d16f1f512e1251f573a9286afa7fba25facf1380e810215d16aa83babcec59e8

Analysis

max time kernel
151s
max time network
130s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
11/10/2022, 05:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d16f1f512e1251f573a9286afa7fba25facf1380e810215d16aa83babcec59e8.exe
Size

648KB
MD5

68b4673152111ecc0526533c9f19ad90
SHA1

358a23e378e6656b85dff24f438cfb06d0b16b3d
SHA256

d16f1f512e1251f573a9286afa7fba25facf1380e810215d16aa83babcec59e8
SHA512

b5370d06498ff62e2853db37b0596d07eb29407c11d9d2e3d78b3771ee15644a5cfe758f5c144556d64c6101d9bfcaa5053c4288a7d4dd036e05fc9969ad6135
SSDEEP

12288:OHjcoe9PH96vB/fAuBcm9TyOE/xG3muGx44MG4Yx:ODgINfAuBcgcZG2uG24MG4Y

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1392	jykoii.exe
1800	~DFA5D.tmp
2016	gigoni.exe

Deletes itself 1 IoCs

pid	Process
2036	cmd.exe

Loads dropped DLL 3 IoCs

pid	Process
1148	d16f1f512e1251f573a9286afa7fba25facf1380e810215d16aa83babcec59e8.exe
1392	jykoii.exe
1800	~DFA5D.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
2016	gigoni.exe
2016	gigoni.exe
2016	gigoni.exe
2016	gigoni.exe
2016	gigoni.exe
2016	gigoni.exe
2016	gigoni.exe
2016	gigoni.exe
2016	gigoni.exe
2016	gigoni.exe
2016	gigoni.exe
2016	gigoni.exe
2016	gigoni.exe
2016	gigoni.exe
2016	gigoni.exe
2016	gigoni.exe
2016	gigoni.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1800	~DFA5D.tmp

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1148 wrote to memory of 1392	1148	d16f1f512e1251f573a9286afa7fba25facf1380e810215d16aa83babcec59e8.exe	27
PID 1148 wrote to memory of 1392	1148	d16f1f512e1251f573a9286afa7fba25facf1380e810215d16aa83babcec59e8.exe	27
PID 1148 wrote to memory of 1392	1148	d16f1f512e1251f573a9286afa7fba25facf1380e810215d16aa83babcec59e8.exe	27
PID 1148 wrote to memory of 1392	1148	d16f1f512e1251f573a9286afa7fba25facf1380e810215d16aa83babcec59e8.exe	27
PID 1392 wrote to memory of 1800	1392	jykoii.exe	28
PID 1392 wrote to memory of 1800	1392	jykoii.exe	28
PID 1392 wrote to memory of 1800	1392	jykoii.exe	28
PID 1392 wrote to memory of 1800	1392	jykoii.exe	28
PID 1148 wrote to memory of 2036	1148	d16f1f512e1251f573a9286afa7fba25facf1380e810215d16aa83babcec59e8.exe	29
PID 1148 wrote to memory of 2036	1148	d16f1f512e1251f573a9286afa7fba25facf1380e810215d16aa83babcec59e8.exe	29
PID 1148 wrote to memory of 2036	1148	d16f1f512e1251f573a9286afa7fba25facf1380e810215d16aa83babcec59e8.exe	29
PID 1148 wrote to memory of 2036	1148	d16f1f512e1251f573a9286afa7fba25facf1380e810215d16aa83babcec59e8.exe	29
PID 1800 wrote to memory of 2016	1800	~DFA5D.tmp	31
PID 1800 wrote to memory of 2016	1800	~DFA5D.tmp	31
PID 1800 wrote to memory of 2016	1800	~DFA5D.tmp	31
PID 1800 wrote to memory of 2016	1800	~DFA5D.tmp	31

C:\Users\Admin\AppData\Local\Temp\d16f1f512e1251f573a9286afa7fba25facf1380e810215d16aa83babcec59e8.exe
"C:\Users\Admin\AppData\Local\Temp\d16f1f512e1251f573a9286afa7fba25facf1380e810215d16aa83babcec59e8.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1148
- C:\Users\Admin\AppData\Local\Temp\jykoii.exe
  C:\Users\Admin\AppData\Local\Temp\jykoii.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1392
- - C:\Users\Admin\AppData\Local\Temp\~DFA5D.tmp
    C:\Users\Admin\AppData\Local\Temp\~DFA5D.tmp OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1800
  - - C:\Users\Admin\AppData\Local\Temp\gigoni.exe
      "C:\Users\Admin\AppData\Local\Temp\gigoni.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:2016
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
  2⤵
  - Deletes itself
  PID:2036

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uninsep.bat

Filesize
341B

MD5
5a6535f8b76af9ded5802819517d4066

SHA1
0b94d1b1a256b9d7441e8556049a6e08f0620985

SHA256
a59bcfa795a37f6bbce5209217cf2244d7a30109fa9ba8659c0f4d350b489830

SHA512
5809ca37d4bb1a20f3ce184221620ff5565555bc6b0a3f11567e22dc3a015afee4632f92b8d4a4f5725289b0eb72cf3ffa299b050dc569c6b22583fc905af9ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
86bb2dbeaef655893262f3c041f6afe2

SHA1
1b26ff1241c1353bd506c18bd0c11878076ba65d

SHA256
4a57643d2c59d1235bc0926f845583f39345839e3e9428ad619eb4b6baf96ad2

SHA512
58294cfaa5882a4c5625c03fe6f9e4882912b31f7169241f95626745d66c0a746083a9044365943d66ae7a420113d28c0ddd642c4ed697c683deb63796a13d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\gigoni.exe

Filesize
416KB

MD5
751988305b94af298abd7f7a2e4e14a3

SHA1
d162d342d411854a9055e9750637643416b5cd1a

SHA256
2fdeab15c232dee5ca4cd8d1404d05b48e7c80040f5a803984b034257a6592c0

SHA512
be0f3406cbe3de14867ffce83dc94ae83a9c4de49f9a71a4c3cafcb65c2da673ab00f6266f2defda017bdfcc3c9c840afb1ab2f6633a258d68d64230c64fa6e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
480B

MD5
362a5ec539188434577fca4f0b4ec1e7

SHA1
edda68d6077017cc4d4c03acc6a02d0cd8f13fed

SHA256
80280a498d3cb805a89d13377b35617e660c4805309aa88b0c1f085281fab740

SHA512
f7495bccce0e6ddb2d4ceb47ac34e83ed91bfa9242d6339c1c76741f9264f6a056421dc373c8c1975bb09c7362e8dfb87b457258edb328bdfce001f187eda1cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\jykoii.exe

Filesize
649KB

MD5
d03ba5b40e60661c661a764d14eaf84d

SHA1
305f11a1f49a9df87c2c4afe48e4a23933c6ee6f

SHA256
970965d1deda30f4ecb06828e6e25eaf6a2f58ac1fffb7f9cb3536a1e7c2948c

SHA512
2e9b1c73ef4a2773a1dfe46c5236c8f19086d8eef3f3ebb4a6712df4ecd5067b76ea608b0b384018118fe829a4c59a7f6ffae81bb5df4841264135c3f4cfe90f

Download Submit
C:\Users\Admin\AppData\Local\Temp\jykoii.exe

Filesize
649KB

MD5
d03ba5b40e60661c661a764d14eaf84d

SHA1
305f11a1f49a9df87c2c4afe48e4a23933c6ee6f

SHA256
970965d1deda30f4ecb06828e6e25eaf6a2f58ac1fffb7f9cb3536a1e7c2948c

SHA512
2e9b1c73ef4a2773a1dfe46c5236c8f19086d8eef3f3ebb4a6712df4ecd5067b76ea608b0b384018118fe829a4c59a7f6ffae81bb5df4841264135c3f4cfe90f

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA5D.tmp

Filesize
653KB

MD5
d8d0d684c1bf2d6dd7c641ee0b59ba40

SHA1
d7bd622db58c38e3061af9fa3e16601745bd29b0

SHA256
aeda6fc4f5daa003864f83819e57f8d110114654a1babfc7783f55e8fe94cb1f

SHA512
21b38784600a021336d92b36fd7a1af238c976fb5f73d9fe1876a88b7bd1fe1c00cae5416c499d6a9b6eaf28fee52194570d9d997bdac50e2e57cd83a7ee9dd3

Download Submit
\Users\Admin\AppData\Local\Temp\gigoni.exe

Filesize
416KB

MD5
751988305b94af298abd7f7a2e4e14a3

SHA1
d162d342d411854a9055e9750637643416b5cd1a

SHA256
2fdeab15c232dee5ca4cd8d1404d05b48e7c80040f5a803984b034257a6592c0

SHA512
be0f3406cbe3de14867ffce83dc94ae83a9c4de49f9a71a4c3cafcb65c2da673ab00f6266f2defda017bdfcc3c9c840afb1ab2f6633a258d68d64230c64fa6e8

Download Submit
\Users\Admin\AppData\Local\Temp\jykoii.exe

Filesize
649KB

MD5
d03ba5b40e60661c661a764d14eaf84d

SHA1
305f11a1f49a9df87c2c4afe48e4a23933c6ee6f

SHA256
970965d1deda30f4ecb06828e6e25eaf6a2f58ac1fffb7f9cb3536a1e7c2948c

SHA512
2e9b1c73ef4a2773a1dfe46c5236c8f19086d8eef3f3ebb4a6712df4ecd5067b76ea608b0b384018118fe829a4c59a7f6ffae81bb5df4841264135c3f4cfe90f

Download Submit
\Users\Admin\AppData\Local\Temp\~DFA5D.tmp

Filesize
653KB

MD5
d8d0d684c1bf2d6dd7c641ee0b59ba40

SHA1
d7bd622db58c38e3061af9fa3e16601745bd29b0

SHA256
aeda6fc4f5daa003864f83819e57f8d110114654a1babfc7783f55e8fe94cb1f

SHA512
21b38784600a021336d92b36fd7a1af238c976fb5f73d9fe1876a88b7bd1fe1c00cae5416c499d6a9b6eaf28fee52194570d9d997bdac50e2e57cd83a7ee9dd3

Download Submit
memory/1148-61-0x0000000001F30000-0x000000000200E000-memory.dmp

Filesize
888KB

Download
memory/1148-54-0x0000000074C11000-0x0000000074C13000-memory.dmp

Filesize
8KB

Download
memory/1148-55-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1148-69-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1392-62-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1392-70-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1800-71-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1800-73-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1800-77-0x0000000003700000-0x000000000383E000-memory.dmp

Filesize
1.2MB

Download
memory/2016-78-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download