bc155820215c6ce3654b982db51ad60077dd9ddd4bebc1f495e2c4416ea22c8d

Analysis

max time kernel
152s
max time network
130s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
11/10/2022, 05:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bc155820215c6ce3654b982db51ad60077dd9ddd4bebc1f495e2c4416ea22c8d.exe
Size

633KB
MD5

793f06cbfa215701eaf0f13e84fbdf10
SHA1

81a18ec22a465ee53eae08c8868cf0c6e321097e
SHA256

bc155820215c6ce3654b982db51ad60077dd9ddd4bebc1f495e2c4416ea22c8d
SHA512

fa82b1ac15e9a92a019639c0b06a6185f8b232fb70744c358fbc8688ff5c8b4d0adf2d6df7e7d14cce8931e6574506772c6eca45f1ab4ba9e8bc3d0030a21bed
SSDEEP

12288:OHjcoe9PH96vB/fAuBcm9TyOE/xG3muGx44MG4Yx:ODgINfAuBcgcZG2uG24MG4Y

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
892	ibjekon.exe
1212	~DFA72.tmp
524	moseoie.exe

Deletes itself 1 IoCs

pid	Process
1980	cmd.exe

Loads dropped DLL 3 IoCs

pid	Process
912	bc155820215c6ce3654b982db51ad60077dd9ddd4bebc1f495e2c4416ea22c8d.exe
892	ibjekon.exe
1212	~DFA72.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
524	moseoie.exe
524	moseoie.exe
524	moseoie.exe
524	moseoie.exe
524	moseoie.exe
524	moseoie.exe
524	moseoie.exe
524	moseoie.exe
524	moseoie.exe
524	moseoie.exe
524	moseoie.exe
524	moseoie.exe
524	moseoie.exe
524	moseoie.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1212	~DFA72.tmp

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 912 wrote to memory of 892	912	bc155820215c6ce3654b982db51ad60077dd9ddd4bebc1f495e2c4416ea22c8d.exe	28
PID 912 wrote to memory of 892	912	bc155820215c6ce3654b982db51ad60077dd9ddd4bebc1f495e2c4416ea22c8d.exe	28
PID 912 wrote to memory of 892	912	bc155820215c6ce3654b982db51ad60077dd9ddd4bebc1f495e2c4416ea22c8d.exe	28
PID 912 wrote to memory of 892	912	bc155820215c6ce3654b982db51ad60077dd9ddd4bebc1f495e2c4416ea22c8d.exe	28
PID 892 wrote to memory of 1212	892	ibjekon.exe	29
PID 892 wrote to memory of 1212	892	ibjekon.exe	29
PID 892 wrote to memory of 1212	892	ibjekon.exe	29
PID 892 wrote to memory of 1212	892	ibjekon.exe	29
PID 912 wrote to memory of 1980	912	bc155820215c6ce3654b982db51ad60077dd9ddd4bebc1f495e2c4416ea22c8d.exe	30
PID 912 wrote to memory of 1980	912	bc155820215c6ce3654b982db51ad60077dd9ddd4bebc1f495e2c4416ea22c8d.exe	30
PID 912 wrote to memory of 1980	912	bc155820215c6ce3654b982db51ad60077dd9ddd4bebc1f495e2c4416ea22c8d.exe	30
PID 912 wrote to memory of 1980	912	bc155820215c6ce3654b982db51ad60077dd9ddd4bebc1f495e2c4416ea22c8d.exe	30
PID 1212 wrote to memory of 524	1212	~DFA72.tmp	32
PID 1212 wrote to memory of 524	1212	~DFA72.tmp	32
PID 1212 wrote to memory of 524	1212	~DFA72.tmp	32
PID 1212 wrote to memory of 524	1212	~DFA72.tmp	32

C:\Users\Admin\AppData\Local\Temp\bc155820215c6ce3654b982db51ad60077dd9ddd4bebc1f495e2c4416ea22c8d.exe
"C:\Users\Admin\AppData\Local\Temp\bc155820215c6ce3654b982db51ad60077dd9ddd4bebc1f495e2c4416ea22c8d.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:912
- C:\Users\Admin\AppData\Local\Temp\ibjekon.exe
  C:\Users\Admin\AppData\Local\Temp\ibjekon.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:892
- - C:\Users\Admin\AppData\Local\Temp\~DFA72.tmp
    C:\Users\Admin\AppData\Local\Temp\~DFA72.tmp OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1212
  - - C:\Users\Admin\AppData\Local\Temp\moseoie.exe
      "C:\Users\Admin\AppData\Local\Temp\moseoie.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:524
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
  2⤵
  - Deletes itself
  PID:1980

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uninsep.bat

Filesize
341B

MD5
e715c2f46e592d5960b1638094c5854f

SHA1
fda4b0d334a5256ddbfe1efb6f6af5535982db84

SHA256
fef7d05136dc9c54d52f755eea3204f3c73083d55169b4ac613b4e65faffb8e0

SHA512
3edf0467dd67bfbf79695db57212f13c9d47070e0ba256097b8588ca96f6eaa70bae111035ad1c042b74436c1d7eec33abc5d7a9deff58056a97fbdb791c17c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
86bb2dbeaef655893262f3c041f6afe2

SHA1
1b26ff1241c1353bd506c18bd0c11878076ba65d

SHA256
4a57643d2c59d1235bc0926f845583f39345839e3e9428ad619eb4b6baf96ad2

SHA512
58294cfaa5882a4c5625c03fe6f9e4882912b31f7169241f95626745d66c0a746083a9044365943d66ae7a420113d28c0ddd642c4ed697c683deb63796a13d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
480B

MD5
781d074551da3dec7b4bfa7eaca73fd0

SHA1
8351bee823ea8e3b388060b3101c677f8dd8d91a

SHA256
34b74134696a5318185f21a877a509acf79526c59d132e64a514f31602df1f25

SHA512
7aa2b1d80d6c1ab7f17bba2841a928878c563917a086cad8dbed95845201203350c4a4226fdb974162129e3805826f55ea1213ef3a7edaccd0668422934b1e62

Download Submit
C:\Users\Admin\AppData\Local\Temp\ibjekon.exe

Filesize
636KB

MD5
730c029b33be2af024a021570a2519ce

SHA1
8a9dccfd2e2fdddda757e1be9c8564125da968e5

SHA256
1d3ff0d7738741c7fb3969e80198b28d4f3e58d8e57ae565ef71727e5955de9d

SHA512
2823a1241934993c720fc79611e97c2594d93b64e22e9e0cd4cafea1b37082ad468ac8430c1f691d46218608e02ac850b95265dbfd0247c18a41cc7d5f4ac254

Download Submit
C:\Users\Admin\AppData\Local\Temp\ibjekon.exe

Filesize
636KB

MD5
730c029b33be2af024a021570a2519ce

SHA1
8a9dccfd2e2fdddda757e1be9c8564125da968e5

SHA256
1d3ff0d7738741c7fb3969e80198b28d4f3e58d8e57ae565ef71727e5955de9d

SHA512
2823a1241934993c720fc79611e97c2594d93b64e22e9e0cd4cafea1b37082ad468ac8430c1f691d46218608e02ac850b95265dbfd0247c18a41cc7d5f4ac254

Download Submit
C:\Users\Admin\AppData\Local\Temp\moseoie.exe

Filesize
405KB

MD5
6db3961af8be99c3bd937d2b3ae25e11

SHA1
b974072996574737682b79e10e866b3fb8d0d109

SHA256
6db3e3a7492871fc96cc1e76050321e273d266d2c6657c7718ec1ad4acf86a78

SHA512
1ba7dfab6d53c829ba18e4f0fb900f5e0105aed847195c879b13178c28073001c0b531df8fb467ee34bc3544e53f13f19ab9409eb4e91be5cb98e1079392a98a

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA72.tmp

Filesize
641KB

MD5
c463e1f9c1f9f83c78cd0ff72f65db44

SHA1
d08faaaac691cefc6b5b70ae029511958da312ae

SHA256
3ea821d464fed0bd27f002abf888ae55b6869b710e7febaeb14226ed8eaa54d1

SHA512
930ce74c387138bfed16461df246593637f5ca61c65c83a925e38bcc97a217a815391f39048ed57683c9b4706035bd188090eb51af10365adc3acc523ed504e5

Download Submit
\Users\Admin\AppData\Local\Temp\ibjekon.exe

Filesize
636KB

MD5
730c029b33be2af024a021570a2519ce

SHA1
8a9dccfd2e2fdddda757e1be9c8564125da968e5

SHA256
1d3ff0d7738741c7fb3969e80198b28d4f3e58d8e57ae565ef71727e5955de9d

SHA512
2823a1241934993c720fc79611e97c2594d93b64e22e9e0cd4cafea1b37082ad468ac8430c1f691d46218608e02ac850b95265dbfd0247c18a41cc7d5f4ac254

Download Submit
\Users\Admin\AppData\Local\Temp\moseoie.exe

Filesize
405KB

MD5
6db3961af8be99c3bd937d2b3ae25e11

SHA1
b974072996574737682b79e10e866b3fb8d0d109

SHA256
6db3e3a7492871fc96cc1e76050321e273d266d2c6657c7718ec1ad4acf86a78

SHA512
1ba7dfab6d53c829ba18e4f0fb900f5e0105aed847195c879b13178c28073001c0b531df8fb467ee34bc3544e53f13f19ab9409eb4e91be5cb98e1079392a98a

Download Submit
\Users\Admin\AppData\Local\Temp\~DFA72.tmp

Filesize
641KB

MD5
c463e1f9c1f9f83c78cd0ff72f65db44

SHA1
d08faaaac691cefc6b5b70ae029511958da312ae

SHA256
3ea821d464fed0bd27f002abf888ae55b6869b710e7febaeb14226ed8eaa54d1

SHA512
930ce74c387138bfed16461df246593637f5ca61c65c83a925e38bcc97a217a815391f39048ed57683c9b4706035bd188090eb51af10365adc3acc523ed504e5

Download Submit
memory/524-79-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/892-68-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/892-63-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/912-70-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/912-72-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/912-54-0x00000000751A1000-0x00000000751A3000-memory.dmp

Filesize
8KB

Download
memory/912-62-0x0000000001DB0000-0x0000000001E8E000-memory.dmp

Filesize
888KB

Download
memory/912-55-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1212-69-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1212-74-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1212-78-0x0000000003690000-0x00000000037CE000-memory.dmp

Filesize
1.2MB

Download