1a193a5c9a4cf2963018cad6b56e6b41b759ba1bff4331fbfcbb51eac0684a9b

Analysis

max time kernel
148s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
13/03/2023, 07:29

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

PURCHASE ORDER_pdf.exe
Size

276KB
MD5

2c5e140fba34025bdb2fcc9c5d82765a
SHA1

7a0b2e0bf6b8948c454326d925bb8d68e841d198
SHA256

1a193a5c9a4cf2963018cad6b56e6b41b759ba1bff4331fbfcbb51eac0684a9b
SHA512

ebffe004508d6ddab38fcce72e9aa33f87ffa147d9d7230c535c039f9b5b493c3caccebbc43301d0cfe11015f7ec395667980676786bcd1d12e2d379ec399e14
SSDEEP

6144:/Ya6b0bLUriaI/ifhQXIMEHIUPDXO1wyVTCZRlDzYL:/Yp0bLUraC4IMEFD+1w+TCZzDzYL

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	hujzesy.exe

Executes dropped EXE 2 IoCs

pid	Process
864	hujzesy.exe
404	hujzesy.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 864 set thread context of 404	864	hujzesy.exe	87
PID 404 set thread context of 1292	404	hujzesy.exe	34
PID 2416 set thread context of 1292	2416	svchost.exe	34

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\Registry\User\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
404	hujzesy.exe
404	hujzesy.exe
404	hujzesy.exe
404	hujzesy.exe
404	hujzesy.exe
404	hujzesy.exe
404	hujzesy.exe
404	hujzesy.exe
2416	svchost.exe
2416	svchost.exe
2416	svchost.exe
2416	svchost.exe
2416	svchost.exe
2416	svchost.exe
2416	svchost.exe
2416	svchost.exe
2416	svchost.exe
2416	svchost.exe
2416	svchost.exe
2416	svchost.exe
2416	svchost.exe
2416	svchost.exe
2416	svchost.exe
2416	svchost.exe
2416	svchost.exe
2416	svchost.exe
2416	svchost.exe
2416	svchost.exe
2416	svchost.exe
2416	svchost.exe
2416	svchost.exe
2416	svchost.exe
2416	svchost.exe
2416	svchost.exe
2416	svchost.exe
2416	svchost.exe
2416	svchost.exe
2416	svchost.exe
2416	svchost.exe
2416	svchost.exe
2416	svchost.exe
2416	svchost.exe
2416	svchost.exe
2416	svchost.exe
2416	svchost.exe
2416	svchost.exe
2416	svchost.exe
2416	svchost.exe
2416	svchost.exe
2416	svchost.exe
2416	svchost.exe
2416	svchost.exe
2416	svchost.exe
2416	svchost.exe
2416	svchost.exe
2416	svchost.exe
2416	svchost.exe
2416	svchost.exe
2416	svchost.exe
2416	svchost.exe
2416	svchost.exe
2416	svchost.exe
2416	svchost.exe
2416	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1292	Explorer.EXE

Suspicious behavior: MapViewOfSection 8 IoCs

pid	Process
864	hujzesy.exe
404	hujzesy.exe
404	hujzesy.exe
404	hujzesy.exe
2416	svchost.exe
2416	svchost.exe
2416	svchost.exe
2416	svchost.exe

Suspicious use of AdjustPrivilegeToken 30 IoCs

description	pid	Process
Token: SeDebugPrivilege	404	hujzesy.exe
Token: SeDebugPrivilege	2416	svchost.exe
Token: SeShutdownPrivilege	1292	Explorer.EXE
Token: SeCreatePagefilePrivilege	1292	Explorer.EXE
Token: SeShutdownPrivilege	1292	Explorer.EXE
Token: SeCreatePagefilePrivilege	1292	Explorer.EXE
Token: SeShutdownPrivilege	1292	Explorer.EXE
Token: SeCreatePagefilePrivilege	1292	Explorer.EXE
Token: SeShutdownPrivilege	1292	Explorer.EXE
Token: SeCreatePagefilePrivilege	1292	Explorer.EXE
Token: SeShutdownPrivilege	1292	Explorer.EXE
Token: SeCreatePagefilePrivilege	1292	Explorer.EXE
Token: SeShutdownPrivilege	1292	Explorer.EXE
Token: SeCreatePagefilePrivilege	1292	Explorer.EXE
Token: SeShutdownPrivilege	1292	Explorer.EXE
Token: SeCreatePagefilePrivilege	1292	Explorer.EXE
Token: SeShutdownPrivilege	1292	Explorer.EXE
Token: SeCreatePagefilePrivilege	1292	Explorer.EXE
Token: SeShutdownPrivilege	1292	Explorer.EXE
Token: SeCreatePagefilePrivilege	1292	Explorer.EXE
Token: SeShutdownPrivilege	1292	Explorer.EXE
Token: SeCreatePagefilePrivilege	1292	Explorer.EXE
Token: SeShutdownPrivilege	1292	Explorer.EXE
Token: SeCreatePagefilePrivilege	1292	Explorer.EXE
Token: SeShutdownPrivilege	1292	Explorer.EXE
Token: SeCreatePagefilePrivilege	1292	Explorer.EXE
Token: SeShutdownPrivilege	1292	Explorer.EXE
Token: SeCreatePagefilePrivilege	1292	Explorer.EXE
Token: SeShutdownPrivilege	1292	Explorer.EXE
Token: SeCreatePagefilePrivilege	1292	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1292	Explorer.EXE
1292	Explorer.EXE

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 396 wrote to memory of 864	396	PURCHASE ORDER_pdf.exe	86
PID 396 wrote to memory of 864	396	PURCHASE ORDER_pdf.exe	86
PID 396 wrote to memory of 864	396	PURCHASE ORDER_pdf.exe	86
PID 864 wrote to memory of 404	864	hujzesy.exe	87
PID 864 wrote to memory of 404	864	hujzesy.exe	87
PID 864 wrote to memory of 404	864	hujzesy.exe	87
PID 864 wrote to memory of 404	864	hujzesy.exe	87
PID 1292 wrote to memory of 2416	1292	Explorer.EXE	88
PID 1292 wrote to memory of 2416	1292	Explorer.EXE	88
PID 1292 wrote to memory of 2416	1292	Explorer.EXE	88
PID 2416 wrote to memory of 2752	2416	svchost.exe	95
PID 2416 wrote to memory of 2752	2416	svchost.exe	95
PID 2416 wrote to memory of 2752	2416	svchost.exe	95

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1292
- C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER_pdf.exe
  "C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER_pdf.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:396
- - C:\Users\Admin\AppData\Local\Temp\hujzesy.exe
    "C:\Users\Admin\AppData\Local\Temp\hujzesy.exe" C:\Users\Admin\AppData\Local\Temp\ddetjuz.c
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:864
  - - C:\Users\Admin\AppData\Local\Temp\hujzesy.exe
      "C:\Users\Admin\AppData\Local\Temp\hujzesy.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:404
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\SysWOW64\svchost.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2416
- - C:\Program Files\Mozilla Firefox\Firefox.exe
    "C:\Program Files\Mozilla Firefox\Firefox.exe"
    3⤵
    PID:2752

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ddetjuz.c

Filesize
5KB

MD5
f6b2cafbcfe92beb0f9f5f7a48dd2df0

SHA1
28e02af341aa1e1d0c7fb44af1b9a8c2392028dc

SHA256
1baadcc39484f1cdc238baa54bfa767f7f194f2cc1dd13367a68f4c16c24a7ef

SHA512
a1c2bbc0f84be566a53a9f630cdecf291d5e8a39324dd6516a4f65f8dbc15beccd7f96e923a9190fa130aabc6d504d95a7ec3542a537b34d3030afe41cb7ce2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\geygtgbe.lo

Filesize
205KB

MD5
7d82927f2bd91c7b539c3bf09066ac29

SHA1
d6c9331ce9c0a8036dd5e1d3361da5871bb48c34

SHA256
2e84a4bfeb30ebaab7d55d68b0525159d666bb1e27a760845ddb31a9fa8dcad9

SHA512
2cbd32f96f6653e3edb7daeceb2ed5f2df0068630a57f22b3fbad041f71cc40fdd259b49eaed62f1b18aca953b0421556d49b24185c94c182d60d3dba86639c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\hujzesy.exe

Filesize
60KB

MD5
5b07b8ef28f2a26b8a8a30e86944f7c9

SHA1
4c923be0ef7fabdabfdc9735997c67947902ad0c

SHA256
8d873afc7d3b2158944b7d74cc2a19739dbd49b7a2e5b408a2fe331106788a17

SHA512
b18d0a37e60447a97099dd8f68061283fe2f83e443e5ab48abe68b5de6f23c13a167fe90d25d3a39ad3a6b5f4e5cdec06223b6ab2fb8acdf7b69c09310bf291b

Download Submit
C:\Users\Admin\AppData\Local\Temp\hujzesy.exe

Filesize
60KB

MD5
5b07b8ef28f2a26b8a8a30e86944f7c9

SHA1
4c923be0ef7fabdabfdc9735997c67947902ad0c

SHA256
8d873afc7d3b2158944b7d74cc2a19739dbd49b7a2e5b408a2fe331106788a17

SHA512
b18d0a37e60447a97099dd8f68061283fe2f83e443e5ab48abe68b5de6f23c13a167fe90d25d3a39ad3a6b5f4e5cdec06223b6ab2fb8acdf7b69c09310bf291b

Download Submit
C:\Users\Admin\AppData\Local\Temp\hujzesy.exe

Filesize
60KB

MD5
5b07b8ef28f2a26b8a8a30e86944f7c9

SHA1
4c923be0ef7fabdabfdc9735997c67947902ad0c

SHA256
8d873afc7d3b2158944b7d74cc2a19739dbd49b7a2e5b408a2fe331106788a17

SHA512
b18d0a37e60447a97099dd8f68061283fe2f83e443e5ab48abe68b5de6f23c13a167fe90d25d3a39ad3a6b5f4e5cdec06223b6ab2fb8acdf7b69c09310bf291b

Download Submit
memory/404-142-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/404-145-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/404-146-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/404-147-0x0000000000EA0000-0x00000000011EA000-memory.dmp

Filesize
3.3MB

Download
memory/404-148-0x0000000000990000-0x00000000009A0000-memory.dmp

Filesize
64KB

Download
memory/404-151-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1292-187-0x00000000074D0000-0x00000000074E0000-memory.dmp

Filesize
64KB

Download
memory/1292-198-0x0000000002A00000-0x0000000002A10000-memory.dmp

Filesize
64KB

Download
memory/1292-239-0x0000000002840000-0x0000000002850000-memory.dmp

Filesize
64KB

Download
memory/1292-238-0x0000000002840000-0x0000000002850000-memory.dmp

Filesize
64KB

Download
memory/1292-237-0x0000000002830000-0x0000000002832000-memory.dmp

Filesize
8KB

Download
memory/1292-231-0x0000000002A00000-0x0000000002A10000-memory.dmp

Filesize
64KB

Download
memory/1292-160-0x0000000002A00000-0x0000000002A10000-memory.dmp

Filesize
64KB

Download
memory/1292-161-0x0000000002A00000-0x0000000002A10000-memory.dmp

Filesize
64KB

Download
memory/1292-162-0x0000000002A00000-0x0000000002A10000-memory.dmp

Filesize
64KB

Download
memory/1292-163-0x0000000002A00000-0x0000000002A10000-memory.dmp

Filesize
64KB

Download
memory/1292-164-0x0000000002A00000-0x0000000002A10000-memory.dmp

Filesize
64KB

Download
memory/1292-166-0x0000000002A00000-0x0000000002A10000-memory.dmp

Filesize
64KB

Download
memory/1292-169-0x0000000002A00000-0x0000000002A10000-memory.dmp

Filesize
64KB

Download
memory/1292-170-0x0000000002A00000-0x0000000002A10000-memory.dmp

Filesize
64KB

Download
memory/1292-171-0x0000000002A00000-0x0000000002A10000-memory.dmp

Filesize
64KB

Download
memory/1292-172-0x0000000002A00000-0x0000000002A10000-memory.dmp

Filesize
64KB

Download
memory/1292-173-0x0000000002A00000-0x0000000002A10000-memory.dmp

Filesize
64KB

Download
memory/1292-175-0x0000000002A00000-0x0000000002A10000-memory.dmp

Filesize
64KB

Download
memory/1292-176-0x0000000002A00000-0x0000000002A10000-memory.dmp

Filesize
64KB

Download
memory/1292-177-0x0000000002A00000-0x0000000002A10000-memory.dmp

Filesize
64KB

Download
memory/1292-179-0x0000000002A00000-0x0000000002A10000-memory.dmp

Filesize
64KB

Download
memory/1292-180-0x00000000081C0000-0x00000000082B6000-memory.dmp

Filesize
984KB

Download
memory/1292-182-0x00000000074D0000-0x00000000074E0000-memory.dmp

Filesize
64KB

Download
memory/1292-183-0x00000000074D0000-0x00000000074E0000-memory.dmp

Filesize
64KB

Download
memory/1292-181-0x0000000002A00000-0x0000000002A10000-memory.dmp

Filesize
64KB

Download
memory/1292-185-0x00000000074D0000-0x00000000074E0000-memory.dmp

Filesize
64KB

Download
memory/1292-186-0x00000000074D0000-0x00000000074E0000-memory.dmp

Filesize
64KB

Download
memory/1292-149-0x0000000002D60000-0x0000000002E41000-memory.dmp

Filesize
900KB

Download
memory/1292-193-0x0000000002A00000-0x0000000002A10000-memory.dmp

Filesize
64KB

Download
memory/1292-194-0x0000000002A00000-0x0000000002A10000-memory.dmp

Filesize
64KB

Download
memory/1292-195-0x0000000002A00000-0x0000000002A10000-memory.dmp

Filesize
64KB

Download
memory/1292-196-0x0000000002A00000-0x0000000002A10000-memory.dmp

Filesize
64KB

Download
memory/1292-197-0x0000000002A00000-0x0000000002A10000-memory.dmp

Filesize
64KB

Download
memory/1292-157-0x00000000081C0000-0x00000000082B6000-memory.dmp

Filesize
984KB

Download
memory/1292-199-0x0000000002A00000-0x0000000002A10000-memory.dmp

Filesize
64KB

Download
memory/1292-200-0x0000000002A00000-0x0000000002A10000-memory.dmp

Filesize
64KB

Download
memory/1292-201-0x0000000002A00000-0x0000000002A10000-memory.dmp

Filesize
64KB

Download
memory/1292-202-0x0000000002A00000-0x0000000002A10000-memory.dmp

Filesize
64KB

Download
memory/1292-203-0x0000000002A00000-0x0000000002A10000-memory.dmp

Filesize
64KB

Download
memory/1292-204-0x0000000002A00000-0x0000000002A10000-memory.dmp

Filesize
64KB

Download
memory/1292-205-0x0000000002A00000-0x0000000002A10000-memory.dmp

Filesize
64KB

Download
memory/1292-206-0x0000000002A00000-0x0000000002A10000-memory.dmp

Filesize
64KB

Download
memory/1292-207-0x0000000002A00000-0x0000000002A10000-memory.dmp

Filesize
64KB

Download
memory/1292-208-0x0000000002A00000-0x0000000002A10000-memory.dmp

Filesize
64KB

Download
memory/1292-209-0x00000000074B0000-0x00000000074B2000-memory.dmp

Filesize
8KB

Download
memory/1292-210-0x00000000074D0000-0x00000000074E0000-memory.dmp

Filesize
64KB

Download
memory/1292-211-0x00000000074D0000-0x00000000074E0000-memory.dmp

Filesize
64KB

Download
memory/1292-213-0x00000000074D0000-0x00000000074E0000-memory.dmp

Filesize
64KB

Download
memory/1292-214-0x00000000074D0000-0x00000000074E0000-memory.dmp

Filesize
64KB

Download
memory/1292-215-0x00000000074D0000-0x00000000074E0000-memory.dmp

Filesize
64KB

Download
memory/1292-221-0x0000000002A00000-0x0000000002A10000-memory.dmp

Filesize
64KB

Download
memory/1292-222-0x0000000002A00000-0x0000000002A10000-memory.dmp

Filesize
64KB

Download
memory/1292-223-0x0000000002A00000-0x0000000002A10000-memory.dmp

Filesize
64KB

Download
memory/1292-226-0x0000000002A00000-0x0000000002A10000-memory.dmp

Filesize
64KB

Download
memory/1292-225-0x0000000002A00000-0x0000000002A10000-memory.dmp

Filesize
64KB

Download
memory/1292-224-0x0000000002A00000-0x0000000002A10000-memory.dmp

Filesize
64KB

Download
memory/1292-227-0x0000000002A00000-0x0000000002A10000-memory.dmp

Filesize
64KB

Download
memory/1292-229-0x0000000002A00000-0x0000000002A10000-memory.dmp

Filesize
64KB

Download
memory/1292-228-0x0000000002A00000-0x0000000002A10000-memory.dmp

Filesize
64KB

Download
memory/1292-230-0x0000000002A00000-0x0000000002A10000-memory.dmp

Filesize
64KB

Download
memory/2416-155-0x0000000001700000-0x0000000001A4A000-memory.dmp

Filesize
3.3MB

Download
memory/2416-154-0x00000000009C0000-0x00000000009ED000-memory.dmp

Filesize
180KB

Download
memory/2416-153-0x0000000000F40000-0x0000000000F4E000-memory.dmp

Filesize
56KB

Download
memory/2416-150-0x0000000000F40000-0x0000000000F4E000-memory.dmp

Filesize
56KB

Download
memory/2416-156-0x00000000012D0000-0x000000000135F000-memory.dmp

Filesize
572KB

Download