114912222.exe
Size

660KB
MD5

82e8853db083da0b6eead7a7b79304d0
SHA1

121003898e223e68da72023fd3b5a3347b327c41
SHA256

89b312d23ac3a08874718529e7fb0f32c523922cdc9614695c9c2cf114912222
SHA512

d33e0ed016cff1de99d863166b2e22da2e88636dc7820bb59f5ec60ad5c85d8e8fda58efe31571efd6af8e81d9f9e74cfdc32fa746226c1027302f76a1860cf8
SSDEEP

12288:OHjcoe9PH96vB/fAuBcm9TyOE/xG3muGx44MG4Yx:ODgINfAuBcgcZG2uG24MG4Y

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
828	wiifwoc.exe
4116	~DFA228.tmp
212	puujjoc.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	~DFA228.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	89b312d23ac3a08874718529e7fb0f32c523922cdc9614695c9c2cf114912222.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
212	puujjoc.exe
212	puujjoc.exe
212	puujjoc.exe
212	puujjoc.exe
212	puujjoc.exe
212	puujjoc.exe
212	puujjoc.exe
212	puujjoc.exe
212	puujjoc.exe
212	puujjoc.exe
212	puujjoc.exe
212	puujjoc.exe
212	puujjoc.exe
212	puujjoc.exe
212	puujjoc.exe
212	puujjoc.exe
212	puujjoc.exe
212	puujjoc.exe
212	puujjoc.exe
212	puujjoc.exe
212	puujjoc.exe
212	puujjoc.exe
212	puujjoc.exe
212	puujjoc.exe
212	puujjoc.exe
212	puujjoc.exe
212	puujjoc.exe
212	puujjoc.exe
212	puujjoc.exe
212	puujjoc.exe
212	puujjoc.exe
212	puujjoc.exe
212	puujjoc.exe
212	puujjoc.exe
212	puujjoc.exe
212	puujjoc.exe
212	puujjoc.exe
212	puujjoc.exe
212	puujjoc.exe
212	puujjoc.exe
212	puujjoc.exe
212	puujjoc.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4116	~DFA228.tmp

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4800 wrote to memory of 828	4800	89b312d23ac3a08874718529e7fb0f32c523922cdc9614695c9c2cf114912222.exe	82
PID 4800 wrote to memory of 828	4800	89b312d23ac3a08874718529e7fb0f32c523922cdc9614695c9c2cf114912222.exe	82
PID 4800 wrote to memory of 828	4800	89b312d23ac3a08874718529e7fb0f32c523922cdc9614695c9c2cf114912222.exe	82
PID 828 wrote to memory of 4116	828	wiifwoc.exe	83
PID 828 wrote to memory of 4116	828	wiifwoc.exe	83
PID 828 wrote to memory of 4116	828	wiifwoc.exe	83
PID 4800 wrote to memory of 860	4800	89b312d23ac3a08874718529e7fb0f32c523922cdc9614695c9c2cf114912222.exe	84
PID 4800 wrote to memory of 860	4800	89b312d23ac3a08874718529e7fb0f32c523922cdc9614695c9c2cf114912222.exe	84
PID 4800 wrote to memory of 860	4800	89b312d23ac3a08874718529e7fb0f32c523922cdc9614695c9c2cf114912222.exe	84
PID 4116 wrote to memory of 212	4116	~DFA228.tmp	87
PID 4116 wrote to memory of 212	4116	~DFA228.tmp	87
PID 4116 wrote to memory of 212	4116	~DFA228.tmp	87

C:\Users\Admin\AppData\Local\Temp\89b312d23ac3a08874718529e7fb0f32c523922cdc9614695c9c2cf114912222.exe
"C:\Users\Admin\AppData\Local\Temp\89b312d23ac3a08874718529e7fb0f32c523922cdc9614695c9c2cf114912222.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4800
- C:\Users\Admin\AppData\Local\Temp\wiifwoc.exe
  C:\Users\Admin\AppData\Local\Temp\wiifwoc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:828
- - C:\Users\Admin\AppData\Local\Temp\~DFA228.tmp
    C:\Users\Admin\AppData\Local\Temp\~DFA228.tmp OK
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4116
  - - C:\Users\Admin\AppData\Local\Temp\puujjoc.exe
      "C:\Users\Admin\AppData\Local\Temp\puujjoc.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:212
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
  2⤵
  PID:860

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uninsep.bat

Filesize
341B

MD5
2ef138429baa9a94867f3034a96e35da

SHA1
1a62d7bc5cbbb152f03e7c78fb3a8a48af571da0

SHA256
14a847644ece38b4af7145f1f788be0c9e70bbe9f7c5318717bcc5441e18e8e5

SHA512
5b028e64bc3bd4a2369e0e9e4703f5b4a2cd3191060a0be867ce92d270fd08626370d528ddd308d2baacd50edf5f6bc980fe1275a3c0118c08f71b6b00269b94

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
86bb2dbeaef655893262f3c041f6afe2

SHA1
1b26ff1241c1353bd506c18bd0c11878076ba65d

SHA256
4a57643d2c59d1235bc0926f845583f39345839e3e9428ad619eb4b6baf96ad2

SHA512
58294cfaa5882a4c5625c03fe6f9e4882912b31f7169241f95626745d66c0a746083a9044365943d66ae7a420113d28c0ddd642c4ed697c683deb63796a13d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
480B

MD5
77a4c394a55d94eb6cdca48ef4592555

SHA1
33309e8a3c358003f995bd73583c7eb689417144

SHA256
9d2f4655443fde3708a4e305f29d9bbe9fcfe2269c431e712714a49ce2480eaf

SHA512
01b1c6e78f095706308c2ac5b068f852858d1f2fee8702f90963bfdca375c3000b91c09ef04784eef825dd72613daaac4c01e586e371cf881eeb653c2ba043c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\puujjoc.exe

Filesize
396KB

MD5
a63fb90fe0f4bce98241f7b62c0d33e0

SHA1
a4f84eb25085c2b2ef90f9d22992d8a6b9ca9e51

SHA256
e450f520e570439dc44125561dee13d8b06be5297218dd436ce55b26ba5210bf

SHA512
aa5a3401f901310524bc56e4bce5cc9dd21969e7b32b66a49618c312428a79f756f1a375a12cdb571de158840d08d8d1f17de0feb63fa194e3a8e0a6201dd847

Download Submit
C:\Users\Admin\AppData\Local\Temp\puujjoc.exe

Filesize
396KB

MD5
a63fb90fe0f4bce98241f7b62c0d33e0

SHA1
a4f84eb25085c2b2ef90f9d22992d8a6b9ca9e51

SHA256
e450f520e570439dc44125561dee13d8b06be5297218dd436ce55b26ba5210bf

SHA512
aa5a3401f901310524bc56e4bce5cc9dd21969e7b32b66a49618c312428a79f756f1a375a12cdb571de158840d08d8d1f17de0feb63fa194e3a8e0a6201dd847

Download Submit
C:\Users\Admin\AppData\Local\Temp\wiifwoc.exe

Filesize
660KB

MD5
50f9ffd77395f3d27a10c0f24ed0ead2

SHA1
185d571ad35a98b188d0030f2660fe8a543c3d92

SHA256
fb0149742e9eac1825498d3879e97a50f91197f7d236c39276f971228b1575ea

SHA512
4eac59faeec213fd47f991eff05d1b458788f0577e39858b92f66babff0bc4b789d3f393c20065b1ebcdf32217bc46e8a56c3a97d0d0ae0a2337af9f2a4845e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\wiifwoc.exe

Filesize
660KB

MD5
50f9ffd77395f3d27a10c0f24ed0ead2

SHA1
185d571ad35a98b188d0030f2660fe8a543c3d92

SHA256
fb0149742e9eac1825498d3879e97a50f91197f7d236c39276f971228b1575ea

SHA512
4eac59faeec213fd47f991eff05d1b458788f0577e39858b92f66babff0bc4b789d3f393c20065b1ebcdf32217bc46e8a56c3a97d0d0ae0a2337af9f2a4845e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA228.tmp

Filesize
663KB

MD5
b62221d4fb4553b89f095c19f9749743

SHA1
33996698f46e8d2ed20ac0ad6979a19ff8763363

SHA256
e9c11975d7194ddf003834b231b04bdaa206f241eeb4933c53dcf4bb4b63a888

SHA512
0af809d91c27b0b44be1af094fe78d561bda610bce9d82e5ac0b187c9f6b4375d54e32060f959dc10ca60033f8c602316662e687e73d89bef754f28161de01a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA228.tmp

Filesize
663KB

MD5
b62221d4fb4553b89f095c19f9749743

SHA1
33996698f46e8d2ed20ac0ad6979a19ff8763363

SHA256
e9c11975d7194ddf003834b231b04bdaa206f241eeb4933c53dcf4bb4b63a888

SHA512
0af809d91c27b0b44be1af094fe78d561bda610bce9d82e5ac0b187c9f6b4375d54e32060f959dc10ca60033f8c602316662e687e73d89bef754f28161de01a2

Download Submit
memory/212-151-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/212-150-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/828-141-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/828-136-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/4116-145-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/4800-135-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/4800-143-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download