d1620bfa1caa57bf96c9cef0fd55ebdd70d4fa7bec56a4a820bc8641add0d53c

Analysis

max time kernel
153s
max time network
145s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
20/10/2022, 07:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d1620bfa1caa57bf96c9cef0fd55ebdd70d4fa7bec56a4a820bc8641add0d53c.exe
Size

665KB
MD5

42ec96a232c22ef8fcc2731b1365b010
SHA1

bc397a453e5a14e21be42dedbcb3406ceecae8a3
SHA256

d1620bfa1caa57bf96c9cef0fd55ebdd70d4fa7bec56a4a820bc8641add0d53c
SHA512

f5fdf53bcc0ee368e81f1683eb63ad80487150e8d1f3670c8178ab9926a091dd23a3e8551bfd055b52ee6c2a99f9b92e93456c663126b6d910f7490dcc503b43
SSDEEP

12288:OHjcoe9PH96vB/fAuBcm9TyOE/xG3muGx44MG4Yx:ODgINfAuBcgcZG2uG24MG4Y

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1736	leipfoi.exe
1416	~DFA92.tmp
564	cixenyi.exe

Deletes itself 1 IoCs

pid	Process
1012	cmd.exe

Loads dropped DLL 3 IoCs

pid	Process
1120	d1620bfa1caa57bf96c9cef0fd55ebdd70d4fa7bec56a4a820bc8641add0d53c.exe
1736	leipfoi.exe
1416	~DFA92.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
564	cixenyi.exe
564	cixenyi.exe
564	cixenyi.exe
564	cixenyi.exe
564	cixenyi.exe
564	cixenyi.exe
564	cixenyi.exe
564	cixenyi.exe
564	cixenyi.exe
564	cixenyi.exe
564	cixenyi.exe
564	cixenyi.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1416	~DFA92.tmp

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1120 wrote to memory of 1736	1120	d1620bfa1caa57bf96c9cef0fd55ebdd70d4fa7bec56a4a820bc8641add0d53c.exe	27
PID 1120 wrote to memory of 1736	1120	d1620bfa1caa57bf96c9cef0fd55ebdd70d4fa7bec56a4a820bc8641add0d53c.exe	27
PID 1120 wrote to memory of 1736	1120	d1620bfa1caa57bf96c9cef0fd55ebdd70d4fa7bec56a4a820bc8641add0d53c.exe	27
PID 1120 wrote to memory of 1736	1120	d1620bfa1caa57bf96c9cef0fd55ebdd70d4fa7bec56a4a820bc8641add0d53c.exe	27
PID 1736 wrote to memory of 1416	1736	leipfoi.exe	28
PID 1736 wrote to memory of 1416	1736	leipfoi.exe	28
PID 1736 wrote to memory of 1416	1736	leipfoi.exe	28
PID 1736 wrote to memory of 1416	1736	leipfoi.exe	28
PID 1120 wrote to memory of 1012	1120	d1620bfa1caa57bf96c9cef0fd55ebdd70d4fa7bec56a4a820bc8641add0d53c.exe	29
PID 1120 wrote to memory of 1012	1120	d1620bfa1caa57bf96c9cef0fd55ebdd70d4fa7bec56a4a820bc8641add0d53c.exe	29
PID 1120 wrote to memory of 1012	1120	d1620bfa1caa57bf96c9cef0fd55ebdd70d4fa7bec56a4a820bc8641add0d53c.exe	29
PID 1120 wrote to memory of 1012	1120	d1620bfa1caa57bf96c9cef0fd55ebdd70d4fa7bec56a4a820bc8641add0d53c.exe	29
PID 1416 wrote to memory of 564	1416	~DFA92.tmp	31
PID 1416 wrote to memory of 564	1416	~DFA92.tmp	31
PID 1416 wrote to memory of 564	1416	~DFA92.tmp	31
PID 1416 wrote to memory of 564	1416	~DFA92.tmp	31

C:\Users\Admin\AppData\Local\Temp\d1620bfa1caa57bf96c9cef0fd55ebdd70d4fa7bec56a4a820bc8641add0d53c.exe
"C:\Users\Admin\AppData\Local\Temp\d1620bfa1caa57bf96c9cef0fd55ebdd70d4fa7bec56a4a820bc8641add0d53c.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1120
- C:\Users\Admin\AppData\Local\Temp\leipfoi.exe
  C:\Users\Admin\AppData\Local\Temp\leipfoi.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1736
- - C:\Users\Admin\AppData\Local\Temp\~DFA92.tmp
    C:\Users\Admin\AppData\Local\Temp\~DFA92.tmp OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1416
  - - C:\Users\Admin\AppData\Local\Temp\cixenyi.exe
      "C:\Users\Admin\AppData\Local\Temp\cixenyi.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:564
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
  2⤵
  - Deletes itself
  PID:1012

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uninsep.bat

Filesize
341B

MD5
324e8ab93b86acf67986e3d49854803c

SHA1
d64ddbcd19e3118f27565902dfb189312d46636f

SHA256
5593309c80e6d8ef8bd1a4e91a992e9e8636af751a54d757a4370cfbae1bb2f9

SHA512
0dee01574bc432a370a8e9c2b33f6142cb3d99708abe6d6f267e0ff7c5739df92c5700506ea38c828e6913416edd2565f51ab1403af7dd7003b41734797b1307

Download Submit
C:\Users\Admin\AppData\Local\Temp\cixenyi.exe

Filesize
412KB

MD5
bbd9a14b835282a7b95041c2d9fb7a71

SHA1
b712d03235986a4aa6203b05d9c6aa0ffc409ad8

SHA256
ed36ab2afc87721a1ad58453ef26ede02fb06d5e805882bd9edfbcfd000e3722

SHA512
a2102229c124b720ac8efe053e1db09909eb98fadc7fd459dec3eaac1908591dab0bc7a9d7d029923b9249c188bb24b61c086f813678159629d264a9b98660fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
86bb2dbeaef655893262f3c041f6afe2

SHA1
1b26ff1241c1353bd506c18bd0c11878076ba65d

SHA256
4a57643d2c59d1235bc0926f845583f39345839e3e9428ad619eb4b6baf96ad2

SHA512
58294cfaa5882a4c5625c03fe6f9e4882912b31f7169241f95626745d66c0a746083a9044365943d66ae7a420113d28c0ddd642c4ed697c683deb63796a13d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
480B

MD5
e6ec01058d5f5397706d0ff186e98fed

SHA1
3eedb803db26368e63577a9de37c223354101496

SHA256
9a72ffb4404b19507ab759d66900ed71ad88980a5c18e179e880dcc2f5d4dfd2

SHA512
536ab50a7cdaafd11125b2161aa5c08473ca787e3ebde5383b428da5082d7991830e77d3daf2209fe82ebdb9381e6e664691630b0c98cf64cc8ad3e97c7f94ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\leipfoi.exe

Filesize
665KB

MD5
f0a944d9ee3dedd366ce3ace06a132b2

SHA1
828fa82f1ce24b72dd5a6ac637b7cc2e70b2d3e5

SHA256
88d9927a64b87d0b0096d39091ab3078ac11488fa7be6e62ff84e84c401ee522

SHA512
a54eff3b4f28ed37786c3899e31ec52394a775f57f08d4c1d7484c51791b50c818ce0818b8262128f8ff7b74c7ccbfed227db0efc3b47ea0c6642afe196cbf33

Download Submit
C:\Users\Admin\AppData\Local\Temp\leipfoi.exe

Filesize
665KB

MD5
f0a944d9ee3dedd366ce3ace06a132b2

SHA1
828fa82f1ce24b72dd5a6ac637b7cc2e70b2d3e5

SHA256
88d9927a64b87d0b0096d39091ab3078ac11488fa7be6e62ff84e84c401ee522

SHA512
a54eff3b4f28ed37786c3899e31ec52394a775f57f08d4c1d7484c51791b50c818ce0818b8262128f8ff7b74c7ccbfed227db0efc3b47ea0c6642afe196cbf33

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA92.tmp

Filesize
672KB

MD5
95373fc293e49245e4229b1f4b0a8b36

SHA1
0f325de52117f65589b53a579c582415c2405dad

SHA256
8e58decb153f95ede74753d5ee4c8e25138c91cf8844d89b4a9be5d000c778bf

SHA512
d1de69b988b07ae0fa34be414f29ba5f5b69b8743f0b3b6b5e10b151cd59a1acfa3eef8ca13220fe1797a4f9bc9fb283107199f8082c01a52deb78cf565c1bee

Download Submit
\Users\Admin\AppData\Local\Temp\cixenyi.exe

Filesize
412KB

MD5
bbd9a14b835282a7b95041c2d9fb7a71

SHA1
b712d03235986a4aa6203b05d9c6aa0ffc409ad8

SHA256
ed36ab2afc87721a1ad58453ef26ede02fb06d5e805882bd9edfbcfd000e3722

SHA512
a2102229c124b720ac8efe053e1db09909eb98fadc7fd459dec3eaac1908591dab0bc7a9d7d029923b9249c188bb24b61c086f813678159629d264a9b98660fa

Download Submit
\Users\Admin\AppData\Local\Temp\leipfoi.exe

Filesize
665KB

MD5
f0a944d9ee3dedd366ce3ace06a132b2

SHA1
828fa82f1ce24b72dd5a6ac637b7cc2e70b2d3e5

SHA256
88d9927a64b87d0b0096d39091ab3078ac11488fa7be6e62ff84e84c401ee522

SHA512
a54eff3b4f28ed37786c3899e31ec52394a775f57f08d4c1d7484c51791b50c818ce0818b8262128f8ff7b74c7ccbfed227db0efc3b47ea0c6642afe196cbf33

Download Submit
\Users\Admin\AppData\Local\Temp\~DFA92.tmp

Filesize
672KB

MD5
95373fc293e49245e4229b1f4b0a8b36

SHA1
0f325de52117f65589b53a579c582415c2405dad

SHA256
8e58decb153f95ede74753d5ee4c8e25138c91cf8844d89b4a9be5d000c778bf

SHA512
d1de69b988b07ae0fa34be414f29ba5f5b69b8743f0b3b6b5e10b151cd59a1acfa3eef8ca13220fe1797a4f9bc9fb283107199f8082c01a52deb78cf565c1bee

Download Submit
memory/564-81-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/1120-74-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1120-58-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1120-55-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1120-72-0x0000000001F20000-0x0000000001FFE000-memory.dmp

Filesize
888KB

Download
memory/1120-57-0x0000000001F20000-0x0000000001FFE000-memory.dmp

Filesize
888KB

Download
memory/1120-54-0x0000000075DF1000-0x0000000075DF3000-memory.dmp

Filesize
8KB

Download
memory/1416-76-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1416-70-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1416-80-0x0000000003640000-0x000000000377E000-memory.dmp

Filesize
1.2MB

Download
memory/1736-68-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1736-69-0x0000000002B20000-0x0000000002BFE000-memory.dmp

Filesize
888KB

Download
memory/1736-71-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download