d8e6c7ee68b71897d2175b778d25072b0ab08db7e050bee20eda9a5111098af2

Analysis

max time kernel
152s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 21:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d8e6c7ee68b71897d2175b778d25072b0ab08db7e050bee20eda9a5111098af2.exe
Size

640KB
MD5

47946e214bd828a73ddb6afc5c9e9940
SHA1

c8a5a877d2de530a683d87ace820b55c3f7f0042
SHA256

d8e6c7ee68b71897d2175b778d25072b0ab08db7e050bee20eda9a5111098af2
SHA512

7f1f22238fda010f963a3ad371c125d2d5f72b8224a85dfe295ad1a61ab73696185e4bea9b5b8d04162eaa8e9f8a060780dc0cdeeac761f9b534d267f05b9c88
SSDEEP

12288:VHjcoe9PH96vB/fAuBcm9TyOE/xG3muGx44MG4Yx:VDgINfAuBcgcZG2uG24MG4Y

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

hohufa.exe~DFA236.tmpkipyjk.exe

pid process

4196 hohufa.exe
3588 ~DFA236.tmp
4684 kipyjk.exe

pid	process
4196	hohufa.exe
3588	~DFA236.tmp
4684	kipyjk.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

d8e6c7ee68b71897d2175b778d25072b0ab08db7e050bee20eda9a5111098af2.exe~DFA236.tmp

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	d8e6c7ee68b71897d2175b778d25072b0ab08db7e050bee20eda9a5111098af2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	~DFA236.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 42 IoCs

Processes:

kipyjk.exe

pid	process
4684	kipyjk.exe
4684	kipyjk.exe
4684	kipyjk.exe
4684	kipyjk.exe
4684	kipyjk.exe
4684	kipyjk.exe
4684	kipyjk.exe
4684	kipyjk.exe
4684	kipyjk.exe
4684	kipyjk.exe
4684	kipyjk.exe
4684	kipyjk.exe
4684	kipyjk.exe
4684	kipyjk.exe
4684	kipyjk.exe
4684	kipyjk.exe
4684	kipyjk.exe
4684	kipyjk.exe
4684	kipyjk.exe
4684	kipyjk.exe
4684	kipyjk.exe
4684	kipyjk.exe
4684	kipyjk.exe
4684	kipyjk.exe
4684	kipyjk.exe
4684	kipyjk.exe
4684	kipyjk.exe
4684	kipyjk.exe
4684	kipyjk.exe
4684	kipyjk.exe
4684	kipyjk.exe
4684	kipyjk.exe
4684	kipyjk.exe
4684	kipyjk.exe
4684	kipyjk.exe
4684	kipyjk.exe
4684	kipyjk.exe
4684	kipyjk.exe
4684	kipyjk.exe
4684	kipyjk.exe
4684	kipyjk.exe
4684	kipyjk.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

~DFA236.tmp

description pid process

Token: SeDebugPrivilege 3588 ~DFA236.tmp

description	pid	process
Token: SeDebugPrivilege	3588	~DFA236.tmp

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

d8e6c7ee68b71897d2175b778d25072b0ab08db7e050bee20eda9a5111098af2.exehohufa.exe~DFA236.tmp

description	pid	process	target process
PID 5036 wrote to memory of 4196	5036	d8e6c7ee68b71897d2175b778d25072b0ab08db7e050bee20eda9a5111098af2.exe	hohufa.exe
PID 5036 wrote to memory of 4196	5036	d8e6c7ee68b71897d2175b778d25072b0ab08db7e050bee20eda9a5111098af2.exe	hohufa.exe
PID 5036 wrote to memory of 4196	5036	d8e6c7ee68b71897d2175b778d25072b0ab08db7e050bee20eda9a5111098af2.exe	hohufa.exe
PID 4196 wrote to memory of 3588	4196	hohufa.exe	~DFA236.tmp
PID 4196 wrote to memory of 3588	4196	hohufa.exe	~DFA236.tmp
PID 4196 wrote to memory of 3588	4196	hohufa.exe	~DFA236.tmp
PID 5036 wrote to memory of 4356	5036	d8e6c7ee68b71897d2175b778d25072b0ab08db7e050bee20eda9a5111098af2.exe	cmd.exe
PID 5036 wrote to memory of 4356	5036	d8e6c7ee68b71897d2175b778d25072b0ab08db7e050bee20eda9a5111098af2.exe	cmd.exe
PID 5036 wrote to memory of 4356	5036	d8e6c7ee68b71897d2175b778d25072b0ab08db7e050bee20eda9a5111098af2.exe	cmd.exe
PID 3588 wrote to memory of 4684	3588	~DFA236.tmp	kipyjk.exe
PID 3588 wrote to memory of 4684	3588	~DFA236.tmp	kipyjk.exe
PID 3588 wrote to memory of 4684	3588	~DFA236.tmp	kipyjk.exe

C:\Users\Admin\AppData\Local\Temp\d8e6c7ee68b71897d2175b778d25072b0ab08db7e050bee20eda9a5111098af2.exe
"C:\Users\Admin\AppData\Local\Temp\d8e6c7ee68b71897d2175b778d25072b0ab08db7e050bee20eda9a5111098af2.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5036

C:\Users\Admin\AppData\Local\Temp\hohufa.exe
C:\Users\Admin\AppData\Local\Temp\hohufa.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4196

C:\Users\Admin\AppData\Local\Temp\~DFA236.tmp
C:\Users\Admin\AppData\Local\Temp\~DFA236.tmp OK
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3588

C:\Users\Admin\AppData\Local\Temp\kipyjk.exe
"C:\Users\Admin\AppData\Local\Temp\kipyjk.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4684

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
2⤵
PID:4356

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uninsep.bat
Filesize
341B

MD5
0ceb8ea893f511509ad9cd0d5133d0d3

SHA1
ad682cfa42b8b670a863cb51536da0c525cb1070

SHA256
3cb324c4ec7cb0da2743d8ea61f87646f5e9bd2f1bc023d1306472df1eb3aad6

SHA512
5acf349ef193457464bef1123a62c25d650a9ab5b42f1952401bec179c0cbb037f393c70f16575ebd82a01687c481fdb7f916aac62069c12952d47a8209c2537

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini
Filesize
104B

MD5
86bb2dbeaef655893262f3c041f6afe2

SHA1
1b26ff1241c1353bd506c18bd0c11878076ba65d

SHA256
4a57643d2c59d1235bc0926f845583f39345839e3e9428ad619eb4b6baf96ad2

SHA512
58294cfaa5882a4c5625c03fe6f9e4882912b31f7169241f95626745d66c0a746083a9044365943d66ae7a420113d28c0ddd642c4ed697c683deb63796a13d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
Filesize
480B

MD5
2b526cdca22768eead9dffb9ae60a61d

SHA1
0b3fe0c0b9c6d40dbe698f9a3efa79d0967b7ab8

SHA256
92d8ed416005eb17591533dbfb6defa75b5fa30db119ffd680a7387d0bd8fb7d

SHA512
c1d6c3b7547b7ce96c1b27496369859b7787bebfcf5539ff82d8827e8c10314fafe1b9c3b82b9f2f44d834ff0c074778d4ca5ae9708df9ad7977c4276815f62e

Download Submit
C:\Users\Admin\AppData\Local\Temp\hohufa.exe
Filesize
646KB

MD5
0dfaf2f441d90c732349be4734b09998

SHA1
5e14ff090fbda6321189549ffb2acfc1fc442783

SHA256
5325593f3b0d2a6938364f6a5d4a90caa444b760754c1d8e70e44e1e1dad0972

SHA512
b2253e33dcca63c06ef68640a095d75b32cbf1948a16e13c4c2388ab64dba530b17810ba1424965f0a95da5028964b6f4a0acf510bd7a45d15b57e82ffec5988

Download Submit
C:\Users\Admin\AppData\Local\Temp\hohufa.exe
Filesize
646KB

MD5
0dfaf2f441d90c732349be4734b09998

SHA1
5e14ff090fbda6321189549ffb2acfc1fc442783

SHA256
5325593f3b0d2a6938364f6a5d4a90caa444b760754c1d8e70e44e1e1dad0972

SHA512
b2253e33dcca63c06ef68640a095d75b32cbf1948a16e13c4c2388ab64dba530b17810ba1424965f0a95da5028964b6f4a0acf510bd7a45d15b57e82ffec5988

Download Submit
C:\Users\Admin\AppData\Local\Temp\kipyjk.exe
Filesize
404KB

MD5
f3dd81ada279ae6309585e1b117a67f7

SHA1
cb1a5cc7357b6527c1779556e053a921a82deed1

SHA256
aaa99c02d81c7e5a3e07206b8f0af52ee4a15d78a8f3797f77050c1931c5a1f3

SHA512
53561f4457783483ec21137571ce356def0eea2906da509627a52592326e04b33279973b7dc2d49cd6281a3b8272ae7aa177f8fe585acb7247e687ef86fd7cbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\kipyjk.exe
Filesize
404KB

MD5
f3dd81ada279ae6309585e1b117a67f7

SHA1
cb1a5cc7357b6527c1779556e053a921a82deed1

SHA256
aaa99c02d81c7e5a3e07206b8f0af52ee4a15d78a8f3797f77050c1931c5a1f3

SHA512
53561f4457783483ec21137571ce356def0eea2906da509627a52592326e04b33279973b7dc2d49cd6281a3b8272ae7aa177f8fe585acb7247e687ef86fd7cbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA236.tmp
Filesize
652KB

MD5
19f0f5420bbed1073eeaa72a64bf8765

SHA1
12f452a79b74c681e7fbf013800239d6de771ffa

SHA256
f7d23902dd6c54f196f532819adf51dbf55aecc0e8a62feca63258e8aea68216

SHA512
830e65f1b756bade5f05ee4df56bd1e128ce35e78a6bbdf4dded6d442e6dbaf829644bec50e28dff8822b33fa63eef2e5724922403b41dbfada9687530b85508

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA236.tmp
Filesize
652KB

MD5
19f0f5420bbed1073eeaa72a64bf8765

SHA1
12f452a79b74c681e7fbf013800239d6de771ffa

SHA256
f7d23902dd6c54f196f532819adf51dbf55aecc0e8a62feca63258e8aea68216

SHA512
830e65f1b756bade5f05ee4df56bd1e128ce35e78a6bbdf4dded6d442e6dbaf829644bec50e28dff8822b33fa63eef2e5724922403b41dbfada9687530b85508

Download Submit
memory/3588-137-0x0000000000000000-mapping.dmp

Download
memory/3588-141-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/3588-146-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/4196-142-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/4196-140-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/4196-133-0x0000000000000000-mapping.dmp

Download
memory/4356-143-0x0000000000000000-mapping.dmp

Download
memory/4684-147-0x0000000000000000-mapping.dmp

Download
memory/4684-151-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/4684-152-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/5036-144-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/5036-132-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download