6ba601ded0b0731e7f020405b94b7e873456a3d8e1e4d7b98d0ed1d50daf8646

Analysis

max time kernel
151s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
07-11-2022 06:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6ba601ded0b0731e7f020405b94b7e873456a3d8e1e4d7b98d0ed1d50daf8646.exe
Size

698KB
MD5

200216cdec9ee29da2cb13821dddaa90
SHA1

6a35f98bcef0432610d9668c6b9f1af030160353
SHA256

6ba601ded0b0731e7f020405b94b7e873456a3d8e1e4d7b98d0ed1d50daf8646
SHA512

6f50bcaec916c61484ba19fe145ca1ca097bb236f3f37ae575000f197d9af7036d9b7b5974af3eb230f86fe166ba1cd9256a0230545a1de3a187b52b3da0e00b
SSDEEP

12288:VHjcoe9PH96vB/fAuBcm9TyOE/xG3muGx44MG4Yx:VDgINfAuBcgcZG2uG24MG4Y

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
4292	ivuzyjr.exe
4176	~DFA21E.tmp
4884	loquhyy.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	6ba601ded0b0731e7f020405b94b7e873456a3d8e1e4d7b98d0ed1d50daf8646.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	~DFA21E.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
4884	loquhyy.exe
4884	loquhyy.exe
4884	loquhyy.exe
4884	loquhyy.exe
4884	loquhyy.exe
4884	loquhyy.exe
4884	loquhyy.exe
4884	loquhyy.exe
4884	loquhyy.exe
4884	loquhyy.exe
4884	loquhyy.exe
4884	loquhyy.exe
4884	loquhyy.exe
4884	loquhyy.exe
4884	loquhyy.exe
4884	loquhyy.exe
4884	loquhyy.exe
4884	loquhyy.exe
4884	loquhyy.exe
4884	loquhyy.exe
4884	loquhyy.exe
4884	loquhyy.exe
4884	loquhyy.exe
4884	loquhyy.exe
4884	loquhyy.exe
4884	loquhyy.exe
4884	loquhyy.exe
4884	loquhyy.exe
4884	loquhyy.exe
4884	loquhyy.exe
4884	loquhyy.exe
4884	loquhyy.exe
4884	loquhyy.exe
4884	loquhyy.exe
4884	loquhyy.exe
4884	loquhyy.exe
4884	loquhyy.exe
4884	loquhyy.exe
4884	loquhyy.exe
4884	loquhyy.exe
4884	loquhyy.exe
4884	loquhyy.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4176	~DFA21E.tmp

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4248 wrote to memory of 4292	4248	6ba601ded0b0731e7f020405b94b7e873456a3d8e1e4d7b98d0ed1d50daf8646.exe	80
PID 4248 wrote to memory of 4292	4248	6ba601ded0b0731e7f020405b94b7e873456a3d8e1e4d7b98d0ed1d50daf8646.exe	80
PID 4248 wrote to memory of 4292	4248	6ba601ded0b0731e7f020405b94b7e873456a3d8e1e4d7b98d0ed1d50daf8646.exe	80
PID 4292 wrote to memory of 4176	4292	ivuzyjr.exe	81
PID 4292 wrote to memory of 4176	4292	ivuzyjr.exe	81
PID 4292 wrote to memory of 4176	4292	ivuzyjr.exe	81
PID 4248 wrote to memory of 1600	4248	6ba601ded0b0731e7f020405b94b7e873456a3d8e1e4d7b98d0ed1d50daf8646.exe	82
PID 4248 wrote to memory of 1600	4248	6ba601ded0b0731e7f020405b94b7e873456a3d8e1e4d7b98d0ed1d50daf8646.exe	82
PID 4248 wrote to memory of 1600	4248	6ba601ded0b0731e7f020405b94b7e873456a3d8e1e4d7b98d0ed1d50daf8646.exe	82
PID 4176 wrote to memory of 4884	4176	~DFA21E.tmp	85
PID 4176 wrote to memory of 4884	4176	~DFA21E.tmp	85
PID 4176 wrote to memory of 4884	4176	~DFA21E.tmp	85

C:\Users\Admin\AppData\Local\Temp\6ba601ded0b0731e7f020405b94b7e873456a3d8e1e4d7b98d0ed1d50daf8646.exe
"C:\Users\Admin\AppData\Local\Temp\6ba601ded0b0731e7f020405b94b7e873456a3d8e1e4d7b98d0ed1d50daf8646.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4248
- C:\Users\Admin\AppData\Local\Temp\ivuzyjr.exe
  C:\Users\Admin\AppData\Local\Temp\ivuzyjr.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4292
- - C:\Users\Admin\AppData\Local\Temp\~DFA21E.tmp
    C:\Users\Admin\AppData\Local\Temp\~DFA21E.tmp OK
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4176
  - - C:\Users\Admin\AppData\Local\Temp\loquhyy.exe
      "C:\Users\Admin\AppData\Local\Temp\loquhyy.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:4884
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
  2⤵
  PID:1600

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uninsep.bat

Filesize
341B

MD5
41ddb882d48a72395b3515139dd01c52

SHA1
48efeeb0a8f01bc86d2957adea2eb1ae788bdda3

SHA256
1acf4bf64979e39f4a7e276840a4eaf15468f79e8624be78bcf35da2c3431063

SHA512
d338dc56e818d8619dd9dc5054264818ffe98d7f6a0586c7df8ebc3ec378c8598f5ff37f2f08f87c7c8429c2d7ae7bf1f323fab81885ff6051017fe9b25f5a5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
86bb2dbeaef655893262f3c041f6afe2

SHA1
1b26ff1241c1353bd506c18bd0c11878076ba65d

SHA256
4a57643d2c59d1235bc0926f845583f39345839e3e9428ad619eb4b6baf96ad2

SHA512
58294cfaa5882a4c5625c03fe6f9e4882912b31f7169241f95626745d66c0a746083a9044365943d66ae7a420113d28c0ddd642c4ed697c683deb63796a13d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
480B

MD5
11d9615329a1cdfa1ab7a650b825f435

SHA1
0f91ee49981e124cab8afe86bd87ab295542e5f2

SHA256
dce0607016a3203f0de90912663edf64312cd3f9d5951cf864d92128f0aa51fb

SHA512
2b223d824fa57eb1d880d4564e57f23258987af33b27759cd54b49a70834528f80f96b3caf7156df3d0b76131cc24ecfa6a47581dd1687f2ce391e1508e7e23d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ivuzyjr.exe

Filesize
700KB

MD5
9c565ea3994c5dbd49a45efd4105d0b5

SHA1
29a392d9bbf4fb4bc32d47ab5fcf3810fbcf7b1d

SHA256
c72803fcba9121a669d487589a9c1ced6cb9e5cf5f36c27e5e5b5a2677a90209

SHA512
bf8824fdbc35c6333505d0538382f8dc85919c349f8297acdf8ae7797c9e1f8ca0837a62a529e420a6ec1c2968630fd82893d666f53b11f66c7d623c1ced36d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ivuzyjr.exe

Filesize
700KB

MD5
9c565ea3994c5dbd49a45efd4105d0b5

SHA1
29a392d9bbf4fb4bc32d47ab5fcf3810fbcf7b1d

SHA256
c72803fcba9121a669d487589a9c1ced6cb9e5cf5f36c27e5e5b5a2677a90209

SHA512
bf8824fdbc35c6333505d0538382f8dc85919c349f8297acdf8ae7797c9e1f8ca0837a62a529e420a6ec1c2968630fd82893d666f53b11f66c7d623c1ced36d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\loquhyy.exe

Filesize
378KB

MD5
1e712874ec51cda40251f47e526fbcf4

SHA1
0dc6298c003509733874367ccc8e8167455b0627

SHA256
956e2560e93f5c363ba505c1dcdfbe3a1174efad808e45e6850cff7b4ef1ca9b

SHA512
3e8c31074633d226f0e8a227deefb7a8506bbc14dff2315e77a00619f39acf7569e5fbb628360345b4e45658ce744da901c17610b013124ebdf4c4d422fd860c

Download Submit
C:\Users\Admin\AppData\Local\Temp\loquhyy.exe

Filesize
378KB

MD5
1e712874ec51cda40251f47e526fbcf4

SHA1
0dc6298c003509733874367ccc8e8167455b0627

SHA256
956e2560e93f5c363ba505c1dcdfbe3a1174efad808e45e6850cff7b4ef1ca9b

SHA512
3e8c31074633d226f0e8a227deefb7a8506bbc14dff2315e77a00619f39acf7569e5fbb628360345b4e45658ce744da901c17610b013124ebdf4c4d422fd860c

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA21E.tmp

Filesize
703KB

MD5
378c38242a62f148c12443d622e420d1

SHA1
692e5c1a12bde1dcef1711649da6a7743d1d5bff

SHA256
1ec49cc216cab96fd9b9d489c9783eea3f8581d9838d97a4a969b69f1bc4d15e

SHA512
2ecd8181960d15454bbab300bce3ddd24b4182bcb794473a0e0a9bc03b1c59fa93bf93d801815f133d045094de5c8f8b50a71c72d10a06aac4040e472310134c

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA21E.tmp

Filesize
703KB

MD5
378c38242a62f148c12443d622e420d1

SHA1
692e5c1a12bde1dcef1711649da6a7743d1d5bff

SHA256
1ec49cc216cab96fd9b9d489c9783eea3f8581d9838d97a4a969b69f1bc4d15e

SHA512
2ecd8181960d15454bbab300bce3ddd24b4182bcb794473a0e0a9bc03b1c59fa93bf93d801815f133d045094de5c8f8b50a71c72d10a06aac4040e472310134c

Download Submit
memory/1600-142-0x0000000000000000-mapping.dmp

Download
memory/4176-141-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/4176-137-0x0000000000000000-mapping.dmp

Download
memory/4248-143-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/4248-132-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/4292-140-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/4292-145-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/4292-133-0x0000000000000000-mapping.dmp

Download
memory/4884-146-0x0000000000000000-mapping.dmp

Download
memory/4884-150-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download