cd7579303312b07e7e35838cda30b2ced53633b295609e894da2b8148874b8e1

Analysis

max time kernel
171s
max time network
96s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
12-10-2022 18:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cd7579303312b07e7e35838cda30b2ced53633b295609e894da2b8148874b8e1.exe
Size

625KB
MD5

77249eebf06217f1974fadc23b733be0
SHA1

bb3f6b169bba129f0e2e3ceb29b539ad75c76bba
SHA256

cd7579303312b07e7e35838cda30b2ced53633b295609e894da2b8148874b8e1
SHA512

df8bb8c382dacf3f129fbdf0637388ab1f795edb89c6dde2b5aa154a149f54349e611b93a1cb0ea9f34762f8549e0bbb11e3f722c95f243aa23512c61cf950c8
SSDEEP

12288:W5hAPjPHr/wiPkEr89Eogw4VoH4cjnoteFlLD1AVs3Gb5oVjcD:WgLr4w9beH4enIeLFAVwGV4S

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1432	imdijaf.exe
2004	~DFA66.tmp
1208	tyfebew.exe

Deletes itself 1 IoCs

pid	Process
2000	cmd.exe

Loads dropped DLL 5 IoCs

pid	Process
864	cd7579303312b07e7e35838cda30b2ced53633b295609e894da2b8148874b8e1.exe
864	cd7579303312b07e7e35838cda30b2ced53633b295609e894da2b8148874b8e1.exe
1432	imdijaf.exe
1432	imdijaf.exe
2004	~DFA66.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
1208	tyfebew.exe
1208	tyfebew.exe
1208	tyfebew.exe
1208	tyfebew.exe
1208	tyfebew.exe
1208	tyfebew.exe
1208	tyfebew.exe
1208	tyfebew.exe
1208	tyfebew.exe
1208	tyfebew.exe
1208	tyfebew.exe
1208	tyfebew.exe
1208	tyfebew.exe
1208	tyfebew.exe
1208	tyfebew.exe
1208	tyfebew.exe
1208	tyfebew.exe
1208	tyfebew.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2004	~DFA66.tmp

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 864 wrote to memory of 1432	864	cd7579303312b07e7e35838cda30b2ced53633b295609e894da2b8148874b8e1.exe	28
PID 864 wrote to memory of 1432	864	cd7579303312b07e7e35838cda30b2ced53633b295609e894da2b8148874b8e1.exe	28
PID 864 wrote to memory of 1432	864	cd7579303312b07e7e35838cda30b2ced53633b295609e894da2b8148874b8e1.exe	28
PID 864 wrote to memory of 1432	864	cd7579303312b07e7e35838cda30b2ced53633b295609e894da2b8148874b8e1.exe	28
PID 1432 wrote to memory of 2004	1432	imdijaf.exe	29
PID 1432 wrote to memory of 2004	1432	imdijaf.exe	29
PID 1432 wrote to memory of 2004	1432	imdijaf.exe	29
PID 1432 wrote to memory of 2004	1432	imdijaf.exe	29
PID 864 wrote to memory of 2000	864	cd7579303312b07e7e35838cda30b2ced53633b295609e894da2b8148874b8e1.exe	30
PID 864 wrote to memory of 2000	864	cd7579303312b07e7e35838cda30b2ced53633b295609e894da2b8148874b8e1.exe	30
PID 864 wrote to memory of 2000	864	cd7579303312b07e7e35838cda30b2ced53633b295609e894da2b8148874b8e1.exe	30
PID 864 wrote to memory of 2000	864	cd7579303312b07e7e35838cda30b2ced53633b295609e894da2b8148874b8e1.exe	30
PID 2004 wrote to memory of 1208	2004	~DFA66.tmp	32
PID 2004 wrote to memory of 1208	2004	~DFA66.tmp	32
PID 2004 wrote to memory of 1208	2004	~DFA66.tmp	32
PID 2004 wrote to memory of 1208	2004	~DFA66.tmp	32

C:\Users\Admin\AppData\Local\Temp\cd7579303312b07e7e35838cda30b2ced53633b295609e894da2b8148874b8e1.exe
"C:\Users\Admin\AppData\Local\Temp\cd7579303312b07e7e35838cda30b2ced53633b295609e894da2b8148874b8e1.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:864
- C:\Users\Admin\AppData\Local\Temp\imdijaf.exe
  C:\Users\Admin\AppData\Local\Temp\imdijaf.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1432
- - C:\Users\Admin\AppData\Local\Temp\~DFA66.tmp
    C:\Users\Admin\AppData\Local\Temp\~DFA66.tmp OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2004
  - - C:\Users\Admin\AppData\Local\Temp\tyfebew.exe
      "C:\Users\Admin\AppData\Local\Temp\tyfebew.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:1208
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
  2⤵
  - Deletes itself
  PID:2000

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uninsep.bat

Filesize
341B

MD5
c80c69cb54d7c3af2299c8588604088a

SHA1
3d312a8c8e33aaddb907647bf5d21f71c60b83ff

SHA256
664c0437a20a96a51967ecd7d7781142837f56825882213776d00c7c907c206f

SHA512
1fce5a2bcbdff7eb5eccd644cd59a03ce80431fc2ec364697af5a96a1beb5a82c7a09afe64936f586f79fff47a70da28ac0f9ab9c654556fdfd80d8c0013d6b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
86bb2dbeaef655893262f3c041f6afe2

SHA1
1b26ff1241c1353bd506c18bd0c11878076ba65d

SHA256
4a57643d2c59d1235bc0926f845583f39345839e3e9428ad619eb4b6baf96ad2

SHA512
58294cfaa5882a4c5625c03fe6f9e4882912b31f7169241f95626745d66c0a746083a9044365943d66ae7a420113d28c0ddd642c4ed697c683deb63796a13d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
480B

MD5
2eb1838122cd7fe2c645eee657a6a5b8

SHA1
104c99ca3389904ba7695df9ca0d7eab83028e6d

SHA256
e505b8f0f7d2e217b811111076b2681f7009b45718861a8da6a4c4b7686eaf9c

SHA512
b2a388323d5c9b0a5876ef2b75d36e7c8ded34e6d16fb0ac6ef87b1cda16b3c303ddb74da2468f74923cadeff0f9d4ab3ee9e0b89e88810c143c826d5165509a

Download Submit
C:\Users\Admin\AppData\Local\Temp\imdijaf.exe

Filesize
627KB

MD5
4c757baa9fa499bd6753c867151ac6f5

SHA1
77cb613d00f2dd2f241180c201a5d66e6b6ea3e1

SHA256
52b409570d2e3ab080994a6f8d71d1a873212c1d94a1572495e2fc193c82df7b

SHA512
a00ac7ab9ec173547fb7be89d6c84c25f3953d0b5d70fde4fe1b815b2643684f93061898bfe0e158878775e5ae4fc4f6384d2f01afb48024a9524430c8d0eec7

Download Submit
C:\Users\Admin\AppData\Local\Temp\imdijaf.exe

Filesize
627KB

MD5
4c757baa9fa499bd6753c867151ac6f5

SHA1
77cb613d00f2dd2f241180c201a5d66e6b6ea3e1

SHA256
52b409570d2e3ab080994a6f8d71d1a873212c1d94a1572495e2fc193c82df7b

SHA512
a00ac7ab9ec173547fb7be89d6c84c25f3953d0b5d70fde4fe1b815b2643684f93061898bfe0e158878775e5ae4fc4f6384d2f01afb48024a9524430c8d0eec7

Download Submit
C:\Users\Admin\AppData\Local\Temp\tyfebew.exe

Filesize
450KB

MD5
7c65ff62221a456392ecba3da4e15bc4

SHA1
8a0df1207cbd1a9c4fa51ba60db5e74b2bb68c45

SHA256
7897c6f28bddbdc8d0b7027ecf76f8e2fcbf88c9ff30c83a68588d444a1afc5a

SHA512
f45f3498c819481498296936019ceff0ad1eceee833078fc2194f350a60cf54ef81ced58c17e386bf7f3f4aa93886fd2be83cdb001b977954b7021e5c85da146

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA66.tmp

Filesize
629KB

MD5
c09dba066a51a2cbeda82dade4a1b354

SHA1
796b559ee8a07668fac9d48e2ee72ada63bc52af

SHA256
48b54486aa0c523d47ef5fadd704d3ed778ae158f6fef58e98e417f2bd73d628

SHA512
e12f1982913c059b6e80a2bccf9e02b6bb0b47a3cc24a7527063fe2b3c3215f9b1ecea68e8c99128f2153cd06dc2f5e5d4e687b3c72aa583b8bfc44e7bc23276

Download Submit
\Users\Admin\AppData\Local\Temp\imdijaf.exe

Filesize
627KB

MD5
4c757baa9fa499bd6753c867151ac6f5

SHA1
77cb613d00f2dd2f241180c201a5d66e6b6ea3e1

SHA256
52b409570d2e3ab080994a6f8d71d1a873212c1d94a1572495e2fc193c82df7b

SHA512
a00ac7ab9ec173547fb7be89d6c84c25f3953d0b5d70fde4fe1b815b2643684f93061898bfe0e158878775e5ae4fc4f6384d2f01afb48024a9524430c8d0eec7

Download Submit
\Users\Admin\AppData\Local\Temp\imdijaf.exe

Filesize
627KB

MD5
4c757baa9fa499bd6753c867151ac6f5

SHA1
77cb613d00f2dd2f241180c201a5d66e6b6ea3e1

SHA256
52b409570d2e3ab080994a6f8d71d1a873212c1d94a1572495e2fc193c82df7b

SHA512
a00ac7ab9ec173547fb7be89d6c84c25f3953d0b5d70fde4fe1b815b2643684f93061898bfe0e158878775e5ae4fc4f6384d2f01afb48024a9524430c8d0eec7

Download Submit
\Users\Admin\AppData\Local\Temp\tyfebew.exe

Filesize
450KB

MD5
7c65ff62221a456392ecba3da4e15bc4

SHA1
8a0df1207cbd1a9c4fa51ba60db5e74b2bb68c45

SHA256
7897c6f28bddbdc8d0b7027ecf76f8e2fcbf88c9ff30c83a68588d444a1afc5a

SHA512
f45f3498c819481498296936019ceff0ad1eceee833078fc2194f350a60cf54ef81ced58c17e386bf7f3f4aa93886fd2be83cdb001b977954b7021e5c85da146

Download Submit
\Users\Admin\AppData\Local\Temp\~DFA66.tmp

Filesize
629KB

MD5
c09dba066a51a2cbeda82dade4a1b354

SHA1
796b559ee8a07668fac9d48e2ee72ada63bc52af

SHA256
48b54486aa0c523d47ef5fadd704d3ed778ae158f6fef58e98e417f2bd73d628

SHA512
e12f1982913c059b6e80a2bccf9e02b6bb0b47a3cc24a7527063fe2b3c3215f9b1ecea68e8c99128f2153cd06dc2f5e5d4e687b3c72aa583b8bfc44e7bc23276

Download Submit
\Users\Admin\AppData\Local\Temp\~DFA66.tmp

Filesize
629KB

MD5
c09dba066a51a2cbeda82dade4a1b354

SHA1
796b559ee8a07668fac9d48e2ee72ada63bc52af

SHA256
48b54486aa0c523d47ef5fadd704d3ed778ae158f6fef58e98e417f2bd73d628

SHA512
e12f1982913c059b6e80a2bccf9e02b6bb0b47a3cc24a7527063fe2b3c3215f9b1ecea68e8c99128f2153cd06dc2f5e5d4e687b3c72aa583b8bfc44e7bc23276

Download Submit
memory/864-54-0x0000000075FB1000-0x0000000075FB3000-memory.dmp

Filesize
8KB

Download
memory/864-69-0x0000000000A70000-0x0000000000B41000-memory.dmp

Filesize
836KB

Download
memory/864-70-0x0000000000350000-0x0000000000421000-memory.dmp

Filesize
836KB

Download
memory/864-55-0x0000000000A70000-0x0000000000B41000-memory.dmp

Filesize
836KB

Download
memory/1208-80-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/1432-72-0x0000000000920000-0x00000000009F1000-memory.dmp

Filesize
836KB

Download
memory/1432-73-0x0000000002060000-0x0000000002131000-memory.dmp

Filesize
836KB

Download
memory/1432-75-0x0000000000920000-0x00000000009F1000-memory.dmp

Filesize
836KB

Download
memory/2004-79-0x0000000003AA0000-0x0000000003BF9000-memory.dmp

Filesize
1.3MB

Download
memory/2004-74-0x00000000010C0000-0x0000000001191000-memory.dmp

Filesize
836KB

Download
memory/2004-82-0x00000000010C0000-0x0000000001191000-memory.dmp

Filesize
836KB

Download