5995973562a9596e610b5f6c846a6739346226f03d74d35b15c795e6513ef665

Analysis

max time kernel
172s
max time network
178s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 21:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5995973562a9596e610b5f6c846a6739346226f03d74d35b15c795e6513ef665.exe
Size

662KB
MD5

5b14f1666fed287f272a240154857250
SHA1

8b8b355715f7086fe0834aad0b04cdb26a5d462e
SHA256

5995973562a9596e610b5f6c846a6739346226f03d74d35b15c795e6513ef665
SHA512

824a8aa97e353825b22559e71661174ddd83d0fd9df67881821e9cdb26a4325b004107cfc3ffce4a5a263dbad197b8d83ef74938ef25a7fc37e44793b31ac8e7
SSDEEP

12288:VHjcoe9PH96vB/fAuBcm9TyOE/xG3muGx44MG4Yx:VDgINfAuBcgcZG2uG24MG4Y

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

hekili.exe~DFA239.tmpyhdyni.exe

pid process

4768 hekili.exe
3496 ~DFA239.tmp
4464 yhdyni.exe

pid	process
4768	hekili.exe
3496	~DFA239.tmp
4464	yhdyni.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

5995973562a9596e610b5f6c846a6739346226f03d74d35b15c795e6513ef665.exe~DFA239.tmp

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	5995973562a9596e610b5f6c846a6739346226f03d74d35b15c795e6513ef665.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	~DFA239.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 30 IoCs

Processes:

yhdyni.exe

pid	process
4464	yhdyni.exe
4464	yhdyni.exe
4464	yhdyni.exe
4464	yhdyni.exe
4464	yhdyni.exe
4464	yhdyni.exe
4464	yhdyni.exe
4464	yhdyni.exe
4464	yhdyni.exe
4464	yhdyni.exe
4464	yhdyni.exe
4464	yhdyni.exe
4464	yhdyni.exe
4464	yhdyni.exe
4464	yhdyni.exe
4464	yhdyni.exe
4464	yhdyni.exe
4464	yhdyni.exe
4464	yhdyni.exe
4464	yhdyni.exe
4464	yhdyni.exe
4464	yhdyni.exe
4464	yhdyni.exe
4464	yhdyni.exe
4464	yhdyni.exe
4464	yhdyni.exe
4464	yhdyni.exe
4464	yhdyni.exe
4464	yhdyni.exe
4464	yhdyni.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

~DFA239.tmp

description pid process

Token: SeDebugPrivilege 3496 ~DFA239.tmp

description	pid	process
Token: SeDebugPrivilege	3496	~DFA239.tmp

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

5995973562a9596e610b5f6c846a6739346226f03d74d35b15c795e6513ef665.exehekili.exe~DFA239.tmp

description	pid	process	target process
PID 1912 wrote to memory of 4768	1912	5995973562a9596e610b5f6c846a6739346226f03d74d35b15c795e6513ef665.exe	hekili.exe
PID 1912 wrote to memory of 4768	1912	5995973562a9596e610b5f6c846a6739346226f03d74d35b15c795e6513ef665.exe	hekili.exe
PID 1912 wrote to memory of 4768	1912	5995973562a9596e610b5f6c846a6739346226f03d74d35b15c795e6513ef665.exe	hekili.exe
PID 4768 wrote to memory of 3496	4768	hekili.exe	~DFA239.tmp
PID 4768 wrote to memory of 3496	4768	hekili.exe	~DFA239.tmp
PID 4768 wrote to memory of 3496	4768	hekili.exe	~DFA239.tmp
PID 1912 wrote to memory of 4216	1912	5995973562a9596e610b5f6c846a6739346226f03d74d35b15c795e6513ef665.exe	cmd.exe
PID 1912 wrote to memory of 4216	1912	5995973562a9596e610b5f6c846a6739346226f03d74d35b15c795e6513ef665.exe	cmd.exe
PID 1912 wrote to memory of 4216	1912	5995973562a9596e610b5f6c846a6739346226f03d74d35b15c795e6513ef665.exe	cmd.exe
PID 3496 wrote to memory of 4464	3496	~DFA239.tmp	yhdyni.exe
PID 3496 wrote to memory of 4464	3496	~DFA239.tmp	yhdyni.exe
PID 3496 wrote to memory of 4464	3496	~DFA239.tmp	yhdyni.exe

C:\Users\Admin\AppData\Local\Temp\5995973562a9596e610b5f6c846a6739346226f03d74d35b15c795e6513ef665.exe
"C:\Users\Admin\AppData\Local\Temp\5995973562a9596e610b5f6c846a6739346226f03d74d35b15c795e6513ef665.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1912

C:\Users\Admin\AppData\Local\Temp\hekili.exe
C:\Users\Admin\AppData\Local\Temp\hekili.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4768

C:\Users\Admin\AppData\Local\Temp\~DFA239.tmp
C:\Users\Admin\AppData\Local\Temp\~DFA239.tmp OK
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3496

C:\Users\Admin\AppData\Local\Temp\yhdyni.exe
"C:\Users\Admin\AppData\Local\Temp\yhdyni.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4464

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
2⤵
PID:4216

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uninsep.bat
Filesize
341B

MD5
86abecc7751c43eb2e9d6e772ffcd106

SHA1
529c4f496fe6e2db5b8fa03ef0f655ee944da044

SHA256
ba3977b2095f2b0118dd0cdb3468444415b0486f6bc9ae0bcf378c184dda9956

SHA512
cab22572b231743a5fb275107eb3f8d19b627d3706ebc5773e878ceb2c2162d9e5a42fb3344d0b5928258a099334a0164a81e232879922cfcb985bb8e286d25f

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini
Filesize
104B

MD5
86bb2dbeaef655893262f3c041f6afe2

SHA1
1b26ff1241c1353bd506c18bd0c11878076ba65d

SHA256
4a57643d2c59d1235bc0926f845583f39345839e3e9428ad619eb4b6baf96ad2

SHA512
58294cfaa5882a4c5625c03fe6f9e4882912b31f7169241f95626745d66c0a746083a9044365943d66ae7a420113d28c0ddd642c4ed697c683deb63796a13d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
Filesize
480B

MD5
75dd1590819ddf0e2a0f7bca010356a1

SHA1
47d099b2e59270ef5aeadf17e2b1651ad83efcd7

SHA256
ef7652b0e247fd0e3b266f7cd736ef3dd650fc3f5cba17c40dec5d13aaae9906

SHA512
913a9a82867fd50eb1728dcf14a02f817aaa64115d9fb74ebca3d59ad9ec1915d80fbac95fab6b700838cc3a1fe7fb0478ab311d59bc5756d2bad9fad5ed84a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\hekili.exe
Filesize
672KB

MD5
71b33b2a3e4c643f53fed55f88790500

SHA1
d5c66321969378cc66bf7d3650d748b6edab03db

SHA256
59e48bb92defecedd9a1ed58177a41677e4e8615125b6a70940a31b4c9589f9c

SHA512
f8414e6a3d2e0a4d842ebf9467e15877163ca8438397c6abb34f2d64d668060cf8343cbb47cc962e4a2f7b971ca5f90a533b875a283073f93859d0355cf45173

Download Submit
C:\Users\Admin\AppData\Local\Temp\hekili.exe
Filesize
672KB

MD5
71b33b2a3e4c643f53fed55f88790500

SHA1
d5c66321969378cc66bf7d3650d748b6edab03db

SHA256
59e48bb92defecedd9a1ed58177a41677e4e8615125b6a70940a31b4c9589f9c

SHA512
f8414e6a3d2e0a4d842ebf9467e15877163ca8438397c6abb34f2d64d668060cf8343cbb47cc962e4a2f7b971ca5f90a533b875a283073f93859d0355cf45173

Download Submit
C:\Users\Admin\AppData\Local\Temp\yhdyni.exe
Filesize
399KB

MD5
f2e4fb0023d28e4527fc582d082df1db

SHA1
88a14d77c8ba237fc3803716051efa1c5a61a2cc

SHA256
b91c4c4090bc98c1559ae7f922d8a00047d72712b8f00bf5e176281ee8b5a4ef

SHA512
2e4aace4a48c580efcaea2e60b15837365f0ade050bcd926cb37be06f8a40f1cbf4010181dfd3d5cf9ece15c19129d0873feede2cf82f1cb4038b20adcfd449e

Download Submit
C:\Users\Admin\AppData\Local\Temp\yhdyni.exe
Filesize
399KB

MD5
f2e4fb0023d28e4527fc582d082df1db

SHA1
88a14d77c8ba237fc3803716051efa1c5a61a2cc

SHA256
b91c4c4090bc98c1559ae7f922d8a00047d72712b8f00bf5e176281ee8b5a4ef

SHA512
2e4aace4a48c580efcaea2e60b15837365f0ade050bcd926cb37be06f8a40f1cbf4010181dfd3d5cf9ece15c19129d0873feede2cf82f1cb4038b20adcfd449e

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA239.tmp
Filesize
681KB

MD5
d18462832396ebb761b5259415a26c3b

SHA1
bdc299890fee1281440c5749f67e5d111ce42e19

SHA256
feba0923806a098cad23695122fa8f1e134a2383ba72667ef9dd829d8538065f

SHA512
efc0660caeb70dab0438708d4c16667834a371f0b6b111611bd4ff6c3a949762731b372d59f841ee5f61dac4f72927c57983843e2541010f22d7efe9db77eefc

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA239.tmp
Filesize
681KB

MD5
d18462832396ebb761b5259415a26c3b

SHA1
bdc299890fee1281440c5749f67e5d111ce42e19

SHA256
feba0923806a098cad23695122fa8f1e134a2383ba72667ef9dd829d8538065f

SHA512
efc0660caeb70dab0438708d4c16667834a371f0b6b111611bd4ff6c3a949762731b372d59f841ee5f61dac4f72927c57983843e2541010f22d7efe9db77eefc

Download Submit
memory/1912-144-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1912-132-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/3496-137-0x0000000000000000-mapping.dmp

Download
memory/3496-141-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/3496-146-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/4216-143-0x0000000000000000-mapping.dmp

Download
memory/4464-147-0x0000000000000000-mapping.dmp

Download
memory/4464-150-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/4768-142-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/4768-140-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/4768-133-0x0000000000000000-mapping.dmp

Download