5203c13c418bbcaa9109a4c5d12f5361f21420d20ab9ba2015c409d368ae449d

Analysis

max time kernel
186s
max time network
109s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
11/10/2022, 05:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5203c13c418bbcaa9109a4c5d12f5361f21420d20ab9ba2015c409d368ae449d.exe
Size

644KB
MD5

7c064fbdcccd9098b460c10e40bbc850
SHA1

47796191a94fe4479f7282a37a3a89d4bcaeb8fc
SHA256

5203c13c418bbcaa9109a4c5d12f5361f21420d20ab9ba2015c409d368ae449d
SHA512

1cba343e56113e8c6ba6af64b2540b3ca935d5c91a374f01e4ba8192f7cd8d5e847b46eb48d5a47f2d4c4c1a300c0c215b84d41d507c5f41cfbda0925e6bf135
SSDEEP

12288:VHjcoe9PH96vB/fAuBcm9TyOE/xG3muGx44MG4Yx:VDgINfAuBcgcZG2uG24MG4Y

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
960	syvigav.exe
1520	~DFA71.tmp
1660	xetubov.exe

Deletes itself 1 IoCs

pid	Process
608	cmd.exe

Loads dropped DLL 3 IoCs

pid	Process
1108	5203c13c418bbcaa9109a4c5d12f5361f21420d20ab9ba2015c409d368ae449d.exe
960	syvigav.exe
1520	~DFA71.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
1660	xetubov.exe
1660	xetubov.exe
1660	xetubov.exe
1660	xetubov.exe
1660	xetubov.exe
1660	xetubov.exe
1660	xetubov.exe
1660	xetubov.exe
1660	xetubov.exe
1660	xetubov.exe
1660	xetubov.exe
1660	xetubov.exe
1660	xetubov.exe
1660	xetubov.exe
1660	xetubov.exe
1660	xetubov.exe
1660	xetubov.exe
1660	xetubov.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1520	~DFA71.tmp

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1108 wrote to memory of 960	1108	5203c13c418bbcaa9109a4c5d12f5361f21420d20ab9ba2015c409d368ae449d.exe	31
PID 1108 wrote to memory of 960	1108	5203c13c418bbcaa9109a4c5d12f5361f21420d20ab9ba2015c409d368ae449d.exe	31
PID 1108 wrote to memory of 960	1108	5203c13c418bbcaa9109a4c5d12f5361f21420d20ab9ba2015c409d368ae449d.exe	31
PID 1108 wrote to memory of 960	1108	5203c13c418bbcaa9109a4c5d12f5361f21420d20ab9ba2015c409d368ae449d.exe	31
PID 960 wrote to memory of 1520	960	syvigav.exe	30
PID 960 wrote to memory of 1520	960	syvigav.exe	30
PID 960 wrote to memory of 1520	960	syvigav.exe	30
PID 960 wrote to memory of 1520	960	syvigav.exe	30
PID 1108 wrote to memory of 608	1108	5203c13c418bbcaa9109a4c5d12f5361f21420d20ab9ba2015c409d368ae449d.exe	29
PID 1108 wrote to memory of 608	1108	5203c13c418bbcaa9109a4c5d12f5361f21420d20ab9ba2015c409d368ae449d.exe	29
PID 1108 wrote to memory of 608	1108	5203c13c418bbcaa9109a4c5d12f5361f21420d20ab9ba2015c409d368ae449d.exe	29
PID 1108 wrote to memory of 608	1108	5203c13c418bbcaa9109a4c5d12f5361f21420d20ab9ba2015c409d368ae449d.exe	29
PID 1520 wrote to memory of 1660	1520	~DFA71.tmp	32
PID 1520 wrote to memory of 1660	1520	~DFA71.tmp	32
PID 1520 wrote to memory of 1660	1520	~DFA71.tmp	32
PID 1520 wrote to memory of 1660	1520	~DFA71.tmp	32

C:\Users\Admin\AppData\Local\Temp\5203c13c418bbcaa9109a4c5d12f5361f21420d20ab9ba2015c409d368ae449d.exe
"C:\Users\Admin\AppData\Local\Temp\5203c13c418bbcaa9109a4c5d12f5361f21420d20ab9ba2015c409d368ae449d.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1108
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
  2⤵
  - Deletes itself
  PID:608
- C:\Users\Admin\AppData\Local\Temp\syvigav.exe
  C:\Users\Admin\AppData\Local\Temp\syvigav.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:960

C:\Users\Admin\AppData\Local\Temp\~DFA71.tmp
C:\Users\Admin\AppData\Local\Temp\~DFA71.tmp OK
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1520
- C:\Users\Admin\AppData\Local\Temp\xetubov.exe
  "C:\Users\Admin\AppData\Local\Temp\xetubov.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1660

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uninsep.bat

Filesize
341B

MD5
edd547a2ed5f513c58af52a628e37da6

SHA1
ef2055da6bd59cb7a9dc3e089a28bc560978faa5

SHA256
9f96914c53240fa481cd7ee23461c593b2ec99404956c49f856719b7cd049634

SHA512
db8c859db0228ea24b5f3124497599e8656a79834dcaf5177f270e301e6a47060e65560191a5f931f7df5f6a60d9741478ece190cdc47486118af1eb1746c283

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
86bb2dbeaef655893262f3c041f6afe2

SHA1
1b26ff1241c1353bd506c18bd0c11878076ba65d

SHA256
4a57643d2c59d1235bc0926f845583f39345839e3e9428ad619eb4b6baf96ad2

SHA512
58294cfaa5882a4c5625c03fe6f9e4882912b31f7169241f95626745d66c0a746083a9044365943d66ae7a420113d28c0ddd642c4ed697c683deb63796a13d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
480B

MD5
025706664e544aba504d364b1fe0e84d

SHA1
753bc0da86b8acbac7c81fc4cc7c348312fd47a1

SHA256
663a32f9394af02c1f25c544a7334488bea5062422c2d451ba2e15a0fe5107a0

SHA512
feb1f1791de5fc8b277cbf89210de5fe90051c6636f9483654735f8c59a7e330bc115bff65c2f280b864ab29f00024a84bb26475782e0e8d8d925c240ca24e1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\syvigav.exe

Filesize
648KB

MD5
e3458da2b10cc464f545dd0bdc4be991

SHA1
746d59a3b2f34698a75057630f1a4b79231c9e0b

SHA256
c79277c250789103321e4e3569ae20e8178e1170496c70fa757a2143be134694

SHA512
a80c7d72eec0d0083b2bfa30ec960502f7891a00a9e04692a41ce5d2308dc2d1be23414f9d09531f37a7c8ac4a1e3ed94eca7240d7c9f5e780786889bede96c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\syvigav.exe

Filesize
648KB

MD5
e3458da2b10cc464f545dd0bdc4be991

SHA1
746d59a3b2f34698a75057630f1a4b79231c9e0b

SHA256
c79277c250789103321e4e3569ae20e8178e1170496c70fa757a2143be134694

SHA512
a80c7d72eec0d0083b2bfa30ec960502f7891a00a9e04692a41ce5d2308dc2d1be23414f9d09531f37a7c8ac4a1e3ed94eca7240d7c9f5e780786889bede96c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\xetubov.exe

Filesize
382KB

MD5
1a145125b37dcb416c8040cd4c4b5d1f

SHA1
687b4770617513ddee8d8fbe926f27daa9be07d4

SHA256
ccdca0089f39658a44dd99316700e71393e1169ed67af4fdbbc6e66661a4b635

SHA512
f7a9a81280f5c4b2d5fe7e83cbe826016a349ce11372dd2422ae87dbb62e7a3a5d2fc157723e88a983b88182af1a5974008c98a057f8ac857bc3909935fca622

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA71.tmp

Filesize
651KB

MD5
56956806362b7c4c4a306571c0d8e149

SHA1
060208447c1bc2cdaaaf73852ac067d5ace120d1

SHA256
90b5b2f5178ecb555bf5c434df520418c781a0e6a8af8575e8c1683fb4956e7d

SHA512
2e1f7a6fe39a5cbe35426c3a1d18db826e64ca8b4ed781e794058752ad56e1428a19725a1115a8c684f40e52ba2966c37942d6716fa9a2cfc227994a4b0fcc57

Download Submit
\Users\Admin\AppData\Local\Temp\syvigav.exe

Filesize
648KB

MD5
e3458da2b10cc464f545dd0bdc4be991

SHA1
746d59a3b2f34698a75057630f1a4b79231c9e0b

SHA256
c79277c250789103321e4e3569ae20e8178e1170496c70fa757a2143be134694

SHA512
a80c7d72eec0d0083b2bfa30ec960502f7891a00a9e04692a41ce5d2308dc2d1be23414f9d09531f37a7c8ac4a1e3ed94eca7240d7c9f5e780786889bede96c8

Download Submit
\Users\Admin\AppData\Local\Temp\xetubov.exe

Filesize
382KB

MD5
1a145125b37dcb416c8040cd4c4b5d1f

SHA1
687b4770617513ddee8d8fbe926f27daa9be07d4

SHA256
ccdca0089f39658a44dd99316700e71393e1169ed67af4fdbbc6e66661a4b635

SHA512
f7a9a81280f5c4b2d5fe7e83cbe826016a349ce11372dd2422ae87dbb62e7a3a5d2fc157723e88a983b88182af1a5974008c98a057f8ac857bc3909935fca622

Download Submit
\Users\Admin\AppData\Local\Temp\~DFA71.tmp

Filesize
651KB

MD5
56956806362b7c4c4a306571c0d8e149

SHA1
060208447c1bc2cdaaaf73852ac067d5ace120d1

SHA256
90b5b2f5178ecb555bf5c434df520418c781a0e6a8af8575e8c1683fb4956e7d

SHA512
2e1f7a6fe39a5cbe35426c3a1d18db826e64ca8b4ed781e794058752ad56e1428a19725a1115a8c684f40e52ba2966c37942d6716fa9a2cfc227994a4b0fcc57

Download Submit
memory/960-68-0x0000000002B60000-0x0000000002C3E000-memory.dmp

Filesize
888KB

Download
memory/960-67-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/960-73-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1108-71-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1108-66-0x0000000001F30000-0x000000000200E000-memory.dmp

Filesize
888KB

Download
memory/1108-54-0x00000000758C1000-0x00000000758C3000-memory.dmp

Filesize
8KB

Download
memory/1108-55-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1520-74-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1520-69-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1520-79-0x0000000003460000-0x000000000359E000-memory.dmp

Filesize
1.2MB

Download
memory/1660-80-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download