50ca7fef598c65eee009ee7b03b314febc14045f17f45afbfe3ada39b905809e

Analysis

max time kernel
150s
max time network
72s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
12-10-2022 18:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

50ca7fef598c65eee009ee7b03b314febc14045f17f45afbfe3ada39b905809e.exe
Size

622KB
MD5

640e7206d621dcb2b325071f788ac4f0
SHA1

b1afd18037da17480fdcf9e2ee65c65c7724b6c8
SHA256

50ca7fef598c65eee009ee7b03b314febc14045f17f45afbfe3ada39b905809e
SHA512

22b298053bf3fc9247330dde2ccf8a82199a2337baebb8c3f79dd3eb2da9ccc673f747124f29f363e8d3c4b0271bff919726313e91f96aad9a8737a2892e7dfe
SSDEEP

12288:VHjcoe9PH96vB/fAuBcm9TyOE/xG3muGx44MG4Yx:VDgINfAuBcgcZG2uG24MG4Y

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1864	mohofoc.exe
1660	~DFA50.tmp
1692	zacycoc.exe

Deletes itself 1 IoCs

pid	Process
1664	cmd.exe

Loads dropped DLL 3 IoCs

pid	Process
1264	50ca7fef598c65eee009ee7b03b314febc14045f17f45afbfe3ada39b905809e.exe
1864	mohofoc.exe
1660	~DFA50.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
1692	zacycoc.exe
1692	zacycoc.exe
1692	zacycoc.exe
1692	zacycoc.exe
1692	zacycoc.exe
1692	zacycoc.exe
1692	zacycoc.exe
1692	zacycoc.exe
1692	zacycoc.exe
1692	zacycoc.exe
1692	zacycoc.exe
1692	zacycoc.exe
1692	zacycoc.exe
1692	zacycoc.exe
1692	zacycoc.exe
1692	zacycoc.exe
1692	zacycoc.exe
1692	zacycoc.exe
1692	zacycoc.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1660	~DFA50.tmp

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1264 wrote to memory of 1864	1264	50ca7fef598c65eee009ee7b03b314febc14045f17f45afbfe3ada39b905809e.exe	27
PID 1264 wrote to memory of 1864	1264	50ca7fef598c65eee009ee7b03b314febc14045f17f45afbfe3ada39b905809e.exe	27
PID 1264 wrote to memory of 1864	1264	50ca7fef598c65eee009ee7b03b314febc14045f17f45afbfe3ada39b905809e.exe	27
PID 1264 wrote to memory of 1864	1264	50ca7fef598c65eee009ee7b03b314febc14045f17f45afbfe3ada39b905809e.exe	27
PID 1864 wrote to memory of 1660	1864	mohofoc.exe	28
PID 1864 wrote to memory of 1660	1864	mohofoc.exe	28
PID 1864 wrote to memory of 1660	1864	mohofoc.exe	28
PID 1864 wrote to memory of 1660	1864	mohofoc.exe	28
PID 1264 wrote to memory of 1664	1264	50ca7fef598c65eee009ee7b03b314febc14045f17f45afbfe3ada39b905809e.exe	29
PID 1264 wrote to memory of 1664	1264	50ca7fef598c65eee009ee7b03b314febc14045f17f45afbfe3ada39b905809e.exe	29
PID 1264 wrote to memory of 1664	1264	50ca7fef598c65eee009ee7b03b314febc14045f17f45afbfe3ada39b905809e.exe	29
PID 1264 wrote to memory of 1664	1264	50ca7fef598c65eee009ee7b03b314febc14045f17f45afbfe3ada39b905809e.exe	29
PID 1660 wrote to memory of 1692	1660	~DFA50.tmp	31
PID 1660 wrote to memory of 1692	1660	~DFA50.tmp	31
PID 1660 wrote to memory of 1692	1660	~DFA50.tmp	31
PID 1660 wrote to memory of 1692	1660	~DFA50.tmp	31

C:\Users\Admin\AppData\Local\Temp\50ca7fef598c65eee009ee7b03b314febc14045f17f45afbfe3ada39b905809e.exe
"C:\Users\Admin\AppData\Local\Temp\50ca7fef598c65eee009ee7b03b314febc14045f17f45afbfe3ada39b905809e.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1264
- C:\Users\Admin\AppData\Local\Temp\mohofoc.exe
  C:\Users\Admin\AppData\Local\Temp\mohofoc.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1864
- - C:\Users\Admin\AppData\Local\Temp\~DFA50.tmp
    C:\Users\Admin\AppData\Local\Temp\~DFA50.tmp OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1660
  - - C:\Users\Admin\AppData\Local\Temp\zacycoc.exe
      "C:\Users\Admin\AppData\Local\Temp\zacycoc.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:1692
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
  2⤵
  - Deletes itself
  PID:1664

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uninsep.bat

Filesize
341B

MD5
18c2cadb985dc805a428ea9b8ce51d24

SHA1
a3867e9d0bf692e1e15e9e327ffdeef7ccf58b11

SHA256
76df071122cbb5cd3ae83cc2256ebdfedfa5dbf49e14c5c2f227fe4cb4cc0b61

SHA512
27d403fcccd43d95097ee9448378152bc524282f3fb305fff3cf82def5d4de658e378ab188362f7dd596ea6ec6ae62fa79dfac5ed8588159a2d9aa94f4eaf821

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
86bb2dbeaef655893262f3c041f6afe2

SHA1
1b26ff1241c1353bd506c18bd0c11878076ba65d

SHA256
4a57643d2c59d1235bc0926f845583f39345839e3e9428ad619eb4b6baf96ad2

SHA512
58294cfaa5882a4c5625c03fe6f9e4882912b31f7169241f95626745d66c0a746083a9044365943d66ae7a420113d28c0ddd642c4ed697c683deb63796a13d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
480B

MD5
91dddaaae66d655cc2d577f22e4ccf7d

SHA1
93f64866253aad0acaab0e83436c70cdb67c8426

SHA256
54b9ea2fc85ac180aebc3fda59fffa25a1688e2c95e9ad37aaa3b50132f0231c

SHA512
9e457dd9f00213e2532ded16ec0ed15c677a51aa3f600c61ab2baf745ca5f719f1ac6e6791353e966b89970c9674c4bc510fd46f386a331a6d352de57a9cb700

Download Submit
C:\Users\Admin\AppData\Local\Temp\mohofoc.exe

Filesize
622KB

MD5
ce6aa3b5ffdc4f71e36c57a3591ffe56

SHA1
a0d31cce309ba1680934b7511bdf05bb1c81eeb5

SHA256
bcfb20e9ce5d84202155796b6892819bd08d29a8ee6d6ff2049622c065461dd5

SHA512
7547aca86c242d4eab14dd9364970efc0caecde734c01e5b5ad94087d31b71721b2b3ea013dbd9dfae9cc9307a35b16616fd0cf1c9ffbaf401bf9ca5d5d4a6c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\mohofoc.exe

Filesize
622KB

MD5
ce6aa3b5ffdc4f71e36c57a3591ffe56

SHA1
a0d31cce309ba1680934b7511bdf05bb1c81eeb5

SHA256
bcfb20e9ce5d84202155796b6892819bd08d29a8ee6d6ff2049622c065461dd5

SHA512
7547aca86c242d4eab14dd9364970efc0caecde734c01e5b5ad94087d31b71721b2b3ea013dbd9dfae9cc9307a35b16616fd0cf1c9ffbaf401bf9ca5d5d4a6c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\zacycoc.exe

Filesize
391KB

MD5
99fe2e33d75c65e46b65d71e747850cd

SHA1
7b8c7094b227c8b3ab234a112ccaf4579e0d2635

SHA256
a57953508c9d4e74a5c5c186aa5e31749223469b461b0cb48520345d23984e53

SHA512
b527bf8d4cb562248c7f4416d23e55ede732b4ce7b2cda2a99ee5c88bfb2f31e2c6333fba1c13f826eee38f2ded722bc8b217bd00984f41d4a549b2555a038fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA50.tmp

Filesize
622KB

MD5
f0aa9896fe748045048e52b009997334

SHA1
a7b8a1333031b78e9a1593a0f41ceaf9bdbf5f38

SHA256
38abd41ef53d5362b621a65dc035f328ee8a291152d65c2b04b9c78b426f20ae

SHA512
a1ac8aa6defc6fc623aefb6dbd7cfb6bf8c68b08c0210dc62932cfba74f63589858727887d175123e28e0ba9b579950a671220e6c6afd2e1aa400cd40a2446bf

Download Submit
\Users\Admin\AppData\Local\Temp\mohofoc.exe

Filesize
622KB

MD5
ce6aa3b5ffdc4f71e36c57a3591ffe56

SHA1
a0d31cce309ba1680934b7511bdf05bb1c81eeb5

SHA256
bcfb20e9ce5d84202155796b6892819bd08d29a8ee6d6ff2049622c065461dd5

SHA512
7547aca86c242d4eab14dd9364970efc0caecde734c01e5b5ad94087d31b71721b2b3ea013dbd9dfae9cc9307a35b16616fd0cf1c9ffbaf401bf9ca5d5d4a6c8

Download Submit
\Users\Admin\AppData\Local\Temp\zacycoc.exe

Filesize
391KB

MD5
99fe2e33d75c65e46b65d71e747850cd

SHA1
7b8c7094b227c8b3ab234a112ccaf4579e0d2635

SHA256
a57953508c9d4e74a5c5c186aa5e31749223469b461b0cb48520345d23984e53

SHA512
b527bf8d4cb562248c7f4416d23e55ede732b4ce7b2cda2a99ee5c88bfb2f31e2c6333fba1c13f826eee38f2ded722bc8b217bd00984f41d4a549b2555a038fd

Download Submit
\Users\Admin\AppData\Local\Temp\~DFA50.tmp

Filesize
622KB

MD5
f0aa9896fe748045048e52b009997334

SHA1
a7b8a1333031b78e9a1593a0f41ceaf9bdbf5f38

SHA256
38abd41ef53d5362b621a65dc035f328ee8a291152d65c2b04b9c78b426f20ae

SHA512
a1ac8aa6defc6fc623aefb6dbd7cfb6bf8c68b08c0210dc62932cfba74f63589858727887d175123e28e0ba9b579950a671220e6c6afd2e1aa400cd40a2446bf

Download Submit
memory/1264-68-0x0000000001E60000-0x0000000001F3E000-memory.dmp

Filesize
888KB

Download
memory/1264-55-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1264-54-0x0000000075601000-0x0000000075603000-memory.dmp

Filesize
8KB

Download
memory/1264-67-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1660-72-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1660-79-0x0000000003650000-0x000000000378E000-memory.dmp

Filesize
1.2MB

Download
memory/1660-74-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1692-80-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/1864-70-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1864-73-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1864-71-0x0000000002BF0000-0x0000000002CCE000-memory.dmp

Filesize
888KB

Download