6ff142316a8382b7e2d947697607b74fbc1576f937178d96407b420ea15fa3f7

Analysis

max time kernel
150s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
06-11-2022 05:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6ff142316a8382b7e2d947697607b74fbc1576f937178d96407b420ea15fa3f7.exe
Size

644KB
MD5

21081c422b42907b32628ec887d39450
SHA1

715560155610087b25dcb4707a5b52256dbe5b74
SHA256

6ff142316a8382b7e2d947697607b74fbc1576f937178d96407b420ea15fa3f7
SHA512

1d058539d71ae33fc32f7fa164457632e6ce24099dd42007824669308b810c1e39fd7201686f516071c9101a8e186f363bd42e83d54a6ea2b3fdb7ce2a95e3f2
SSDEEP

12288:OHjcoe9PH96vB/fAuBcm9TyOE/xG3muGx44MG4Yx:ODgINfAuBcgcZG2uG24MG4Y

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
4652	qojikys.exe
2972	~DFA232.tmp
3092	suxubas.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	6ff142316a8382b7e2d947697607b74fbc1576f937178d96407b420ea15fa3f7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	~DFA232.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
3092	suxubas.exe
3092	suxubas.exe
3092	suxubas.exe
3092	suxubas.exe
3092	suxubas.exe
3092	suxubas.exe
3092	suxubas.exe
3092	suxubas.exe
3092	suxubas.exe
3092	suxubas.exe
3092	suxubas.exe
3092	suxubas.exe
3092	suxubas.exe
3092	suxubas.exe
3092	suxubas.exe
3092	suxubas.exe
3092	suxubas.exe
3092	suxubas.exe
3092	suxubas.exe
3092	suxubas.exe
3092	suxubas.exe
3092	suxubas.exe
3092	suxubas.exe
3092	suxubas.exe
3092	suxubas.exe
3092	suxubas.exe
3092	suxubas.exe
3092	suxubas.exe
3092	suxubas.exe
3092	suxubas.exe
3092	suxubas.exe
3092	suxubas.exe
3092	suxubas.exe
3092	suxubas.exe
3092	suxubas.exe
3092	suxubas.exe
3092	suxubas.exe
3092	suxubas.exe
3092	suxubas.exe
3092	suxubas.exe
3092	suxubas.exe
3092	suxubas.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2972	~DFA232.tmp

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 5080 wrote to memory of 4652	5080	6ff142316a8382b7e2d947697607b74fbc1576f937178d96407b420ea15fa3f7.exe	81
PID 5080 wrote to memory of 4652	5080	6ff142316a8382b7e2d947697607b74fbc1576f937178d96407b420ea15fa3f7.exe	81
PID 5080 wrote to memory of 4652	5080	6ff142316a8382b7e2d947697607b74fbc1576f937178d96407b420ea15fa3f7.exe	81
PID 4652 wrote to memory of 2972	4652	qojikys.exe	82
PID 4652 wrote to memory of 2972	4652	qojikys.exe	82
PID 4652 wrote to memory of 2972	4652	qojikys.exe	82
PID 5080 wrote to memory of 3284	5080	6ff142316a8382b7e2d947697607b74fbc1576f937178d96407b420ea15fa3f7.exe	83
PID 5080 wrote to memory of 3284	5080	6ff142316a8382b7e2d947697607b74fbc1576f937178d96407b420ea15fa3f7.exe	83
PID 5080 wrote to memory of 3284	5080	6ff142316a8382b7e2d947697607b74fbc1576f937178d96407b420ea15fa3f7.exe	83
PID 2972 wrote to memory of 3092	2972	~DFA232.tmp	92
PID 2972 wrote to memory of 3092	2972	~DFA232.tmp	92
PID 2972 wrote to memory of 3092	2972	~DFA232.tmp	92

C:\Users\Admin\AppData\Local\Temp\6ff142316a8382b7e2d947697607b74fbc1576f937178d96407b420ea15fa3f7.exe
"C:\Users\Admin\AppData\Local\Temp\6ff142316a8382b7e2d947697607b74fbc1576f937178d96407b420ea15fa3f7.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5080
- C:\Users\Admin\AppData\Local\Temp\qojikys.exe
  C:\Users\Admin\AppData\Local\Temp\qojikys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4652
- - C:\Users\Admin\AppData\Local\Temp\~DFA232.tmp
    C:\Users\Admin\AppData\Local\Temp\~DFA232.tmp OK
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2972
  - - C:\Users\Admin\AppData\Local\Temp\suxubas.exe
      "C:\Users\Admin\AppData\Local\Temp\suxubas.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:3092
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
  2⤵
  PID:3284

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uninsep.bat

Filesize
341B

MD5
cbdad522025a2672dd581691b6b8ccce

SHA1
8f0e0e89d3de484d4ca791ba05f04b51c8332eb4

SHA256
7e1c6d7d51fd16a9bdfe9683a081f2adf8b903efc1d2ea7d2d2adf0352c91018

SHA512
19a564262f78e16214936d5cf63ebb99f9d4b17273ff8b2e568f7454b20ccb52b97da3f96bf7dc11bb57d430e876f7aaa1cf65c6ea5620cba513b884225543ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
86bb2dbeaef655893262f3c041f6afe2

SHA1
1b26ff1241c1353bd506c18bd0c11878076ba65d

SHA256
4a57643d2c59d1235bc0926f845583f39345839e3e9428ad619eb4b6baf96ad2

SHA512
58294cfaa5882a4c5625c03fe6f9e4882912b31f7169241f95626745d66c0a746083a9044365943d66ae7a420113d28c0ddd642c4ed697c683deb63796a13d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
480B

MD5
1bac3601046a986650814af0a3d77109

SHA1
938d836c5e29f772a2240abf388e2b2299e8fb65

SHA256
ed17b754a8342a0a09b31c3005240e9a7c6dc24ffbb2ba5c4288eba2801f9ff2

SHA512
2aaa73941f8a7d4337392824236db0cb37ba01fc4f65f9ffe450eaa240307036b3b778bacfc8da1294be53d77d4a98936340db45ddadec37ab53db8e39a3b1ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\qojikys.exe

Filesize
647KB

MD5
61a34722135e6e6e7581ff4978836a3f

SHA1
771cf46c3591fe5847cd123cebb808354bf4ebc3

SHA256
e4a6280d16a6bfda641c2ebca9885cd5fd4085908f12ab4ff92b1a2aaec862be

SHA512
2649f3909cd325fd52af2782817673776d5596ffa692fd074f1883438e9edfe5060a3dd87fdff090d39edb34882b4a7fec3faa7ae783e4ec1d250421f1e37e42

Download Submit
C:\Users\Admin\AppData\Local\Temp\qojikys.exe

Filesize
647KB

MD5
61a34722135e6e6e7581ff4978836a3f

SHA1
771cf46c3591fe5847cd123cebb808354bf4ebc3

SHA256
e4a6280d16a6bfda641c2ebca9885cd5fd4085908f12ab4ff92b1a2aaec862be

SHA512
2649f3909cd325fd52af2782817673776d5596ffa692fd074f1883438e9edfe5060a3dd87fdff090d39edb34882b4a7fec3faa7ae783e4ec1d250421f1e37e42

Download Submit
C:\Users\Admin\AppData\Local\Temp\suxubas.exe

Filesize
390KB

MD5
4e1b8827ce5e4f3435375eabe879b4cf

SHA1
0de22c6e52adf24cba6959267d19b4e1c008a516

SHA256
8a4312b147f9af6d237b5047dd2a6cc52c47ee70a811c3a1021aa7baec4cc115

SHA512
4e8c59879e2a41dab9fb056f4459428e3efe9242d3febdf08942b1a96aadf9fd654164dd923e4d45d7714cffc48a37289917ae08408a26e18ec275f2341d3edc

Download Submit
C:\Users\Admin\AppData\Local\Temp\suxubas.exe

Filesize
390KB

MD5
4e1b8827ce5e4f3435375eabe879b4cf

SHA1
0de22c6e52adf24cba6959267d19b4e1c008a516

SHA256
8a4312b147f9af6d237b5047dd2a6cc52c47ee70a811c3a1021aa7baec4cc115

SHA512
4e8c59879e2a41dab9fb056f4459428e3efe9242d3febdf08942b1a96aadf9fd654164dd923e4d45d7714cffc48a37289917ae08408a26e18ec275f2341d3edc

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA232.tmp

Filesize
650KB

MD5
46b168760ce185f8f70641bf8a0a3073

SHA1
4f7377bec0985f359a18d159345994ce9e36d8bc

SHA256
65dcf680d91a5471e519aba7799156ba141c4fe6d3cd96a3dee00c8a280cd770

SHA512
0721aa27e50c89f6844a0270b8b41cbe5cf7115d7d685891facca86b40911472d4bd0ab5d9ef381acdfdefec156376dc1907128515fe79d6952d4700b5da84c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA232.tmp

Filesize
650KB

MD5
46b168760ce185f8f70641bf8a0a3073

SHA1
4f7377bec0985f359a18d159345994ce9e36d8bc

SHA256
65dcf680d91a5471e519aba7799156ba141c4fe6d3cd96a3dee00c8a280cd770

SHA512
0721aa27e50c89f6844a0270b8b41cbe5cf7115d7d685891facca86b40911472d4bd0ab5d9ef381acdfdefec156376dc1907128515fe79d6952d4700b5da84c9

Download Submit
memory/2972-141-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/2972-146-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/3092-150-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/3092-152-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/4652-142-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/4652-140-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/5080-144-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/5080-132-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download