2ee9e36c198d89d764cb3027242052c1743a008d372cedd0e8122fa9a5fc9b81

Analysis

max time kernel
151s
max time network
71s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
03/10/2022, 12:14

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2ee9e36c198d89d764cb3027242052c1743a008d372cedd0e8122fa9a5fc9b81.exe
Size

668KB
MD5

6ccdd91daff6e111a505e496477aee00
SHA1

58124e2a98d49715b94c0fd7e622e2975a8f9b74
SHA256

2ee9e36c198d89d764cb3027242052c1743a008d372cedd0e8122fa9a5fc9b81
SHA512

589843d5d33c127896ad818860a12b84e1501ac2172b47a8f8674a8f90f2eb307a61b79a93e793e8acfac25e9a582a73e9f6bb24c70beb826f41c926be74f35c
SSDEEP

12288:VHjcoe9PH96vB/fAuBcm9TyOE/xG3muGx44MG4Yx:VDgINfAuBcgcZG2uG24MG4Y

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
952	yfjayy.exe
764	~DFA52.tmp
1584	eftivy.exe

Deletes itself 1 IoCs

pid	Process
700	cmd.exe

Loads dropped DLL 3 IoCs

pid	Process
1168	2ee9e36c198d89d764cb3027242052c1743a008d372cedd0e8122fa9a5fc9b81.exe
952	yfjayy.exe
764	~DFA52.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
1584	eftivy.exe
1584	eftivy.exe
1584	eftivy.exe
1584	eftivy.exe
1584	eftivy.exe
1584	eftivy.exe
1584	eftivy.exe
1584	eftivy.exe
1584	eftivy.exe
1584	eftivy.exe
1584	eftivy.exe
1584	eftivy.exe
1584	eftivy.exe
1584	eftivy.exe
1584	eftivy.exe
1584	eftivy.exe
1584	eftivy.exe
1584	eftivy.exe
1584	eftivy.exe
1584	eftivy.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	764	~DFA52.tmp

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1168 wrote to memory of 952	1168	2ee9e36c198d89d764cb3027242052c1743a008d372cedd0e8122fa9a5fc9b81.exe	27
PID 1168 wrote to memory of 952	1168	2ee9e36c198d89d764cb3027242052c1743a008d372cedd0e8122fa9a5fc9b81.exe	27
PID 1168 wrote to memory of 952	1168	2ee9e36c198d89d764cb3027242052c1743a008d372cedd0e8122fa9a5fc9b81.exe	27
PID 1168 wrote to memory of 952	1168	2ee9e36c198d89d764cb3027242052c1743a008d372cedd0e8122fa9a5fc9b81.exe	27
PID 952 wrote to memory of 764	952	yfjayy.exe	28
PID 952 wrote to memory of 764	952	yfjayy.exe	28
PID 952 wrote to memory of 764	952	yfjayy.exe	28
PID 952 wrote to memory of 764	952	yfjayy.exe	28
PID 1168 wrote to memory of 700	1168	2ee9e36c198d89d764cb3027242052c1743a008d372cedd0e8122fa9a5fc9b81.exe	29
PID 1168 wrote to memory of 700	1168	2ee9e36c198d89d764cb3027242052c1743a008d372cedd0e8122fa9a5fc9b81.exe	29
PID 1168 wrote to memory of 700	1168	2ee9e36c198d89d764cb3027242052c1743a008d372cedd0e8122fa9a5fc9b81.exe	29
PID 1168 wrote to memory of 700	1168	2ee9e36c198d89d764cb3027242052c1743a008d372cedd0e8122fa9a5fc9b81.exe	29
PID 764 wrote to memory of 1584	764	~DFA52.tmp	31
PID 764 wrote to memory of 1584	764	~DFA52.tmp	31
PID 764 wrote to memory of 1584	764	~DFA52.tmp	31
PID 764 wrote to memory of 1584	764	~DFA52.tmp	31

C:\Users\Admin\AppData\Local\Temp\2ee9e36c198d89d764cb3027242052c1743a008d372cedd0e8122fa9a5fc9b81.exe
"C:\Users\Admin\AppData\Local\Temp\2ee9e36c198d89d764cb3027242052c1743a008d372cedd0e8122fa9a5fc9b81.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1168
- C:\Users\Admin\AppData\Local\Temp\yfjayy.exe
  C:\Users\Admin\AppData\Local\Temp\yfjayy.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:952
- - C:\Users\Admin\AppData\Local\Temp\~DFA52.tmp
    C:\Users\Admin\AppData\Local\Temp\~DFA52.tmp OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:764
  - - C:\Users\Admin\AppData\Local\Temp\eftivy.exe
      "C:\Users\Admin\AppData\Local\Temp\eftivy.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:1584
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
  2⤵
  - Deletes itself
  PID:700

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uninsep.bat

Filesize
341B

MD5
06e36e0fbda11a56e4a5611f30cb333d

SHA1
5bc97be4ceed3a658920b6f97d161f57573507df

SHA256
72183adefbdec266284ab0d797c8666d8bc0d204e0a2b6d11b3681a24f0015be

SHA512
882cf0df9b2e7f5b041e1f3e89182960160f99181c5f5d89e415811e1a57731de2e63fbee24e6f8deea664f4fc43c11acd9ea366f4b5bc07861ed7c065b4f3fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\eftivy.exe

Filesize
411KB

MD5
05e63df5585e65f37ee3e626dd27a769

SHA1
5d653349509afd81c9f544e2745073f65a1fa9f8

SHA256
6e0bfe1ba20bbf879098321a9731cb04ddafd1669d5e0c34f1e8897bbef278a7

SHA512
1fa51ceb11028b24993a825ced37656d2a9507efa327b72183d46b9cc61fe7c38cb30444f725c6d69145d520d4fa3fd70b4ce69f3ec25f6bec953f3cb0c41e63

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
86bb2dbeaef655893262f3c041f6afe2

SHA1
1b26ff1241c1353bd506c18bd0c11878076ba65d

SHA256
4a57643d2c59d1235bc0926f845583f39345839e3e9428ad619eb4b6baf96ad2

SHA512
58294cfaa5882a4c5625c03fe6f9e4882912b31f7169241f95626745d66c0a746083a9044365943d66ae7a420113d28c0ddd642c4ed697c683deb63796a13d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
480B

MD5
1c0f84450d501998918a7921941c26e2

SHA1
b53c4f247ac1047be2392887aa907b0bdc3c3e7f

SHA256
a0955bae631d4108dfccc4989295fe9e0f7de437101ab332e97e05547562052c

SHA512
f0b4587236e56ebf6b9a33bd67b71f230aba01849175ffc476e17a56e3a4ad494e2f916854792c43979bbefc805052c8f9c35887a066da73b1d5992162c9a7a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\yfjayy.exe

Filesize
670KB

MD5
2f3706313b0a6d2eaa6107c8afae7b97

SHA1
9690c521a8f50c50774df824a76e347a0d2777cf

SHA256
88a7b29dceb32e53e7827de98d40822c5c5bdddfb6589615f47ee544a367441b

SHA512
dc911783f0725c95654ab5f37fdf4be5840c174d5776ce8c34858e358571fe1c5f209e6935cab5bfb793019b564f3204d4e4dd6b578dd748a9762200bde5bb6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\yfjayy.exe

Filesize
670KB

MD5
2f3706313b0a6d2eaa6107c8afae7b97

SHA1
9690c521a8f50c50774df824a76e347a0d2777cf

SHA256
88a7b29dceb32e53e7827de98d40822c5c5bdddfb6589615f47ee544a367441b

SHA512
dc911783f0725c95654ab5f37fdf4be5840c174d5776ce8c34858e358571fe1c5f209e6935cab5bfb793019b564f3204d4e4dd6b578dd748a9762200bde5bb6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA52.tmp

Filesize
672KB

MD5
691fbcd169f45570819e798d57a0f03a

SHA1
8c2d04bcc7587625eba7e5f90d4d393927b7d3b5

SHA256
818e865e7fcbfefbbab705f21c01fa96d9b09223ce466588b08a12652ad55667

SHA512
89c48e626c8d5e6ea08496ec91ad75e9b5500eeabcf45eed09dbba8363cd9df532dda71b21acaa0b058285a7d481ca0749ebc3e1dfe9d98eb8684f756f17a057

Download Submit
\Users\Admin\AppData\Local\Temp\eftivy.exe

Filesize
411KB

MD5
05e63df5585e65f37ee3e626dd27a769

SHA1
5d653349509afd81c9f544e2745073f65a1fa9f8

SHA256
6e0bfe1ba20bbf879098321a9731cb04ddafd1669d5e0c34f1e8897bbef278a7

SHA512
1fa51ceb11028b24993a825ced37656d2a9507efa327b72183d46b9cc61fe7c38cb30444f725c6d69145d520d4fa3fd70b4ce69f3ec25f6bec953f3cb0c41e63

Download Submit
\Users\Admin\AppData\Local\Temp\yfjayy.exe

Filesize
670KB

MD5
2f3706313b0a6d2eaa6107c8afae7b97

SHA1
9690c521a8f50c50774df824a76e347a0d2777cf

SHA256
88a7b29dceb32e53e7827de98d40822c5c5bdddfb6589615f47ee544a367441b

SHA512
dc911783f0725c95654ab5f37fdf4be5840c174d5776ce8c34858e358571fe1c5f209e6935cab5bfb793019b564f3204d4e4dd6b578dd748a9762200bde5bb6f

Download Submit
\Users\Admin\AppData\Local\Temp\~DFA52.tmp

Filesize
672KB

MD5
691fbcd169f45570819e798d57a0f03a

SHA1
8c2d04bcc7587625eba7e5f90d4d393927b7d3b5

SHA256
818e865e7fcbfefbbab705f21c01fa96d9b09223ce466588b08a12652ad55667

SHA512
89c48e626c8d5e6ea08496ec91ad75e9b5500eeabcf45eed09dbba8363cd9df532dda71b21acaa0b058285a7d481ca0749ebc3e1dfe9d98eb8684f756f17a057

Download Submit
memory/764-74-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/764-72-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/764-79-0x0000000003640000-0x000000000377E000-memory.dmp

Filesize
1.2MB

Download
memory/952-71-0x0000000002C90000-0x0000000002D6E000-memory.dmp

Filesize
888KB

Download
memory/952-73-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/952-69-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1168-54-0x00000000760E1000-0x00000000760E3000-memory.dmp

Filesize
8KB

Download
memory/1168-67-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1168-68-0x0000000001EC0000-0x0000000001F9E000-memory.dmp

Filesize
888KB

Download
memory/1168-55-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1584-80-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download