5cec5d186598da9b2f144f7ac8e4d4307203fed9ef3dc5740d7cfd88d93a51db

Analysis

max time kernel
152s
max time network
74s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
12/10/2022, 18:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5cec5d186598da9b2f144f7ac8e4d4307203fed9ef3dc5740d7cfd88d93a51db.exe
Size

651KB
MD5

626bc30f4b6d6c59694f9e494ccbd050
SHA1

841fdbc179c2b007bb6c5ed2199893f9a8a3a797
SHA256

5cec5d186598da9b2f144f7ac8e4d4307203fed9ef3dc5740d7cfd88d93a51db
SHA512

4e65d6e93ad7d9d65e3a7af597b9fcdab123c3b44f343e6a29d13ef1636893d4478378f002a061595dc29ba9ed9413059d9bc0878d1ff91ef38678526684992a
SSDEEP

12288:VHjcoe9PH96vB/fAuBcm9TyOE/xG3muGx44MG4Yx:VDgINfAuBcgcZG2uG24MG4Y

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1688	duxuriu.exe
1332	~DFA50.tmp
1768	ipsirau.exe

Deletes itself 1 IoCs

pid	Process
2020	cmd.exe

Loads dropped DLL 3 IoCs

pid	Process
1912	5cec5d186598da9b2f144f7ac8e4d4307203fed9ef3dc5740d7cfd88d93a51db.exe
1688	duxuriu.exe
1332	~DFA50.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
1768	ipsirau.exe
1768	ipsirau.exe
1768	ipsirau.exe
1768	ipsirau.exe
1768	ipsirau.exe
1768	ipsirau.exe
1768	ipsirau.exe
1768	ipsirau.exe
1768	ipsirau.exe
1768	ipsirau.exe
1768	ipsirau.exe
1768	ipsirau.exe
1768	ipsirau.exe
1768	ipsirau.exe
1768	ipsirau.exe
1768	ipsirau.exe
1768	ipsirau.exe
1768	ipsirau.exe
1768	ipsirau.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1332	~DFA50.tmp

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1912 wrote to memory of 1688	1912	5cec5d186598da9b2f144f7ac8e4d4307203fed9ef3dc5740d7cfd88d93a51db.exe	28
PID 1912 wrote to memory of 1688	1912	5cec5d186598da9b2f144f7ac8e4d4307203fed9ef3dc5740d7cfd88d93a51db.exe	28
PID 1912 wrote to memory of 1688	1912	5cec5d186598da9b2f144f7ac8e4d4307203fed9ef3dc5740d7cfd88d93a51db.exe	28
PID 1912 wrote to memory of 1688	1912	5cec5d186598da9b2f144f7ac8e4d4307203fed9ef3dc5740d7cfd88d93a51db.exe	28
PID 1912 wrote to memory of 2020	1912	5cec5d186598da9b2f144f7ac8e4d4307203fed9ef3dc5740d7cfd88d93a51db.exe	29
PID 1912 wrote to memory of 2020	1912	5cec5d186598da9b2f144f7ac8e4d4307203fed9ef3dc5740d7cfd88d93a51db.exe	29
PID 1912 wrote to memory of 2020	1912	5cec5d186598da9b2f144f7ac8e4d4307203fed9ef3dc5740d7cfd88d93a51db.exe	29
PID 1912 wrote to memory of 2020	1912	5cec5d186598da9b2f144f7ac8e4d4307203fed9ef3dc5740d7cfd88d93a51db.exe	29
PID 1688 wrote to memory of 1332	1688	duxuriu.exe	30
PID 1688 wrote to memory of 1332	1688	duxuriu.exe	30
PID 1688 wrote to memory of 1332	1688	duxuriu.exe	30
PID 1688 wrote to memory of 1332	1688	duxuriu.exe	30
PID 1332 wrote to memory of 1768	1332	~DFA50.tmp	32
PID 1332 wrote to memory of 1768	1332	~DFA50.tmp	32
PID 1332 wrote to memory of 1768	1332	~DFA50.tmp	32
PID 1332 wrote to memory of 1768	1332	~DFA50.tmp	32

C:\Users\Admin\AppData\Local\Temp\5cec5d186598da9b2f144f7ac8e4d4307203fed9ef3dc5740d7cfd88d93a51db.exe
"C:\Users\Admin\AppData\Local\Temp\5cec5d186598da9b2f144f7ac8e4d4307203fed9ef3dc5740d7cfd88d93a51db.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1912
- C:\Users\Admin\AppData\Local\Temp\duxuriu.exe
  C:\Users\Admin\AppData\Local\Temp\duxuriu.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1688
- - C:\Users\Admin\AppData\Local\Temp\~DFA50.tmp
    C:\Users\Admin\AppData\Local\Temp\~DFA50.tmp OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1332
  - - C:\Users\Admin\AppData\Local\Temp\ipsirau.exe
      "C:\Users\Admin\AppData\Local\Temp\ipsirau.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:1768
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
  2⤵
  - Deletes itself
  PID:2020

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uninsep.bat

Filesize
341B

MD5
7c33e2b7895de8145c857041edf1405e

SHA1
319784768c34645648abb5762596ab878048b5ba

SHA256
5ffd18b34fbcd3f4dc2892c655680f9de30ebc0fbb75dc1f5991db8533678f15

SHA512
2c761c7a33264acc20304629bb595a8ecbdbd55ed305fbad468c52709d0b1ada98af2c296ef4d2a350fe46ca87be5a351bddc7822f3647455fd73283ae4ffd2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\duxuriu.exe

Filesize
661KB

MD5
3b4525c1fe5518b1591f68a755a9b932

SHA1
4906ff6459d6b64d12e752b8346fde52f1ea5992

SHA256
40e0ac30f1ad0aa1a68b3a0991f95d6cff1763fbb4e79a263baa6e23744e09fb

SHA512
46797073b70abc7d48eadd2258fc88bdbd80f8e94c7ddd5f414a8056bf7a5b2d6201bcf3265948d4d10403a0bf3ed32cde829378b3ca3d042b7bdf6fae0d23bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\duxuriu.exe

Filesize
661KB

MD5
3b4525c1fe5518b1591f68a755a9b932

SHA1
4906ff6459d6b64d12e752b8346fde52f1ea5992

SHA256
40e0ac30f1ad0aa1a68b3a0991f95d6cff1763fbb4e79a263baa6e23744e09fb

SHA512
46797073b70abc7d48eadd2258fc88bdbd80f8e94c7ddd5f414a8056bf7a5b2d6201bcf3265948d4d10403a0bf3ed32cde829378b3ca3d042b7bdf6fae0d23bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
86bb2dbeaef655893262f3c041f6afe2

SHA1
1b26ff1241c1353bd506c18bd0c11878076ba65d

SHA256
4a57643d2c59d1235bc0926f845583f39345839e3e9428ad619eb4b6baf96ad2

SHA512
58294cfaa5882a4c5625c03fe6f9e4882912b31f7169241f95626745d66c0a746083a9044365943d66ae7a420113d28c0ddd642c4ed697c683deb63796a13d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
480B

MD5
163c5eb4d7bf4677947767880d526556

SHA1
2039c7768ad97d9f179373558e9e2995a2133027

SHA256
fdc0e6a5b0647cf7ad9bd6c06fcd48e6366384a8ca1fa8f8eed433e322ad0426

SHA512
3a3089817a233ed8a3a94769915f08dedccf3a42a087957d5701fb48afc092639b1161b745d5fb64c6365f9eb287a03e99e65fbbd41e7870cb33f210d6afdb60

Download Submit
C:\Users\Admin\AppData\Local\Temp\ipsirau.exe

Filesize
379KB

MD5
7659c1349ad87ea1f8db36c65e333a1c

SHA1
2a8ed2fde6098e00d6f145aec24a06523f2636bd

SHA256
2169fdb5bddde3f91356798995a683ff2591e9fbce96e0bf9c6371f870f9c1cb

SHA512
48306bb07d38284c3587a284c7950c488fb2b8668095cc3fd9940859faf54a3d65ddb6d9563f7a7eb5dc746867b613be2593ef0cde676797ba73af7be9530ecd

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA50.tmp

Filesize
661KB

MD5
485e098740cef8311ccec4d94038139d

SHA1
caa966762da1d873b0af2ca024f8edb906c7ced2

SHA256
604087097d877fbbbd102be8e7bbad91f0ae20e0732e05a2b0f42d3e88c9fee6

SHA512
9041ec3fcdb76c038d41eb5bc237c3ca3d632f1ec3acc72df242b9bf6e714f0d4e7db45899e13a6eb5a724cf14803563be056beef3265f34e36f163589814deb

Download Submit
\Users\Admin\AppData\Local\Temp\duxuriu.exe

Filesize
661KB

MD5
3b4525c1fe5518b1591f68a755a9b932

SHA1
4906ff6459d6b64d12e752b8346fde52f1ea5992

SHA256
40e0ac30f1ad0aa1a68b3a0991f95d6cff1763fbb4e79a263baa6e23744e09fb

SHA512
46797073b70abc7d48eadd2258fc88bdbd80f8e94c7ddd5f414a8056bf7a5b2d6201bcf3265948d4d10403a0bf3ed32cde829378b3ca3d042b7bdf6fae0d23bb

Download Submit
\Users\Admin\AppData\Local\Temp\ipsirau.exe

Filesize
379KB

MD5
7659c1349ad87ea1f8db36c65e333a1c

SHA1
2a8ed2fde6098e00d6f145aec24a06523f2636bd

SHA256
2169fdb5bddde3f91356798995a683ff2591e9fbce96e0bf9c6371f870f9c1cb

SHA512
48306bb07d38284c3587a284c7950c488fb2b8668095cc3fd9940859faf54a3d65ddb6d9563f7a7eb5dc746867b613be2593ef0cde676797ba73af7be9530ecd

Download Submit
\Users\Admin\AppData\Local\Temp\~DFA50.tmp

Filesize
661KB

MD5
485e098740cef8311ccec4d94038139d

SHA1
caa966762da1d873b0af2ca024f8edb906c7ced2

SHA256
604087097d877fbbbd102be8e7bbad91f0ae20e0732e05a2b0f42d3e88c9fee6

SHA512
9041ec3fcdb76c038d41eb5bc237c3ca3d632f1ec3acc72df242b9bf6e714f0d4e7db45899e13a6eb5a724cf14803563be056beef3265f34e36f163589814deb

Download Submit
memory/1332-72-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1332-77-0x0000000003680000-0x00000000037BE000-memory.dmp

Filesize
1.2MB

Download
memory/1332-71-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1688-70-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1768-78-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/1912-68-0x00000000006E0000-0x00000000007BE000-memory.dmp

Filesize
888KB

Download
memory/1912-67-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1912-55-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1912-54-0x00000000763F1000-0x00000000763F3000-memory.dmp

Filesize
8KB

Download