dcabcf28c3370f7d0f7fd4e703438eda8170d6ed109c7031ed20d429a5c45889

Analysis

max time kernel
152s
max time network
73s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
02/10/2022, 10:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dcabcf28c3370f7d0f7fd4e703438eda8170d6ed109c7031ed20d429a5c45889.exe
Size

648KB
MD5

6ff0b369bec9860c453265df4ce19d50
SHA1

beaac1b2427f610c99136f379b776f9c0224f9b3
SHA256

dcabcf28c3370f7d0f7fd4e703438eda8170d6ed109c7031ed20d429a5c45889
SHA512

c01220d0a81f6e4d8c04516285d02e731df9b13356df224c3358c4981e86c74fc37a1dfa0a89c64db46a6d2da7bb17f3cb805506858642e4733f9f14b0f124ac
SSDEEP

12288:VHjcoe9PH96vB/fAuBcm9TyOE/xG3muGx44MG4Yx:VDgINfAuBcgcZG2uG24MG4Y

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1372	yldige.exe
1688	~DFA50.tmp
340	adzuxy.exe

Deletes itself 1 IoCs

pid	Process
972	cmd.exe

Loads dropped DLL 3 IoCs

pid	Process
2032	dcabcf28c3370f7d0f7fd4e703438eda8170d6ed109c7031ed20d429a5c45889.exe
1372	yldige.exe
1688	~DFA50.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
340	adzuxy.exe
340	adzuxy.exe
340	adzuxy.exe
340	adzuxy.exe
340	adzuxy.exe
340	adzuxy.exe
340	adzuxy.exe
340	adzuxy.exe
340	adzuxy.exe
340	adzuxy.exe
340	adzuxy.exe
340	adzuxy.exe
340	adzuxy.exe
340	adzuxy.exe
340	adzuxy.exe
340	adzuxy.exe
340	adzuxy.exe
340	adzuxy.exe
340	adzuxy.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1688	~DFA50.tmp

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2032 wrote to memory of 1372	2032	dcabcf28c3370f7d0f7fd4e703438eda8170d6ed109c7031ed20d429a5c45889.exe	28
PID 2032 wrote to memory of 1372	2032	dcabcf28c3370f7d0f7fd4e703438eda8170d6ed109c7031ed20d429a5c45889.exe	28
PID 2032 wrote to memory of 1372	2032	dcabcf28c3370f7d0f7fd4e703438eda8170d6ed109c7031ed20d429a5c45889.exe	28
PID 2032 wrote to memory of 1372	2032	dcabcf28c3370f7d0f7fd4e703438eda8170d6ed109c7031ed20d429a5c45889.exe	28
PID 1372 wrote to memory of 1688	1372	yldige.exe	29
PID 1372 wrote to memory of 1688	1372	yldige.exe	29
PID 1372 wrote to memory of 1688	1372	yldige.exe	29
PID 1372 wrote to memory of 1688	1372	yldige.exe	29
PID 2032 wrote to memory of 972	2032	dcabcf28c3370f7d0f7fd4e703438eda8170d6ed109c7031ed20d429a5c45889.exe	30
PID 2032 wrote to memory of 972	2032	dcabcf28c3370f7d0f7fd4e703438eda8170d6ed109c7031ed20d429a5c45889.exe	30
PID 2032 wrote to memory of 972	2032	dcabcf28c3370f7d0f7fd4e703438eda8170d6ed109c7031ed20d429a5c45889.exe	30
PID 2032 wrote to memory of 972	2032	dcabcf28c3370f7d0f7fd4e703438eda8170d6ed109c7031ed20d429a5c45889.exe	30
PID 1688 wrote to memory of 340	1688	~DFA50.tmp	32
PID 1688 wrote to memory of 340	1688	~DFA50.tmp	32
PID 1688 wrote to memory of 340	1688	~DFA50.tmp	32
PID 1688 wrote to memory of 340	1688	~DFA50.tmp	32

C:\Users\Admin\AppData\Local\Temp\dcabcf28c3370f7d0f7fd4e703438eda8170d6ed109c7031ed20d429a5c45889.exe
"C:\Users\Admin\AppData\Local\Temp\dcabcf28c3370f7d0f7fd4e703438eda8170d6ed109c7031ed20d429a5c45889.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2032
- C:\Users\Admin\AppData\Local\Temp\yldige.exe
  C:\Users\Admin\AppData\Local\Temp\yldige.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1372
- - C:\Users\Admin\AppData\Local\Temp\~DFA50.tmp
    C:\Users\Admin\AppData\Local\Temp\~DFA50.tmp OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1688
  - - C:\Users\Admin\AppData\Local\Temp\adzuxy.exe
      "C:\Users\Admin\AppData\Local\Temp\adzuxy.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:340
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
  2⤵
  - Deletes itself
  PID:972

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uninsep.bat

Filesize
341B

MD5
238823a9fab0e2ac77cf5c5ef4621de9

SHA1
2ddbc7cc4a324eab9131bfdb809b625c65bbe632

SHA256
53528b70be12a27b051b5317fbdf34db20d36fdd6b83a0b458e6f4d097110683

SHA512
a7eb1f851450cd25751478aea279b970831f5ca267efe16ef5f6dc092259950f8f288cd7d8a78f19bfa61a53c10463c0ba770b4463d288292aaa9b20902d4807

Download Submit
C:\Users\Admin\AppData\Local\Temp\adzuxy.exe

Filesize
385KB

MD5
2b32b96e71ab28206e953057697d5b91

SHA1
67d38fea455e912ad721c353b1c28b7931d1fd68

SHA256
ed9d78812b02c13e25715c9195f5f7bdc1620797dae46795f7d295206a6139d0

SHA512
b8ae6284d894d29d9a9d9f294d21e985b79397910abf1c1d9f20b1dfa5e00452fb6254346d62e99eefc488ff1ba8190e08cb40a846cc036de02ecbd30be495f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
86bb2dbeaef655893262f3c041f6afe2

SHA1
1b26ff1241c1353bd506c18bd0c11878076ba65d

SHA256
4a57643d2c59d1235bc0926f845583f39345839e3e9428ad619eb4b6baf96ad2

SHA512
58294cfaa5882a4c5625c03fe6f9e4882912b31f7169241f95626745d66c0a746083a9044365943d66ae7a420113d28c0ddd642c4ed697c683deb63796a13d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
480B

MD5
af0889c8c70dbeefaf249a61cf7717e9

SHA1
64a40a2fb67c76af0b2db71df33e3dd0390bc13a

SHA256
32edef817aaf92a02c9dd7a9343fa7f1fd079fc73d0c632e5b9aefb60c1fbe0a

SHA512
c23d64fd4ebe15a798d79ed6f55c436e453895c3a2ca8c2136ebfdfa1c77c02c3018d3ef3c92c3397d5f6f1ebaa9d4c44b0825bb3e63f94dd244a5f0d4c0dbe9

Download Submit
C:\Users\Admin\AppData\Local\Temp\yldige.exe

Filesize
658KB

MD5
f4e9d4afda831fce8e4eebb05906e2d0

SHA1
9005ee24f4b0a034870f1e24562215944c70199e

SHA256
1f8aa2d09bda06920be37c6966631169b43b71435d2f6b9b97cb9952577c70bc

SHA512
682ce19ca4bea7a7c19e7597a1c759113f0b917195035b8dfce337877aa03666207da928eec6c6466f77b6595587c25ebed1c5bc1126c52ef33c0eeeedcb330b

Download Submit
C:\Users\Admin\AppData\Local\Temp\yldige.exe

Filesize
658KB

MD5
f4e9d4afda831fce8e4eebb05906e2d0

SHA1
9005ee24f4b0a034870f1e24562215944c70199e

SHA256
1f8aa2d09bda06920be37c6966631169b43b71435d2f6b9b97cb9952577c70bc

SHA512
682ce19ca4bea7a7c19e7597a1c759113f0b917195035b8dfce337877aa03666207da928eec6c6466f77b6595587c25ebed1c5bc1126c52ef33c0eeeedcb330b

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA50.tmp

Filesize
658KB

MD5
7aa5cbd4e4c171111d62f7289b5bad0d

SHA1
5d706d1bf394ba0bda47e0715365fa23f3624f06

SHA256
243aefe02b304bf47c88ab4ac7c100b277ad0d7fee18d17667c9e3ea826da257

SHA512
f23a302c4585d51131c4fa1da7025307f00c2c00eabc6f2285c08c82e791f55ff4e5535d57f4f4bd1ac85ccbc4a0fd00fce390ba678728e0cf79e1b6b11174a6

Download Submit
\Users\Admin\AppData\Local\Temp\adzuxy.exe

Filesize
385KB

MD5
2b32b96e71ab28206e953057697d5b91

SHA1
67d38fea455e912ad721c353b1c28b7931d1fd68

SHA256
ed9d78812b02c13e25715c9195f5f7bdc1620797dae46795f7d295206a6139d0

SHA512
b8ae6284d894d29d9a9d9f294d21e985b79397910abf1c1d9f20b1dfa5e00452fb6254346d62e99eefc488ff1ba8190e08cb40a846cc036de02ecbd30be495f3

Download Submit
\Users\Admin\AppData\Local\Temp\yldige.exe

Filesize
658KB

MD5
f4e9d4afda831fce8e4eebb05906e2d0

SHA1
9005ee24f4b0a034870f1e24562215944c70199e

SHA256
1f8aa2d09bda06920be37c6966631169b43b71435d2f6b9b97cb9952577c70bc

SHA512
682ce19ca4bea7a7c19e7597a1c759113f0b917195035b8dfce337877aa03666207da928eec6c6466f77b6595587c25ebed1c5bc1126c52ef33c0eeeedcb330b

Download Submit
\Users\Admin\AppData\Local\Temp\~DFA50.tmp

Filesize
658KB

MD5
7aa5cbd4e4c171111d62f7289b5bad0d

SHA1
5d706d1bf394ba0bda47e0715365fa23f3624f06

SHA256
243aefe02b304bf47c88ab4ac7c100b277ad0d7fee18d17667c9e3ea826da257

SHA512
f23a302c4585d51131c4fa1da7025307f00c2c00eabc6f2285c08c82e791f55ff4e5535d57f4f4bd1ac85ccbc4a0fd00fce390ba678728e0cf79e1b6b11174a6

Download Submit
memory/340-80-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/1372-68-0x0000000002C60000-0x0000000002D3E000-memory.dmp

Filesize
888KB

Download
memory/1372-67-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1372-73-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1688-71-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1688-74-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1688-79-0x0000000003720000-0x000000000385E000-memory.dmp

Filesize
1.2MB

Download
memory/2032-70-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/2032-54-0x0000000076261000-0x0000000076263000-memory.dmp

Filesize
8KB

Download
memory/2032-66-0x00000000006E0000-0x00000000007BE000-memory.dmp

Filesize
888KB

Download
memory/2032-55-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download