511c6fe9fb8542d9d1e0d6b58f8f8df230f56373e7edb5e02cd651698b0b2b63

Analysis

max time kernel
158s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 21:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

511c6fe9fb8542d9d1e0d6b58f8f8df230f56373e7edb5e02cd651698b0b2b63.exe
Size

654KB
MD5

5cafcabc8d5c1d896f6cce30a37d09d0
SHA1

4622348bc5afd2c6a698fcce93ec12724d1e90f8
SHA256

511c6fe9fb8542d9d1e0d6b58f8f8df230f56373e7edb5e02cd651698b0b2b63
SHA512

f722acc012b6c73a616a1c8bbcb38cfa6f4d4adbf3d482ad7d5dfa7b58754f06a6ead88bd0413c4694a63f71135afa1de98da0afabfa0d91b42000c6642dd04e
SSDEEP

12288:VHjcoe9PH96vB/fAuBcm9TyOE/xG3muGx44MG4Yx:VDgINfAuBcgcZG2uG24MG4Y

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

duvauf.exe~DFA251.tmpgurobu.exe

pid process

4856 duvauf.exe
384 ~DFA251.tmp
4172 gurobu.exe

pid	process
4856	duvauf.exe
384	~DFA251.tmp
4172	gurobu.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

~DFA251.tmp511c6fe9fb8542d9d1e0d6b58f8f8df230f56373e7edb5e02cd651698b0b2b63.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	~DFA251.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	511c6fe9fb8542d9d1e0d6b58f8f8df230f56373e7edb5e02cd651698b0b2b63.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 32 IoCs

Processes:

gurobu.exe

pid	process
4172	gurobu.exe
4172	gurobu.exe
4172	gurobu.exe
4172	gurobu.exe
4172	gurobu.exe
4172	gurobu.exe
4172	gurobu.exe
4172	gurobu.exe
4172	gurobu.exe
4172	gurobu.exe
4172	gurobu.exe
4172	gurobu.exe
4172	gurobu.exe
4172	gurobu.exe
4172	gurobu.exe
4172	gurobu.exe
4172	gurobu.exe
4172	gurobu.exe
4172	gurobu.exe
4172	gurobu.exe
4172	gurobu.exe
4172	gurobu.exe
4172	gurobu.exe
4172	gurobu.exe
4172	gurobu.exe
4172	gurobu.exe
4172	gurobu.exe
4172	gurobu.exe
4172	gurobu.exe
4172	gurobu.exe
4172	gurobu.exe
4172	gurobu.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

~DFA251.tmp

description pid process

Token: SeDebugPrivilege 384 ~DFA251.tmp

description	pid	process
Token: SeDebugPrivilege	384	~DFA251.tmp

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

511c6fe9fb8542d9d1e0d6b58f8f8df230f56373e7edb5e02cd651698b0b2b63.exeduvauf.exe~DFA251.tmp

description	pid	process	target process
PID 4960 wrote to memory of 4856	4960	511c6fe9fb8542d9d1e0d6b58f8f8df230f56373e7edb5e02cd651698b0b2b63.exe	duvauf.exe
PID 4960 wrote to memory of 4856	4960	511c6fe9fb8542d9d1e0d6b58f8f8df230f56373e7edb5e02cd651698b0b2b63.exe	duvauf.exe
PID 4960 wrote to memory of 4856	4960	511c6fe9fb8542d9d1e0d6b58f8f8df230f56373e7edb5e02cd651698b0b2b63.exe	duvauf.exe
PID 4856 wrote to memory of 384	4856	duvauf.exe	~DFA251.tmp
PID 4856 wrote to memory of 384	4856	duvauf.exe	~DFA251.tmp
PID 4856 wrote to memory of 384	4856	duvauf.exe	~DFA251.tmp
PID 4960 wrote to memory of 4464	4960	511c6fe9fb8542d9d1e0d6b58f8f8df230f56373e7edb5e02cd651698b0b2b63.exe	cmd.exe
PID 4960 wrote to memory of 4464	4960	511c6fe9fb8542d9d1e0d6b58f8f8df230f56373e7edb5e02cd651698b0b2b63.exe	cmd.exe
PID 4960 wrote to memory of 4464	4960	511c6fe9fb8542d9d1e0d6b58f8f8df230f56373e7edb5e02cd651698b0b2b63.exe	cmd.exe
PID 384 wrote to memory of 4172	384	~DFA251.tmp	gurobu.exe
PID 384 wrote to memory of 4172	384	~DFA251.tmp	gurobu.exe
PID 384 wrote to memory of 4172	384	~DFA251.tmp	gurobu.exe

C:\Users\Admin\AppData\Local\Temp\511c6fe9fb8542d9d1e0d6b58f8f8df230f56373e7edb5e02cd651698b0b2b63.exe
"C:\Users\Admin\AppData\Local\Temp\511c6fe9fb8542d9d1e0d6b58f8f8df230f56373e7edb5e02cd651698b0b2b63.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4960
- C:\Users\Admin\AppData\Local\Temp\duvauf.exe
  C:\Users\Admin\AppData\Local\Temp\duvauf.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4856
- - C:\Users\Admin\AppData\Local\Temp\~DFA251.tmp
    C:\Users\Admin\AppData\Local\Temp\~DFA251.tmp OK
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:384
  - - C:\Users\Admin\AppData\Local\Temp\gurobu.exe
      "C:\Users\Admin\AppData\Local\Temp\gurobu.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:4172
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
  2⤵
  PID:4464

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uninsep.bat

Filesize
341B

MD5
e86091326727f7ccc4c6c502f75a9328

SHA1
a68bd77df15c5cdc46d1428a0c3a82376ca55d84

SHA256
e78d0cb12706d2bf82b1062a8a9af9d5dceef9a4ce99da54a8cf4f3ccd4529bf

SHA512
6beb52e669aa40c8b07d9f60c9a397684a1cf87ebb20590ff3ab8428f22259e24987e75a48c11c5b8d7ed9e1596c636bfea316f828721e4a58cd99fb177ea2e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\duvauf.exe

Filesize
661KB

MD5
c6b1513e8724393a6a47282ce6d27081

SHA1
7edb4bf2dbc0dc4e54814355cbd471b48d271020

SHA256
f7b4dc188c71da9570d51791c7b6c191e69b038c40e0c88f3649a144dec998de

SHA512
295707a542998a426dd3db9671569754e42ff028abcbdd1e04960e898b54a99585bdca675b2136fd0b37481e18626d8773745f70971922fc84de928dd4386a52

Download Submit
C:\Users\Admin\AppData\Local\Temp\duvauf.exe

Filesize
661KB

MD5
c6b1513e8724393a6a47282ce6d27081

SHA1
7edb4bf2dbc0dc4e54814355cbd471b48d271020

SHA256
f7b4dc188c71da9570d51791c7b6c191e69b038c40e0c88f3649a144dec998de

SHA512
295707a542998a426dd3db9671569754e42ff028abcbdd1e04960e898b54a99585bdca675b2136fd0b37481e18626d8773745f70971922fc84de928dd4386a52

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
86bb2dbeaef655893262f3c041f6afe2

SHA1
1b26ff1241c1353bd506c18bd0c11878076ba65d

SHA256
4a57643d2c59d1235bc0926f845583f39345839e3e9428ad619eb4b6baf96ad2

SHA512
58294cfaa5882a4c5625c03fe6f9e4882912b31f7169241f95626745d66c0a746083a9044365943d66ae7a420113d28c0ddd642c4ed697c683deb63796a13d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
480B

MD5
bcfb18f20ee01e68992346e3572473db

SHA1
00e757df04fc032e42233660e4abb2149b5343c9

SHA256
e86e4759748253b95c81a0ff2ce3c100c4b99ea053e271de29cafcb1d9d9d75a

SHA512
6c23c3c5c7e98bc6a16a58df9176fea8663c3181efed466c6de1f23e40c946d3b0df294c31d043c9d538ef650be98e9e266825f011dc4fbe0c3cf9a826eaff12

Download Submit
C:\Users\Admin\AppData\Local\Temp\gurobu.exe

Filesize
371KB

MD5
1e3d14cca4d979a47972936e0cf25545

SHA1
df2257272c59235f6e8a5c7de1e22102b996ad55

SHA256
ec50603e4c57d138811c3b736ecb0fd6e8dd9cf04e11442189eeba1baa01dd5a

SHA512
64110de5fcb0bca5d5bf91366844d397031660079a016cc861aeb65c062f1cc7a4d8accde8837fdbaf0c90a4ab456cb2b72a0171a7dd1c98cb905bfbbf2effde

Download Submit
C:\Users\Admin\AppData\Local\Temp\gurobu.exe

Filesize
371KB

MD5
1e3d14cca4d979a47972936e0cf25545

SHA1
df2257272c59235f6e8a5c7de1e22102b996ad55

SHA256
ec50603e4c57d138811c3b736ecb0fd6e8dd9cf04e11442189eeba1baa01dd5a

SHA512
64110de5fcb0bca5d5bf91366844d397031660079a016cc861aeb65c062f1cc7a4d8accde8837fdbaf0c90a4ab456cb2b72a0171a7dd1c98cb905bfbbf2effde

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA251.tmp

Filesize
664KB

MD5
a580c0c868e541738449d543f357c904

SHA1
da10a29d21663cdadd5c11bf83806c6d52cc7d1c

SHA256
704c89a19d75c5f312d13f7d5216d3ad9adb16216718f93d689dbb468744b09d

SHA512
c4ff82a3ef9186d8c22b34e707bf801ac0b30de803d294770490866a4a8e812d9320a5318f6a106d8a443e9fa7fd7570fbbb5ba852a22ae10fe7560378218f18

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA251.tmp

Filesize
664KB

MD5
a580c0c868e541738449d543f357c904

SHA1
da10a29d21663cdadd5c11bf83806c6d52cc7d1c

SHA256
704c89a19d75c5f312d13f7d5216d3ad9adb16216718f93d689dbb468744b09d

SHA512
c4ff82a3ef9186d8c22b34e707bf801ac0b30de803d294770490866a4a8e812d9320a5318f6a106d8a443e9fa7fd7570fbbb5ba852a22ae10fe7560378218f18

Download Submit
memory/384-142-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/384-144-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/384-139-0x0000000000000000-mapping.dmp

Download
memory/4172-148-0x0000000000000000-mapping.dmp

Download
memory/4172-151-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/4172-153-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/4464-145-0x0000000000000000-mapping.dmp

Download
memory/4856-143-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/4856-137-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/4856-133-0x0000000000000000-mapping.dmp

Download
memory/4960-132-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/4960-146-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/4960-138-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download