845b0b044c8f00520f3eb28849a61f88dfe88550101925744d31e0bf7c241c86

Analysis

max time kernel
151s
max time network
75s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
03/10/2022, 12:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

845b0b044c8f00520f3eb28849a61f88dfe88550101925744d31e0bf7c241c86.exe
Size

639KB
MD5

685a6b8a04d3e87f4eddda5da93d18c0
SHA1

fe8569ae5f5cef12e275731d86db519a6b9583c7
SHA256

845b0b044c8f00520f3eb28849a61f88dfe88550101925744d31e0bf7c241c86
SHA512

3814ba0d754ce25136c6a0e79c4f386436b71ee4a48e751a11958d9997d81cf8878887d4bc6ceb531f9b60491cbfc520c789ac31d22331b11610793ac6b30ea5
SSDEEP

12288:OHjcoe9PH96vB/fAuBcm9TyOE/xG3muGx44MG4Yx:ODgINfAuBcgcZG2uG24MG4Y

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
912	vitanue.exe
1584	~DFA4D.tmp
1428	teyjcoe.exe

Deletes itself 1 IoCs

pid	Process
2036	cmd.exe

Loads dropped DLL 3 IoCs

pid	Process
948	845b0b044c8f00520f3eb28849a61f88dfe88550101925744d31e0bf7c241c86.exe
912	vitanue.exe
1584	~DFA4D.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
1428	teyjcoe.exe
1428	teyjcoe.exe
1428	teyjcoe.exe
1428	teyjcoe.exe
1428	teyjcoe.exe
1428	teyjcoe.exe
1428	teyjcoe.exe
1428	teyjcoe.exe
1428	teyjcoe.exe
1428	teyjcoe.exe
1428	teyjcoe.exe
1428	teyjcoe.exe
1428	teyjcoe.exe
1428	teyjcoe.exe
1428	teyjcoe.exe
1428	teyjcoe.exe
1428	teyjcoe.exe
1428	teyjcoe.exe
1428	teyjcoe.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1584	~DFA4D.tmp

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 948 wrote to memory of 912	948	845b0b044c8f00520f3eb28849a61f88dfe88550101925744d31e0bf7c241c86.exe	27
PID 948 wrote to memory of 912	948	845b0b044c8f00520f3eb28849a61f88dfe88550101925744d31e0bf7c241c86.exe	27
PID 948 wrote to memory of 912	948	845b0b044c8f00520f3eb28849a61f88dfe88550101925744d31e0bf7c241c86.exe	27
PID 948 wrote to memory of 912	948	845b0b044c8f00520f3eb28849a61f88dfe88550101925744d31e0bf7c241c86.exe	27
PID 948 wrote to memory of 2036	948	845b0b044c8f00520f3eb28849a61f88dfe88550101925744d31e0bf7c241c86.exe	28
PID 948 wrote to memory of 2036	948	845b0b044c8f00520f3eb28849a61f88dfe88550101925744d31e0bf7c241c86.exe	28
PID 948 wrote to memory of 2036	948	845b0b044c8f00520f3eb28849a61f88dfe88550101925744d31e0bf7c241c86.exe	28
PID 948 wrote to memory of 2036	948	845b0b044c8f00520f3eb28849a61f88dfe88550101925744d31e0bf7c241c86.exe	28
PID 912 wrote to memory of 1584	912	vitanue.exe	30
PID 912 wrote to memory of 1584	912	vitanue.exe	30
PID 912 wrote to memory of 1584	912	vitanue.exe	30
PID 912 wrote to memory of 1584	912	vitanue.exe	30
PID 1584 wrote to memory of 1428	1584	~DFA4D.tmp	31
PID 1584 wrote to memory of 1428	1584	~DFA4D.tmp	31
PID 1584 wrote to memory of 1428	1584	~DFA4D.tmp	31
PID 1584 wrote to memory of 1428	1584	~DFA4D.tmp	31

C:\Users\Admin\AppData\Local\Temp\845b0b044c8f00520f3eb28849a61f88dfe88550101925744d31e0bf7c241c86.exe
"C:\Users\Admin\AppData\Local\Temp\845b0b044c8f00520f3eb28849a61f88dfe88550101925744d31e0bf7c241c86.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:948
- C:\Users\Admin\AppData\Local\Temp\vitanue.exe
  C:\Users\Admin\AppData\Local\Temp\vitanue.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:912
- - C:\Users\Admin\AppData\Local\Temp\~DFA4D.tmp
    C:\Users\Admin\AppData\Local\Temp\~DFA4D.tmp OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1584
  - - C:\Users\Admin\AppData\Local\Temp\teyjcoe.exe
      "C:\Users\Admin\AppData\Local\Temp\teyjcoe.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:1428
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
  2⤵
  - Deletes itself
  PID:2036

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uninsep.bat

Filesize
341B

MD5
c12564052b8e2a7a6bb05c7ae08784e1

SHA1
c94a0eccd819e73003959cf20033fcd277b8ab58

SHA256
e626df762ef8399b25ddd2ec59b49c26ef5bc78a9d89c6bc2ef7c0c1371d20a1

SHA512
ec1e320e6c332da430f5bb0e0a84d94ab3b5e7a32b06e0216cc98283a56f79f899a97df4cf88967a927068a22ab9b72bd0a3503ba7c782d867b68cbd21e7594d

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
86bb2dbeaef655893262f3c041f6afe2

SHA1
1b26ff1241c1353bd506c18bd0c11878076ba65d

SHA256
4a57643d2c59d1235bc0926f845583f39345839e3e9428ad619eb4b6baf96ad2

SHA512
58294cfaa5882a4c5625c03fe6f9e4882912b31f7169241f95626745d66c0a746083a9044365943d66ae7a420113d28c0ddd642c4ed697c683deb63796a13d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
480B

MD5
7386012b7f5e63c0f6be19ae45988af9

SHA1
c0c27e141417f1dfda9c08b4b516e97cf27ef2ce

SHA256
06aa3847c9c901966b9136ae6d26527594c412739fd5bb4f706e0d7a24941d8a

SHA512
b7ec02463eeb9e56883e1ceb655c8c4b9bfd8315a7ce8f489cf42ace16a6671db9f19769e57ea7927cbe1320e776581016f5b77d0d1194bbbd38fad06a2aa616

Download Submit
C:\Users\Admin\AppData\Local\Temp\teyjcoe.exe

Filesize
401KB

MD5
6f4eedee3e4eb30399a765828c7ffcf4

SHA1
d31d2ac7ca260c80829d0ccd1bc103e9521b7cfb

SHA256
7bb73b3c9169237a7c27fbd1634ee1950b120a30f2f1af912d1b6110f3f03b8c

SHA512
2de94df3a37ae1752f1379f3d0217c23de32c78b7ecbc5ca6d6c3fb0f3ebdf3067b562c7603a2803628e85e73897e19207d31dd9c783daf53c0731fe72886722

Download Submit
C:\Users\Admin\AppData\Local\Temp\vitanue.exe

Filesize
646KB

MD5
df3f4450c0917fa273782bc6acf47afd

SHA1
104c41dc3fe4ff3fa71d2efd725c7f2c1f6deb46

SHA256
893b2a62de18377d2d22bdaddf350347466e45dec61184e973ab15795f0b7916

SHA512
1defcec536b52bb9996b71d9e7739f15f572d8325e66bb6dbc4d784047f3693abfd7f40d3028527ad4063113239c3750227a6841c8d1a7cb70605efbc3462b88

Download Submit
C:\Users\Admin\AppData\Local\Temp\vitanue.exe

Filesize
646KB

MD5
df3f4450c0917fa273782bc6acf47afd

SHA1
104c41dc3fe4ff3fa71d2efd725c7f2c1f6deb46

SHA256
893b2a62de18377d2d22bdaddf350347466e45dec61184e973ab15795f0b7916

SHA512
1defcec536b52bb9996b71d9e7739f15f572d8325e66bb6dbc4d784047f3693abfd7f40d3028527ad4063113239c3750227a6841c8d1a7cb70605efbc3462b88

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA4D.tmp

Filesize
654KB

MD5
318c9e0945c86ceb97bab3b094f3e088

SHA1
71a114fdcef70705d20e357a40d165ce5b1840cb

SHA256
0ed11c12c19f9635c71f75cdfa6f97672b69f91e250d8c5e868b41f30604a80f

SHA512
02601966a8617d686b69d0eb212ed560604f6bd0cd6886fa6f4f39af63d4a53377f23f94a65a8c0beab3dc8f5fcb090066c4e1f13e8eae9d6c5274d76f7736ec

Download Submit
\Users\Admin\AppData\Local\Temp\teyjcoe.exe

Filesize
401KB

MD5
6f4eedee3e4eb30399a765828c7ffcf4

SHA1
d31d2ac7ca260c80829d0ccd1bc103e9521b7cfb

SHA256
7bb73b3c9169237a7c27fbd1634ee1950b120a30f2f1af912d1b6110f3f03b8c

SHA512
2de94df3a37ae1752f1379f3d0217c23de32c78b7ecbc5ca6d6c3fb0f3ebdf3067b562c7603a2803628e85e73897e19207d31dd9c783daf53c0731fe72886722

Download Submit
\Users\Admin\AppData\Local\Temp\vitanue.exe

Filesize
646KB

MD5
df3f4450c0917fa273782bc6acf47afd

SHA1
104c41dc3fe4ff3fa71d2efd725c7f2c1f6deb46

SHA256
893b2a62de18377d2d22bdaddf350347466e45dec61184e973ab15795f0b7916

SHA512
1defcec536b52bb9996b71d9e7739f15f572d8325e66bb6dbc4d784047f3693abfd7f40d3028527ad4063113239c3750227a6841c8d1a7cb70605efbc3462b88

Download Submit
\Users\Admin\AppData\Local\Temp\~DFA4D.tmp

Filesize
654KB

MD5
318c9e0945c86ceb97bab3b094f3e088

SHA1
71a114fdcef70705d20e357a40d165ce5b1840cb

SHA256
0ed11c12c19f9635c71f75cdfa6f97672b69f91e250d8c5e868b41f30604a80f

SHA512
02601966a8617d686b69d0eb212ed560604f6bd0cd6886fa6f4f39af63d4a53377f23f94a65a8c0beab3dc8f5fcb090066c4e1f13e8eae9d6c5274d76f7736ec

Download Submit
memory/912-67-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/912-71-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/948-62-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/948-66-0x0000000001E30000-0x0000000001F0E000-memory.dmp

Filesize
888KB

Download
memory/948-54-0x0000000076961000-0x0000000076963000-memory.dmp

Filesize
8KB

Download
memory/948-55-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1428-79-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/1584-72-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1584-73-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1584-78-0x00000000035E0000-0x000000000371E000-memory.dmp

Filesize
1.2MB

Download