5c073170c04c30363e9aa26a5079185d2750d4f6ba92ea5e9377c9dbdee4eb38

Analysis

max time kernel
151s
max time network
71s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
02/10/2022, 10:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5c073170c04c30363e9aa26a5079185d2750d4f6ba92ea5e9377c9dbdee4eb38.exe
Size

653KB
MD5

6f037d17c6329d9588780ec79f8e9340
SHA1

449dce3cb321e3a47b54265830b833e5625f37a1
SHA256

5c073170c04c30363e9aa26a5079185d2750d4f6ba92ea5e9377c9dbdee4eb38
SHA512

f195bb8962bda57898f6801e9071d8659d2bad8af22642e8b946072f6442ab05eee8c08d88f99a013e9ca28d96c233f0ecbe0a5b30e7e653a1f35de511eccf2d
SSDEEP

12288:VHjcoe9PH96vB/fAuBcm9TyOE/xG3muGx44MG4Yx:VDgINfAuBcgcZG2uG24MG4Y

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1932	buovpet.exe
2032	~DFA4F.tmp
1732	mogyxot.exe

Deletes itself 1 IoCs

pid	Process
1696	cmd.exe

Loads dropped DLL 3 IoCs

pid	Process
864	5c073170c04c30363e9aa26a5079185d2750d4f6ba92ea5e9377c9dbdee4eb38.exe
1932	buovpet.exe
2032	~DFA4F.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
1732	mogyxot.exe
1732	mogyxot.exe
1732	mogyxot.exe
1732	mogyxot.exe
1732	mogyxot.exe
1732	mogyxot.exe
1732	mogyxot.exe
1732	mogyxot.exe
1732	mogyxot.exe
1732	mogyxot.exe
1732	mogyxot.exe
1732	mogyxot.exe
1732	mogyxot.exe
1732	mogyxot.exe
1732	mogyxot.exe
1732	mogyxot.exe
1732	mogyxot.exe
1732	mogyxot.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2032	~DFA4F.tmp

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 864 wrote to memory of 1932	864	5c073170c04c30363e9aa26a5079185d2750d4f6ba92ea5e9377c9dbdee4eb38.exe	27
PID 864 wrote to memory of 1932	864	5c073170c04c30363e9aa26a5079185d2750d4f6ba92ea5e9377c9dbdee4eb38.exe	27
PID 864 wrote to memory of 1932	864	5c073170c04c30363e9aa26a5079185d2750d4f6ba92ea5e9377c9dbdee4eb38.exe	27
PID 864 wrote to memory of 1932	864	5c073170c04c30363e9aa26a5079185d2750d4f6ba92ea5e9377c9dbdee4eb38.exe	27
PID 1932 wrote to memory of 2032	1932	buovpet.exe	28
PID 1932 wrote to memory of 2032	1932	buovpet.exe	28
PID 1932 wrote to memory of 2032	1932	buovpet.exe	28
PID 1932 wrote to memory of 2032	1932	buovpet.exe	28
PID 864 wrote to memory of 1696	864	5c073170c04c30363e9aa26a5079185d2750d4f6ba92ea5e9377c9dbdee4eb38.exe	29
PID 864 wrote to memory of 1696	864	5c073170c04c30363e9aa26a5079185d2750d4f6ba92ea5e9377c9dbdee4eb38.exe	29
PID 864 wrote to memory of 1696	864	5c073170c04c30363e9aa26a5079185d2750d4f6ba92ea5e9377c9dbdee4eb38.exe	29
PID 864 wrote to memory of 1696	864	5c073170c04c30363e9aa26a5079185d2750d4f6ba92ea5e9377c9dbdee4eb38.exe	29
PID 2032 wrote to memory of 1732	2032	~DFA4F.tmp	31
PID 2032 wrote to memory of 1732	2032	~DFA4F.tmp	31
PID 2032 wrote to memory of 1732	2032	~DFA4F.tmp	31
PID 2032 wrote to memory of 1732	2032	~DFA4F.tmp	31

C:\Users\Admin\AppData\Local\Temp\5c073170c04c30363e9aa26a5079185d2750d4f6ba92ea5e9377c9dbdee4eb38.exe
"C:\Users\Admin\AppData\Local\Temp\5c073170c04c30363e9aa26a5079185d2750d4f6ba92ea5e9377c9dbdee4eb38.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:864
- C:\Users\Admin\AppData\Local\Temp\buovpet.exe
  C:\Users\Admin\AppData\Local\Temp\buovpet.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1932
- - C:\Users\Admin\AppData\Local\Temp\~DFA4F.tmp
    C:\Users\Admin\AppData\Local\Temp\~DFA4F.tmp OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2032
  - - C:\Users\Admin\AppData\Local\Temp\mogyxot.exe
      "C:\Users\Admin\AppData\Local\Temp\mogyxot.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:1732
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
  2⤵
  - Deletes itself
  PID:1696

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uninsep.bat

Filesize
341B

MD5
727a8a11bbc13b55c31696ee7f03c54e

SHA1
f316e869e5c89d5801294fc1b61d1380edf498f1

SHA256
ed86410b977699bedcae441373ed5a9a71740c624028fb9414299f4019fe212e

SHA512
cac20385509df1989397048c94f419b752ad594ceafbb8320ec12c64dc2655a39ec236d74a639ac6c97037c8381854e0c83b69692eb2b1f67dd38de27eee7512

Download Submit
C:\Users\Admin\AppData\Local\Temp\buovpet.exe

Filesize
662KB

MD5
5a76ce0de3b184d8fdeaf4b6d5e88b34

SHA1
7d31c46243cd00db3f8ba8b5423d330a95f70c9b

SHA256
c3259d41b5794239b8b0aecb095e3cf073a44ea78d5c980d6c8f0b8322b61101

SHA512
b77b3e8289bc10398af5871ca7ed76879cd53ad171542a4f4864a0e46260043f5e847f28852714fb8f3588997786320449792d3214d1cb3438684aeb509f93bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\buovpet.exe

Filesize
662KB

MD5
5a76ce0de3b184d8fdeaf4b6d5e88b34

SHA1
7d31c46243cd00db3f8ba8b5423d330a95f70c9b

SHA256
c3259d41b5794239b8b0aecb095e3cf073a44ea78d5c980d6c8f0b8322b61101

SHA512
b77b3e8289bc10398af5871ca7ed76879cd53ad171542a4f4864a0e46260043f5e847f28852714fb8f3588997786320449792d3214d1cb3438684aeb509f93bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
86bb2dbeaef655893262f3c041f6afe2

SHA1
1b26ff1241c1353bd506c18bd0c11878076ba65d

SHA256
4a57643d2c59d1235bc0926f845583f39345839e3e9428ad619eb4b6baf96ad2

SHA512
58294cfaa5882a4c5625c03fe6f9e4882912b31f7169241f95626745d66c0a746083a9044365943d66ae7a420113d28c0ddd642c4ed697c683deb63796a13d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
480B

MD5
4fbf1651c3833996fd969361d6d3c203

SHA1
6be27179a4234c30564b4f08217f2eb0f07f62ab

SHA256
116f3600c742a0d3e00c0d71c724b492fa7edef54e526426598564be7129c766

SHA512
105716d41d6f8e67b2c0b937c2ea8ccca56fe7dc6227a9ea9d0e98cc6d442e74d9a473dd9ce351add9adb46f0c7c5975b6f50c466b77dd8d9123753562b1fc9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\mogyxot.exe

Filesize
398KB

MD5
7d1f5f4e8e318735dc3538152433e955

SHA1
630d95e0cbe953d416e76e526ff2ebee011d6ac8

SHA256
21eb2f7998a79b618991e6e8420c365091de970dafcb6f5d5bc21057a0ec8ecb

SHA512
132177aaeabec92f276ee89bc1a664fe98f4fcf69441dc8b852c06683d8ed3c09823e1068cc4ca213fdea4a033511f25dde66a07db2e7df7d83bc443393c9366

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA4F.tmp

Filesize
671KB

MD5
695553221f1da5818710606b73bf410d

SHA1
99ef379aa6d4bff4fbcc5d0340fafa696c15b97c

SHA256
24d51d64b5b26472337708ff2f42fb1002f14cd5cfb1f1ab67d212ebf3a1cc11

SHA512
5d47d5c836217f546c8c042aa4a01707d5e4c88edbfc4f18662ba68d8dbee56616a5d11579fe890b8d04feab270650f489aedabf12290fb2643d64d0ecb1ef55

Download Submit
\Users\Admin\AppData\Local\Temp\buovpet.exe

Filesize
662KB

MD5
5a76ce0de3b184d8fdeaf4b6d5e88b34

SHA1
7d31c46243cd00db3f8ba8b5423d330a95f70c9b

SHA256
c3259d41b5794239b8b0aecb095e3cf073a44ea78d5c980d6c8f0b8322b61101

SHA512
b77b3e8289bc10398af5871ca7ed76879cd53ad171542a4f4864a0e46260043f5e847f28852714fb8f3588997786320449792d3214d1cb3438684aeb509f93bf

Download Submit
\Users\Admin\AppData\Local\Temp\mogyxot.exe

Filesize
398KB

MD5
7d1f5f4e8e318735dc3538152433e955

SHA1
630d95e0cbe953d416e76e526ff2ebee011d6ac8

SHA256
21eb2f7998a79b618991e6e8420c365091de970dafcb6f5d5bc21057a0ec8ecb

SHA512
132177aaeabec92f276ee89bc1a664fe98f4fcf69441dc8b852c06683d8ed3c09823e1068cc4ca213fdea4a033511f25dde66a07db2e7df7d83bc443393c9366

Download Submit
\Users\Admin\AppData\Local\Temp\~DFA4F.tmp

Filesize
671KB

MD5
695553221f1da5818710606b73bf410d

SHA1
99ef379aa6d4bff4fbcc5d0340fafa696c15b97c

SHA256
24d51d64b5b26472337708ff2f42fb1002f14cd5cfb1f1ab67d212ebf3a1cc11

SHA512
5d47d5c836217f546c8c042aa4a01707d5e4c88edbfc4f18662ba68d8dbee56616a5d11579fe890b8d04feab270650f489aedabf12290fb2643d64d0ecb1ef55

Download Submit
memory/864-54-0x0000000076831000-0x0000000076833000-memory.dmp

Filesize
8KB

Download
memory/864-55-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/864-69-0x0000000001EF0000-0x0000000001FCE000-memory.dmp

Filesize
888KB

Download
memory/864-67-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1732-79-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/1932-70-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1932-71-0x0000000002C40000-0x0000000002D1E000-memory.dmp

Filesize
888KB

Download
memory/1932-73-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/2032-72-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/2032-78-0x0000000003900000-0x0000000003A3E000-memory.dmp

Filesize
1.2MB

Download
memory/2032-74-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download