727ad25e6fd7e96b16c60dc9f4308599fc45ed433ad4c6e38c78c4c6b4bf3f40

Analysis

max time kernel
174s
max time network
182s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 21:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

727ad25e6fd7e96b16c60dc9f4308599fc45ed433ad4c6e38c78c4c6b4bf3f40.exe
Size

686KB
MD5

535138c6ab8c3fa53a1b8ffe62a23930
SHA1

92692d33f4cbb39f6bebb4f6c9f592ca3059d772
SHA256

727ad25e6fd7e96b16c60dc9f4308599fc45ed433ad4c6e38c78c4c6b4bf3f40
SHA512

0d118a404f06ba2f065ea03f36802774f14331fc9bf0a8b8fbd17b1b343fe4374721cfe43e562aa4867345704ec4fda85517e098bacaf605378718e73fa7d467
SSDEEP

12288:VHjcoe9PH96vB/fAuBcm9TyOE/xG3muGx44MG4Yx:VDgINfAuBcgcZG2uG24MG4Y

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

lopuvuo.exe~DFA242.tmpbuzyzuq.exe

pid process

456 lopuvuo.exe
2184 ~DFA242.tmp
3612 buzyzuq.exe

pid	process
456	lopuvuo.exe
2184	~DFA242.tmp
3612	buzyzuq.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

727ad25e6fd7e96b16c60dc9f4308599fc45ed433ad4c6e38c78c4c6b4bf3f40.exe~DFA242.tmp

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	727ad25e6fd7e96b16c60dc9f4308599fc45ed433ad4c6e38c78c4c6b4bf3f40.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	~DFA242.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 42 IoCs

Processes:

buzyzuq.exe

pid	process
3612	buzyzuq.exe
3612	buzyzuq.exe
3612	buzyzuq.exe
3612	buzyzuq.exe
3612	buzyzuq.exe
3612	buzyzuq.exe
3612	buzyzuq.exe
3612	buzyzuq.exe
3612	buzyzuq.exe
3612	buzyzuq.exe
3612	buzyzuq.exe
3612	buzyzuq.exe
3612	buzyzuq.exe
3612	buzyzuq.exe
3612	buzyzuq.exe
3612	buzyzuq.exe
3612	buzyzuq.exe
3612	buzyzuq.exe
3612	buzyzuq.exe
3612	buzyzuq.exe
3612	buzyzuq.exe
3612	buzyzuq.exe
3612	buzyzuq.exe
3612	buzyzuq.exe
3612	buzyzuq.exe
3612	buzyzuq.exe
3612	buzyzuq.exe
3612	buzyzuq.exe
3612	buzyzuq.exe
3612	buzyzuq.exe
3612	buzyzuq.exe
3612	buzyzuq.exe
3612	buzyzuq.exe
3612	buzyzuq.exe
3612	buzyzuq.exe
3612	buzyzuq.exe
3612	buzyzuq.exe
3612	buzyzuq.exe
3612	buzyzuq.exe
3612	buzyzuq.exe
3612	buzyzuq.exe
3612	buzyzuq.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

~DFA242.tmp

description pid process

Token: SeDebugPrivilege 2184 ~DFA242.tmp

description	pid	process
Token: SeDebugPrivilege	2184	~DFA242.tmp

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

727ad25e6fd7e96b16c60dc9f4308599fc45ed433ad4c6e38c78c4c6b4bf3f40.exelopuvuo.exe~DFA242.tmp

description	pid	process	target process
PID 4204 wrote to memory of 456	4204	727ad25e6fd7e96b16c60dc9f4308599fc45ed433ad4c6e38c78c4c6b4bf3f40.exe	lopuvuo.exe
PID 4204 wrote to memory of 456	4204	727ad25e6fd7e96b16c60dc9f4308599fc45ed433ad4c6e38c78c4c6b4bf3f40.exe	lopuvuo.exe
PID 4204 wrote to memory of 456	4204	727ad25e6fd7e96b16c60dc9f4308599fc45ed433ad4c6e38c78c4c6b4bf3f40.exe	lopuvuo.exe
PID 456 wrote to memory of 2184	456	lopuvuo.exe	~DFA242.tmp
PID 456 wrote to memory of 2184	456	lopuvuo.exe	~DFA242.tmp
PID 456 wrote to memory of 2184	456	lopuvuo.exe	~DFA242.tmp
PID 4204 wrote to memory of 5024	4204	727ad25e6fd7e96b16c60dc9f4308599fc45ed433ad4c6e38c78c4c6b4bf3f40.exe	cmd.exe
PID 4204 wrote to memory of 5024	4204	727ad25e6fd7e96b16c60dc9f4308599fc45ed433ad4c6e38c78c4c6b4bf3f40.exe	cmd.exe
PID 4204 wrote to memory of 5024	4204	727ad25e6fd7e96b16c60dc9f4308599fc45ed433ad4c6e38c78c4c6b4bf3f40.exe	cmd.exe
PID 2184 wrote to memory of 3612	2184	~DFA242.tmp	buzyzuq.exe
PID 2184 wrote to memory of 3612	2184	~DFA242.tmp	buzyzuq.exe
PID 2184 wrote to memory of 3612	2184	~DFA242.tmp	buzyzuq.exe

C:\Users\Admin\AppData\Local\Temp\727ad25e6fd7e96b16c60dc9f4308599fc45ed433ad4c6e38c78c4c6b4bf3f40.exe
"C:\Users\Admin\AppData\Local\Temp\727ad25e6fd7e96b16c60dc9f4308599fc45ed433ad4c6e38c78c4c6b4bf3f40.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4204

C:\Users\Admin\AppData\Local\Temp\lopuvuo.exe
C:\Users\Admin\AppData\Local\Temp\lopuvuo.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:456

C:\Users\Admin\AppData\Local\Temp\~DFA242.tmp
C:\Users\Admin\AppData\Local\Temp\~DFA242.tmp OK
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2184

C:\Users\Admin\AppData\Local\Temp\buzyzuq.exe
"C:\Users\Admin\AppData\Local\Temp\buzyzuq.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3612

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
2⤵
PID:5024

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uninsep.bat
Filesize
341B

MD5
37a516c7deef1ce9b4089b5b519b0846

SHA1
162a596f7226d1bd822eda844fc693a15d798fe6

SHA256
7ee18c6b7119fb0f08e62ab03a11c44989a970854a100c057061e03b43670aa3

SHA512
4bda090a1c65d1f0c0bbf4038b804bbe3d55744a6b25cbbac38050e03942973732117a5beffccad0d5fb5ed9dd7c094ec3c9c4d3ffc6841f19590df102a97c3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\buzyzuq.exe
Filesize
399KB

MD5
0dd5109a20b3dc72279d687b789782ae

SHA1
959727cc81cb5d8c0546d63b2070a2087eea63e8

SHA256
621fddd019172b9ad0f0d694ec5bd2a59c46d767444545e8ee778534c1cda378

SHA512
fdc3f934dd53c49935f08b867c29736f276df5d612e2f379cbde2428f49315633b89e9b0428d60dcfb79e9705b2a6c2e5ad1f057b4c066f0447cd65604c44a32

Download Submit
C:\Users\Admin\AppData\Local\Temp\buzyzuq.exe
Filesize
399KB

MD5
0dd5109a20b3dc72279d687b789782ae

SHA1
959727cc81cb5d8c0546d63b2070a2087eea63e8

SHA256
621fddd019172b9ad0f0d694ec5bd2a59c46d767444545e8ee778534c1cda378

SHA512
fdc3f934dd53c49935f08b867c29736f276df5d612e2f379cbde2428f49315633b89e9b0428d60dcfb79e9705b2a6c2e5ad1f057b4c066f0447cd65604c44a32

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini
Filesize
104B

MD5
86bb2dbeaef655893262f3c041f6afe2

SHA1
1b26ff1241c1353bd506c18bd0c11878076ba65d

SHA256
4a57643d2c59d1235bc0926f845583f39345839e3e9428ad619eb4b6baf96ad2

SHA512
58294cfaa5882a4c5625c03fe6f9e4882912b31f7169241f95626745d66c0a746083a9044365943d66ae7a420113d28c0ddd642c4ed697c683deb63796a13d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
Filesize
480B

MD5
3021adec6e06fcde483d904b7963583c

SHA1
8d794eb6fed8061f35eef2ce7ff701c52bbdb6c1

SHA256
ad8886331f6499fd9fe635512d2e93eeea3e3aaa1333cd41200c1f390c6a9b89

SHA512
91ba3c9196c7228294b48e11f916ddae2c7a431f480e949eb771f8de12600b807cdc867dc2555f74eb45835693d927e58d728c9822cf596d221323fec87baf96

Download Submit
C:\Users\Admin\AppData\Local\Temp\lopuvuo.exe
Filesize
694KB

MD5
176d5ce8ce638bf91de5039df505adbd

SHA1
7200c7636703df9ba6da665ae2de679c9ca85568

SHA256
99a12f8839e8a65046b086ff82e23188a19ad1c5897572097a3aeb02f61ecdf9

SHA512
b552c88292fac8d60a390bfe853d7d4e228b838852a47975b51045adedc89bd0a81e3e0fc2cbfaeb2e6f91610571910ae551b502614198819a52e9769cd40011

Download Submit
C:\Users\Admin\AppData\Local\Temp\lopuvuo.exe
Filesize
694KB

MD5
176d5ce8ce638bf91de5039df505adbd

SHA1
7200c7636703df9ba6da665ae2de679c9ca85568

SHA256
99a12f8839e8a65046b086ff82e23188a19ad1c5897572097a3aeb02f61ecdf9

SHA512
b552c88292fac8d60a390bfe853d7d4e228b838852a47975b51045adedc89bd0a81e3e0fc2cbfaeb2e6f91610571910ae551b502614198819a52e9769cd40011

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA242.tmp
Filesize
702KB

MD5
c32fd3aab4d0106699c8052525070c96

SHA1
84f614f3437d4c13886f88fbf6db0cf2a03fcac2

SHA256
ee0b1b458900f4f178da02c9be373f1c8137a54b890979a4280c65fe96c75ba7

SHA512
8f29cf1f397a8d50051034f7ddd5a1ae51e1f6733ffa18e32bf13a94a1eab74844afa3f4f4b0633efa1c9fc671ef03307ce2bac29fcbd8d2aa2c150ad0a66247

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA242.tmp
Filesize
702KB

MD5
c32fd3aab4d0106699c8052525070c96

SHA1
84f614f3437d4c13886f88fbf6db0cf2a03fcac2

SHA256
ee0b1b458900f4f178da02c9be373f1c8137a54b890979a4280c65fe96c75ba7

SHA512
8f29cf1f397a8d50051034f7ddd5a1ae51e1f6733ffa18e32bf13a94a1eab74844afa3f4f4b0633efa1c9fc671ef03307ce2bac29fcbd8d2aa2c150ad0a66247

Download Submit
memory/456-141-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/456-137-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/456-132-0x0000000000000000-mapping.dmp

Download
memory/2184-142-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/2184-138-0x0000000000000000-mapping.dmp

Download
memory/3612-150-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/3612-146-0x0000000000000000-mapping.dmp

Download
memory/4204-135-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/4204-144-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/5024-143-0x0000000000000000-mapping.dmp

Download