c0fb5cb88fd97448157f4c8505a366646f03a8173626b94702fa9aa6b66a746b

Analysis

max time kernel
161s
max time network
173s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
04/12/2022, 12:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c0fb5cb88fd97448157f4c8505a366646f03a8173626b94702fa9aa6b66a746b.exe
Size

583KB
MD5

af3b6afac1b6b96019ee02d4a8fbd271
SHA1

232132dfda4e6781743158c9e8380d0ad363c926
SHA256

c0fb5cb88fd97448157f4c8505a366646f03a8173626b94702fa9aa6b66a746b
SHA512

1082c36d44360a4256050eca5851f3cadf59ce4e77262e2048319bbdea261123de9bf249ebfcae0fa4e615123c265ee1b65fe2ed62e4e65c3de2993e67c77c71
SSDEEP

6144:eajY1oC+/U8Vjlx4kk9HKda4L383j8hpdoSQbQFsrF1W/h84IrV7mMpH8zQW4jQa:uOlx4kk9HKda4Y38oSiQi4kVdcQzjX

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
860	evuff.exe
3696	iqfuf.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1704-132-0x0000000000400000-0x00000000004C0000-memory.dmp	upx
behavioral2/files/0x0006000000022e15-135.dat	upx
behavioral2/files/0x0006000000022e15-134.dat	upx
behavioral2/memory/1704-137-0x0000000000400000-0x00000000004C0000-memory.dmp	upx
behavioral2/memory/860-139-0x0000000000400000-0x00000000004C0000-memory.dmp	upx
behavioral2/memory/860-141-0x0000000000400000-0x00000000004C0000-memory.dmp	upx
behavioral2/memory/860-145-0x0000000000400000-0x00000000004C0000-memory.dmp	upx

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	c0fb5cb88fd97448157f4c8505a366646f03a8173626b94702fa9aa6b66a746b.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	evuff.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3696	iqfuf.exe
3696	iqfuf.exe
3696	iqfuf.exe
3696	iqfuf.exe
3696	iqfuf.exe
3696	iqfuf.exe
3696	iqfuf.exe
3696	iqfuf.exe
3696	iqfuf.exe
3696	iqfuf.exe
3696	iqfuf.exe
3696	iqfuf.exe
3696	iqfuf.exe
3696	iqfuf.exe
3696	iqfuf.exe
3696	iqfuf.exe
3696	iqfuf.exe
3696	iqfuf.exe
3696	iqfuf.exe
3696	iqfuf.exe
3696	iqfuf.exe
3696	iqfuf.exe
3696	iqfuf.exe
3696	iqfuf.exe
3696	iqfuf.exe
3696	iqfuf.exe
3696	iqfuf.exe
3696	iqfuf.exe
3696	iqfuf.exe
3696	iqfuf.exe
3696	iqfuf.exe
3696	iqfuf.exe
3696	iqfuf.exe
3696	iqfuf.exe
3696	iqfuf.exe
3696	iqfuf.exe
3696	iqfuf.exe
3696	iqfuf.exe
3696	iqfuf.exe
3696	iqfuf.exe
3696	iqfuf.exe
3696	iqfuf.exe
3696	iqfuf.exe
3696	iqfuf.exe
3696	iqfuf.exe
3696	iqfuf.exe
3696	iqfuf.exe
3696	iqfuf.exe
3696	iqfuf.exe
3696	iqfuf.exe
3696	iqfuf.exe
3696	iqfuf.exe
3696	iqfuf.exe
3696	iqfuf.exe
3696	iqfuf.exe
3696	iqfuf.exe
3696	iqfuf.exe
3696	iqfuf.exe
3696	iqfuf.exe
3696	iqfuf.exe
3696	iqfuf.exe
3696	iqfuf.exe
3696	iqfuf.exe
3696	iqfuf.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	3696	iqfuf.exe
Token: SeIncBasePriorityPrivilege	3696	iqfuf.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1704 wrote to memory of 860	1704	c0fb5cb88fd97448157f4c8505a366646f03a8173626b94702fa9aa6b66a746b.exe	81
PID 1704 wrote to memory of 860	1704	c0fb5cb88fd97448157f4c8505a366646f03a8173626b94702fa9aa6b66a746b.exe	81
PID 1704 wrote to memory of 860	1704	c0fb5cb88fd97448157f4c8505a366646f03a8173626b94702fa9aa6b66a746b.exe	81
PID 1704 wrote to memory of 2016	1704	c0fb5cb88fd97448157f4c8505a366646f03a8173626b94702fa9aa6b66a746b.exe	82
PID 1704 wrote to memory of 2016	1704	c0fb5cb88fd97448157f4c8505a366646f03a8173626b94702fa9aa6b66a746b.exe	82
PID 1704 wrote to memory of 2016	1704	c0fb5cb88fd97448157f4c8505a366646f03a8173626b94702fa9aa6b66a746b.exe	82
PID 860 wrote to memory of 3696	860	evuff.exe	85
PID 860 wrote to memory of 3696	860	evuff.exe	85
PID 860 wrote to memory of 3696	860	evuff.exe	85

C:\Users\Admin\AppData\Local\Temp\c0fb5cb88fd97448157f4c8505a366646f03a8173626b94702fa9aa6b66a746b.exe
"C:\Users\Admin\AppData\Local\Temp\c0fb5cb88fd97448157f4c8505a366646f03a8173626b94702fa9aa6b66a746b.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1704
- C:\Users\Admin\AppData\Local\Temp\evuff.exe
  "C:\Users\Admin\AppData\Local\Temp\evuff.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:860
- - C:\Users\Admin\AppData\Local\Temp\iqfuf.exe
    "C:\Users\Admin\AppData\Local\Temp\iqfuf.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3696
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  PID:2016

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
d723c5ae558fa067a1fa23b7cf08fef3

SHA1
00425ae691734dc4d0f1eb0314535bcc2d70930d

SHA256
2ba61758676a3d34ce229faac56cd6e64f982c7bff0008f61879dbb5c52844c0

SHA512
b8957cd6725cd6e5c6dc7edd962e92547646aacded70413c4788b07fa0e1287a452d18ec7937294ddc814279807ccff569f6e51e65ddae209e50f2727b4b8451

Download Submit
C:\Users\Admin\AppData\Local\Temp\evuff.exe

Filesize
583KB

MD5
04fa2915ebf83dc63bf46930ef72b446

SHA1
e99c5dd723e39a6c29f055b6557fc3d3b98a14e7

SHA256
91659e06b097a8342d5909bf64afaaebb637eed4f21615ad2721eb73cb448f77

SHA512
08c8d4f3529939f67768a2e087308f083cba9d56d84b529b8a629ba97c3b4aee6c6f76052cc4eb3df31887d70dc299724e95a92c70197ca7316710fd9fee1304

Download Submit
C:\Users\Admin\AppData\Local\Temp\evuff.exe

Filesize
583KB

MD5
04fa2915ebf83dc63bf46930ef72b446

SHA1
e99c5dd723e39a6c29f055b6557fc3d3b98a14e7

SHA256
91659e06b097a8342d5909bf64afaaebb637eed4f21615ad2721eb73cb448f77

SHA512
08c8d4f3529939f67768a2e087308f083cba9d56d84b529b8a629ba97c3b4aee6c6f76052cc4eb3df31887d70dc299724e95a92c70197ca7316710fd9fee1304

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
0178593b098cd94e3eeaee5c1f61fe0e

SHA1
a97bc48bd96d4645201f2e5bd42178e86d619689

SHA256
8106967835aeb1f850119a99fa9659676c383ed29c1f0cf76747f5ab9aef579a

SHA512
5ca8751cbe3fb3eea4f76bfe926af315482a49fd8b429fdfc301f6f0a3e6d19a3fdc015672c70ea51bfba4c2a8e5c67bf7e93c6312ad9706446b9be3363d74b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\iqfuf.exe

Filesize
201KB

MD5
8de303f828a8df6c45c187b9da4a38aa

SHA1
84d668564b22c91691f21ad047611e85e3f90e07

SHA256
9aa3f2ad17cb7fc9dea27c4b6238b02a6b48a1ce611b31513f6bf470fcef832a

SHA512
27a51dedb0b5b0d2b9d148b17878d6517b4d69231b01a479af94966aeab19f30472c6d5d4f517d33275ed8b139b595f91cfda1725d911533380f8263bde960e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\iqfuf.exe

Filesize
201KB

MD5
8de303f828a8df6c45c187b9da4a38aa

SHA1
84d668564b22c91691f21ad047611e85e3f90e07

SHA256
9aa3f2ad17cb7fc9dea27c4b6238b02a6b48a1ce611b31513f6bf470fcef832a

SHA512
27a51dedb0b5b0d2b9d148b17878d6517b4d69231b01a479af94966aeab19f30472c6d5d4f517d33275ed8b139b595f91cfda1725d911533380f8263bde960e8

Download Submit
memory/860-139-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/860-141-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/860-145-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/1704-137-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/1704-132-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/3696-146-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download