f49651cc591a70ada81923879dc55003db47983af92d038eeffaae7245f031bc

Analysis

max time kernel
152s
max time network
78s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
11/10/2022, 05:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f49651cc591a70ada81923879dc55003db47983af92d038eeffaae7245f031bc.exe
Size

668KB
MD5

439959a920e04f2db59b7fe2dd3ef430
SHA1

561e0630ea09a5f45f46d8abc4f422ad2dcd6fa7
SHA256

f49651cc591a70ada81923879dc55003db47983af92d038eeffaae7245f031bc
SHA512

45cf7794c24864c749592f9060b1c4539eb8051747e2042dc2532ad9fc23c71a88a382cae90599a01e73dbeb8630b02508f1355bb5b8fb474b30cf4dd8d7f13d
SSDEEP

12288:VHjcoe9PH96vB/fAuBcm9TyOE/xG3muGx44MG4Yx:VDgINfAuBcgcZG2uG24MG4Y

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1684	egdynew.exe
1600	~DFA5E.tmp
1488	sewubaw.exe

Deletes itself 1 IoCs

pid	Process
1388	cmd.exe

Loads dropped DLL 3 IoCs

pid	Process
1228	f49651cc591a70ada81923879dc55003db47983af92d038eeffaae7245f031bc.exe
1684	egdynew.exe
1600	~DFA5E.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
1488	sewubaw.exe
1488	sewubaw.exe
1488	sewubaw.exe
1488	sewubaw.exe
1488	sewubaw.exe
1488	sewubaw.exe
1488	sewubaw.exe
1488	sewubaw.exe
1488	sewubaw.exe
1488	sewubaw.exe
1488	sewubaw.exe
1488	sewubaw.exe
1488	sewubaw.exe
1488	sewubaw.exe
1488	sewubaw.exe
1488	sewubaw.exe
1488	sewubaw.exe
1488	sewubaw.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1600	~DFA5E.tmp

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1228 wrote to memory of 1684	1228	f49651cc591a70ada81923879dc55003db47983af92d038eeffaae7245f031bc.exe	27
PID 1228 wrote to memory of 1684	1228	f49651cc591a70ada81923879dc55003db47983af92d038eeffaae7245f031bc.exe	27
PID 1228 wrote to memory of 1684	1228	f49651cc591a70ada81923879dc55003db47983af92d038eeffaae7245f031bc.exe	27
PID 1228 wrote to memory of 1684	1228	f49651cc591a70ada81923879dc55003db47983af92d038eeffaae7245f031bc.exe	27
PID 1684 wrote to memory of 1600	1684	egdynew.exe	28
PID 1684 wrote to memory of 1600	1684	egdynew.exe	28
PID 1684 wrote to memory of 1600	1684	egdynew.exe	28
PID 1684 wrote to memory of 1600	1684	egdynew.exe	28
PID 1228 wrote to memory of 1388	1228	f49651cc591a70ada81923879dc55003db47983af92d038eeffaae7245f031bc.exe	29
PID 1228 wrote to memory of 1388	1228	f49651cc591a70ada81923879dc55003db47983af92d038eeffaae7245f031bc.exe	29
PID 1228 wrote to memory of 1388	1228	f49651cc591a70ada81923879dc55003db47983af92d038eeffaae7245f031bc.exe	29
PID 1228 wrote to memory of 1388	1228	f49651cc591a70ada81923879dc55003db47983af92d038eeffaae7245f031bc.exe	29
PID 1600 wrote to memory of 1488	1600	~DFA5E.tmp	31
PID 1600 wrote to memory of 1488	1600	~DFA5E.tmp	31
PID 1600 wrote to memory of 1488	1600	~DFA5E.tmp	31
PID 1600 wrote to memory of 1488	1600	~DFA5E.tmp	31

C:\Users\Admin\AppData\Local\Temp\f49651cc591a70ada81923879dc55003db47983af92d038eeffaae7245f031bc.exe
"C:\Users\Admin\AppData\Local\Temp\f49651cc591a70ada81923879dc55003db47983af92d038eeffaae7245f031bc.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1228
- C:\Users\Admin\AppData\Local\Temp\egdynew.exe
  C:\Users\Admin\AppData\Local\Temp\egdynew.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1684
- - C:\Users\Admin\AppData\Local\Temp\~DFA5E.tmp
    C:\Users\Admin\AppData\Local\Temp\~DFA5E.tmp OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1600
  - - C:\Users\Admin\AppData\Local\Temp\sewubaw.exe
      "C:\Users\Admin\AppData\Local\Temp\sewubaw.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:1488
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
  2⤵
  - Deletes itself
  PID:1388

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uninsep.bat

Filesize
341B

MD5
ba746eebdf87399d423652b62980562e

SHA1
c4243f204c08a721f67f0aaa10d64db3f453a31a

SHA256
7e10bc53e0e95051dab23667763f74b386654d915f23753861092b8383c13572

SHA512
8a1b3e682b6000e0f31905fea4bb145efe81e358e432629c37ce8db088a5c096631ada4625fd3fdde75db491d737c3c1ca0a3b6edd058f2e11a5e7a1ebcb6a30

Download Submit
C:\Users\Admin\AppData\Local\Temp\egdynew.exe

Filesize
669KB

MD5
6556196c311d6ad7ca6a21bea4db3f2b

SHA1
49719d27b8011bd95206bd3ff01282b00a768b84

SHA256
006550ead8131d5f85b02c5db180d9db6c511f783dfe469f47248edb83c82bef

SHA512
dbcd5f8a4f32b734f9639b6e4ef1aeb53790c042cbe436283de5bb5d63fe156a736c063e2186b9e3ca041d2c3874f29c6751b073173bf16dbdd4650a8a480907

Download Submit
C:\Users\Admin\AppData\Local\Temp\egdynew.exe

Filesize
669KB

MD5
6556196c311d6ad7ca6a21bea4db3f2b

SHA1
49719d27b8011bd95206bd3ff01282b00a768b84

SHA256
006550ead8131d5f85b02c5db180d9db6c511f783dfe469f47248edb83c82bef

SHA512
dbcd5f8a4f32b734f9639b6e4ef1aeb53790c042cbe436283de5bb5d63fe156a736c063e2186b9e3ca041d2c3874f29c6751b073173bf16dbdd4650a8a480907

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
86bb2dbeaef655893262f3c041f6afe2

SHA1
1b26ff1241c1353bd506c18bd0c11878076ba65d

SHA256
4a57643d2c59d1235bc0926f845583f39345839e3e9428ad619eb4b6baf96ad2

SHA512
58294cfaa5882a4c5625c03fe6f9e4882912b31f7169241f95626745d66c0a746083a9044365943d66ae7a420113d28c0ddd642c4ed697c683deb63796a13d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
480B

MD5
6cd4784c5ddb6ffec03e38ab2fbbba94

SHA1
fb14099d5c20dc3e14b9d8b07949214ce2edde4e

SHA256
7e3ec5a12377c69c6a3fa101427bbcfaf4c7818099a98c05b549bdd5cc1bd7ba

SHA512
694a19271a9653838d8565510dc186c8d44124f4389fd4991b4919050c3f3fd7ad3e7f6cee2f2e076560fdce84bd6b48a9add2dcb02d156779b641bab2a22083

Download Submit
C:\Users\Admin\AppData\Local\Temp\sewubaw.exe

Filesize
381KB

MD5
77c891e9cb51e2c5329721fd9f2ec90f

SHA1
52f8a4b83efe1929969f8868987f973d9ea330c2

SHA256
2f4d4c917d5b2497e90c3c2e1012d6ac8fca19f7cc6784a1560f0d1c34c33600

SHA512
ffa6f5a39c087ee5c9576d25de3e41fac565d0d4a7072d565f090b4f07f3db9b28b067e5d34e7e7fe348aab10609757e9d3dcec8a3ef445cd336bb8e4a793b25

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA5E.tmp

Filesize
674KB

MD5
584d990328f6cdfb2fee8b43c449fa1d

SHA1
fd8b416c3c2bc72a7f47a4d30b24c4356cd45f28

SHA256
49931e92e3852e65b1654fb52fd0566192e92a3d8feb13cf8f4e2e590e233a94

SHA512
870fe1cf92233e54ea731b0d0f1c7e34ccbb2a61a600216afc4b0db5e513d125d7b9d1035563c26186413d8ba4f24c13715d28ed2593c106835376efe6ea29b5

Download Submit
\Users\Admin\AppData\Local\Temp\egdynew.exe

Filesize
669KB

MD5
6556196c311d6ad7ca6a21bea4db3f2b

SHA1
49719d27b8011bd95206bd3ff01282b00a768b84

SHA256
006550ead8131d5f85b02c5db180d9db6c511f783dfe469f47248edb83c82bef

SHA512
dbcd5f8a4f32b734f9639b6e4ef1aeb53790c042cbe436283de5bb5d63fe156a736c063e2186b9e3ca041d2c3874f29c6751b073173bf16dbdd4650a8a480907

Download Submit
\Users\Admin\AppData\Local\Temp\sewubaw.exe

Filesize
381KB

MD5
77c891e9cb51e2c5329721fd9f2ec90f

SHA1
52f8a4b83efe1929969f8868987f973d9ea330c2

SHA256
2f4d4c917d5b2497e90c3c2e1012d6ac8fca19f7cc6784a1560f0d1c34c33600

SHA512
ffa6f5a39c087ee5c9576d25de3e41fac565d0d4a7072d565f090b4f07f3db9b28b067e5d34e7e7fe348aab10609757e9d3dcec8a3ef445cd336bb8e4a793b25

Download Submit
\Users\Admin\AppData\Local\Temp\~DFA5E.tmp

Filesize
674KB

MD5
584d990328f6cdfb2fee8b43c449fa1d

SHA1
fd8b416c3c2bc72a7f47a4d30b24c4356cd45f28

SHA256
49931e92e3852e65b1654fb52fd0566192e92a3d8feb13cf8f4e2e590e233a94

SHA512
870fe1cf92233e54ea731b0d0f1c7e34ccbb2a61a600216afc4b0db5e513d125d7b9d1035563c26186413d8ba4f24c13715d28ed2593c106835376efe6ea29b5

Download Submit
memory/1228-54-0x0000000075561000-0x0000000075563000-memory.dmp

Filesize
8KB

Download
memory/1228-55-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1228-70-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1488-77-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/1600-67-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1600-72-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1600-76-0x0000000003460000-0x000000000359E000-memory.dmp

Filesize
1.2MB

Download
memory/1684-68-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1684-61-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download