131c66e11c7837ee963eb63917416d085c4d290bf89ca78b4b485d75ecc00c45

Analysis

max time kernel
153s
max time network
188s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 21:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

131c66e11c7837ee963eb63917416d085c4d290bf89ca78b4b485d75ecc00c45.exe
Size

687KB
MD5

5349282420c16ff192c08775a152b530
SHA1

05d0906c46da03c37574240b8d8bf447f0edef31
SHA256

131c66e11c7837ee963eb63917416d085c4d290bf89ca78b4b485d75ecc00c45
SHA512

cc28e186e1c52ef56f9d9c84ed6f9cd84e8a44b2d470dc139a4d2725dd7d02e3105bbf6dd711c6203a7f59bad31f4ed9310e3e8ef57587908e2de7d0f2e867cb
SSDEEP

12288:VHjcoe9PH96vB/fAuBcm9TyOE/xG3muGx44MG4Yx:VDgINfAuBcgcZG2uG24MG4Y

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

kyuhduo.exe~DFA250.tmprydedak.exe

pid process

2436 kyuhduo.exe
3376 ~DFA250.tmp
1292 rydedak.exe

pid	process
2436	kyuhduo.exe
3376	~DFA250.tmp
1292	rydedak.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

~DFA250.tmp131c66e11c7837ee963eb63917416d085c4d290bf89ca78b4b485d75ecc00c45.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	~DFA250.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	131c66e11c7837ee963eb63917416d085c4d290bf89ca78b4b485d75ecc00c45.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 38 IoCs

Processes:

rydedak.exe

pid	process
1292	rydedak.exe
1292	rydedak.exe
1292	rydedak.exe
1292	rydedak.exe
1292	rydedak.exe
1292	rydedak.exe
1292	rydedak.exe
1292	rydedak.exe
1292	rydedak.exe
1292	rydedak.exe
1292	rydedak.exe
1292	rydedak.exe
1292	rydedak.exe
1292	rydedak.exe
1292	rydedak.exe
1292	rydedak.exe
1292	rydedak.exe
1292	rydedak.exe
1292	rydedak.exe
1292	rydedak.exe
1292	rydedak.exe
1292	rydedak.exe
1292	rydedak.exe
1292	rydedak.exe
1292	rydedak.exe
1292	rydedak.exe
1292	rydedak.exe
1292	rydedak.exe
1292	rydedak.exe
1292	rydedak.exe
1292	rydedak.exe
1292	rydedak.exe
1292	rydedak.exe
1292	rydedak.exe
1292	rydedak.exe
1292	rydedak.exe
1292	rydedak.exe
1292	rydedak.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

~DFA250.tmp

description pid process

Token: SeDebugPrivilege 3376 ~DFA250.tmp

description	pid	process
Token: SeDebugPrivilege	3376	~DFA250.tmp

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

131c66e11c7837ee963eb63917416d085c4d290bf89ca78b4b485d75ecc00c45.exekyuhduo.exe~DFA250.tmp

description	pid	process	target process
PID 4208 wrote to memory of 2436	4208	131c66e11c7837ee963eb63917416d085c4d290bf89ca78b4b485d75ecc00c45.exe	kyuhduo.exe
PID 4208 wrote to memory of 2436	4208	131c66e11c7837ee963eb63917416d085c4d290bf89ca78b4b485d75ecc00c45.exe	kyuhduo.exe
PID 4208 wrote to memory of 2436	4208	131c66e11c7837ee963eb63917416d085c4d290bf89ca78b4b485d75ecc00c45.exe	kyuhduo.exe
PID 2436 wrote to memory of 3376	2436	kyuhduo.exe	~DFA250.tmp
PID 2436 wrote to memory of 3376	2436	kyuhduo.exe	~DFA250.tmp
PID 2436 wrote to memory of 3376	2436	kyuhduo.exe	~DFA250.tmp
PID 4208 wrote to memory of 5092	4208	131c66e11c7837ee963eb63917416d085c4d290bf89ca78b4b485d75ecc00c45.exe	cmd.exe
PID 4208 wrote to memory of 5092	4208	131c66e11c7837ee963eb63917416d085c4d290bf89ca78b4b485d75ecc00c45.exe	cmd.exe
PID 4208 wrote to memory of 5092	4208	131c66e11c7837ee963eb63917416d085c4d290bf89ca78b4b485d75ecc00c45.exe	cmd.exe
PID 3376 wrote to memory of 1292	3376	~DFA250.tmp	rydedak.exe
PID 3376 wrote to memory of 1292	3376	~DFA250.tmp	rydedak.exe
PID 3376 wrote to memory of 1292	3376	~DFA250.tmp	rydedak.exe

C:\Users\Admin\AppData\Local\Temp\131c66e11c7837ee963eb63917416d085c4d290bf89ca78b4b485d75ecc00c45.exe
"C:\Users\Admin\AppData\Local\Temp\131c66e11c7837ee963eb63917416d085c4d290bf89ca78b4b485d75ecc00c45.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4208
- C:\Users\Admin\AppData\Local\Temp\kyuhduo.exe
  C:\Users\Admin\AppData\Local\Temp\kyuhduo.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2436
- - C:\Users\Admin\AppData\Local\Temp\~DFA250.tmp
    C:\Users\Admin\AppData\Local\Temp\~DFA250.tmp OK
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3376
  - - C:\Users\Admin\AppData\Local\Temp\rydedak.exe
      "C:\Users\Admin\AppData\Local\Temp\rydedak.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:1292
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
  2⤵
  PID:5092

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uninsep.bat

Filesize
341B

MD5
fccb7de0664cb52883d6d048a907444b

SHA1
bd4482b3d28d1e7327669bdc8d9cfc29790ae33c

SHA256
da223929f1c03dd251a1ba7a801f8e8783e2710d28e724a593c2607a14b8c034

SHA512
1b798ef6bb845e33e4c30d47bed14cecf98211660778d50692c7f1176315e0210fa379aea6de910d88acf8dd30b804c2efeffd977769a7b348691972d6095627

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
86bb2dbeaef655893262f3c041f6afe2

SHA1
1b26ff1241c1353bd506c18bd0c11878076ba65d

SHA256
4a57643d2c59d1235bc0926f845583f39345839e3e9428ad619eb4b6baf96ad2

SHA512
58294cfaa5882a4c5625c03fe6f9e4882912b31f7169241f95626745d66c0a746083a9044365943d66ae7a420113d28c0ddd642c4ed697c683deb63796a13d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
480B

MD5
da3da1557a5cbe35e842002e6dd0473f

SHA1
30774afa9a5d804a116b6c46a36cab8146746231

SHA256
dfbac6b467c2ddeff6b4219d648d2112f19447b547b1572f731eeb9750006120

SHA512
2a5c2a4e015f5478159cb3b40e064e796de984475e78cb57acdfaf0bb3ff5b362231b8835b93be43e52b896bea09a2b916114198c70b74c48b5ec5e6e6fffa61

Download Submit
C:\Users\Admin\AppData\Local\Temp\kyuhduo.exe

Filesize
689KB

MD5
2c90c42e65b4484571293dafdceea168

SHA1
28d46fab43f868ee90293e17b9cbeb04fc4be748

SHA256
28ecbfe4b2dc8ae0b50047fd1c985e79885a6aef9b24a2dfcbc4877bd782554c

SHA512
44b514cf01eee115e00345d6ecbb477c290cf471dabe720762699fb47929c8976f47bcf76a92bdc7128189c773acb6041a99cb21cdc05df1b1860e6c7488bc8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\kyuhduo.exe

Filesize
689KB

MD5
2c90c42e65b4484571293dafdceea168

SHA1
28d46fab43f868ee90293e17b9cbeb04fc4be748

SHA256
28ecbfe4b2dc8ae0b50047fd1c985e79885a6aef9b24a2dfcbc4877bd782554c

SHA512
44b514cf01eee115e00345d6ecbb477c290cf471dabe720762699fb47929c8976f47bcf76a92bdc7128189c773acb6041a99cb21cdc05df1b1860e6c7488bc8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\rydedak.exe

Filesize
412KB

MD5
d74897e917b4586ee1028b6948885e9f

SHA1
955ae53eeab90c64c3acb9331ee2147b2112caec

SHA256
e76fb649e9c54fc6cbfa0152d8702b51609715a1689379318e195fb1c7b57f8c

SHA512
3d7389fc91e336966e25dbce217edcd30ab6f8ad9ce539bf79f8976470f2bca6d0b1cb2f3932a38c37b9d2638578259b806cb3ae8dc191bfb78cf13639ff4c93

Download Submit
C:\Users\Admin\AppData\Local\Temp\rydedak.exe

Filesize
412KB

MD5
d74897e917b4586ee1028b6948885e9f

SHA1
955ae53eeab90c64c3acb9331ee2147b2112caec

SHA256
e76fb649e9c54fc6cbfa0152d8702b51609715a1689379318e195fb1c7b57f8c

SHA512
3d7389fc91e336966e25dbce217edcd30ab6f8ad9ce539bf79f8976470f2bca6d0b1cb2f3932a38c37b9d2638578259b806cb3ae8dc191bfb78cf13639ff4c93

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA250.tmp

Filesize
692KB

MD5
6e3906a8a1c372b97c76091af2bef44d

SHA1
30c9ddc16aa499902e1065df1596ef4837ae2eb1

SHA256
553cc6f934a7e290780efe6bb3341fa8c2459d04cea9656432539021ac0bb5d0

SHA512
b5a0cdc46f4422d25a111d78f8b6a9e065ce5d7dcda61ecc6528175b0db50a2ebd49792914704d3dce45c69bf17a1135d1465a8ba723c2497ac66f5049219fbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA250.tmp

Filesize
692KB

MD5
6e3906a8a1c372b97c76091af2bef44d

SHA1
30c9ddc16aa499902e1065df1596ef4837ae2eb1

SHA256
553cc6f934a7e290780efe6bb3341fa8c2459d04cea9656432539021ac0bb5d0

SHA512
b5a0cdc46f4422d25a111d78f8b6a9e065ce5d7dcda61ecc6528175b0db50a2ebd49792914704d3dce45c69bf17a1135d1465a8ba723c2497ac66f5049219fbd

Download Submit
memory/1292-148-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/1292-150-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/1292-145-0x0000000000000000-mapping.dmp

Download
memory/2436-142-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/2436-133-0x0000000000000000-mapping.dmp

Download
memory/3376-144-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/3376-137-0x0000000000000000-mapping.dmp

Download
memory/4208-132-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/4208-141-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/5092-140-0x0000000000000000-mapping.dmp

Download