14d766bb6a1bb76eb6790db6a27fd9b2d30e8d999c288d6ecd18643fc8b9bc5d

Analysis

max time kernel
150s
max time network
75s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
12/10/2022, 18:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

14d766bb6a1bb76eb6790db6a27fd9b2d30e8d999c288d6ecd18643fc8b9bc5d.exe
Size

670KB
MD5

76b48feac304e4e8ef32a2494779a490
SHA1

e9edf2b6e0e8e615028f651aa695edfc996f3674
SHA256

14d766bb6a1bb76eb6790db6a27fd9b2d30e8d999c288d6ecd18643fc8b9bc5d
SHA512

54654b34fd35047ccb285203c66eaddde468230740af3c9be17e001fcdd8cffee4984539695781ea8d509b64d5e09f20d3d62218ce8923c3e31a4be951e94877
SSDEEP

12288:VHjcoe9PH96vB/fAuBcm9TyOE/xG3muGx44MG4Yx:VDgINfAuBcgcZG2uG24MG4Y

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1984	qyfopau.exe
1480	~DFA64.tmp
728	ibazdau.exe

Deletes itself 1 IoCs

pid	Process
1740	cmd.exe

Loads dropped DLL 3 IoCs

pid	Process
1220	14d766bb6a1bb76eb6790db6a27fd9b2d30e8d999c288d6ecd18643fc8b9bc5d.exe
1984	qyfopau.exe
1480	~DFA64.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
728	ibazdau.exe
728	ibazdau.exe
728	ibazdau.exe
728	ibazdau.exe
728	ibazdau.exe
728	ibazdau.exe
728	ibazdau.exe
728	ibazdau.exe
728	ibazdau.exe
728	ibazdau.exe
728	ibazdau.exe
728	ibazdau.exe
728	ibazdau.exe
728	ibazdau.exe
728	ibazdau.exe
728	ibazdau.exe
728	ibazdau.exe
728	ibazdau.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1480	~DFA64.tmp

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1220 wrote to memory of 1984	1220	14d766bb6a1bb76eb6790db6a27fd9b2d30e8d999c288d6ecd18643fc8b9bc5d.exe	26
PID 1220 wrote to memory of 1984	1220	14d766bb6a1bb76eb6790db6a27fd9b2d30e8d999c288d6ecd18643fc8b9bc5d.exe	26
PID 1220 wrote to memory of 1984	1220	14d766bb6a1bb76eb6790db6a27fd9b2d30e8d999c288d6ecd18643fc8b9bc5d.exe	26
PID 1220 wrote to memory of 1984	1220	14d766bb6a1bb76eb6790db6a27fd9b2d30e8d999c288d6ecd18643fc8b9bc5d.exe	26
PID 1984 wrote to memory of 1480	1984	qyfopau.exe	27
PID 1984 wrote to memory of 1480	1984	qyfopau.exe	27
PID 1984 wrote to memory of 1480	1984	qyfopau.exe	27
PID 1984 wrote to memory of 1480	1984	qyfopau.exe	27
PID 1220 wrote to memory of 1740	1220	14d766bb6a1bb76eb6790db6a27fd9b2d30e8d999c288d6ecd18643fc8b9bc5d.exe	28
PID 1220 wrote to memory of 1740	1220	14d766bb6a1bb76eb6790db6a27fd9b2d30e8d999c288d6ecd18643fc8b9bc5d.exe	28
PID 1220 wrote to memory of 1740	1220	14d766bb6a1bb76eb6790db6a27fd9b2d30e8d999c288d6ecd18643fc8b9bc5d.exe	28
PID 1220 wrote to memory of 1740	1220	14d766bb6a1bb76eb6790db6a27fd9b2d30e8d999c288d6ecd18643fc8b9bc5d.exe	28
PID 1480 wrote to memory of 728	1480	~DFA64.tmp	30
PID 1480 wrote to memory of 728	1480	~DFA64.tmp	30
PID 1480 wrote to memory of 728	1480	~DFA64.tmp	30
PID 1480 wrote to memory of 728	1480	~DFA64.tmp	30

C:\Users\Admin\AppData\Local\Temp\14d766bb6a1bb76eb6790db6a27fd9b2d30e8d999c288d6ecd18643fc8b9bc5d.exe
"C:\Users\Admin\AppData\Local\Temp\14d766bb6a1bb76eb6790db6a27fd9b2d30e8d999c288d6ecd18643fc8b9bc5d.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1220
- C:\Users\Admin\AppData\Local\Temp\qyfopau.exe
  C:\Users\Admin\AppData\Local\Temp\qyfopau.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1984
- - C:\Users\Admin\AppData\Local\Temp\~DFA64.tmp
    C:\Users\Admin\AppData\Local\Temp\~DFA64.tmp OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1480
  - - C:\Users\Admin\AppData\Local\Temp\ibazdau.exe
      "C:\Users\Admin\AppData\Local\Temp\ibazdau.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:728
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
  2⤵
  - Deletes itself
  PID:1740

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uninsep.bat

Filesize
341B

MD5
860284365bffd748cc96d3b752f01d45

SHA1
8463bfcca16aae3a3d0f94765dbf24af56176408

SHA256
7ecdd585ced25c29ffb5aa145c0e598ac7d96dc0fcae15f5d648ef2f17a6dfb2

SHA512
034618fb2f6f124c8be85573dfd5aca19d4ca3ea84e2efde968fdbc8486838344511a48c4e22d4897449ca688d28a3fdf7273c5f105280d3c7d0985b87a17f9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
86bb2dbeaef655893262f3c041f6afe2

SHA1
1b26ff1241c1353bd506c18bd0c11878076ba65d

SHA256
4a57643d2c59d1235bc0926f845583f39345839e3e9428ad619eb4b6baf96ad2

SHA512
58294cfaa5882a4c5625c03fe6f9e4882912b31f7169241f95626745d66c0a746083a9044365943d66ae7a420113d28c0ddd642c4ed697c683deb63796a13d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
480B

MD5
86511c43dc01171ef4980285c500126f

SHA1
319b1a08c6461be97c6950c58fc5be9a1600aecb

SHA256
8a583df22bdc9b28124b454bb2c9d315888e506d884ae0fc7fd796433633ed73

SHA512
1f3fb0df5d2dc3eec4e44d699b3ba45de26474faa6062cf9fe1b9c8e2ec6aec5d0c16d9947238d446f2cd9a1e78132b6c27315c3ff8d9c1a020472edda364c17

Download Submit
C:\Users\Admin\AppData\Local\Temp\ibazdau.exe

Filesize
409KB

MD5
85a96cad0668368d6a37c2024eb2fb0f

SHA1
dcf903313ba291ec93bdffc3d7ec0bf1f38b23bf

SHA256
81df61b24de2294a403d6e67ac5713eb0200639587affb07854bbcc24abb9913

SHA512
aff22f78789025b8efe8e9e7c6ccaa2beea3288064c3735e6090962257c816107f2ac5d25a93dfc1cb624e19c07bbd6a90ad020391956526d072f3a5ca45ece1

Download Submit
C:\Users\Admin\AppData\Local\Temp\qyfopau.exe

Filesize
670KB

MD5
7e215c20bfbbf74de4919d495bdeb4af

SHA1
76ee1472bd2c22a0125618b6fa9d4945820c4845

SHA256
a87e05aead94540ad7564ff76fd0f70c26acd2ce8f466483a758ce49e0befe68

SHA512
6ef740ccd1a527052eea22ab2bd4e33fea9db0e0c0adb05165962a6619e62df6978f5bfd55f5797ef1ef6a85aa4686799f9c44c96e7e07da602245d640a5cf35

Download Submit
C:\Users\Admin\AppData\Local\Temp\qyfopau.exe

Filesize
670KB

MD5
7e215c20bfbbf74de4919d495bdeb4af

SHA1
76ee1472bd2c22a0125618b6fa9d4945820c4845

SHA256
a87e05aead94540ad7564ff76fd0f70c26acd2ce8f466483a758ce49e0befe68

SHA512
6ef740ccd1a527052eea22ab2bd4e33fea9db0e0c0adb05165962a6619e62df6978f5bfd55f5797ef1ef6a85aa4686799f9c44c96e7e07da602245d640a5cf35

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA64.tmp

Filesize
671KB

MD5
ff2d67383a59dfda17cdbdea678f105c

SHA1
6cc9bbf4640f693d0d556f4f2e69a73edf0bdf50

SHA256
a03f72276de5fa2ee023847a0432faae38cb46ad54ab7abbc5b296a56850106b

SHA512
8fb74985d1da7bc96726b8ad07327f06c360834cf8db31ebb851bbc9c2cfddf95fff7ed5008ed2a3620ae1e69c6b8723bf4385c2ef5d909d48fd1786c817fae2

Download Submit
\Users\Admin\AppData\Local\Temp\ibazdau.exe

Filesize
409KB

MD5
85a96cad0668368d6a37c2024eb2fb0f

SHA1
dcf903313ba291ec93bdffc3d7ec0bf1f38b23bf

SHA256
81df61b24de2294a403d6e67ac5713eb0200639587affb07854bbcc24abb9913

SHA512
aff22f78789025b8efe8e9e7c6ccaa2beea3288064c3735e6090962257c816107f2ac5d25a93dfc1cb624e19c07bbd6a90ad020391956526d072f3a5ca45ece1

Download Submit
\Users\Admin\AppData\Local\Temp\qyfopau.exe

Filesize
670KB

MD5
7e215c20bfbbf74de4919d495bdeb4af

SHA1
76ee1472bd2c22a0125618b6fa9d4945820c4845

SHA256
a87e05aead94540ad7564ff76fd0f70c26acd2ce8f466483a758ce49e0befe68

SHA512
6ef740ccd1a527052eea22ab2bd4e33fea9db0e0c0adb05165962a6619e62df6978f5bfd55f5797ef1ef6a85aa4686799f9c44c96e7e07da602245d640a5cf35

Download Submit
\Users\Admin\AppData\Local\Temp\~DFA64.tmp

Filesize
671KB

MD5
ff2d67383a59dfda17cdbdea678f105c

SHA1
6cc9bbf4640f693d0d556f4f2e69a73edf0bdf50

SHA256
a03f72276de5fa2ee023847a0432faae38cb46ad54ab7abbc5b296a56850106b

SHA512
8fb74985d1da7bc96726b8ad07327f06c360834cf8db31ebb851bbc9c2cfddf95fff7ed5008ed2a3620ae1e69c6b8723bf4385c2ef5d909d48fd1786c817fae2

Download Submit
memory/728-79-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/1220-66-0x0000000001FC0000-0x000000000209E000-memory.dmp

Filesize
888KB

Download
memory/1220-72-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1220-54-0x0000000074D81000-0x0000000074D83000-memory.dmp

Filesize
8KB

Download
memory/1220-55-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1480-74-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1480-69-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1480-78-0x0000000003630000-0x000000000376E000-memory.dmp

Filesize
1.2MB

Download
memory/1984-70-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1984-68-0x0000000002C10000-0x0000000002CEE000-memory.dmp

Filesize
888KB

Download
memory/1984-67-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download