71535fce2373744f5daeaa60efecb805a228e5e988dc2f68e504d31752f402f1

Analysis

max time kernel
151s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
06/11/2022, 05:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

71535fce2373744f5daeaa60efecb805a228e5e988dc2f68e504d31752f402f1.exe
Size

676KB
MD5

09a9476fcef04898eaae48d5f7e737e0
SHA1

6f849f53d358947b48ea928cda82c9103b9e1104
SHA256

71535fce2373744f5daeaa60efecb805a228e5e988dc2f68e504d31752f402f1
SHA512

3c1d92babee6af1bd655258d9d0230480cddcffb3c366eb890c372915c0426a55a49085dc18335f3051cf373b7a129cf2f893d51aa83009a39f65a44fb052fd5
SSDEEP

12288:VHjcoe9PH96vB/fAuBcm9TyOE/xG3muGx44MG4Yx:VDgINfAuBcgcZG2uG24MG4Y

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
4056	nyufupq.exe
5012	~DFA236.tmp
1960	gutyhyq.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	71535fce2373744f5daeaa60efecb805a228e5e988dc2f68e504d31752f402f1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	~DFA236.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
1960	gutyhyq.exe
1960	gutyhyq.exe
1960	gutyhyq.exe
1960	gutyhyq.exe
1960	gutyhyq.exe
1960	gutyhyq.exe
1960	gutyhyq.exe
1960	gutyhyq.exe
1960	gutyhyq.exe
1960	gutyhyq.exe
1960	gutyhyq.exe
1960	gutyhyq.exe
1960	gutyhyq.exe
1960	gutyhyq.exe
1960	gutyhyq.exe
1960	gutyhyq.exe
1960	gutyhyq.exe
1960	gutyhyq.exe
1960	gutyhyq.exe
1960	gutyhyq.exe
1960	gutyhyq.exe
1960	gutyhyq.exe
1960	gutyhyq.exe
1960	gutyhyq.exe
1960	gutyhyq.exe
1960	gutyhyq.exe
1960	gutyhyq.exe
1960	gutyhyq.exe
1960	gutyhyq.exe
1960	gutyhyq.exe
1960	gutyhyq.exe
1960	gutyhyq.exe
1960	gutyhyq.exe
1960	gutyhyq.exe
1960	gutyhyq.exe
1960	gutyhyq.exe
1960	gutyhyq.exe
1960	gutyhyq.exe
1960	gutyhyq.exe
1960	gutyhyq.exe
1960	gutyhyq.exe
1960	gutyhyq.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	5012	~DFA236.tmp

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 616 wrote to memory of 4056	616	71535fce2373744f5daeaa60efecb805a228e5e988dc2f68e504d31752f402f1.exe	80
PID 616 wrote to memory of 4056	616	71535fce2373744f5daeaa60efecb805a228e5e988dc2f68e504d31752f402f1.exe	80
PID 616 wrote to memory of 4056	616	71535fce2373744f5daeaa60efecb805a228e5e988dc2f68e504d31752f402f1.exe	80
PID 4056 wrote to memory of 5012	4056	nyufupq.exe	81
PID 4056 wrote to memory of 5012	4056	nyufupq.exe	81
PID 4056 wrote to memory of 5012	4056	nyufupq.exe	81
PID 616 wrote to memory of 5048	616	71535fce2373744f5daeaa60efecb805a228e5e988dc2f68e504d31752f402f1.exe	82
PID 616 wrote to memory of 5048	616	71535fce2373744f5daeaa60efecb805a228e5e988dc2f68e504d31752f402f1.exe	82
PID 616 wrote to memory of 5048	616	71535fce2373744f5daeaa60efecb805a228e5e988dc2f68e504d31752f402f1.exe	82
PID 5012 wrote to memory of 1960	5012	~DFA236.tmp	92
PID 5012 wrote to memory of 1960	5012	~DFA236.tmp	92
PID 5012 wrote to memory of 1960	5012	~DFA236.tmp	92

C:\Users\Admin\AppData\Local\Temp\71535fce2373744f5daeaa60efecb805a228e5e988dc2f68e504d31752f402f1.exe
"C:\Users\Admin\AppData\Local\Temp\71535fce2373744f5daeaa60efecb805a228e5e988dc2f68e504d31752f402f1.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:616
- C:\Users\Admin\AppData\Local\Temp\nyufupq.exe
  C:\Users\Admin\AppData\Local\Temp\nyufupq.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4056
- - C:\Users\Admin\AppData\Local\Temp\~DFA236.tmp
    C:\Users\Admin\AppData\Local\Temp\~DFA236.tmp OK
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5012
  - - C:\Users\Admin\AppData\Local\Temp\gutyhyq.exe
      "C:\Users\Admin\AppData\Local\Temp\gutyhyq.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:1960
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
  2⤵
  PID:5048

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uninsep.bat

Filesize
341B

MD5
90dcaf8bf6553cf4221d60e44395bb9c

SHA1
1e927acd95fcf6220c5f051bff3a4b131a0278ab

SHA256
a1262f359bd1849bf3f71c9f171e38a80e95eb55b22a8565250f0aa6c1064608

SHA512
12b4dcb437de52ccbf55d1714a77c7a0403eb55d03af1e06b13f78b8cf7e328507c2c76732c8449abb211fcd14ca9132ae1d35cc21e74641c75468f83e1093bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
86bb2dbeaef655893262f3c041f6afe2

SHA1
1b26ff1241c1353bd506c18bd0c11878076ba65d

SHA256
4a57643d2c59d1235bc0926f845583f39345839e3e9428ad619eb4b6baf96ad2

SHA512
58294cfaa5882a4c5625c03fe6f9e4882912b31f7169241f95626745d66c0a746083a9044365943d66ae7a420113d28c0ddd642c4ed697c683deb63796a13d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
480B

MD5
7979600ee7e91dffa210831e43d2e68a

SHA1
921f0d6c8cfe0695179456e69c0ab1b7ec5e82a5

SHA256
1efa5b57c4988bdea4da88075a961ffff0c31a93e00b853c6aae5d24aa405c47

SHA512
eb26c30aa0642e5f0f36fff9beabd67c82734a719ffcaf101694a9aeab373e8adc976b9f62ee7958697c25027342a7de4e3d5bb180a8a6987a9d7eff56196a8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\gutyhyq.exe

Filesize
380KB

MD5
c11b428ec4c657b55d0d41c6bc42d35c

SHA1
d158d5caaa6eb78f1392ef172bc488ee81a91ad0

SHA256
b8a7638ee406b6b956f461d4ac3db8c54cbe6379d796de4c4895b55892efeb70

SHA512
5efab05b905ed98f561295622e6a6c7067d4e395797b069b3d74544c53533cc07f64b2276502fa601beec14428cfb386bb9480be762f5860fe59f40da70c3ec4

Download Submit
C:\Users\Admin\AppData\Local\Temp\gutyhyq.exe

Filesize
380KB

MD5
c11b428ec4c657b55d0d41c6bc42d35c

SHA1
d158d5caaa6eb78f1392ef172bc488ee81a91ad0

SHA256
b8a7638ee406b6b956f461d4ac3db8c54cbe6379d796de4c4895b55892efeb70

SHA512
5efab05b905ed98f561295622e6a6c7067d4e395797b069b3d74544c53533cc07f64b2276502fa601beec14428cfb386bb9480be762f5860fe59f40da70c3ec4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nyufupq.exe

Filesize
682KB

MD5
24ba7f032f722ecf6b8c518973709085

SHA1
83cab3b9f89febcd7f41091bc151d8e46f0ed803

SHA256
67188dd5cc9d7a28cd524c8fdeaf6a6a7ba464a01123d58e6344b1f620ab1adc

SHA512
35518645db7951a5c4e48ab2f8842ced450cb80a39654033a82f82501d8ecd650411cc6b20119573953e623f5f3ea044ad2f761630a0545a181018c2185e9f53

Download Submit
C:\Users\Admin\AppData\Local\Temp\nyufupq.exe

Filesize
682KB

MD5
24ba7f032f722ecf6b8c518973709085

SHA1
83cab3b9f89febcd7f41091bc151d8e46f0ed803

SHA256
67188dd5cc9d7a28cd524c8fdeaf6a6a7ba464a01123d58e6344b1f620ab1adc

SHA512
35518645db7951a5c4e48ab2f8842ced450cb80a39654033a82f82501d8ecd650411cc6b20119573953e623f5f3ea044ad2f761630a0545a181018c2185e9f53

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA236.tmp

Filesize
689KB

MD5
c611283d0ab7a94cf4e0c8ae35787fcd

SHA1
ee7a511702e3b0aa58e5b9f8aa52d11a7112a5f0

SHA256
ef1071e6c4d46a7ccdbc9a4a84172e8df594029f95d0431e205ce1e4860b0d4f

SHA512
427f8972478a0c72e5fbf37b6349292cd58c5e7acdd41ecdeac3d4d14bd4cee95254931b8cda7fb5d8f323948d3e6a2ddfd7b1a63b0232b0aadc7482faac1bd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA236.tmp

Filesize
689KB

MD5
c611283d0ab7a94cf4e0c8ae35787fcd

SHA1
ee7a511702e3b0aa58e5b9f8aa52d11a7112a5f0

SHA256
ef1071e6c4d46a7ccdbc9a4a84172e8df594029f95d0431e205ce1e4860b0d4f

SHA512
427f8972478a0c72e5fbf37b6349292cd58c5e7acdd41ecdeac3d4d14bd4cee95254931b8cda7fb5d8f323948d3e6a2ddfd7b1a63b0232b0aadc7482faac1bd1

Download Submit
memory/616-136-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/616-143-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1960-150-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/4056-141-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/4056-137-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/5012-145-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download