2277d5b6eed5c433844d321332f952799e4dbff9a21d15ad6f86e7d3271e2e3c

Analysis

max time kernel
151s
max time network
77s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
20/10/2022, 07:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2277d5b6eed5c433844d321332f952799e4dbff9a21d15ad6f86e7d3271e2e3c.exe
Size

675KB
MD5

8014c7f4da24d190fe1b43cde245b800
SHA1

270d2c28ce05e1cdd55ab6af1ff6031f09254a09
SHA256

2277d5b6eed5c433844d321332f952799e4dbff9a21d15ad6f86e7d3271e2e3c
SHA512

96c8568f47887f5f9f154fd74c4371bbc01593a1e848c93b6f24e2513c1f9afbfece8d927e2853e1dfb4a1304d12fea48875a10702a2a15649e7645285e23da3
SSDEEP

12288:VHjcoe9PH96vB/fAuBcm9TyOE/xG3muGx44MG4Yx:VDgINfAuBcgcZG2uG24MG4Y

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1976	asbizuv.exe
1524	~DFA6B.tmp
1804	wiqovuv.exe

Deletes itself 1 IoCs

pid	Process
1336	cmd.exe

Loads dropped DLL 3 IoCs

pid	Process
1992	2277d5b6eed5c433844d321332f952799e4dbff9a21d15ad6f86e7d3271e2e3c.exe
1976	asbizuv.exe
1524	~DFA6B.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
1804	wiqovuv.exe
1804	wiqovuv.exe
1804	wiqovuv.exe
1804	wiqovuv.exe
1804	wiqovuv.exe
1804	wiqovuv.exe
1804	wiqovuv.exe
1804	wiqovuv.exe
1804	wiqovuv.exe
1804	wiqovuv.exe
1804	wiqovuv.exe
1804	wiqovuv.exe
1804	wiqovuv.exe
1804	wiqovuv.exe
1804	wiqovuv.exe
1804	wiqovuv.exe
1804	wiqovuv.exe
1804	wiqovuv.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1524	~DFA6B.tmp

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1992 wrote to memory of 1976	1992	2277d5b6eed5c433844d321332f952799e4dbff9a21d15ad6f86e7d3271e2e3c.exe	26
PID 1992 wrote to memory of 1976	1992	2277d5b6eed5c433844d321332f952799e4dbff9a21d15ad6f86e7d3271e2e3c.exe	26
PID 1992 wrote to memory of 1976	1992	2277d5b6eed5c433844d321332f952799e4dbff9a21d15ad6f86e7d3271e2e3c.exe	26
PID 1992 wrote to memory of 1976	1992	2277d5b6eed5c433844d321332f952799e4dbff9a21d15ad6f86e7d3271e2e3c.exe	26
PID 1976 wrote to memory of 1524	1976	asbizuv.exe	27
PID 1976 wrote to memory of 1524	1976	asbizuv.exe	27
PID 1976 wrote to memory of 1524	1976	asbizuv.exe	27
PID 1976 wrote to memory of 1524	1976	asbizuv.exe	27
PID 1992 wrote to memory of 1336	1992	2277d5b6eed5c433844d321332f952799e4dbff9a21d15ad6f86e7d3271e2e3c.exe	28
PID 1992 wrote to memory of 1336	1992	2277d5b6eed5c433844d321332f952799e4dbff9a21d15ad6f86e7d3271e2e3c.exe	28
PID 1992 wrote to memory of 1336	1992	2277d5b6eed5c433844d321332f952799e4dbff9a21d15ad6f86e7d3271e2e3c.exe	28
PID 1992 wrote to memory of 1336	1992	2277d5b6eed5c433844d321332f952799e4dbff9a21d15ad6f86e7d3271e2e3c.exe	28
PID 1524 wrote to memory of 1804	1524	~DFA6B.tmp	30
PID 1524 wrote to memory of 1804	1524	~DFA6B.tmp	30
PID 1524 wrote to memory of 1804	1524	~DFA6B.tmp	30
PID 1524 wrote to memory of 1804	1524	~DFA6B.tmp	30

C:\Users\Admin\AppData\Local\Temp\2277d5b6eed5c433844d321332f952799e4dbff9a21d15ad6f86e7d3271e2e3c.exe
"C:\Users\Admin\AppData\Local\Temp\2277d5b6eed5c433844d321332f952799e4dbff9a21d15ad6f86e7d3271e2e3c.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1992
- C:\Users\Admin\AppData\Local\Temp\asbizuv.exe
  C:\Users\Admin\AppData\Local\Temp\asbizuv.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1976
- - C:\Users\Admin\AppData\Local\Temp\~DFA6B.tmp
    C:\Users\Admin\AppData\Local\Temp\~DFA6B.tmp OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1524
  - - C:\Users\Admin\AppData\Local\Temp\wiqovuv.exe
      "C:\Users\Admin\AppData\Local\Temp\wiqovuv.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:1804
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
  2⤵
  - Deletes itself
  PID:1336

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uninsep.bat

Filesize
341B

MD5
a10cca7a0d216ea139273da9e3a9d226

SHA1
3d90f81ba09fba6e2f72f4862519d93e043c4677

SHA256
8139323409b73f9dd0287cdb367e030fed6b2ee0c44ac0d22653a83d798ac227

SHA512
506f03074b857bed4d9f58d41e396e8aa943282dc654c0733b6c0916415e2cb997140dd1fb2144c0283a8179d0aef9ef51d4dbe8397596589d7f71effe002d73

Download Submit
C:\Users\Admin\AppData\Local\Temp\asbizuv.exe

Filesize
681KB

MD5
b48921b6bcbb425b35e918a2c2341145

SHA1
cc6f37b92ac541e8c46ee555443b7ea29aa658e7

SHA256
a75e51ecb09b9717b8dcf5d6ca2c489ff51952c45564a5877111a484eddbde62

SHA512
7fe96f7b197440ccad4d47fb29171efce269f5809d491ef0b8305592ad089d9bf9f958a8d02ad53c8abd7d1f330e7c32b161200993e787ce42b5def0be654135

Download Submit
C:\Users\Admin\AppData\Local\Temp\asbizuv.exe

Filesize
681KB

MD5
b48921b6bcbb425b35e918a2c2341145

SHA1
cc6f37b92ac541e8c46ee555443b7ea29aa658e7

SHA256
a75e51ecb09b9717b8dcf5d6ca2c489ff51952c45564a5877111a484eddbde62

SHA512
7fe96f7b197440ccad4d47fb29171efce269f5809d491ef0b8305592ad089d9bf9f958a8d02ad53c8abd7d1f330e7c32b161200993e787ce42b5def0be654135

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
86bb2dbeaef655893262f3c041f6afe2

SHA1
1b26ff1241c1353bd506c18bd0c11878076ba65d

SHA256
4a57643d2c59d1235bc0926f845583f39345839e3e9428ad619eb4b6baf96ad2

SHA512
58294cfaa5882a4c5625c03fe6f9e4882912b31f7169241f95626745d66c0a746083a9044365943d66ae7a420113d28c0ddd642c4ed697c683deb63796a13d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
480B

MD5
f88f72fe5ddf2b467c239814d715a260

SHA1
b5599e7d239d29988ca02d3380cf99b9a49d7cf9

SHA256
3f0d4b42a91843676dbe6cae8780f40ed7744ea6cefebeb4f9cf5fd13fa817e9

SHA512
46638ad784175ebce63d802fa5e9ff937133e781fdb57c9eb19f9d7182835ba2174de23be49b3807f6dd7d725502d01470cebf7f151496f08d6fbd8430dbdd6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\wiqovuv.exe

Filesize
419KB

MD5
2f7c0ccab6a62f4968080097a0f73cda

SHA1
9ed1dfa781f4c2edd89d72ec00884c44617387a6

SHA256
0d0e95716d148c1a377be2b0b0c1d8dd465c672196ac84b1a8813bced018274a

SHA512
2d14f6a7d3a71a6c61b6e9ce0181230f2307afada24a2a6b8a9b1928560cad5febc79e70eb75f47ea3df64b4785cc553fc86b09f7be567635239f54ba9a8369d

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA6B.tmp

Filesize
688KB

MD5
dbe905c060559344a5f81f36a6d6c098

SHA1
a925be6f94a7e84009d60c8becd7351e312abb57

SHA256
239595f2f04c9cb1d3e87cb31e2df9ee1c5c5d425413b2bbbfb348f111a0d64c

SHA512
e7875246466ceeadfabd362e93cda29d33c43df499602967f86476d4444074d5e8132fe135b39f9b7f0437ec3c3634e0c8aaeafcad51e7b84f4e14da255b3638

Download Submit
\Users\Admin\AppData\Local\Temp\asbizuv.exe

Filesize
681KB

MD5
b48921b6bcbb425b35e918a2c2341145

SHA1
cc6f37b92ac541e8c46ee555443b7ea29aa658e7

SHA256
a75e51ecb09b9717b8dcf5d6ca2c489ff51952c45564a5877111a484eddbde62

SHA512
7fe96f7b197440ccad4d47fb29171efce269f5809d491ef0b8305592ad089d9bf9f958a8d02ad53c8abd7d1f330e7c32b161200993e787ce42b5def0be654135

Download Submit
\Users\Admin\AppData\Local\Temp\wiqovuv.exe

Filesize
419KB

MD5
2f7c0ccab6a62f4968080097a0f73cda

SHA1
9ed1dfa781f4c2edd89d72ec00884c44617387a6

SHA256
0d0e95716d148c1a377be2b0b0c1d8dd465c672196ac84b1a8813bced018274a

SHA512
2d14f6a7d3a71a6c61b6e9ce0181230f2307afada24a2a6b8a9b1928560cad5febc79e70eb75f47ea3df64b4785cc553fc86b09f7be567635239f54ba9a8369d

Download Submit
\Users\Admin\AppData\Local\Temp\~DFA6B.tmp

Filesize
688KB

MD5
dbe905c060559344a5f81f36a6d6c098

SHA1
a925be6f94a7e84009d60c8becd7351e312abb57

SHA256
239595f2f04c9cb1d3e87cb31e2df9ee1c5c5d425413b2bbbfb348f111a0d64c

SHA512
e7875246466ceeadfabd362e93cda29d33c43df499602967f86476d4444074d5e8132fe135b39f9b7f0437ec3c3634e0c8aaeafcad51e7b84f4e14da255b3638

Download Submit
memory/1524-79-0x00000000036E0000-0x000000000381E000-memory.dmp

Filesize
1.2MB

Download
memory/1524-69-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1524-74-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1804-80-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/1976-68-0x0000000002B80000-0x0000000002C5E000-memory.dmp

Filesize
888KB

Download
memory/1976-70-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1976-62-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1992-72-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1992-54-0x0000000076141000-0x0000000076143000-memory.dmp

Filesize
8KB

Download
memory/1992-61-0x0000000001DC0000-0x0000000001E9E000-memory.dmp

Filesize
888KB

Download
memory/1992-55-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download