a667a6edf2ca03237aeb69702fb4fb686d6b21b6aa8774555d0d429a18025f8a

Analysis

max time kernel
149s
max time network
74s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
02/10/2022, 10:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a667a6edf2ca03237aeb69702fb4fb686d6b21b6aa8774555d0d429a18025f8a.exe
Size

652KB
MD5

6f3a1629c1e04c51b66eb63887f22e70
SHA1

fad3f8da060b92a81f9cfdeb2a6b0d7ed1a64067
SHA256

a667a6edf2ca03237aeb69702fb4fb686d6b21b6aa8774555d0d429a18025f8a
SHA512

4e3dea7c6d0f1933ba965d2925223aae2bb2a727fa3a653e3d1c1cf7af41dc8af56dafc8169484750f128217404b1b633bfd95e6fa33ef7e2baa460fee3ba5b8
SSDEEP

12288:VHjcoe9PH96vB/fAuBcm9TyOE/xG3muGx44MG4Yx:VDgINfAuBcgcZG2uG24MG4Y

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2044	ofvuja.exe
368	~DFA5B.tmp
1236	jyozna.exe

Deletes itself 1 IoCs

pid	Process
560	cmd.exe

Loads dropped DLL 3 IoCs

pid	Process
2016	a667a6edf2ca03237aeb69702fb4fb686d6b21b6aa8774555d0d429a18025f8a.exe
2044	ofvuja.exe
368	~DFA5B.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
1236	jyozna.exe
1236	jyozna.exe
1236	jyozna.exe
1236	jyozna.exe
1236	jyozna.exe
1236	jyozna.exe
1236	jyozna.exe
1236	jyozna.exe
1236	jyozna.exe
1236	jyozna.exe
1236	jyozna.exe
1236	jyozna.exe
1236	jyozna.exe
1236	jyozna.exe
1236	jyozna.exe
1236	jyozna.exe
1236	jyozna.exe
1236	jyozna.exe
1236	jyozna.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	368	~DFA5B.tmp

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2016 wrote to memory of 2044	2016	a667a6edf2ca03237aeb69702fb4fb686d6b21b6aa8774555d0d429a18025f8a.exe	26
PID 2016 wrote to memory of 2044	2016	a667a6edf2ca03237aeb69702fb4fb686d6b21b6aa8774555d0d429a18025f8a.exe	26
PID 2016 wrote to memory of 2044	2016	a667a6edf2ca03237aeb69702fb4fb686d6b21b6aa8774555d0d429a18025f8a.exe	26
PID 2016 wrote to memory of 2044	2016	a667a6edf2ca03237aeb69702fb4fb686d6b21b6aa8774555d0d429a18025f8a.exe	26
PID 2044 wrote to memory of 368	2044	ofvuja.exe	27
PID 2044 wrote to memory of 368	2044	ofvuja.exe	27
PID 2044 wrote to memory of 368	2044	ofvuja.exe	27
PID 2044 wrote to memory of 368	2044	ofvuja.exe	27
PID 2016 wrote to memory of 560	2016	a667a6edf2ca03237aeb69702fb4fb686d6b21b6aa8774555d0d429a18025f8a.exe	28
PID 2016 wrote to memory of 560	2016	a667a6edf2ca03237aeb69702fb4fb686d6b21b6aa8774555d0d429a18025f8a.exe	28
PID 2016 wrote to memory of 560	2016	a667a6edf2ca03237aeb69702fb4fb686d6b21b6aa8774555d0d429a18025f8a.exe	28
PID 2016 wrote to memory of 560	2016	a667a6edf2ca03237aeb69702fb4fb686d6b21b6aa8774555d0d429a18025f8a.exe	28
PID 368 wrote to memory of 1236	368	~DFA5B.tmp	30
PID 368 wrote to memory of 1236	368	~DFA5B.tmp	30
PID 368 wrote to memory of 1236	368	~DFA5B.tmp	30
PID 368 wrote to memory of 1236	368	~DFA5B.tmp	30

C:\Users\Admin\AppData\Local\Temp\a667a6edf2ca03237aeb69702fb4fb686d6b21b6aa8774555d0d429a18025f8a.exe
"C:\Users\Admin\AppData\Local\Temp\a667a6edf2ca03237aeb69702fb4fb686d6b21b6aa8774555d0d429a18025f8a.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2016
- C:\Users\Admin\AppData\Local\Temp\ofvuja.exe
  C:\Users\Admin\AppData\Local\Temp\ofvuja.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2044
- - C:\Users\Admin\AppData\Local\Temp\~DFA5B.tmp
    C:\Users\Admin\AppData\Local\Temp\~DFA5B.tmp OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:368
  - - C:\Users\Admin\AppData\Local\Temp\jyozna.exe
      "C:\Users\Admin\AppData\Local\Temp\jyozna.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:1236
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
  2⤵
  - Deletes itself
  PID:560

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uninsep.bat

Filesize
341B

MD5
a3afb3a72a76309fdb7b5edfbf8174bd

SHA1
14c989e990b45ccbffb11842c1b01f7794796109

SHA256
6a25d4cd25b72dc540940112509ec579167c59d46eb3b6b5050659c21d9e5db2

SHA512
8e2c01e83f05f3af185cc142ac9a029beda69a2923b4505058cb840d12ec15047cdf4ced409fb61e23816c32e4c40704eae1bfe43b0cf9af8fc7c10fdcf41a18

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
86bb2dbeaef655893262f3c041f6afe2

SHA1
1b26ff1241c1353bd506c18bd0c11878076ba65d

SHA256
4a57643d2c59d1235bc0926f845583f39345839e3e9428ad619eb4b6baf96ad2

SHA512
58294cfaa5882a4c5625c03fe6f9e4882912b31f7169241f95626745d66c0a746083a9044365943d66ae7a420113d28c0ddd642c4ed697c683deb63796a13d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
480B

MD5
b52a355190cece1691a59036e0b346ed

SHA1
132b8830f17f67c49d9dc6ce3a65c68042aeb59a

SHA256
766ed905f5a902362b508f8101b2c2d47d5c1682fab22cf037baabb26f3e2fad

SHA512
bb4e6179efb5ecbecd4a775e26c3ed2e7999ec8624f105780873f7bbc8314f1aa3badc56280a082b1092446dd3bd00d871a67eac944657f3444729fa56188b5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\jyozna.exe

Filesize
402KB

MD5
0a1e49dc2a186b5d56203278c6d9877c

SHA1
bc8644e70853dde1f83a1b0c4b737f318a132739

SHA256
df5fb10d7e7a771b88ac14cc3b6292b4490540ff326f51a4bf76c8a36b73b560

SHA512
f91fc7dce37a9f54be7798a3c207803282a05831df7619af2833d54f404995238eb07dfc447a7724aafdbfdaaa1f1e113c6ef19f69771a5e4c052a54f3e5ec00

Download Submit
C:\Users\Admin\AppData\Local\Temp\ofvuja.exe

Filesize
653KB

MD5
011072872ee68700e065da7880f17cac

SHA1
59f2b27219a488c1e06438c4d20ffb6622d09a36

SHA256
3dd5244ba5f87d8ce15d3ce62c634bbad9c1bc48b126b12f269c86a0817c9096

SHA512
746214ca7a7fe8272b7bc6e579a67b1b906924f6d6c36d7e9d80c2b20b23582381d6a4ef2f54e1c9c7f09a45bd39857ef2373978d3ec829664c490d8d5765e88

Download Submit
C:\Users\Admin\AppData\Local\Temp\ofvuja.exe

Filesize
653KB

MD5
011072872ee68700e065da7880f17cac

SHA1
59f2b27219a488c1e06438c4d20ffb6622d09a36

SHA256
3dd5244ba5f87d8ce15d3ce62c634bbad9c1bc48b126b12f269c86a0817c9096

SHA512
746214ca7a7fe8272b7bc6e579a67b1b906924f6d6c36d7e9d80c2b20b23582381d6a4ef2f54e1c9c7f09a45bd39857ef2373978d3ec829664c490d8d5765e88

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA5B.tmp

Filesize
655KB

MD5
c3a5f4c452b2cc45a91e3c1cbb1aea1d

SHA1
0723b0145c420c3ceff7fc7f1cbc071f57e5a7e8

SHA256
b17b650ab825e53d8add59da66a941cf6bd2456acc686336b480b932e01243f8

SHA512
ea7434a2e163581765a9485600f1817c8c1bea245dc64d17d4a0a86f89f9dacbb433671b190d369cfad459f9ae03d1cf9a2a30eb1a3d100737d77c3457a51b00

Download Submit
\Users\Admin\AppData\Local\Temp\jyozna.exe

Filesize
402KB

MD5
0a1e49dc2a186b5d56203278c6d9877c

SHA1
bc8644e70853dde1f83a1b0c4b737f318a132739

SHA256
df5fb10d7e7a771b88ac14cc3b6292b4490540ff326f51a4bf76c8a36b73b560

SHA512
f91fc7dce37a9f54be7798a3c207803282a05831df7619af2833d54f404995238eb07dfc447a7724aafdbfdaaa1f1e113c6ef19f69771a5e4c052a54f3e5ec00

Download Submit
\Users\Admin\AppData\Local\Temp\ofvuja.exe

Filesize
653KB

MD5
011072872ee68700e065da7880f17cac

SHA1
59f2b27219a488c1e06438c4d20ffb6622d09a36

SHA256
3dd5244ba5f87d8ce15d3ce62c634bbad9c1bc48b126b12f269c86a0817c9096

SHA512
746214ca7a7fe8272b7bc6e579a67b1b906924f6d6c36d7e9d80c2b20b23582381d6a4ef2f54e1c9c7f09a45bd39857ef2373978d3ec829664c490d8d5765e88

Download Submit
\Users\Admin\AppData\Local\Temp\~DFA5B.tmp

Filesize
655KB

MD5
c3a5f4c452b2cc45a91e3c1cbb1aea1d

SHA1
0723b0145c420c3ceff7fc7f1cbc071f57e5a7e8

SHA256
b17b650ab825e53d8add59da66a941cf6bd2456acc686336b480b932e01243f8

SHA512
ea7434a2e163581765a9485600f1817c8c1bea245dc64d17d4a0a86f89f9dacbb433671b190d369cfad459f9ae03d1cf9a2a30eb1a3d100737d77c3457a51b00

Download Submit
memory/368-74-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/368-72-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/368-79-0x0000000003610000-0x000000000374E000-memory.dmp

Filesize
1.2MB

Download
memory/1236-80-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/2016-55-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/2016-68-0x0000000001ED0000-0x0000000001FAE000-memory.dmp

Filesize
888KB

Download
memory/2016-67-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/2016-54-0x0000000075A71000-0x0000000075A73000-memory.dmp

Filesize
8KB

Download
memory/2044-70-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/2044-73-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/2044-71-0x0000000002140000-0x000000000221E000-memory.dmp

Filesize
888KB

Download