87061ded85afdad10696adce31b6e56237c9e499a3b86c0992efbdbecd5ad3d3

Analysis

max time kernel
151s
max time network
161s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
07/11/2022, 11:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

87061ded85afdad10696adce31b6e56237c9e499a3b86c0992efbdbecd5ad3d3.exe
Size

729KB
MD5

03cd5c80aae30cee608db1ff6c3094e0
SHA1

84c0a210639ebc5ae015f52a190a50e2ce03ee64
SHA256

87061ded85afdad10696adce31b6e56237c9e499a3b86c0992efbdbecd5ad3d3
SHA512

85b63d353a8450221caea3c8d0ddc172dee58622bd33c8528977d0bb1a249166dd98dd2c22fd3d79434a2dcdd0d8cbc201c7b3ef4f9791562b6a82f4162d521e
SSDEEP

12288:PBjUUmQfHYbDG+IDHjPWFrS20/ncnaGBP5uJePWBQeBJiSycBcagEy2Vyv:PBvmcYb7IjjPWFe5IVp5Q+qlhBcagD2A

Score

8^/10

aspackv2

Malware Config

Signatures

ASPack v2.12-2.42 2 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x0003000000000721-143.dat	aspack_v212_v242
behavioral2/files/0x0003000000000721-144.dat	aspack_v212_v242

Executes dropped EXE 2 IoCs

pid	Process
4112	qotyt.exe
2880	huajg.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	87061ded85afdad10696adce31b6e56237c9e499a3b86c0992efbdbecd5ad3d3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	qotyt.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2880	huajg.exe
2880	huajg.exe
2880	huajg.exe
2880	huajg.exe
2880	huajg.exe
2880	huajg.exe
2880	huajg.exe
2880	huajg.exe
2880	huajg.exe
2880	huajg.exe
2880	huajg.exe
2880	huajg.exe
2880	huajg.exe
2880	huajg.exe
2880	huajg.exe
2880	huajg.exe
2880	huajg.exe
2880	huajg.exe
2880	huajg.exe
2880	huajg.exe
2880	huajg.exe
2880	huajg.exe
2880	huajg.exe
2880	huajg.exe
2880	huajg.exe
2880	huajg.exe
2880	huajg.exe
2880	huajg.exe
2880	huajg.exe
2880	huajg.exe
2880	huajg.exe
2880	huajg.exe
2880	huajg.exe
2880	huajg.exe
2880	huajg.exe
2880	huajg.exe
2880	huajg.exe
2880	huajg.exe
2880	huajg.exe
2880	huajg.exe
2880	huajg.exe
2880	huajg.exe
2880	huajg.exe
2880	huajg.exe
2880	huajg.exe
2880	huajg.exe
2880	huajg.exe
2880	huajg.exe
2880	huajg.exe
2880	huajg.exe
2880	huajg.exe
2880	huajg.exe
2880	huajg.exe
2880	huajg.exe
2880	huajg.exe
2880	huajg.exe
2880	huajg.exe
2880	huajg.exe
2880	huajg.exe
2880	huajg.exe
2880	huajg.exe
2880	huajg.exe
2880	huajg.exe
2880	huajg.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2688 wrote to memory of 4112	2688	87061ded85afdad10696adce31b6e56237c9e499a3b86c0992efbdbecd5ad3d3.exe	81
PID 2688 wrote to memory of 4112	2688	87061ded85afdad10696adce31b6e56237c9e499a3b86c0992efbdbecd5ad3d3.exe	81
PID 2688 wrote to memory of 4112	2688	87061ded85afdad10696adce31b6e56237c9e499a3b86c0992efbdbecd5ad3d3.exe	81
PID 2688 wrote to memory of 5020	2688	87061ded85afdad10696adce31b6e56237c9e499a3b86c0992efbdbecd5ad3d3.exe	82
PID 2688 wrote to memory of 5020	2688	87061ded85afdad10696adce31b6e56237c9e499a3b86c0992efbdbecd5ad3d3.exe	82
PID 2688 wrote to memory of 5020	2688	87061ded85afdad10696adce31b6e56237c9e499a3b86c0992efbdbecd5ad3d3.exe	82
PID 4112 wrote to memory of 2880	4112	qotyt.exe	91
PID 4112 wrote to memory of 2880	4112	qotyt.exe	91
PID 4112 wrote to memory of 2880	4112	qotyt.exe	91

C:\Users\Admin\AppData\Local\Temp\87061ded85afdad10696adce31b6e56237c9e499a3b86c0992efbdbecd5ad3d3.exe
"C:\Users\Admin\AppData\Local\Temp\87061ded85afdad10696adce31b6e56237c9e499a3b86c0992efbdbecd5ad3d3.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2688
- C:\Users\Admin\AppData\Local\Temp\qotyt.exe
  "C:\Users\Admin\AppData\Local\Temp\qotyt.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:4112
- - C:\Users\Admin\AppData\Local\Temp\huajg.exe
    "C:\Users\Admin\AppData\Local\Temp\huajg.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2880
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  PID:5020

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
dc93890ca9373cc24b7ee291734b60a4

SHA1
d9729c7ab96fadc11e4afb7d3ea46823396153fd

SHA256
b6e7c1baa34a3265a1da02a7405fcfa902b2bb7dae4b29776067c8e5ad9d1c9c

SHA512
2e607e758ac7fe2eda073b03fabf4de5434ba85d1c9d8a73dbf39e6d5c94ef3d3ee36b61d8f4c9cad95f4c7fa57a531875934c62075ba7b815fc04f9632e8b3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
36052d8bbe6e40df6c209a56b70aef4c

SHA1
c06e475b9b2be5d9cc0b3cdd606d068417e72b23

SHA256
dfba21f50ad10f27586ab4f5890454c1218204d0b2301908da46922f2d4ba132

SHA512
06670e20ffb7250b59355ed54ec6cd3d07084444d5c9aadb8aac369eec145c8362b88cea7827249cbf4cdbfd931a9046765ddfdca07f7a1786146ffc0b9886ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\huajg.exe

Filesize
247KB

MD5
bf0165798e27e82f240edf778a210e3a

SHA1
8b7e33596c4bc1e00fc72fdf004e89e91871a6c4

SHA256
e5e75ba7e56bf8a07a34d4f45f8da8773ca724a685c98d8f6b83817549e5adfe

SHA512
bdea9cb850d6c40d86ff3c16a947ce670986d81c02e29db5d46247485475fe51bd9c68d72a7bc77244e9fd89c8eb1d7411be6b788dae8aab7160fde9097083a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\huajg.exe

Filesize
247KB

MD5
bf0165798e27e82f240edf778a210e3a

SHA1
8b7e33596c4bc1e00fc72fdf004e89e91871a6c4

SHA256
e5e75ba7e56bf8a07a34d4f45f8da8773ca724a685c98d8f6b83817549e5adfe

SHA512
bdea9cb850d6c40d86ff3c16a947ce670986d81c02e29db5d46247485475fe51bd9c68d72a7bc77244e9fd89c8eb1d7411be6b788dae8aab7160fde9097083a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\qotyt.exe

Filesize
729KB

MD5
86376e82c61b93dde2633a0bd8537347

SHA1
6b8d033eeb92c62bca9363a152b281f101581219

SHA256
6966336056fa7029e54fb1afedd93bac972804127eae9d479f72693de608d73e

SHA512
51c582732a60e62f54c865f892a9fa3a5b5c7452f17d6db3e1b8cecc310f6f797c19223ecf973b88a35a6b269f1d15831b8dcea02b3d4796d765fb3615d301e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\qotyt.exe

Filesize
729KB

MD5
86376e82c61b93dde2633a0bd8537347

SHA1
6b8d033eeb92c62bca9363a152b281f101581219

SHA256
6966336056fa7029e54fb1afedd93bac972804127eae9d479f72693de608d73e

SHA512
51c582732a60e62f54c865f892a9fa3a5b5c7452f17d6db3e1b8cecc310f6f797c19223ecf973b88a35a6b269f1d15831b8dcea02b3d4796d765fb3615d301e8

Download Submit
memory/2688-137-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2688-132-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2880-146-0x0000000000E70000-0x0000000000F21000-memory.dmp

Filesize
708KB

Download
memory/2880-150-0x0000000000E70000-0x0000000000F21000-memory.dmp

Filesize
708KB

Download
memory/2880-147-0x0000000000E70000-0x0000000000F21000-memory.dmp

Filesize
708KB

Download
memory/2880-149-0x0000000000E70000-0x0000000000F21000-memory.dmp

Filesize
708KB

Download
memory/2880-148-0x0000000000E70000-0x0000000000F21000-memory.dmp

Filesize
708KB

Download
memory/4112-138-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/4112-145-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/4112-141-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download