effea44345ec783588f9c76873b7479e44a56a97eabfae6cd227fade90185658

Analysis

max time kernel
151s
max time network
91s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
20/10/2022, 17:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

effea44345ec783588f9c76873b7479e44a56a97eabfae6cd227fade90185658.exe
Size

648KB
MD5

a069d7bf37f77e2f29243cad9a481db0
SHA1

c67c18b9e200146572a0f923b3cc1fe0c1a8d53f
SHA256

effea44345ec783588f9c76873b7479e44a56a97eabfae6cd227fade90185658
SHA512

6beb78f47e8ee6b4d07fc9a3e92078dce6cd78a4dfd92c46d96d56906cbdedf1dddd24d5f8dc8ebdfc0dd84bfdf578ddb81955468395e1b570b6f96073da2d64
SSDEEP

12288:OHjcoe9PH96vB/fAuBcm9TyOE/xG3muGx44MG4Yx:ODgINfAuBcgcZG2uG24MG4Y

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
960	ymzymiw.exe
1296	~DFA5F.tmp
916	wiqywow.exe

Deletes itself 1 IoCs

pid	Process
1768	cmd.exe

Loads dropped DLL 3 IoCs

pid	Process
1988	effea44345ec783588f9c76873b7479e44a56a97eabfae6cd227fade90185658.exe
960	ymzymiw.exe
1296	~DFA5F.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
916	wiqywow.exe
916	wiqywow.exe
916	wiqywow.exe
916	wiqywow.exe
916	wiqywow.exe
916	wiqywow.exe
916	wiqywow.exe
916	wiqywow.exe
916	wiqywow.exe
916	wiqywow.exe
916	wiqywow.exe
916	wiqywow.exe
916	wiqywow.exe
916	wiqywow.exe
916	wiqywow.exe
916	wiqywow.exe
916	wiqywow.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1296	~DFA5F.tmp

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1988 wrote to memory of 960	1988	effea44345ec783588f9c76873b7479e44a56a97eabfae6cd227fade90185658.exe	27
PID 1988 wrote to memory of 960	1988	effea44345ec783588f9c76873b7479e44a56a97eabfae6cd227fade90185658.exe	27
PID 1988 wrote to memory of 960	1988	effea44345ec783588f9c76873b7479e44a56a97eabfae6cd227fade90185658.exe	27
PID 1988 wrote to memory of 960	1988	effea44345ec783588f9c76873b7479e44a56a97eabfae6cd227fade90185658.exe	27
PID 960 wrote to memory of 1296	960	ymzymiw.exe	28
PID 960 wrote to memory of 1296	960	ymzymiw.exe	28
PID 960 wrote to memory of 1296	960	ymzymiw.exe	28
PID 960 wrote to memory of 1296	960	ymzymiw.exe	28
PID 1988 wrote to memory of 1768	1988	effea44345ec783588f9c76873b7479e44a56a97eabfae6cd227fade90185658.exe	29
PID 1988 wrote to memory of 1768	1988	effea44345ec783588f9c76873b7479e44a56a97eabfae6cd227fade90185658.exe	29
PID 1988 wrote to memory of 1768	1988	effea44345ec783588f9c76873b7479e44a56a97eabfae6cd227fade90185658.exe	29
PID 1988 wrote to memory of 1768	1988	effea44345ec783588f9c76873b7479e44a56a97eabfae6cd227fade90185658.exe	29
PID 1296 wrote to memory of 916	1296	~DFA5F.tmp	31
PID 1296 wrote to memory of 916	1296	~DFA5F.tmp	31
PID 1296 wrote to memory of 916	1296	~DFA5F.tmp	31
PID 1296 wrote to memory of 916	1296	~DFA5F.tmp	31

C:\Users\Admin\AppData\Local\Temp\effea44345ec783588f9c76873b7479e44a56a97eabfae6cd227fade90185658.exe
"C:\Users\Admin\AppData\Local\Temp\effea44345ec783588f9c76873b7479e44a56a97eabfae6cd227fade90185658.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1988
- C:\Users\Admin\AppData\Local\Temp\ymzymiw.exe
  C:\Users\Admin\AppData\Local\Temp\ymzymiw.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:960
- - C:\Users\Admin\AppData\Local\Temp\~DFA5F.tmp
    C:\Users\Admin\AppData\Local\Temp\~DFA5F.tmp OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1296
  - - C:\Users\Admin\AppData\Local\Temp\wiqywow.exe
      "C:\Users\Admin\AppData\Local\Temp\wiqywow.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:916
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
  2⤵
  - Deletes itself
  PID:1768

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uninsep.bat

Filesize
341B

MD5
a603eae6eda0725cd90dc7b16ad56742

SHA1
e2c427ac4d2c4e9077c2fe135971ae4ef22ffb22

SHA256
1b4037e601043eca8b7a16f2dbeb494d80bf08257708c3ab3277e1a126e5ab72

SHA512
3cc35903fa993469beafb0e6e8dc2cd073710d323cba6298f7cc2f0d078de52d54a6e9504966c3c1f8daa32a90fb03a5649f1f7f956bd46c84f2b21d81536259

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
86bb2dbeaef655893262f3c041f6afe2

SHA1
1b26ff1241c1353bd506c18bd0c11878076ba65d

SHA256
4a57643d2c59d1235bc0926f845583f39345839e3e9428ad619eb4b6baf96ad2

SHA512
58294cfaa5882a4c5625c03fe6f9e4882912b31f7169241f95626745d66c0a746083a9044365943d66ae7a420113d28c0ddd642c4ed697c683deb63796a13d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
480B

MD5
a5a0c086a31131d84d25691675e10393

SHA1
07fe8bb13225d22be641ddcb00e45326d91af80a

SHA256
1276ebf92e21025367e3fc5155bc455046fd77d65551225160976d61377f140e

SHA512
df2a340bfc863e592cd8445d91eda30822071878a7df375bb7d08c86e9b9e6b9f2e8f94cac3a18c7d57b1f8a4348a9e4299d54a124d5edca42f7a85f8a75960a

Download Submit
C:\Users\Admin\AppData\Local\Temp\wiqywow.exe

Filesize
377KB

MD5
61e5b6023f62386d5265606f8c0b69fc

SHA1
b6977800f31e930b8261750d156f8a98ae5c0a37

SHA256
5f01219cf3eb2bc052c48d550da3d5921c6e1a4ff4f114a614475ec407efdb82

SHA512
58df03dbd1b3bf7674c28fd384dc0e17caf734443cd5640feef11ee8db68a895deb53ddde2489fe3b249e8d021c5881df5f5318d8b75af615550f2d19cb6c33a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ymzymiw.exe

Filesize
654KB

MD5
0919cd05278998086ab003e1324a12ab

SHA1
e2384c3417a8afec02882ff7831865d7be467702

SHA256
ba1fa017038ab9719919cd81e8593d94523f17fc9b4eb68f69c51ab94a5e3449

SHA512
e9828ef821f9473bffb95d1cc94a8d936e97304a3cd9373c7cda2e9477f17c6e17fa71ad47d13889c1cf11574ac50657d8109d1dc34a87be8730aba5bf6eee86

Download Submit
C:\Users\Admin\AppData\Local\Temp\ymzymiw.exe

Filesize
654KB

MD5
0919cd05278998086ab003e1324a12ab

SHA1
e2384c3417a8afec02882ff7831865d7be467702

SHA256
ba1fa017038ab9719919cd81e8593d94523f17fc9b4eb68f69c51ab94a5e3449

SHA512
e9828ef821f9473bffb95d1cc94a8d936e97304a3cd9373c7cda2e9477f17c6e17fa71ad47d13889c1cf11574ac50657d8109d1dc34a87be8730aba5bf6eee86

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA5F.tmp

Filesize
660KB

MD5
6f38987741f3a1120be53165efac2f0a

SHA1
fabf4b9357ad87f4f7c97d610db94ec54f6f8fa8

SHA256
1e2d448edb577a57d1ed2265c51336be35c61ed6d4de5bfac5ed0b38efc97558

SHA512
e10b1cc54418086a60b25f35010eb55fb5085e7f329c312b4a1c005bff835ccb6a7dede91068f76495936621b4474e2501fdba1270551ca624846471e62292c5

Download Submit
\Users\Admin\AppData\Local\Temp\wiqywow.exe

Filesize
377KB

MD5
61e5b6023f62386d5265606f8c0b69fc

SHA1
b6977800f31e930b8261750d156f8a98ae5c0a37

SHA256
5f01219cf3eb2bc052c48d550da3d5921c6e1a4ff4f114a614475ec407efdb82

SHA512
58df03dbd1b3bf7674c28fd384dc0e17caf734443cd5640feef11ee8db68a895deb53ddde2489fe3b249e8d021c5881df5f5318d8b75af615550f2d19cb6c33a

Download Submit
\Users\Admin\AppData\Local\Temp\ymzymiw.exe

Filesize
654KB

MD5
0919cd05278998086ab003e1324a12ab

SHA1
e2384c3417a8afec02882ff7831865d7be467702

SHA256
ba1fa017038ab9719919cd81e8593d94523f17fc9b4eb68f69c51ab94a5e3449

SHA512
e9828ef821f9473bffb95d1cc94a8d936e97304a3cd9373c7cda2e9477f17c6e17fa71ad47d13889c1cf11574ac50657d8109d1dc34a87be8730aba5bf6eee86

Download Submit
\Users\Admin\AppData\Local\Temp\~DFA5F.tmp

Filesize
660KB

MD5
6f38987741f3a1120be53165efac2f0a

SHA1
fabf4b9357ad87f4f7c97d610db94ec54f6f8fa8

SHA256
1e2d448edb577a57d1ed2265c51336be35c61ed6d4de5bfac5ed0b38efc97558

SHA512
e10b1cc54418086a60b25f35010eb55fb5085e7f329c312b4a1c005bff835ccb6a7dede91068f76495936621b4474e2501fdba1270551ca624846471e62292c5

Download Submit
memory/916-79-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/960-71-0x0000000002AD0000-0x0000000002BAE000-memory.dmp

Filesize
888KB

Download
memory/960-70-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/960-73-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1296-74-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1296-72-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1296-78-0x00000000037A0000-0x00000000038DE000-memory.dmp

Filesize
1.2MB

Download
memory/1988-54-0x0000000076171000-0x0000000076173000-memory.dmp

Filesize
8KB

Download
memory/1988-68-0x0000000001ED0000-0x0000000001FAE000-memory.dmp

Filesize
888KB

Download
memory/1988-67-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1988-55-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download