fba1d7fef6d563c843efdbb38d1351d24e4126cb701e737e941d23b833a35bc3

Analysis

max time kernel
152s
max time network
81s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
02-10-2022 10:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fba1d7fef6d563c843efdbb38d1351d24e4126cb701e737e941d23b833a35bc3.exe
Size

676KB
MD5

53710fcf13c55244b8b28308aa535790
SHA1

71f5707b3de0d7d5cdf5721c9dc596565b1aeaf4
SHA256

fba1d7fef6d563c843efdbb38d1351d24e4126cb701e737e941d23b833a35bc3
SHA512

c075561538fc9030755b3dd8009894049c13df82ee4aab4262f0bb1e0dba51ae5484e8ccea63026214f451924536df157f2846e24b99e4491c0b00bff614f67b
SSDEEP

12288:VHjcoe9PH96vB/fAuBcm9TyOE/xG3muGx44MG4Yx:VDgINfAuBcgcZG2uG24MG4Y

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1912	wygowiu.exe
1424	~DFA55.tmp
1188	ajxuriu.exe

Deletes itself 1 IoCs

pid	Process
1772	cmd.exe

Loads dropped DLL 3 IoCs

pid	Process
1112	fba1d7fef6d563c843efdbb38d1351d24e4126cb701e737e941d23b833a35bc3.exe
1912	wygowiu.exe
1424	~DFA55.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
1188	ajxuriu.exe
1188	ajxuriu.exe
1188	ajxuriu.exe
1188	ajxuriu.exe
1188	ajxuriu.exe
1188	ajxuriu.exe
1188	ajxuriu.exe
1188	ajxuriu.exe
1188	ajxuriu.exe
1188	ajxuriu.exe
1188	ajxuriu.exe
1188	ajxuriu.exe
1188	ajxuriu.exe
1188	ajxuriu.exe
1188	ajxuriu.exe
1188	ajxuriu.exe
1188	ajxuriu.exe
1188	ajxuriu.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1424	~DFA55.tmp

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1112 wrote to memory of 1912	1112	fba1d7fef6d563c843efdbb38d1351d24e4126cb701e737e941d23b833a35bc3.exe	28
PID 1112 wrote to memory of 1912	1112	fba1d7fef6d563c843efdbb38d1351d24e4126cb701e737e941d23b833a35bc3.exe	28
PID 1112 wrote to memory of 1912	1112	fba1d7fef6d563c843efdbb38d1351d24e4126cb701e737e941d23b833a35bc3.exe	28
PID 1112 wrote to memory of 1912	1112	fba1d7fef6d563c843efdbb38d1351d24e4126cb701e737e941d23b833a35bc3.exe	28
PID 1912 wrote to memory of 1424	1912	wygowiu.exe	29
PID 1912 wrote to memory of 1424	1912	wygowiu.exe	29
PID 1912 wrote to memory of 1424	1912	wygowiu.exe	29
PID 1912 wrote to memory of 1424	1912	wygowiu.exe	29
PID 1112 wrote to memory of 1772	1112	fba1d7fef6d563c843efdbb38d1351d24e4126cb701e737e941d23b833a35bc3.exe	31
PID 1112 wrote to memory of 1772	1112	fba1d7fef6d563c843efdbb38d1351d24e4126cb701e737e941d23b833a35bc3.exe	31
PID 1112 wrote to memory of 1772	1112	fba1d7fef6d563c843efdbb38d1351d24e4126cb701e737e941d23b833a35bc3.exe	31
PID 1112 wrote to memory of 1772	1112	fba1d7fef6d563c843efdbb38d1351d24e4126cb701e737e941d23b833a35bc3.exe	31
PID 1424 wrote to memory of 1188	1424	~DFA55.tmp	32
PID 1424 wrote to memory of 1188	1424	~DFA55.tmp	32
PID 1424 wrote to memory of 1188	1424	~DFA55.tmp	32
PID 1424 wrote to memory of 1188	1424	~DFA55.tmp	32

C:\Users\Admin\AppData\Local\Temp\fba1d7fef6d563c843efdbb38d1351d24e4126cb701e737e941d23b833a35bc3.exe
"C:\Users\Admin\AppData\Local\Temp\fba1d7fef6d563c843efdbb38d1351d24e4126cb701e737e941d23b833a35bc3.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1112
- C:\Users\Admin\AppData\Local\Temp\wygowiu.exe
  C:\Users\Admin\AppData\Local\Temp\wygowiu.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1912
- - C:\Users\Admin\AppData\Local\Temp\~DFA55.tmp
    C:\Users\Admin\AppData\Local\Temp\~DFA55.tmp OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1424
  - - C:\Users\Admin\AppData\Local\Temp\ajxuriu.exe
      "C:\Users\Admin\AppData\Local\Temp\ajxuriu.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:1188
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
  2⤵
  - Deletes itself
  PID:1772

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uninsep.bat

Filesize
341B

MD5
9d03df1a932e95c281b176da1d180931

SHA1
5a1d9e8eca38d0e12f3f704c055530c28d1bc73f

SHA256
0f9c92343dc6ebc389bce72dc4f2c720d083c488aa96c5f3a1362c935fecaf62

SHA512
c9384acbc166e8421d45309a2bcf0c3efc71141d690119430236ba7657eb23175fed67b825d273f26db568a1b550fd1d8ee1a2902e28e374cf1113292521c2ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\ajxuriu.exe

Filesize
419KB

MD5
4599d908ad16c4afc32933da3650fbfd

SHA1
2738dd298da3f3e3a717472a1deb1f1ab15d61ea

SHA256
0a0d988375c4bbb98097a8283ad897a124c4706481fd91ce73e47d562a14a018

SHA512
b63bfcc52263dec9b95d21a7a2e2580955cac75aca90009a41d258f018032d352944e6cb94b37d119325829c24e1623773e8f203f08f4c2f208af8a660cd9a7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
86bb2dbeaef655893262f3c041f6afe2

SHA1
1b26ff1241c1353bd506c18bd0c11878076ba65d

SHA256
4a57643d2c59d1235bc0926f845583f39345839e3e9428ad619eb4b6baf96ad2

SHA512
58294cfaa5882a4c5625c03fe6f9e4882912b31f7169241f95626745d66c0a746083a9044365943d66ae7a420113d28c0ddd642c4ed697c683deb63796a13d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
480B

MD5
ec2c1c741794afc05c1685d7fd1b3cb6

SHA1
267b4fb5ec84d804fa2de0895dbb183ac0ef7408

SHA256
f5e28a144a648cc09794edd6573a76b010aab1efdd99669ba92929b07874dff9

SHA512
095637006e10fabbc8f2f8b9ace7c19c040a7c8184b2a631eb141f1c7c950e139fa67b183e8d255a778e392afce04c40e9d96eacf3774c43f6da08ce4aff018d

Download Submit
C:\Users\Admin\AppData\Local\Temp\wygowiu.exe

Filesize
680KB

MD5
0cf23edd1a4a1a57d861d1a6f6c155b8

SHA1
628f1cd3c94ad3af5759d59f2301c6b1bde8e174

SHA256
3a2f82139b3841ac7bb51bca87df280967c21880eea79ee2f4028ebbc88a221b

SHA512
78ecf34af7cec0f95b4ca8e22652c63bd9ddf73f1ca4622434b7fcadec834e8b6f570f9d569ceed05fdac0d2dcd2668d57832d72a4c01acddeada012701a620a

Download Submit
C:\Users\Admin\AppData\Local\Temp\wygowiu.exe

Filesize
680KB

MD5
0cf23edd1a4a1a57d861d1a6f6c155b8

SHA1
628f1cd3c94ad3af5759d59f2301c6b1bde8e174

SHA256
3a2f82139b3841ac7bb51bca87df280967c21880eea79ee2f4028ebbc88a221b

SHA512
78ecf34af7cec0f95b4ca8e22652c63bd9ddf73f1ca4622434b7fcadec834e8b6f570f9d569ceed05fdac0d2dcd2668d57832d72a4c01acddeada012701a620a

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA55.tmp

Filesize
685KB

MD5
d0dd95b506cafd22b4a9d7163b90c81b

SHA1
0b13d753dd067134b404e1f125f975edb765239f

SHA256
fc8aa19709b5d50359483ba27f59379c76ad5b822d3a115dfe530d8cb1765857

SHA512
56fb0ebc8f8a2ec8ac923c616dee7617304bee41c667ce0937de72a06d0542dd83271e33da83b8ae8ffd0ef7d96c4deb402b02b37fa6ff1d670fe27aea586a94

Download Submit
\Users\Admin\AppData\Local\Temp\ajxuriu.exe

Filesize
419KB

MD5
4599d908ad16c4afc32933da3650fbfd

SHA1
2738dd298da3f3e3a717472a1deb1f1ab15d61ea

SHA256
0a0d988375c4bbb98097a8283ad897a124c4706481fd91ce73e47d562a14a018

SHA512
b63bfcc52263dec9b95d21a7a2e2580955cac75aca90009a41d258f018032d352944e6cb94b37d119325829c24e1623773e8f203f08f4c2f208af8a660cd9a7e

Download Submit
\Users\Admin\AppData\Local\Temp\wygowiu.exe

Filesize
680KB

MD5
0cf23edd1a4a1a57d861d1a6f6c155b8

SHA1
628f1cd3c94ad3af5759d59f2301c6b1bde8e174

SHA256
3a2f82139b3841ac7bb51bca87df280967c21880eea79ee2f4028ebbc88a221b

SHA512
78ecf34af7cec0f95b4ca8e22652c63bd9ddf73f1ca4622434b7fcadec834e8b6f570f9d569ceed05fdac0d2dcd2668d57832d72a4c01acddeada012701a620a

Download Submit
\Users\Admin\AppData\Local\Temp\~DFA55.tmp

Filesize
685KB

MD5
d0dd95b506cafd22b4a9d7163b90c81b

SHA1
0b13d753dd067134b404e1f125f975edb765239f

SHA256
fc8aa19709b5d50359483ba27f59379c76ad5b822d3a115dfe530d8cb1765857

SHA512
56fb0ebc8f8a2ec8ac923c616dee7617304bee41c667ce0937de72a06d0542dd83271e33da83b8ae8ffd0ef7d96c4deb402b02b37fa6ff1d670fe27aea586a94

Download Submit
memory/1112-54-0x0000000076031000-0x0000000076033000-memory.dmp

Filesize
8KB

Download
memory/1112-68-0x0000000001E20000-0x0000000001EFE000-memory.dmp

Filesize
888KB

Download
memory/1112-67-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1112-55-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1188-79-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/1188-76-0x0000000000000000-mapping.dmp

Download
memory/1424-74-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1424-72-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1424-78-0x0000000003630000-0x000000000376E000-memory.dmp

Filesize
1.2MB

Download
memory/1424-63-0x0000000000000000-mapping.dmp

Download
memory/1772-66-0x0000000000000000-mapping.dmp

Download
memory/1912-73-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1912-71-0x0000000002BA0000-0x0000000002C7E000-memory.dmp

Filesize
888KB

Download
memory/1912-70-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1912-57-0x0000000000000000-mapping.dmp

Download