22bd6dd93ec1be763f2428902ab0f42b198d15d804e679fc99f1d65f3846129a

Analysis

max time kernel
151s
max time network
78s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
02-10-2022 10:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

22bd6dd93ec1be763f2428902ab0f42b198d15d804e679fc99f1d65f3846129a.exe
Size

657KB
MD5

67a8dbb937ee81d5c17ed503ee225db0
SHA1

055a8adc8a8c54b839fa45e69a339eb928eb369f
SHA256

22bd6dd93ec1be763f2428902ab0f42b198d15d804e679fc99f1d65f3846129a
SHA512

707f7402c23b91b7b18ece1b39f0ec488a9ed2147c0eb68ffe5e818b44e2d46113612450be8121be0251311234a42a9e5e32e15543fe619214a0412807971ddf
SSDEEP

12288:OHjcoe9PH96vB/fAuBcm9TyOE/xG3muGx44MG4Yx:ODgINfAuBcgcZG2uG24MG4Y

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1388	lynubiu.exe
1316	~DFA57.tmp
1720	ypsyevu.exe

Deletes itself 1 IoCs

pid	Process
1940	cmd.exe

Loads dropped DLL 3 IoCs

pid	Process
872	22bd6dd93ec1be763f2428902ab0f42b198d15d804e679fc99f1d65f3846129a.exe
1388	lynubiu.exe
1316	~DFA57.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
1720	ypsyevu.exe
1720	ypsyevu.exe
1720	ypsyevu.exe
1720	ypsyevu.exe
1720	ypsyevu.exe
1720	ypsyevu.exe
1720	ypsyevu.exe
1720	ypsyevu.exe
1720	ypsyevu.exe
1720	ypsyevu.exe
1720	ypsyevu.exe
1720	ypsyevu.exe
1720	ypsyevu.exe
1720	ypsyevu.exe
1720	ypsyevu.exe
1720	ypsyevu.exe
1720	ypsyevu.exe
1720	ypsyevu.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1316	~DFA57.tmp

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 872 wrote to memory of 1388	872	22bd6dd93ec1be763f2428902ab0f42b198d15d804e679fc99f1d65f3846129a.exe	27
PID 872 wrote to memory of 1388	872	22bd6dd93ec1be763f2428902ab0f42b198d15d804e679fc99f1d65f3846129a.exe	27
PID 872 wrote to memory of 1388	872	22bd6dd93ec1be763f2428902ab0f42b198d15d804e679fc99f1d65f3846129a.exe	27
PID 872 wrote to memory of 1388	872	22bd6dd93ec1be763f2428902ab0f42b198d15d804e679fc99f1d65f3846129a.exe	27
PID 872 wrote to memory of 1940	872	22bd6dd93ec1be763f2428902ab0f42b198d15d804e679fc99f1d65f3846129a.exe	28
PID 872 wrote to memory of 1940	872	22bd6dd93ec1be763f2428902ab0f42b198d15d804e679fc99f1d65f3846129a.exe	28
PID 872 wrote to memory of 1940	872	22bd6dd93ec1be763f2428902ab0f42b198d15d804e679fc99f1d65f3846129a.exe	28
PID 872 wrote to memory of 1940	872	22bd6dd93ec1be763f2428902ab0f42b198d15d804e679fc99f1d65f3846129a.exe	28
PID 1388 wrote to memory of 1316	1388	lynubiu.exe	29
PID 1388 wrote to memory of 1316	1388	lynubiu.exe	29
PID 1388 wrote to memory of 1316	1388	lynubiu.exe	29
PID 1388 wrote to memory of 1316	1388	lynubiu.exe	29
PID 1316 wrote to memory of 1720	1316	~DFA57.tmp	31
PID 1316 wrote to memory of 1720	1316	~DFA57.tmp	31
PID 1316 wrote to memory of 1720	1316	~DFA57.tmp	31
PID 1316 wrote to memory of 1720	1316	~DFA57.tmp	31

C:\Users\Admin\AppData\Local\Temp\22bd6dd93ec1be763f2428902ab0f42b198d15d804e679fc99f1d65f3846129a.exe
"C:\Users\Admin\AppData\Local\Temp\22bd6dd93ec1be763f2428902ab0f42b198d15d804e679fc99f1d65f3846129a.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:872
- C:\Users\Admin\AppData\Local\Temp\lynubiu.exe
  C:\Users\Admin\AppData\Local\Temp\lynubiu.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1388
- - C:\Users\Admin\AppData\Local\Temp\~DFA57.tmp
    C:\Users\Admin\AppData\Local\Temp\~DFA57.tmp OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1316
  - - C:\Users\Admin\AppData\Local\Temp\ypsyevu.exe
      "C:\Users\Admin\AppData\Local\Temp\ypsyevu.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:1720
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
  2⤵
  - Deletes itself
  PID:1940

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uninsep.bat

Filesize
341B

MD5
efba6cd1d1ea175cbbc55f35e1507f34

SHA1
0f4223fba842d061278af81ba1d91c871eba85e0

SHA256
a35904e9b3749e678d3657baff56df2174ad3c71e295e789e985ca553bb7ab3c

SHA512
084a35d2ffb04b705feb4641aa4e8802928c5bfa85ec1b96379a33351bd96c65f9616ab931d975327586acd2e3a47c6696647a1daf86d46866c1946029acbb01

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
86bb2dbeaef655893262f3c041f6afe2

SHA1
1b26ff1241c1353bd506c18bd0c11878076ba65d

SHA256
4a57643d2c59d1235bc0926f845583f39345839e3e9428ad619eb4b6baf96ad2

SHA512
58294cfaa5882a4c5625c03fe6f9e4882912b31f7169241f95626745d66c0a746083a9044365943d66ae7a420113d28c0ddd642c4ed697c683deb63796a13d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
480B

MD5
9beefe06d7d4b9c637342a90f1be901b

SHA1
483e727b8d6dbcbff5672d144315e290a862cf83

SHA256
d9dc959e264284d5d7e9c753c8a75ed817980f80d82aff86510fdc57dfcfdf67

SHA512
f59c5de7fafbb82165c08f29518070d4532c8f09c57ce9dc3092558ffc82859912d82e5f60b2da6ba0f4d76c7cb67ef74626c9a9702abacfa53ae842f7b524d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\lynubiu.exe

Filesize
665KB

MD5
3705a2b07986ad21be7dd75511397311

SHA1
a82144f6bd6c5bffefb8d1af338b90c0399c5eec

SHA256
6b35950b336634d41a09c1e748f0ebdb067004e34b20d18b2b954a98b3807839

SHA512
278edae9013a64bb40b5a6f02a28c808b6cc5db1fd8e05d03e498eabc5db24a7ba80335fb9e9a305aed00911d746ad005227ad64692a9cae8f0923a0c989f341

Download Submit
C:\Users\Admin\AppData\Local\Temp\lynubiu.exe

Filesize
665KB

MD5
3705a2b07986ad21be7dd75511397311

SHA1
a82144f6bd6c5bffefb8d1af338b90c0399c5eec

SHA256
6b35950b336634d41a09c1e748f0ebdb067004e34b20d18b2b954a98b3807839

SHA512
278edae9013a64bb40b5a6f02a28c808b6cc5db1fd8e05d03e498eabc5db24a7ba80335fb9e9a305aed00911d746ad005227ad64692a9cae8f0923a0c989f341

Download Submit
C:\Users\Admin\AppData\Local\Temp\ypsyevu.exe

Filesize
390KB

MD5
75c441925a898addc28a4c534c9aafb3

SHA1
fc51929298ab55a2db3d22d899377cf0f3b3ccf1

SHA256
dc6a842d5c6fcd96017447957b9f26ed4d9141ca541a68b1350b3291ecd4eab7

SHA512
006b951fba947a53c7fe59faa0abb3a25e26b6c241ed2252fd7dce92c42d8b0e48a6c161d9ef515e9cf269047ede209e496bfc665037f80713853f2334dbfc86

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA57.tmp

Filesize
672KB

MD5
be2160029e2d60a9c77c4a6f565e6e4b

SHA1
e01e7914bab789f8434822453bfc89bf74abe025

SHA256
b19844a38157604848863bacc27af9a0ad1e79be58d3f7bca9757904d659690a

SHA512
3bb9cb4f85ef848c0dd212be65eb8fd10b1cbe4e64e6ed6a80174b8ad1378b271553f8ec65dfdabf9e75954d4e479c567d0d10740c857339ab77f649e5841456

Download Submit
\Users\Admin\AppData\Local\Temp\lynubiu.exe

Filesize
665KB

MD5
3705a2b07986ad21be7dd75511397311

SHA1
a82144f6bd6c5bffefb8d1af338b90c0399c5eec

SHA256
6b35950b336634d41a09c1e748f0ebdb067004e34b20d18b2b954a98b3807839

SHA512
278edae9013a64bb40b5a6f02a28c808b6cc5db1fd8e05d03e498eabc5db24a7ba80335fb9e9a305aed00911d746ad005227ad64692a9cae8f0923a0c989f341

Download Submit
\Users\Admin\AppData\Local\Temp\ypsyevu.exe

Filesize
390KB

MD5
75c441925a898addc28a4c534c9aafb3

SHA1
fc51929298ab55a2db3d22d899377cf0f3b3ccf1

SHA256
dc6a842d5c6fcd96017447957b9f26ed4d9141ca541a68b1350b3291ecd4eab7

SHA512
006b951fba947a53c7fe59faa0abb3a25e26b6c241ed2252fd7dce92c42d8b0e48a6c161d9ef515e9cf269047ede209e496bfc665037f80713853f2334dbfc86

Download Submit
\Users\Admin\AppData\Local\Temp\~DFA57.tmp

Filesize
672KB

MD5
be2160029e2d60a9c77c4a6f565e6e4b

SHA1
e01e7914bab789f8434822453bfc89bf74abe025

SHA256
b19844a38157604848863bacc27af9a0ad1e79be58d3f7bca9757904d659690a

SHA512
3bb9cb4f85ef848c0dd212be65eb8fd10b1cbe4e64e6ed6a80174b8ad1378b271553f8ec65dfdabf9e75954d4e479c567d0d10740c857339ab77f649e5841456

Download Submit
memory/872-54-0x0000000074AD1000-0x0000000074AD3000-memory.dmp

Filesize
8KB

Download
memory/872-66-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/872-55-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1316-73-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1316-78-0x00000000036F0000-0x000000000382E000-memory.dmp

Filesize
1.2MB

Download
memory/1316-71-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1388-69-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1388-72-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1388-70-0x0000000002B60000-0x0000000002C3E000-memory.dmp

Filesize
888KB

Download
memory/1720-79-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download