9d348db48f08b45bd53cd358ca6477f92ca8742feae8fedd914171a6f1c82e17

Analysis

max time kernel
152s
max time network
163s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 21:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9d348db48f08b45bd53cd358ca6477f92ca8742feae8fedd914171a6f1c82e17.exe
Size

599KB
MD5

4f4b7526252b7b78dc29e3bcf0f48c50
SHA1

b6c68f1a1671401e0e3fcb3198f408feee12f961
SHA256

9d348db48f08b45bd53cd358ca6477f92ca8742feae8fedd914171a6f1c82e17
SHA512

91c4c137cc606ea1b907f56bca6dfb4f49ca0743da58fa73f2814d21ffb51de20c475eb90cbe523fe3bb2ebed9947dd113118ec8b43c1207a9cbee716728a4fa
SSDEEP

12288:VHjcoe9PH96vB/fAuBcm9TyOE/xG3muGx44MG4Yx:VDgINfAuBcgcZG2uG24MG4Y

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

ruviuki.exe~DFA253.tmpevjeimf.exe

pid process

3880 ruviuki.exe
3900 ~DFA253.tmp
3336 evjeimf.exe

pid	process
3880	ruviuki.exe
3900	~DFA253.tmp
3336	evjeimf.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

9d348db48f08b45bd53cd358ca6477f92ca8742feae8fedd914171a6f1c82e17.exe~DFA253.tmp

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	9d348db48f08b45bd53cd358ca6477f92ca8742feae8fedd914171a6f1c82e17.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	~DFA253.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 22 IoCs

Processes:

evjeimf.exe

pid	process
3336	evjeimf.exe
3336	evjeimf.exe
3336	evjeimf.exe
3336	evjeimf.exe
3336	evjeimf.exe
3336	evjeimf.exe
3336	evjeimf.exe
3336	evjeimf.exe
3336	evjeimf.exe
3336	evjeimf.exe
3336	evjeimf.exe
3336	evjeimf.exe
3336	evjeimf.exe
3336	evjeimf.exe
3336	evjeimf.exe
3336	evjeimf.exe
3336	evjeimf.exe
3336	evjeimf.exe
3336	evjeimf.exe
3336	evjeimf.exe
3336	evjeimf.exe
3336	evjeimf.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

~DFA253.tmp

description pid process

Token: SeDebugPrivilege 3900 ~DFA253.tmp

description	pid	process
Token: SeDebugPrivilege	3900	~DFA253.tmp

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

9d348db48f08b45bd53cd358ca6477f92ca8742feae8fedd914171a6f1c82e17.exeruviuki.exe~DFA253.tmp

description	pid	process	target process
PID 2112 wrote to memory of 3880	2112	9d348db48f08b45bd53cd358ca6477f92ca8742feae8fedd914171a6f1c82e17.exe	ruviuki.exe
PID 2112 wrote to memory of 3880	2112	9d348db48f08b45bd53cd358ca6477f92ca8742feae8fedd914171a6f1c82e17.exe	ruviuki.exe
PID 2112 wrote to memory of 3880	2112	9d348db48f08b45bd53cd358ca6477f92ca8742feae8fedd914171a6f1c82e17.exe	ruviuki.exe
PID 3880 wrote to memory of 3900	3880	ruviuki.exe	~DFA253.tmp
PID 3880 wrote to memory of 3900	3880	ruviuki.exe	~DFA253.tmp
PID 3880 wrote to memory of 3900	3880	ruviuki.exe	~DFA253.tmp
PID 2112 wrote to memory of 860	2112	9d348db48f08b45bd53cd358ca6477f92ca8742feae8fedd914171a6f1c82e17.exe	cmd.exe
PID 2112 wrote to memory of 860	2112	9d348db48f08b45bd53cd358ca6477f92ca8742feae8fedd914171a6f1c82e17.exe	cmd.exe
PID 2112 wrote to memory of 860	2112	9d348db48f08b45bd53cd358ca6477f92ca8742feae8fedd914171a6f1c82e17.exe	cmd.exe
PID 3900 wrote to memory of 3336	3900	~DFA253.tmp	evjeimf.exe
PID 3900 wrote to memory of 3336	3900	~DFA253.tmp	evjeimf.exe
PID 3900 wrote to memory of 3336	3900	~DFA253.tmp	evjeimf.exe

C:\Users\Admin\AppData\Local\Temp\9d348db48f08b45bd53cd358ca6477f92ca8742feae8fedd914171a6f1c82e17.exe
"C:\Users\Admin\AppData\Local\Temp\9d348db48f08b45bd53cd358ca6477f92ca8742feae8fedd914171a6f1c82e17.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2112

C:\Users\Admin\AppData\Local\Temp\ruviuki.exe
C:\Users\Admin\AppData\Local\Temp\ruviuki.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3880

C:\Users\Admin\AppData\Local\Temp\~DFA253.tmp
C:\Users\Admin\AppData\Local\Temp\~DFA253.tmp OK
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3900

C:\Users\Admin\AppData\Local\Temp\evjeimf.exe
"C:\Users\Admin\AppData\Local\Temp\evjeimf.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3336

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
2⤵
PID:860

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uninsep.bat
Filesize
341B

MD5
f075600f4d8a6af038d8151ae73bcd19

SHA1
ae2ce03ed38ae53e1f83d4fefea5a946224993e1

SHA256
caa77250f79375aa9114d013c6f207decdb33f666f20d1c86be770c093a8a1ea

SHA512
f48eecec864e903f4d31bb5d75cb5f89baf235d0fc73727be40ec801e402d250cacde4c28239fb6852eebc071a409c26a5e16527b09ae5be6463cdc732fdb8c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\evjeimf.exe
Filesize
386KB

MD5
f2d93927672a4190e7b4a5ef3536baa8

SHA1
58245dbbfdddd095a73fdb4aa19b8acb344b8b42

SHA256
fbc896e1468423d7bbba9a8cd4d49404f103de2e521592e13bef0fdf8d1ed8ee

SHA512
72d2a95320db87f0a89f3d6cdf2ab8b139fd8213f5f7f5826621cc9d259814cb5d7c0b71c27c33534aba3dbd3f6d5e4b5992598dad1cf5c25cf64d291c124f77

Download Submit
C:\Users\Admin\AppData\Local\Temp\evjeimf.exe
Filesize
386KB

MD5
f2d93927672a4190e7b4a5ef3536baa8

SHA1
58245dbbfdddd095a73fdb4aa19b8acb344b8b42

SHA256
fbc896e1468423d7bbba9a8cd4d49404f103de2e521592e13bef0fdf8d1ed8ee

SHA512
72d2a95320db87f0a89f3d6cdf2ab8b139fd8213f5f7f5826621cc9d259814cb5d7c0b71c27c33534aba3dbd3f6d5e4b5992598dad1cf5c25cf64d291c124f77

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini
Filesize
104B

MD5
86bb2dbeaef655893262f3c041f6afe2

SHA1
1b26ff1241c1353bd506c18bd0c11878076ba65d

SHA256
4a57643d2c59d1235bc0926f845583f39345839e3e9428ad619eb4b6baf96ad2

SHA512
58294cfaa5882a4c5625c03fe6f9e4882912b31f7169241f95626745d66c0a746083a9044365943d66ae7a420113d28c0ddd642c4ed697c683deb63796a13d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
Filesize
480B

MD5
3503f487be74711dabf23915de342ca1

SHA1
557e6319eb24531fdf4166aad037f5ee5bd956d8

SHA256
1b9311b524dc4b84735bd60f559d1a531de81328c0a030725a77bf56cb5b46a3

SHA512
638cf8b0e78c23b6f5875166ecd52ab36f9e4bb5738eaba6f7a14bbd142232738a4c572d285e140bc28022bf56d6e1e2c90ff25eb85eac0833c9a5594bcce578

Download Submit
C:\Users\Admin\AppData\Local\Temp\ruviuki.exe
Filesize
603KB

MD5
b704cc808b8c844577232488e8fc23ef

SHA1
06babbcf5340f52ff8d1dffa172f3fa5a3bff975

SHA256
81052235c6dbadd63e6f68f48d53010aff72876b54b0c1d4708e8fa2c7ab5ea0

SHA512
b7d34e563c15006314fa6c2a8a538dec28b95e77536a63059259641734fa7855d2e25bb2efe3cc962072e0910daccb7cd58da42706793881b0d873a1e7353cd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ruviuki.exe
Filesize
603KB

MD5
b704cc808b8c844577232488e8fc23ef

SHA1
06babbcf5340f52ff8d1dffa172f3fa5a3bff975

SHA256
81052235c6dbadd63e6f68f48d53010aff72876b54b0c1d4708e8fa2c7ab5ea0

SHA512
b7d34e563c15006314fa6c2a8a538dec28b95e77536a63059259641734fa7855d2e25bb2efe3cc962072e0910daccb7cd58da42706793881b0d873a1e7353cd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA253.tmp
Filesize
609KB

MD5
35f9bb5daacb6657a5baa7008d6ac783

SHA1
33790d8d7dd61cca34759d025df3701b06fac569

SHA256
90116bebb67166543f8f286ba3bbd684b9fa8f5037c0b8891891faf0199ed66c

SHA512
1310332ca009e7445edc99ce32a791e042eda16fe5967881ba27d7b2645571fdcdaae0711524d088a6dd6a139d5650e935a486c0ab9725fd67d67bc73502cae9

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA253.tmp
Filesize
609KB

MD5
35f9bb5daacb6657a5baa7008d6ac783

SHA1
33790d8d7dd61cca34759d025df3701b06fac569

SHA256
90116bebb67166543f8f286ba3bbd684b9fa8f5037c0b8891891faf0199ed66c

SHA512
1310332ca009e7445edc99ce32a791e042eda16fe5967881ba27d7b2645571fdcdaae0711524d088a6dd6a139d5650e935a486c0ab9725fd67d67bc73502cae9

Download Submit
memory/860-142-0x0000000000000000-mapping.dmp

Download
memory/2112-143-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/2112-138-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/2112-132-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/3336-148-0x0000000000000000-mapping.dmp

Download
memory/3336-151-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/3880-137-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/3880-145-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/3880-133-0x0000000000000000-mapping.dmp

Download
memory/3900-147-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/3900-144-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/3900-139-0x0000000000000000-mapping.dmp

Download