c98f14574b0e0462673d8f68b2036c61897f122ad0bab43876a6c7a937709c84

Analysis

max time kernel
152s
max time network
97s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
02/10/2022, 10:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c98f14574b0e0462673d8f68b2036c61897f122ad0bab43876a6c7a937709c84.exe
Size

671KB
MD5

6d537427f6034e24ed5843b54110fb30
SHA1

78669f8ccd43394cca342f80be7f204febea52a9
SHA256

c98f14574b0e0462673d8f68b2036c61897f122ad0bab43876a6c7a937709c84
SHA512

dbcb64650b148ea45818be5947f3116ab5936c53dd80fb082939cbe4853d987514bf04f0f22e86a4f7791de97757a77f2a8bfefe9fe5602cded80984d71c1199
SSDEEP

12288:VHjcoe9PH96vB/fAuBcm9TyOE/xG3muGx44MG4Yx:VDgINfAuBcgcZG2uG24MG4Y

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2044	nedasep.exe
2024	~DFA69.tmp
440	afkuoop.exe

Deletes itself 1 IoCs

pid	Process
1980	cmd.exe

Loads dropped DLL 3 IoCs

pid	Process
240	c98f14574b0e0462673d8f68b2036c61897f122ad0bab43876a6c7a937709c84.exe
2044	nedasep.exe
2024	~DFA69.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
440	afkuoop.exe
440	afkuoop.exe
440	afkuoop.exe
440	afkuoop.exe
440	afkuoop.exe
440	afkuoop.exe
440	afkuoop.exe
440	afkuoop.exe
440	afkuoop.exe
440	afkuoop.exe
440	afkuoop.exe
440	afkuoop.exe
440	afkuoop.exe
440	afkuoop.exe
440	afkuoop.exe
440	afkuoop.exe
440	afkuoop.exe
440	afkuoop.exe
440	afkuoop.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2024	~DFA69.tmp

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 240 wrote to memory of 2044	240	c98f14574b0e0462673d8f68b2036c61897f122ad0bab43876a6c7a937709c84.exe	28
PID 240 wrote to memory of 2044	240	c98f14574b0e0462673d8f68b2036c61897f122ad0bab43876a6c7a937709c84.exe	28
PID 240 wrote to memory of 2044	240	c98f14574b0e0462673d8f68b2036c61897f122ad0bab43876a6c7a937709c84.exe	28
PID 240 wrote to memory of 2044	240	c98f14574b0e0462673d8f68b2036c61897f122ad0bab43876a6c7a937709c84.exe	28
PID 2044 wrote to memory of 2024	2044	nedasep.exe	31
PID 2044 wrote to memory of 2024	2044	nedasep.exe	31
PID 2044 wrote to memory of 2024	2044	nedasep.exe	31
PID 2044 wrote to memory of 2024	2044	nedasep.exe	31
PID 240 wrote to memory of 1980	240	c98f14574b0e0462673d8f68b2036c61897f122ad0bab43876a6c7a937709c84.exe	30
PID 240 wrote to memory of 1980	240	c98f14574b0e0462673d8f68b2036c61897f122ad0bab43876a6c7a937709c84.exe	30
PID 240 wrote to memory of 1980	240	c98f14574b0e0462673d8f68b2036c61897f122ad0bab43876a6c7a937709c84.exe	30
PID 240 wrote to memory of 1980	240	c98f14574b0e0462673d8f68b2036c61897f122ad0bab43876a6c7a937709c84.exe	30
PID 2024 wrote to memory of 440	2024	~DFA69.tmp	32
PID 2024 wrote to memory of 440	2024	~DFA69.tmp	32
PID 2024 wrote to memory of 440	2024	~DFA69.tmp	32
PID 2024 wrote to memory of 440	2024	~DFA69.tmp	32

C:\Users\Admin\AppData\Local\Temp\c98f14574b0e0462673d8f68b2036c61897f122ad0bab43876a6c7a937709c84.exe
"C:\Users\Admin\AppData\Local\Temp\c98f14574b0e0462673d8f68b2036c61897f122ad0bab43876a6c7a937709c84.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:240
- C:\Users\Admin\AppData\Local\Temp\nedasep.exe
  C:\Users\Admin\AppData\Local\Temp\nedasep.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2044
- - C:\Users\Admin\AppData\Local\Temp\~DFA69.tmp
    C:\Users\Admin\AppData\Local\Temp\~DFA69.tmp OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2024
  - - C:\Users\Admin\AppData\Local\Temp\afkuoop.exe
      "C:\Users\Admin\AppData\Local\Temp\afkuoop.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:440
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
  2⤵
  - Deletes itself
  PID:1980

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uninsep.bat

Filesize
341B

MD5
8026c8b31d429c9359ca5eb7efc59e42

SHA1
ae41b4321738f2ce318b5103386f1e33d513d462

SHA256
baafe23583b3738d66492675a3851ec55b4d5407f28670aa1d3ce29f7c15d1d5

SHA512
9e6a74cab0ea8ca853eba1647f6b92300b9f6c42f8ddc6c70b15afa56670245ca220ac000b58c49557e75d623c79759b86140f77cbc10756dccef099e658f554

Download Submit
C:\Users\Admin\AppData\Local\Temp\afkuoop.exe

Filesize
392KB

MD5
679e0d7f129ff2f804b00357cf1777a7

SHA1
45d9bc233f576e53c9cb4c59c53eecdcb885436b

SHA256
080788e9fe3fb6384bc0a744aa0ec482d0463eb913c6cfbbf4c249ec41a6c92c

SHA512
600840dd71fa90479b1c39762065b3687e97d34bc96668407c39bb702f9c222a4b3f4bdf7078dfa496898d364464a4c4b25f483befb74e3fc0aced01a40a9f70

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
86bb2dbeaef655893262f3c041f6afe2

SHA1
1b26ff1241c1353bd506c18bd0c11878076ba65d

SHA256
4a57643d2c59d1235bc0926f845583f39345839e3e9428ad619eb4b6baf96ad2

SHA512
58294cfaa5882a4c5625c03fe6f9e4882912b31f7169241f95626745d66c0a746083a9044365943d66ae7a420113d28c0ddd642c4ed697c683deb63796a13d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
480B

MD5
03455c9718128602f8185ac512cd6545

SHA1
cf671d96f2226e2a6becaa286ef51c28b28a38d3

SHA256
1f6497e77a80eadb03f54ccb05a0dc25da1e583defe9f9f95040eaeb0613f757

SHA512
570b7d69bf4c40ff35f8788205cd561129e0437b5529b4ba5668793d4e041c2bbe677b339036af93e68eadeea2b96a083cabed0d1f2f9002e97d9cc5cb62dab9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nedasep.exe

Filesize
676KB

MD5
d26497f5246568566db0082bd74132f9

SHA1
33da8c55d2f4edd5bbafbef9829aaf6586d2de30

SHA256
f7a382e506bfd1af87d7a6e7cf5aa042ed3795b14bb163084f444512d80cfd18

SHA512
e65092e9ad53ad854e83f8667b7207da1083d760ee31a839c15c94826682fe6cc6225d539f7b6bcd12abe4e0154bdf6586bc6f51c3eced8f4c17ee47dd454567

Download Submit
C:\Users\Admin\AppData\Local\Temp\nedasep.exe

Filesize
676KB

MD5
d26497f5246568566db0082bd74132f9

SHA1
33da8c55d2f4edd5bbafbef9829aaf6586d2de30

SHA256
f7a382e506bfd1af87d7a6e7cf5aa042ed3795b14bb163084f444512d80cfd18

SHA512
e65092e9ad53ad854e83f8667b7207da1083d760ee31a839c15c94826682fe6cc6225d539f7b6bcd12abe4e0154bdf6586bc6f51c3eced8f4c17ee47dd454567

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA69.tmp

Filesize
682KB

MD5
1365f20d233e69d7d6d6a365770e1e1c

SHA1
b620e37814e94a922af03b8cb2ab186bc07e5532

SHA256
a8ee8dc31ecbfccb1d8046a01070f26506ecd543fb133adc18a6e633976058e6

SHA512
9bcea1de2fda11eb058a773eb2ea429ff028f1889ff073fe9c92f872c85da7021821d4f3854b1260986fa2c07cb72f9f4e393b47f32a5bdb18f801a2010907c5

Download Submit
\Users\Admin\AppData\Local\Temp\afkuoop.exe

Filesize
392KB

MD5
679e0d7f129ff2f804b00357cf1777a7

SHA1
45d9bc233f576e53c9cb4c59c53eecdcb885436b

SHA256
080788e9fe3fb6384bc0a744aa0ec482d0463eb913c6cfbbf4c249ec41a6c92c

SHA512
600840dd71fa90479b1c39762065b3687e97d34bc96668407c39bb702f9c222a4b3f4bdf7078dfa496898d364464a4c4b25f483befb74e3fc0aced01a40a9f70

Download Submit
\Users\Admin\AppData\Local\Temp\nedasep.exe

Filesize
676KB

MD5
d26497f5246568566db0082bd74132f9

SHA1
33da8c55d2f4edd5bbafbef9829aaf6586d2de30

SHA256
f7a382e506bfd1af87d7a6e7cf5aa042ed3795b14bb163084f444512d80cfd18

SHA512
e65092e9ad53ad854e83f8667b7207da1083d760ee31a839c15c94826682fe6cc6225d539f7b6bcd12abe4e0154bdf6586bc6f51c3eced8f4c17ee47dd454567

Download Submit
\Users\Admin\AppData\Local\Temp\~DFA69.tmp

Filesize
682KB

MD5
1365f20d233e69d7d6d6a365770e1e1c

SHA1
b620e37814e94a922af03b8cb2ab186bc07e5532

SHA256
a8ee8dc31ecbfccb1d8046a01070f26506ecd543fb133adc18a6e633976058e6

SHA512
9bcea1de2fda11eb058a773eb2ea429ff028f1889ff073fe9c92f872c85da7021821d4f3854b1260986fa2c07cb72f9f4e393b47f32a5bdb18f801a2010907c5

Download Submit
memory/240-67-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/240-55-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/240-68-0x0000000001E50000-0x0000000001F2E000-memory.dmp

Filesize
888KB

Download
memory/240-54-0x00000000753C1000-0x00000000753C3000-memory.dmp

Filesize
8KB

Download
memory/440-79-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/2024-72-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/2024-74-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/2024-78-0x0000000003540000-0x000000000367E000-memory.dmp

Filesize
1.2MB

Download
memory/2044-73-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/2044-70-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/2044-71-0x0000000002C50000-0x0000000002D2E000-memory.dmp

Filesize
888KB

Download