f882435caaf88b0670a80a6374d86cd1b59b783b245d88e5dddc3ec574432787

Analysis

max time kernel
151s
max time network
124s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
03/10/2022, 12:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f882435caaf88b0670a80a6374d86cd1b59b783b245d88e5dddc3ec574432787.exe
Size

649KB
MD5

65dea0fc97d6416507dbc9721c86a470
SHA1

e86f2e4c0a833815e1aab94449077fb6fa3ee00e
SHA256

f882435caaf88b0670a80a6374d86cd1b59b783b245d88e5dddc3ec574432787
SHA512

692df3f336c72744038bf7460f8a526b972fe5d9a522396aa7959f3027999df6fc01460c13ef9680262a8d29b740c1ffe4809a8a80519d719a950acf673dad73
SSDEEP

12288:VHjcoe9PH96vB/fAuBcm9TyOE/xG3muGx44MG4Yx:VDgINfAuBcgcZG2uG24MG4Y

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
884	agnacil.exe
1412	~DFA6A.tmp
1860	yjkoopq.exe

Deletes itself 1 IoCs

pid	Process
1380	cmd.exe

Loads dropped DLL 3 IoCs

pid	Process
1852	f882435caaf88b0670a80a6374d86cd1b59b783b245d88e5dddc3ec574432787.exe
884	agnacil.exe
1412	~DFA6A.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
1860	yjkoopq.exe
1860	yjkoopq.exe
1860	yjkoopq.exe
1860	yjkoopq.exe
1860	yjkoopq.exe
1860	yjkoopq.exe
1860	yjkoopq.exe
1860	yjkoopq.exe
1860	yjkoopq.exe
1860	yjkoopq.exe
1860	yjkoopq.exe
1860	yjkoopq.exe
1860	yjkoopq.exe
1860	yjkoopq.exe
1860	yjkoopq.exe
1860	yjkoopq.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1412	~DFA6A.tmp

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1852 wrote to memory of 884	1852	f882435caaf88b0670a80a6374d86cd1b59b783b245d88e5dddc3ec574432787.exe	28
PID 1852 wrote to memory of 884	1852	f882435caaf88b0670a80a6374d86cd1b59b783b245d88e5dddc3ec574432787.exe	28
PID 1852 wrote to memory of 884	1852	f882435caaf88b0670a80a6374d86cd1b59b783b245d88e5dddc3ec574432787.exe	28
PID 1852 wrote to memory of 884	1852	f882435caaf88b0670a80a6374d86cd1b59b783b245d88e5dddc3ec574432787.exe	28
PID 884 wrote to memory of 1412	884	agnacil.exe	29
PID 884 wrote to memory of 1412	884	agnacil.exe	29
PID 884 wrote to memory of 1412	884	agnacil.exe	29
PID 884 wrote to memory of 1412	884	agnacil.exe	29
PID 1852 wrote to memory of 1380	1852	f882435caaf88b0670a80a6374d86cd1b59b783b245d88e5dddc3ec574432787.exe	30
PID 1852 wrote to memory of 1380	1852	f882435caaf88b0670a80a6374d86cd1b59b783b245d88e5dddc3ec574432787.exe	30
PID 1852 wrote to memory of 1380	1852	f882435caaf88b0670a80a6374d86cd1b59b783b245d88e5dddc3ec574432787.exe	30
PID 1852 wrote to memory of 1380	1852	f882435caaf88b0670a80a6374d86cd1b59b783b245d88e5dddc3ec574432787.exe	30
PID 1412 wrote to memory of 1860	1412	~DFA6A.tmp	32
PID 1412 wrote to memory of 1860	1412	~DFA6A.tmp	32
PID 1412 wrote to memory of 1860	1412	~DFA6A.tmp	32
PID 1412 wrote to memory of 1860	1412	~DFA6A.tmp	32

C:\Users\Admin\AppData\Local\Temp\f882435caaf88b0670a80a6374d86cd1b59b783b245d88e5dddc3ec574432787.exe
"C:\Users\Admin\AppData\Local\Temp\f882435caaf88b0670a80a6374d86cd1b59b783b245d88e5dddc3ec574432787.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1852
- C:\Users\Admin\AppData\Local\Temp\agnacil.exe
  C:\Users\Admin\AppData\Local\Temp\agnacil.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:884
- - C:\Users\Admin\AppData\Local\Temp\~DFA6A.tmp
    C:\Users\Admin\AppData\Local\Temp\~DFA6A.tmp OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1412
  - - C:\Users\Admin\AppData\Local\Temp\yjkoopq.exe
      "C:\Users\Admin\AppData\Local\Temp\yjkoopq.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:1860
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
  2⤵
  - Deletes itself
  PID:1380

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uninsep.bat

Filesize
341B

MD5
14ad64e70a4e83a26ee7753f49662923

SHA1
01dc7abbb05ab6416fdff4db72d6a4056310a40e

SHA256
e5e2feba7c153d7a6dc0f678b63829b0fe1ae5a38bb71f80fc95c55acaa8ca4b

SHA512
78f1acfb202fba0109d48c083a50771960f0b74053edd066ac249c990ac50dc9a331236b8579ef923a6ec30c00af41320791f5ae19a4d44e30ed1c7627ed6528

Download Submit
C:\Users\Admin\AppData\Local\Temp\agnacil.exe

Filesize
654KB

MD5
87f51dda503d174e8c91ca00d20fd6e8

SHA1
8c36159094e3f05a3c2808936edc5c65fb731ec9

SHA256
01ded84ff102e3795fcba3af08b89bde6b900648047fe95b62582f671dbd51ae

SHA512
5ab59f87d6c10a12cf53e3bd0f6350e9ec7a7e8b50b2697906ddf3cd6f09f356f68c6ff547a2599c437a8c8e0d3b0ba5b7ce8ba137b95123850abe138f7b40ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\agnacil.exe

Filesize
654KB

MD5
87f51dda503d174e8c91ca00d20fd6e8

SHA1
8c36159094e3f05a3c2808936edc5c65fb731ec9

SHA256
01ded84ff102e3795fcba3af08b89bde6b900648047fe95b62582f671dbd51ae

SHA512
5ab59f87d6c10a12cf53e3bd0f6350e9ec7a7e8b50b2697906ddf3cd6f09f356f68c6ff547a2599c437a8c8e0d3b0ba5b7ce8ba137b95123850abe138f7b40ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
86bb2dbeaef655893262f3c041f6afe2

SHA1
1b26ff1241c1353bd506c18bd0c11878076ba65d

SHA256
4a57643d2c59d1235bc0926f845583f39345839e3e9428ad619eb4b6baf96ad2

SHA512
58294cfaa5882a4c5625c03fe6f9e4882912b31f7169241f95626745d66c0a746083a9044365943d66ae7a420113d28c0ddd642c4ed697c683deb63796a13d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
480B

MD5
bb58f783db097c117c0dfc3ab873ca00

SHA1
7463fb1762eda75d45e1e1400517318d7c243eac

SHA256
b28cf60ef74bc8712e3f9f794998eb34dfefb6bad8a9c0662194158a2e9c9390

SHA512
f0ce874bde3f4ba8306e4ecde6db40d8b441066b0ff79604c04842cb08d7ec69b2ca5a1c3634b8cf32a5ee9785fb9c528c0972b7146a79c7f27a23c697be750e

Download Submit
C:\Users\Admin\AppData\Local\Temp\yjkoopq.exe

Filesize
398KB

MD5
943ec8ced29422f0af0b05de61542d07

SHA1
d34bec439b326796ec527471371b15062350ea50

SHA256
7c1a2ff8b4d31b4df9e59848a9cb08556004c3dd78cfba87500f3c7770c5851f

SHA512
ca0db43e592f0ae7da963b8ad462096c2a9ee1274b640c4be35fb39aa94112d8160bf6250499e87d148bcf938daf9880065e3f66adf6be5ca570853b057f57d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA6A.tmp

Filesize
661KB

MD5
fe02ae1cd05466a03c7deccf475439d9

SHA1
d7592f1f17e726c96a54ded584c7a31ca993e88f

SHA256
7d9893cdd66c6eb901e3305f8a93c2838ca5326debaf80c19385a9f4b6ead597

SHA512
f3c9d391ac1349b9698713e3857278d3634ef05df7a21962065c77e66f36fba74bb29d3463c45d4ed5123f6dda132ad7b67df74aeaaedbf0fd15341ff449163c

Download Submit
\Users\Admin\AppData\Local\Temp\agnacil.exe

Filesize
654KB

MD5
87f51dda503d174e8c91ca00d20fd6e8

SHA1
8c36159094e3f05a3c2808936edc5c65fb731ec9

SHA256
01ded84ff102e3795fcba3af08b89bde6b900648047fe95b62582f671dbd51ae

SHA512
5ab59f87d6c10a12cf53e3bd0f6350e9ec7a7e8b50b2697906ddf3cd6f09f356f68c6ff547a2599c437a8c8e0d3b0ba5b7ce8ba137b95123850abe138f7b40ce

Download Submit
\Users\Admin\AppData\Local\Temp\yjkoopq.exe

Filesize
398KB

MD5
943ec8ced29422f0af0b05de61542d07

SHA1
d34bec439b326796ec527471371b15062350ea50

SHA256
7c1a2ff8b4d31b4df9e59848a9cb08556004c3dd78cfba87500f3c7770c5851f

SHA512
ca0db43e592f0ae7da963b8ad462096c2a9ee1274b640c4be35fb39aa94112d8160bf6250499e87d148bcf938daf9880065e3f66adf6be5ca570853b057f57d8

Download Submit
\Users\Admin\AppData\Local\Temp\~DFA6A.tmp

Filesize
661KB

MD5
fe02ae1cd05466a03c7deccf475439d9

SHA1
d7592f1f17e726c96a54ded584c7a31ca993e88f

SHA256
7d9893cdd66c6eb901e3305f8a93c2838ca5326debaf80c19385a9f4b6ead597

SHA512
f3c9d391ac1349b9698713e3857278d3634ef05df7a21962065c77e66f36fba74bb29d3463c45d4ed5123f6dda132ad7b67df74aeaaedbf0fd15341ff449163c

Download Submit
memory/884-73-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/884-71-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1412-74-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1412-72-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1412-78-0x00000000036C0000-0x00000000037FE000-memory.dmp

Filesize
1.2MB

Download
memory/1852-69-0x0000000001EC0000-0x0000000001F9E000-memory.dmp

Filesize
888KB

Download
memory/1852-68-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1852-54-0x0000000075521000-0x0000000075523000-memory.dmp

Filesize
8KB

Download
memory/1852-59-0x0000000001EC0000-0x0000000001F9E000-memory.dmp

Filesize
888KB

Download
memory/1852-55-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1860-79-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download