7bb1c7fb8f2084cd13fa7fded01a76468be702f5c4135d256b125d46ce1c8d05

Analysis

max time kernel
151s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
07-11-2022 06:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7bb1c7fb8f2084cd13fa7fded01a76468be702f5c4135d256b125d46ce1c8d05.exe
Size

655KB
MD5

0521874c4275011303c6826cf0a82e00
SHA1

1a6d041bca93bbcd3b54c0cc8518da84f9d8d672
SHA256

7bb1c7fb8f2084cd13fa7fded01a76468be702f5c4135d256b125d46ce1c8d05
SHA512

13eda3e2a0d260aa14460acfcf99228677d2d7228f190dc846f11a8a702a2f482a4615186718f67554c297e411cf2fd30ffc9cedb56ea1619035e9531ff298b1
SSDEEP

12288:VHjcoe9PH96vB/fAuBcm9TyOE/xG3muGx44MG4Yx:VDgINfAuBcgcZG2uG24MG4Y

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
3596	myxokuc.exe
2140	~DFA224.tmp
4244	cuicabb.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	7bb1c7fb8f2084cd13fa7fded01a76468be702f5c4135d256b125d46ce1c8d05.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	~DFA224.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
4244	cuicabb.exe
4244	cuicabb.exe
4244	cuicabb.exe
4244	cuicabb.exe
4244	cuicabb.exe
4244	cuicabb.exe
4244	cuicabb.exe
4244	cuicabb.exe
4244	cuicabb.exe
4244	cuicabb.exe
4244	cuicabb.exe
4244	cuicabb.exe
4244	cuicabb.exe
4244	cuicabb.exe
4244	cuicabb.exe
4244	cuicabb.exe
4244	cuicabb.exe
4244	cuicabb.exe
4244	cuicabb.exe
4244	cuicabb.exe
4244	cuicabb.exe
4244	cuicabb.exe
4244	cuicabb.exe
4244	cuicabb.exe
4244	cuicabb.exe
4244	cuicabb.exe
4244	cuicabb.exe
4244	cuicabb.exe
4244	cuicabb.exe
4244	cuicabb.exe
4244	cuicabb.exe
4244	cuicabb.exe
4244	cuicabb.exe
4244	cuicabb.exe
4244	cuicabb.exe
4244	cuicabb.exe
4244	cuicabb.exe
4244	cuicabb.exe
4244	cuicabb.exe
4244	cuicabb.exe
4244	cuicabb.exe
4244	cuicabb.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2140	~DFA224.tmp

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1152 wrote to memory of 3596	1152	7bb1c7fb8f2084cd13fa7fded01a76468be702f5c4135d256b125d46ce1c8d05.exe	79
PID 1152 wrote to memory of 3596	1152	7bb1c7fb8f2084cd13fa7fded01a76468be702f5c4135d256b125d46ce1c8d05.exe	79
PID 1152 wrote to memory of 3596	1152	7bb1c7fb8f2084cd13fa7fded01a76468be702f5c4135d256b125d46ce1c8d05.exe	79
PID 3596 wrote to memory of 2140	3596	myxokuc.exe	80
PID 3596 wrote to memory of 2140	3596	myxokuc.exe	80
PID 3596 wrote to memory of 2140	3596	myxokuc.exe	80
PID 1152 wrote to memory of 972	1152	7bb1c7fb8f2084cd13fa7fded01a76468be702f5c4135d256b125d46ce1c8d05.exe	81
PID 1152 wrote to memory of 972	1152	7bb1c7fb8f2084cd13fa7fded01a76468be702f5c4135d256b125d46ce1c8d05.exe	81
PID 1152 wrote to memory of 972	1152	7bb1c7fb8f2084cd13fa7fded01a76468be702f5c4135d256b125d46ce1c8d05.exe	81
PID 2140 wrote to memory of 4244	2140	~DFA224.tmp	85
PID 2140 wrote to memory of 4244	2140	~DFA224.tmp	85
PID 2140 wrote to memory of 4244	2140	~DFA224.tmp	85

C:\Users\Admin\AppData\Local\Temp\7bb1c7fb8f2084cd13fa7fded01a76468be702f5c4135d256b125d46ce1c8d05.exe
"C:\Users\Admin\AppData\Local\Temp\7bb1c7fb8f2084cd13fa7fded01a76468be702f5c4135d256b125d46ce1c8d05.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1152
- C:\Users\Admin\AppData\Local\Temp\myxokuc.exe
  C:\Users\Admin\AppData\Local\Temp\myxokuc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3596
- - C:\Users\Admin\AppData\Local\Temp\~DFA224.tmp
    C:\Users\Admin\AppData\Local\Temp\~DFA224.tmp OK
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2140
  - - C:\Users\Admin\AppData\Local\Temp\cuicabb.exe
      "C:\Users\Admin\AppData\Local\Temp\cuicabb.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:4244
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
  2⤵
  PID:972

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uninsep.bat

Filesize
341B

MD5
412fc2afcb6036d4a8c81ea8a004774c

SHA1
423cadb538df1e5c8b4d281a35cf139e27d07061

SHA256
21791c52f50ba4710f42f7119b288057c8fd290bfea0de6fc522fc1da48b8d94

SHA512
7552beec3351d34d2c31bb550a8e7afbca4543976bc6c75a024ba9bb20ea95bbbdee112ff00f92944af9f7e569833a537f44c127019bcbd2112ab8bed79ef479

Download Submit
C:\Users\Admin\AppData\Local\Temp\cuicabb.exe

Filesize
376KB

MD5
dd6286cf3efed8079dddd06b5ddbc3c5

SHA1
0c6a7317bc568a2598fce9c4e2157a8b7dbeca15

SHA256
24327c4c6029c78de774133eaa1f2dd1e252b20ce7c2d0061a28480b16c55829

SHA512
23a131309c9232c0b5b2f261986d3598137cb2ce4d319e4ee324bb8e52059939d40bbf7d528c6f6534e91c1895120b4e8b1bc803c5e160348849ef025082ee63

Download Submit
C:\Users\Admin\AppData\Local\Temp\cuicabb.exe

Filesize
376KB

MD5
dd6286cf3efed8079dddd06b5ddbc3c5

SHA1
0c6a7317bc568a2598fce9c4e2157a8b7dbeca15

SHA256
24327c4c6029c78de774133eaa1f2dd1e252b20ce7c2d0061a28480b16c55829

SHA512
23a131309c9232c0b5b2f261986d3598137cb2ce4d319e4ee324bb8e52059939d40bbf7d528c6f6534e91c1895120b4e8b1bc803c5e160348849ef025082ee63

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
86bb2dbeaef655893262f3c041f6afe2

SHA1
1b26ff1241c1353bd506c18bd0c11878076ba65d

SHA256
4a57643d2c59d1235bc0926f845583f39345839e3e9428ad619eb4b6baf96ad2

SHA512
58294cfaa5882a4c5625c03fe6f9e4882912b31f7169241f95626745d66c0a746083a9044365943d66ae7a420113d28c0ddd642c4ed697c683deb63796a13d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
480B

MD5
47ac7d5033ff333a701426665938868e

SHA1
9956d5589521051706281d25daf0a3be6f0c3558

SHA256
934465d730638589bd40815588284677c6db443ef086d9e53a63ecb71db0b517

SHA512
681daea03c09c8f22d8c4f474361e9608d02a1cf77be7a996559811776e0584c4a7f2aef9dd0cf9950659d25c674a6f7fcbff5eda07c451f9dfe761e2ad35503

Download Submit
C:\Users\Admin\AppData\Local\Temp\myxokuc.exe

Filesize
663KB

MD5
7dec8ecc3cdae0fe392a7786d4dc76c1

SHA1
1f352d8144fe54fdd9d96c0c05c22c69d4b88f00

SHA256
17922198a070b9778018f40033041cccc3d65fd24c5dfabc4db2a5008240c3bf

SHA512
766cc4e1043e4cef6bc4a3ed0190f2c4987fda02fc34bb10a475875ab493b4abb6fc2d4db54dbaec76fd3345859de20bf3f92d9c3fe49b5048e2a9e755aeac09

Download Submit
C:\Users\Admin\AppData\Local\Temp\myxokuc.exe

Filesize
663KB

MD5
7dec8ecc3cdae0fe392a7786d4dc76c1

SHA1
1f352d8144fe54fdd9d96c0c05c22c69d4b88f00

SHA256
17922198a070b9778018f40033041cccc3d65fd24c5dfabc4db2a5008240c3bf

SHA512
766cc4e1043e4cef6bc4a3ed0190f2c4987fda02fc34bb10a475875ab493b4abb6fc2d4db54dbaec76fd3345859de20bf3f92d9c3fe49b5048e2a9e755aeac09

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA224.tmp

Filesize
671KB

MD5
ca2e71733e0aadede8a8f70e3dcff2f6

SHA1
e8cee7aa7141d03319a39c5136abaf309142e5c2

SHA256
bee2f403504724791ecc19487cfa48a4c727629b954da50daeb238acbfd70fd7

SHA512
abdee2bc8fac6df1cf0a8a761baaa7e970e38204b89c865dbfee59e4dc688954dc02f0f5161dbea54570f9daa48cbb9e323a5472a0c24e8ff55dfb46f22152d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA224.tmp

Filesize
671KB

MD5
ca2e71733e0aadede8a8f70e3dcff2f6

SHA1
e8cee7aa7141d03319a39c5136abaf309142e5c2

SHA256
bee2f403504724791ecc19487cfa48a4c727629b954da50daeb238acbfd70fd7

SHA512
abdee2bc8fac6df1cf0a8a761baaa7e970e38204b89c865dbfee59e4dc688954dc02f0f5161dbea54570f9daa48cbb9e323a5472a0c24e8ff55dfb46f22152d1

Download Submit
memory/972-143-0x0000000000000000-mapping.dmp

Download
memory/1152-132-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1152-144-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/2140-141-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/2140-137-0x0000000000000000-mapping.dmp

Download
memory/2140-146-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/3596-142-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/3596-140-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/3596-133-0x0000000000000000-mapping.dmp

Download
memory/4244-147-0x0000000000000000-mapping.dmp

Download
memory/4244-151-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download