97e7b47b43c8b7f56254ec2f90025cd59b41280b464e613464ebe14511d36604

Analysis

max time kernel
150s
max time network
71s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
20/10/2022, 07:13

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

97e7b47b43c8b7f56254ec2f90025cd59b41280b464e613464ebe14511d36604.exe
Size

643KB
MD5

7740641a27d787b3930ba942b9b88680
SHA1

b34365de71add287e5c4d2d598aa45c5f2bd9110
SHA256

97e7b47b43c8b7f56254ec2f90025cd59b41280b464e613464ebe14511d36604
SHA512

ac07915dd62968c50cd2ebbb516c6a89616c9b00bbe5af99b6800cb785e61ae36d361ffdbb8ec976a920eca014a8d5173447c2475032f3d81554e554314874e7
SSDEEP

12288:OHjcoe9PH96vB/fAuBcm9TyOE/xG3muGx44MG4Yx:ODgINfAuBcgcZG2uG24MG4Y

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1288	jyhuzan.exe
1732	~DFA57.tmp
788	nokyden.exe

Deletes itself 1 IoCs

pid	Process
1152	cmd.exe

Loads dropped DLL 3 IoCs

pid	Process
1284	97e7b47b43c8b7f56254ec2f90025cd59b41280b464e613464ebe14511d36604.exe
1288	jyhuzan.exe
1732	~DFA57.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
788	nokyden.exe
788	nokyden.exe
788	nokyden.exe
788	nokyden.exe
788	nokyden.exe
788	nokyden.exe
788	nokyden.exe
788	nokyden.exe
788	nokyden.exe
788	nokyden.exe
788	nokyden.exe
788	nokyden.exe
788	nokyden.exe
788	nokyden.exe
788	nokyden.exe
788	nokyden.exe
788	nokyden.exe
788	nokyden.exe
788	nokyden.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1732	~DFA57.tmp

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1284 wrote to memory of 1288	1284	97e7b47b43c8b7f56254ec2f90025cd59b41280b464e613464ebe14511d36604.exe	27
PID 1284 wrote to memory of 1288	1284	97e7b47b43c8b7f56254ec2f90025cd59b41280b464e613464ebe14511d36604.exe	27
PID 1284 wrote to memory of 1288	1284	97e7b47b43c8b7f56254ec2f90025cd59b41280b464e613464ebe14511d36604.exe	27
PID 1284 wrote to memory of 1288	1284	97e7b47b43c8b7f56254ec2f90025cd59b41280b464e613464ebe14511d36604.exe	27
PID 1284 wrote to memory of 1152	1284	97e7b47b43c8b7f56254ec2f90025cd59b41280b464e613464ebe14511d36604.exe	28
PID 1284 wrote to memory of 1152	1284	97e7b47b43c8b7f56254ec2f90025cd59b41280b464e613464ebe14511d36604.exe	28
PID 1284 wrote to memory of 1152	1284	97e7b47b43c8b7f56254ec2f90025cd59b41280b464e613464ebe14511d36604.exe	28
PID 1284 wrote to memory of 1152	1284	97e7b47b43c8b7f56254ec2f90025cd59b41280b464e613464ebe14511d36604.exe	28
PID 1288 wrote to memory of 1732	1288	jyhuzan.exe	30
PID 1288 wrote to memory of 1732	1288	jyhuzan.exe	30
PID 1288 wrote to memory of 1732	1288	jyhuzan.exe	30
PID 1288 wrote to memory of 1732	1288	jyhuzan.exe	30
PID 1732 wrote to memory of 788	1732	~DFA57.tmp	31
PID 1732 wrote to memory of 788	1732	~DFA57.tmp	31
PID 1732 wrote to memory of 788	1732	~DFA57.tmp	31
PID 1732 wrote to memory of 788	1732	~DFA57.tmp	31

C:\Users\Admin\AppData\Local\Temp\97e7b47b43c8b7f56254ec2f90025cd59b41280b464e613464ebe14511d36604.exe
"C:\Users\Admin\AppData\Local\Temp\97e7b47b43c8b7f56254ec2f90025cd59b41280b464e613464ebe14511d36604.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1284
- C:\Users\Admin\AppData\Local\Temp\jyhuzan.exe
  C:\Users\Admin\AppData\Local\Temp\jyhuzan.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1288
- - C:\Users\Admin\AppData\Local\Temp\~DFA57.tmp
    C:\Users\Admin\AppData\Local\Temp\~DFA57.tmp OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1732
  - - C:\Users\Admin\AppData\Local\Temp\nokyden.exe
      "C:\Users\Admin\AppData\Local\Temp\nokyden.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:788
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
  2⤵
  - Deletes itself
  PID:1152

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uninsep.bat

Filesize
341B

MD5
2e03b3b3cade82a5bf82038228c5ff88

SHA1
df7c1e4441d7632f47eafec74a0e8bb4bd6c021f

SHA256
a4ff0909efc46f2e9475b3a26d493b0321bccf4292bd56e110b6d27f70b09354

SHA512
36dd3e2abcd7f2b3a3a7f2f95a10cd53453d064e9c6b4861a139b45c1f1cc8b837be20ab0bf66b9600a1929f9918307e1a030c8ba2535575685ce8fa1a0fcdf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
86bb2dbeaef655893262f3c041f6afe2

SHA1
1b26ff1241c1353bd506c18bd0c11878076ba65d

SHA256
4a57643d2c59d1235bc0926f845583f39345839e3e9428ad619eb4b6baf96ad2

SHA512
58294cfaa5882a4c5625c03fe6f9e4882912b31f7169241f95626745d66c0a746083a9044365943d66ae7a420113d28c0ddd642c4ed697c683deb63796a13d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
480B

MD5
a09ac78ff2c03f004c2e1edf8ff1ee50

SHA1
ae1854059244d3cca0411057c9c94280bc2b09a8

SHA256
4faf510595ef086307ac6198990a79f2ffe85eb39893268f6daf90abe4862dcc

SHA512
1dea574c952f7decf143d24bb51f057975b977c150b478831538941e86749df517a0606d1fc02cb1f33d27d1adf6f31473ebc22da7f582fada65e1f03f51f59e

Download Submit
C:\Users\Admin\AppData\Local\Temp\jyhuzan.exe

Filesize
650KB

MD5
b1ed7a1127a6513c276b6cc54c8cae2a

SHA1
402cbda201aa442bfb1e38f0d8220547c6e96411

SHA256
fa78aaf7d2c168068f38ce8111fa950ba60a1d0cf5143fd81aad4ffe98f8764c

SHA512
88ee8edcd777ebc5770c1dc1b1121ba2d7993fd7384b38338684d7943ab3bd19dc7e0a7ff92ae32b14275eaaa29d8adf9b7cf8326d4a899e152f99cddc3f116d

Download Submit
C:\Users\Admin\AppData\Local\Temp\jyhuzan.exe

Filesize
650KB

MD5
b1ed7a1127a6513c276b6cc54c8cae2a

SHA1
402cbda201aa442bfb1e38f0d8220547c6e96411

SHA256
fa78aaf7d2c168068f38ce8111fa950ba60a1d0cf5143fd81aad4ffe98f8764c

SHA512
88ee8edcd777ebc5770c1dc1b1121ba2d7993fd7384b38338684d7943ab3bd19dc7e0a7ff92ae32b14275eaaa29d8adf9b7cf8326d4a899e152f99cddc3f116d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nokyden.exe

Filesize
381KB

MD5
34e55db3e823bb9e0468de8d89ed629f

SHA1
08dfe4b56ea0f6b67b24ec6e904bc75282e1cf5e

SHA256
b75c78fcac6f96df40ea63a35a2e812435dcd434b21e5810eb13e3d2cace4cfa

SHA512
a96673365c981abf12ea6ba775946d2f61849e5d83a1b023fd50884964d8f224851e17e81369c8a9a022586f71499b6578122845576cba421de01b5c4754de49

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA57.tmp

Filesize
657KB

MD5
8b4b173c0f099544e71c92c122634e44

SHA1
1adfc6f4b2a57f3d496b83774aeb3455551c2ece

SHA256
26c0581b2f30af605f35bd7da9bbd8b7523399a4f7258e0dc108ffcff4a76881

SHA512
49545ca6a835ed327939a0ba82277b18b9d56bfe15d66b551774d5b6f90e0f5ef66e76c5235fe2331b70d1f8fecf3d0fad0b7a83398f44e5eb0ecc076a5be50b

Download Submit
\Users\Admin\AppData\Local\Temp\jyhuzan.exe

Filesize
650KB

MD5
b1ed7a1127a6513c276b6cc54c8cae2a

SHA1
402cbda201aa442bfb1e38f0d8220547c6e96411

SHA256
fa78aaf7d2c168068f38ce8111fa950ba60a1d0cf5143fd81aad4ffe98f8764c

SHA512
88ee8edcd777ebc5770c1dc1b1121ba2d7993fd7384b38338684d7943ab3bd19dc7e0a7ff92ae32b14275eaaa29d8adf9b7cf8326d4a899e152f99cddc3f116d

Download Submit
\Users\Admin\AppData\Local\Temp\nokyden.exe

Filesize
381KB

MD5
34e55db3e823bb9e0468de8d89ed629f

SHA1
08dfe4b56ea0f6b67b24ec6e904bc75282e1cf5e

SHA256
b75c78fcac6f96df40ea63a35a2e812435dcd434b21e5810eb13e3d2cace4cfa

SHA512
a96673365c981abf12ea6ba775946d2f61849e5d83a1b023fd50884964d8f224851e17e81369c8a9a022586f71499b6578122845576cba421de01b5c4754de49

Download Submit
\Users\Admin\AppData\Local\Temp\~DFA57.tmp

Filesize
657KB

MD5
8b4b173c0f099544e71c92c122634e44

SHA1
1adfc6f4b2a57f3d496b83774aeb3455551c2ece

SHA256
26c0581b2f30af605f35bd7da9bbd8b7523399a4f7258e0dc108ffcff4a76881

SHA512
49545ca6a835ed327939a0ba82277b18b9d56bfe15d66b551774d5b6f90e0f5ef66e76c5235fe2331b70d1f8fecf3d0fad0b7a83398f44e5eb0ecc076a5be50b

Download Submit
memory/788-79-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/1284-69-0x0000000001E20000-0x0000000001EFE000-memory.dmp

Filesize
888KB

Download
memory/1284-63-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1284-54-0x00000000762E1000-0x00000000762E3000-memory.dmp

Filesize
8KB

Download
memory/1284-55-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1288-70-0x0000000002B80000-0x0000000002C5E000-memory.dmp

Filesize
888KB

Download
memory/1288-72-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1288-73-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1732-71-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1732-74-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1732-78-0x0000000003640000-0x000000000377E000-memory.dmp

Filesize
1.2MB

Download