f7de28e89a65b8cdd88710f562f8cedd392f04e5cfb2c717cfbeeb847f0286f5

Analysis

max time kernel
163s
max time network
176s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 21:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f7de28e89a65b8cdd88710f562f8cedd392f04e5cfb2c717cfbeeb847f0286f5.exe
Size

678KB
MD5

57cc347ccb692e8ee2a8a646a1e357f0
SHA1

64d06fcc42b66cb0395d3acd2defb2ffe630a069
SHA256

f7de28e89a65b8cdd88710f562f8cedd392f04e5cfb2c717cfbeeb847f0286f5
SHA512

796aac260edbd09d651213c961cbd34a4ae661ed4f7f46db6913b19b87861806083c8e4e594d8bedf9c7bf2497fb2852afbc74e21588f8ed13d4be311e2635ef
SSDEEP

12288:OHjcoe9PH96vB/fAuBcm9TyOE/xG3muGx44MG4Yx:ODgINfAuBcgcZG2uG24MG4Y

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

atvivyz.exe~DFA235.tmplotueoy.exe

pid process

1732 atvivyz.exe
4552 ~DFA235.tmp
4592 lotueoy.exe

pid	process
1732	atvivyz.exe
4552	~DFA235.tmp
4592	lotueoy.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

f7de28e89a65b8cdd88710f562f8cedd392f04e5cfb2c717cfbeeb847f0286f5.exe~DFA235.tmp

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	f7de28e89a65b8cdd88710f562f8cedd392f04e5cfb2c717cfbeeb847f0286f5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	~DFA235.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 40 IoCs

Processes:

lotueoy.exe

pid	process
4592	lotueoy.exe
4592	lotueoy.exe
4592	lotueoy.exe
4592	lotueoy.exe
4592	lotueoy.exe
4592	lotueoy.exe
4592	lotueoy.exe
4592	lotueoy.exe
4592	lotueoy.exe
4592	lotueoy.exe
4592	lotueoy.exe
4592	lotueoy.exe
4592	lotueoy.exe
4592	lotueoy.exe
4592	lotueoy.exe
4592	lotueoy.exe
4592	lotueoy.exe
4592	lotueoy.exe
4592	lotueoy.exe
4592	lotueoy.exe
4592	lotueoy.exe
4592	lotueoy.exe
4592	lotueoy.exe
4592	lotueoy.exe
4592	lotueoy.exe
4592	lotueoy.exe
4592	lotueoy.exe
4592	lotueoy.exe
4592	lotueoy.exe
4592	lotueoy.exe
4592	lotueoy.exe
4592	lotueoy.exe
4592	lotueoy.exe
4592	lotueoy.exe
4592	lotueoy.exe
4592	lotueoy.exe
4592	lotueoy.exe
4592	lotueoy.exe
4592	lotueoy.exe
4592	lotueoy.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

~DFA235.tmp

description pid process

Token: SeDebugPrivilege 4552 ~DFA235.tmp

description	pid	process
Token: SeDebugPrivilege	4552	~DFA235.tmp

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

f7de28e89a65b8cdd88710f562f8cedd392f04e5cfb2c717cfbeeb847f0286f5.exeatvivyz.exe~DFA235.tmp

description	pid	process	target process
PID 2408 wrote to memory of 1732	2408	f7de28e89a65b8cdd88710f562f8cedd392f04e5cfb2c717cfbeeb847f0286f5.exe	atvivyz.exe
PID 2408 wrote to memory of 1732	2408	f7de28e89a65b8cdd88710f562f8cedd392f04e5cfb2c717cfbeeb847f0286f5.exe	atvivyz.exe
PID 2408 wrote to memory of 1732	2408	f7de28e89a65b8cdd88710f562f8cedd392f04e5cfb2c717cfbeeb847f0286f5.exe	atvivyz.exe
PID 1732 wrote to memory of 4552	1732	atvivyz.exe	~DFA235.tmp
PID 1732 wrote to memory of 4552	1732	atvivyz.exe	~DFA235.tmp
PID 1732 wrote to memory of 4552	1732	atvivyz.exe	~DFA235.tmp
PID 2408 wrote to memory of 4072	2408	f7de28e89a65b8cdd88710f562f8cedd392f04e5cfb2c717cfbeeb847f0286f5.exe	cmd.exe
PID 2408 wrote to memory of 4072	2408	f7de28e89a65b8cdd88710f562f8cedd392f04e5cfb2c717cfbeeb847f0286f5.exe	cmd.exe
PID 2408 wrote to memory of 4072	2408	f7de28e89a65b8cdd88710f562f8cedd392f04e5cfb2c717cfbeeb847f0286f5.exe	cmd.exe
PID 4552 wrote to memory of 4592	4552	~DFA235.tmp	lotueoy.exe
PID 4552 wrote to memory of 4592	4552	~DFA235.tmp	lotueoy.exe
PID 4552 wrote to memory of 4592	4552	~DFA235.tmp	lotueoy.exe

C:\Users\Admin\AppData\Local\Temp\f7de28e89a65b8cdd88710f562f8cedd392f04e5cfb2c717cfbeeb847f0286f5.exe
"C:\Users\Admin\AppData\Local\Temp\f7de28e89a65b8cdd88710f562f8cedd392f04e5cfb2c717cfbeeb847f0286f5.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2408

C:\Users\Admin\AppData\Local\Temp\atvivyz.exe
C:\Users\Admin\AppData\Local\Temp\atvivyz.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1732

C:\Users\Admin\AppData\Local\Temp\~DFA235.tmp
C:\Users\Admin\AppData\Local\Temp\~DFA235.tmp OK
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4552

C:\Users\Admin\AppData\Local\Temp\lotueoy.exe
"C:\Users\Admin\AppData\Local\Temp\lotueoy.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4592

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
2⤵
PID:4072

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uninsep.bat

Filesize
341B

MD5
b2f9f55f99dc7aa2bdd62d8f0afa85f4

SHA1
69f322bc72f6fa6f9127578c6407143f583b9a40

SHA256
af91ee3bd6552d8c48698906c7e68b0339e938f70f645621aed4546d0d26a8b4

SHA512
0dfe2b2392977c726a84da0165e6a48f77c6555c49af0e26c99b9ccce397355f4367f5ec69ffbd63e769fb5b1854463df2264a4e914f1f5a41bffc59f6387c24

Download Submit
C:\Users\Admin\AppData\Local\Temp\atvivyz.exe

Filesize
683KB

MD5
4a6729024be3e7fc44d29ab44ad7ed6f

SHA1
9d0ef2afd11bd2a1b2286ae26e7e0adcd6df8ec7

SHA256
398ffdef29f1759bd28248b60975ea819b7dc4df6a155d0348c7ab96c70a5b0d

SHA512
2e55097fd3abb9daf875eaf72b46c1cdce2c6c996ef89b87d4c16419b8357743e82bcdd642e3f68195ae25d66599b4193667622c09e299aa41dc08ba6eac7f28

Download Submit
C:\Users\Admin\AppData\Local\Temp\atvivyz.exe

Filesize
683KB

MD5
4a6729024be3e7fc44d29ab44ad7ed6f

SHA1
9d0ef2afd11bd2a1b2286ae26e7e0adcd6df8ec7

SHA256
398ffdef29f1759bd28248b60975ea819b7dc4df6a155d0348c7ab96c70a5b0d

SHA512
2e55097fd3abb9daf875eaf72b46c1cdce2c6c996ef89b87d4c16419b8357743e82bcdd642e3f68195ae25d66599b4193667622c09e299aa41dc08ba6eac7f28

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
86bb2dbeaef655893262f3c041f6afe2

SHA1
1b26ff1241c1353bd506c18bd0c11878076ba65d

SHA256
4a57643d2c59d1235bc0926f845583f39345839e3e9428ad619eb4b6baf96ad2

SHA512
58294cfaa5882a4c5625c03fe6f9e4882912b31f7169241f95626745d66c0a746083a9044365943d66ae7a420113d28c0ddd642c4ed697c683deb63796a13d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
480B

MD5
968e789fc2cc800bedfd7ef958392050

SHA1
fe608041027d72a0cb3d20b845148f2b29817a27

SHA256
1f7ec1112ebe178b7ddbf256debd499c0239dee2535a4d0141d9918bad87f13b

SHA512
562dc566e1d5b04825ca3bcb04881a144fe577b437a4ea03bbca6436e49d5da42896193f693a7a19e27108bce270daa3d05758d0114808dd592ec1a76797d1ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\lotueoy.exe

Filesize
383KB

MD5
1c84df622eba1ff96abd30afea0d2619

SHA1
9cce0497b03dbe289d9a2581ec2ba61aef8c2c55

SHA256
678ab3d221da3393eb0591b79688ab58f5ab04b523ffcaa15c95012398eb45bc

SHA512
ae3aa4a3f8df70dd1320a7da6524e6bc067112cc2b2e744afd6afe072f8b2baa336759a37450099171599c017db0698afc411b7b5687e0703ed505be84dd014b

Download Submit
C:\Users\Admin\AppData\Local\Temp\lotueoy.exe

Filesize
383KB

MD5
1c84df622eba1ff96abd30afea0d2619

SHA1
9cce0497b03dbe289d9a2581ec2ba61aef8c2c55

SHA256
678ab3d221da3393eb0591b79688ab58f5ab04b523ffcaa15c95012398eb45bc

SHA512
ae3aa4a3f8df70dd1320a7da6524e6bc067112cc2b2e744afd6afe072f8b2baa336759a37450099171599c017db0698afc411b7b5687e0703ed505be84dd014b

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA235.tmp

Filesize
689KB

MD5
807a8d38589fd573246c7eb7918eb43b

SHA1
cf051756128669b673833445bf782f8748e45488

SHA256
3e88613954e97ef8663df5aa0b0fad123511415c84f6a9b7468b38a695255b2d

SHA512
2ec5b063b7b1b81c4bbf42395bc1134487f25c63a47a974179909e2c75a44b05c5b26cc542ac9d36285d388543b48974f120d5671e6c05fa321c8f971686efe0

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA235.tmp

Filesize
689KB

MD5
807a8d38589fd573246c7eb7918eb43b

SHA1
cf051756128669b673833445bf782f8748e45488

SHA256
3e88613954e97ef8663df5aa0b0fad123511415c84f6a9b7468b38a695255b2d

SHA512
2ec5b063b7b1b81c4bbf42395bc1134487f25c63a47a974179909e2c75a44b05c5b26cc542ac9d36285d388543b48974f120d5671e6c05fa321c8f971686efe0

Download Submit
memory/1732-133-0x0000000000000000-mapping.dmp

Download
memory/1732-142-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/2408-141-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/2408-132-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/4072-140-0x0000000000000000-mapping.dmp

Download
memory/4552-144-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/4552-137-0x0000000000000000-mapping.dmp

Download
memory/4592-145-0x0000000000000000-mapping.dmp

Download
memory/4592-148-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/4592-150-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download