795da4b9f798971e5e9c6784199c2993b9506d02b1419ebad7a81391cb6ddbbc

Analysis

max time kernel
102s
max time network
110s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
19/10/2022, 22:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

795da4b9f798971e5e9c6784199c2993b9506d02b1419ebad7a81391cb6ddbbc.exe
Size

621KB
MD5

a11a246b267a89800f56acd21ad32ee0
SHA1

cad716bf39d42de0992a81993f7a61f7d2ca0301
SHA256

795da4b9f798971e5e9c6784199c2993b9506d02b1419ebad7a81391cb6ddbbc
SHA512

d47a4322518cff8980454b797b282a3cc420fbf3d889b9b60713ab34f57d2ed821db29ac75ee6d8b5a33009c2962e6e948868e61b2087519daa0f2ed9b3aef3f
SSDEEP

12288:WMtPB1HbMPXAktKhILTR7/3zNo4nQRQq5rC1ALp2eiFLRHYHGz:FtHAPXAvQ7rbnQRQuOyLU7TOGz

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1616	dofhir.exe

Deletes itself 1 IoCs

pid	Process
1524	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
1032	795da4b9f798971e5e9c6784199c2993b9506d02b1419ebad7a81391cb6ddbbc.exe
1032	795da4b9f798971e5e9c6784199c2993b9506d02b1419ebad7a81391cb6ddbbc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1032 wrote to memory of 1616	1032	795da4b9f798971e5e9c6784199c2993b9506d02b1419ebad7a81391cb6ddbbc.exe	28
PID 1032 wrote to memory of 1616	1032	795da4b9f798971e5e9c6784199c2993b9506d02b1419ebad7a81391cb6ddbbc.exe	28
PID 1032 wrote to memory of 1616	1032	795da4b9f798971e5e9c6784199c2993b9506d02b1419ebad7a81391cb6ddbbc.exe	28
PID 1032 wrote to memory of 1616	1032	795da4b9f798971e5e9c6784199c2993b9506d02b1419ebad7a81391cb6ddbbc.exe	28
PID 1032 wrote to memory of 1524	1032	795da4b9f798971e5e9c6784199c2993b9506d02b1419ebad7a81391cb6ddbbc.exe	30
PID 1032 wrote to memory of 1524	1032	795da4b9f798971e5e9c6784199c2993b9506d02b1419ebad7a81391cb6ddbbc.exe	30
PID 1032 wrote to memory of 1524	1032	795da4b9f798971e5e9c6784199c2993b9506d02b1419ebad7a81391cb6ddbbc.exe	30
PID 1032 wrote to memory of 1524	1032	795da4b9f798971e5e9c6784199c2993b9506d02b1419ebad7a81391cb6ddbbc.exe	30

C:\Users\Admin\AppData\Local\Temp\795da4b9f798971e5e9c6784199c2993b9506d02b1419ebad7a81391cb6ddbbc.exe
"C:\Users\Admin\AppData\Local\Temp\795da4b9f798971e5e9c6784199c2993b9506d02b1419ebad7a81391cb6ddbbc.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1032
- C:\Users\Admin\AppData\Local\Temp\dofhir.exe
  "C:\Users\Admin\AppData\Local\Temp\dofhir.exe"
  2⤵
  - Executes dropped EXE
  PID:1616
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
  2⤵
  - Deletes itself
  PID:1524

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dofhir.exe

Filesize
621KB

MD5
52d886cb5d761c184b5a8becf538fa77

SHA1
8139b64499ba7b97f003958dd0f7d966be502f40

SHA256
3c653a9f0ae0b0814a140233f44c9a6595343df8aeb9bda787f41ea110d06942

SHA512
7b9b6f65d56fc45d533fabe7cb753645081f691ae8308dda02902ff45a506ca47634acd1b78923df6d0ac236212e64b6d699d3aa49571a4bb6618064cd67d345

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
64bd6ce7bbf11d281db681ed92eef333

SHA1
2034da53aac1d1bb31412abd3374518956556beb

SHA256
f6ac51f63e05e0c1e484b9a0df249ea47e6db7e72b603191235b19fb486a0efe

SHA512
5063a264be28eab5fdae7684427cf23fe80d79d14305f516c41871422daefd8a9b39bc715098bb955b623514f0c0781b0d8b516e0bf0f0ef8c6c7736b106ba26

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
338B

MD5
90e51814b9824c62b49397aad2bc3a2b

SHA1
860402f4638d1d34cfb12b14e4a30a3bb2516e2d

SHA256
0852d1988590820318bbcffffd3fb06e24d2220f8d5f11508fe51fadafe0ef8b

SHA512
fc1b4f5f4924c9756744bf4a105b47bda69dc0bd7c49fdb2e68ff8d0c10f95517587553ac647319d92f2f14f39b3a9d161e3d88163068a7c491e08477f81f921

Download Submit
\Users\Admin\AppData\Local\Temp\dofhir.exe

Filesize
621KB

MD5
52d886cb5d761c184b5a8becf538fa77

SHA1
8139b64499ba7b97f003958dd0f7d966be502f40

SHA256
3c653a9f0ae0b0814a140233f44c9a6595343df8aeb9bda787f41ea110d06942

SHA512
7b9b6f65d56fc45d533fabe7cb753645081f691ae8308dda02902ff45a506ca47634acd1b78923df6d0ac236212e64b6d699d3aa49571a4bb6618064cd67d345

Download Submit
\Users\Admin\AppData\Local\Temp\dofhir.exe

Filesize
621KB

MD5
52d886cb5d761c184b5a8becf538fa77

SHA1
8139b64499ba7b97f003958dd0f7d966be502f40

SHA256
3c653a9f0ae0b0814a140233f44c9a6595343df8aeb9bda787f41ea110d06942

SHA512
7b9b6f65d56fc45d533fabe7cb753645081f691ae8308dda02902ff45a506ca47634acd1b78923df6d0ac236212e64b6d699d3aa49571a4bb6618064cd67d345

Download Submit
memory/1032-55-0x0000000000220000-0x000000000045A000-memory.dmp

Filesize
2.2MB

Download
memory/1032-62-0x0000000000220000-0x000000000045A000-memory.dmp

Filesize
2.2MB

Download
memory/1032-54-0x0000000075501000-0x0000000075503000-memory.dmp

Filesize
8KB

Download
memory/1616-64-0x0000000001030000-0x000000000126A000-memory.dmp

Filesize
2.2MB

Download
memory/1616-66-0x0000000001030000-0x000000000126A000-memory.dmp

Filesize
2.2MB

Download
memory/1616-67-0x0000000001030000-0x000000000126A000-memory.dmp

Filesize
2.2MB

Download