d82f8e99f724f2b215ac98c0bd03b4d870f78393957e57cc3844bc170ddd46ee

Analysis

max time kernel
152s
max time network
77s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
12/10/2022, 18:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d82f8e99f724f2b215ac98c0bd03b4d870f78393957e57cc3844bc170ddd46ee.exe
Size

646KB
MD5

6f01d3b1f9ecbc44872cc4c3b7fbbb50
SHA1

7c037c90249c220909c2fff9f583d9a4912b1d2a
SHA256

d82f8e99f724f2b215ac98c0bd03b4d870f78393957e57cc3844bc170ddd46ee
SHA512

845662c0bdc2b4afedbba1fad71ad6f6eb3cd783269ff451cae2156f06fa7303c0bcb0040172ec1c1be93852238551c2b39ab4e98d7be31e09d6d23ecf200b25
SSDEEP

12288:OHjcoe9PH96vB/fAuBcm9TyOE/xG3muGx44MG4Yx:ODgINfAuBcgcZG2uG24MG4Y

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1892	qivyzif.exe
1472	~DFA70.tmp
1800	foybke.exe

Deletes itself 1 IoCs

pid	Process
1308	cmd.exe

Loads dropped DLL 3 IoCs

pid	Process
544	d82f8e99f724f2b215ac98c0bd03b4d870f78393957e57cc3844bc170ddd46ee.exe
1892	qivyzif.exe
1472	~DFA70.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
1800	foybke.exe
1800	foybke.exe
1800	foybke.exe
1800	foybke.exe
1800	foybke.exe
1800	foybke.exe
1800	foybke.exe
1800	foybke.exe
1800	foybke.exe
1800	foybke.exe
1800	foybke.exe
1800	foybke.exe
1800	foybke.exe
1800	foybke.exe
1800	foybke.exe
1800	foybke.exe
1800	foybke.exe
1800	foybke.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1472	~DFA70.tmp

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 544 wrote to memory of 1892	544	d82f8e99f724f2b215ac98c0bd03b4d870f78393957e57cc3844bc170ddd46ee.exe	26
PID 544 wrote to memory of 1892	544	d82f8e99f724f2b215ac98c0bd03b4d870f78393957e57cc3844bc170ddd46ee.exe	26
PID 544 wrote to memory of 1892	544	d82f8e99f724f2b215ac98c0bd03b4d870f78393957e57cc3844bc170ddd46ee.exe	26
PID 544 wrote to memory of 1892	544	d82f8e99f724f2b215ac98c0bd03b4d870f78393957e57cc3844bc170ddd46ee.exe	26
PID 1892 wrote to memory of 1472	1892	qivyzif.exe	27
PID 1892 wrote to memory of 1472	1892	qivyzif.exe	27
PID 1892 wrote to memory of 1472	1892	qivyzif.exe	27
PID 1892 wrote to memory of 1472	1892	qivyzif.exe	27
PID 544 wrote to memory of 1308	544	d82f8e99f724f2b215ac98c0bd03b4d870f78393957e57cc3844bc170ddd46ee.exe	28
PID 544 wrote to memory of 1308	544	d82f8e99f724f2b215ac98c0bd03b4d870f78393957e57cc3844bc170ddd46ee.exe	28
PID 544 wrote to memory of 1308	544	d82f8e99f724f2b215ac98c0bd03b4d870f78393957e57cc3844bc170ddd46ee.exe	28
PID 544 wrote to memory of 1308	544	d82f8e99f724f2b215ac98c0bd03b4d870f78393957e57cc3844bc170ddd46ee.exe	28
PID 1472 wrote to memory of 1800	1472	~DFA70.tmp	30
PID 1472 wrote to memory of 1800	1472	~DFA70.tmp	30
PID 1472 wrote to memory of 1800	1472	~DFA70.tmp	30
PID 1472 wrote to memory of 1800	1472	~DFA70.tmp	30

C:\Users\Admin\AppData\Local\Temp\d82f8e99f724f2b215ac98c0bd03b4d870f78393957e57cc3844bc170ddd46ee.exe
"C:\Users\Admin\AppData\Local\Temp\d82f8e99f724f2b215ac98c0bd03b4d870f78393957e57cc3844bc170ddd46ee.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:544
- C:\Users\Admin\AppData\Local\Temp\qivyzif.exe
  C:\Users\Admin\AppData\Local\Temp\qivyzif.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1892
- - C:\Users\Admin\AppData\Local\Temp\~DFA70.tmp
    C:\Users\Admin\AppData\Local\Temp\~DFA70.tmp OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1472
  - - C:\Users\Admin\AppData\Local\Temp\foybke.exe
      "C:\Users\Admin\AppData\Local\Temp\foybke.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:1800
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
  2⤵
  - Deletes itself
  PID:1308

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uninsep.bat

Filesize
341B

MD5
e75e581cee72b16aebdf48cfec6419fe

SHA1
d3db67bc98097e40f30b3cf2e078efcb82173cab

SHA256
ee612b1dc5478acc76e35961c4bd820f1e8173180a89102ccb60f58cfeedb98b

SHA512
671704f4eb925c917a31f897680c0522eedc27fd8d9014aa78c152d3ad3e38db979fc6c42fe8a74563a32accf22bad4f2df5430feae3034b3760087442249d64

Download Submit
C:\Users\Admin\AppData\Local\Temp\foybke.exe

Filesize
404KB

MD5
12ecb412d53879b2bf59e5f3b44b7feb

SHA1
6676f6ee1a7aed0a586d9e47935dc5b655618f09

SHA256
deb99c731b721c9e9e52a4d89ad0ff242b49380ba93c8ba3cdb29f73c417e247

SHA512
01b4f5d0e7321323816f93121348d956ba8854b60afd4ebc3260f79dc5a0485b514c5c41a5ec9387bd749963e1af52ed6eec9403ca72090549cdce66a442fcfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
86bb2dbeaef655893262f3c041f6afe2

SHA1
1b26ff1241c1353bd506c18bd0c11878076ba65d

SHA256
4a57643d2c59d1235bc0926f845583f39345839e3e9428ad619eb4b6baf96ad2

SHA512
58294cfaa5882a4c5625c03fe6f9e4882912b31f7169241f95626745d66c0a746083a9044365943d66ae7a420113d28c0ddd642c4ed697c683deb63796a13d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
480B

MD5
229a02038416e17d3fe1c08eae9f8d14

SHA1
f355e34f2497f505a157d0836a75fce87d4cd564

SHA256
c3e6c2242a84bf78348d18fa14b2cd27966deeba0dedb6b13f5a165df3896ff4

SHA512
83c2a5f33caa9baa058051e63a985ee2956579affad1012cddf99bdbde1b6430640946c0e98325d482dc56ca9d735d8c00877794340c03a0409918df2018d446

Download Submit
C:\Users\Admin\AppData\Local\Temp\qivyzif.exe

Filesize
646KB

MD5
faacefbe3c6a79225a2ab6248eb8276c

SHA1
b575a9c0dfa98edb5f68e4f5d4ac4223775bd564

SHA256
07f9ae7db57ffff6943fe3561c2a6e18d505f520cbe75ee403df518879e239c5

SHA512
58d4eed135f360b04fd9b449323c0fd052721c3c2c2c9591036b03ec3d088987e4d9cf662ea6c9508627d8cc0a8185b5b10df7ea9aa7c4984e1ca5a72d1a280c

Download Submit
C:\Users\Admin\AppData\Local\Temp\qivyzif.exe

Filesize
646KB

MD5
faacefbe3c6a79225a2ab6248eb8276c

SHA1
b575a9c0dfa98edb5f68e4f5d4ac4223775bd564

SHA256
07f9ae7db57ffff6943fe3561c2a6e18d505f520cbe75ee403df518879e239c5

SHA512
58d4eed135f360b04fd9b449323c0fd052721c3c2c2c9591036b03ec3d088987e4d9cf662ea6c9508627d8cc0a8185b5b10df7ea9aa7c4984e1ca5a72d1a280c

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA70.tmp

Filesize
649KB

MD5
863766c1f5ce2b210070b297b73de3a9

SHA1
0dc6558b0fa04221eaeee2d6468bb3bdadf96af5

SHA256
03d8578bf426218045ace498804926f583b65c222222b023e174b92938911382

SHA512
4ccd7805e5b72734f90d259134280277f9b5c051c1a8c88761f520edb49df426db60eb79e971cdfc66723ae3ace239531cbbcd32d1dbe26f68637e5ad0353bac

Download Submit
\Users\Admin\AppData\Local\Temp\foybke.exe

Filesize
404KB

MD5
12ecb412d53879b2bf59e5f3b44b7feb

SHA1
6676f6ee1a7aed0a586d9e47935dc5b655618f09

SHA256
deb99c731b721c9e9e52a4d89ad0ff242b49380ba93c8ba3cdb29f73c417e247

SHA512
01b4f5d0e7321323816f93121348d956ba8854b60afd4ebc3260f79dc5a0485b514c5c41a5ec9387bd749963e1af52ed6eec9403ca72090549cdce66a442fcfe

Download Submit
\Users\Admin\AppData\Local\Temp\qivyzif.exe

Filesize
646KB

MD5
faacefbe3c6a79225a2ab6248eb8276c

SHA1
b575a9c0dfa98edb5f68e4f5d4ac4223775bd564

SHA256
07f9ae7db57ffff6943fe3561c2a6e18d505f520cbe75ee403df518879e239c5

SHA512
58d4eed135f360b04fd9b449323c0fd052721c3c2c2c9591036b03ec3d088987e4d9cf662ea6c9508627d8cc0a8185b5b10df7ea9aa7c4984e1ca5a72d1a280c

Download Submit
\Users\Admin\AppData\Local\Temp\~DFA70.tmp

Filesize
649KB

MD5
863766c1f5ce2b210070b297b73de3a9

SHA1
0dc6558b0fa04221eaeee2d6468bb3bdadf96af5

SHA256
03d8578bf426218045ace498804926f583b65c222222b023e174b92938911382

SHA512
4ccd7805e5b72734f90d259134280277f9b5c051c1a8c88761f520edb49df426db60eb79e971cdfc66723ae3ace239531cbbcd32d1dbe26f68637e5ad0353bac

Download Submit
memory/544-71-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/544-61-0x0000000001FA0000-0x000000000207E000-memory.dmp

Filesize
888KB

Download
memory/544-54-0x0000000075A91000-0x0000000075A93000-memory.dmp

Filesize
8KB

Download
memory/544-55-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1472-68-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1472-73-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1472-77-0x00000000036D0000-0x000000000380E000-memory.dmp

Filesize
1.2MB

Download
memory/1800-78-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/1892-69-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1892-62-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download