7341556e07c6bb87682419df0b59be874698eb906993b55c6c8112975bb3ed4d

Analysis

max time kernel
153s
max time network
140s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
20/10/2022, 17:24

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

7341556e07c6bb87682419df0b59be874698eb906993b55c6c8112975bb3ed4d.exe
Size

629KB
MD5

96e1638c149fe24b6bbd666db517e820
SHA1

cf7e68c57f5339ddae77eb262daa2ce682530b2c
SHA256

7341556e07c6bb87682419df0b59be874698eb906993b55c6c8112975bb3ed4d
SHA512

89e43951bcb7341003174549fdd393351c7ae76fe7878be86a3f859cf4b1315ab7c53256a65241722279da71513607bc73a63e1dcc954a4ecd6f2ef52d88af7e
SSDEEP

12288:OHjcoe9PH96vB/fAuBcm9TyOE/xG3muGx44MG4Yx:ODgINfAuBcgcZG2uG24MG4Y

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1100	ygqibyt.exe
1048	~DFA70.tmp
1712	zuwyhig.exe

Deletes itself 1 IoCs

pid	Process
1900	cmd.exe

Loads dropped DLL 3 IoCs

pid	Process
1652	7341556e07c6bb87682419df0b59be874698eb906993b55c6c8112975bb3ed4d.exe
1100	ygqibyt.exe
1048	~DFA70.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1712	zuwyhig.exe
1712	zuwyhig.exe
1712	zuwyhig.exe
1712	zuwyhig.exe
1712	zuwyhig.exe
1712	zuwyhig.exe
1712	zuwyhig.exe
1712	zuwyhig.exe
1712	zuwyhig.exe
1712	zuwyhig.exe
1712	zuwyhig.exe
1712	zuwyhig.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1048	~DFA70.tmp

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1652 wrote to memory of 1100	1652	7341556e07c6bb87682419df0b59be874698eb906993b55c6c8112975bb3ed4d.exe	27
PID 1652 wrote to memory of 1100	1652	7341556e07c6bb87682419df0b59be874698eb906993b55c6c8112975bb3ed4d.exe	27
PID 1652 wrote to memory of 1100	1652	7341556e07c6bb87682419df0b59be874698eb906993b55c6c8112975bb3ed4d.exe	27
PID 1652 wrote to memory of 1100	1652	7341556e07c6bb87682419df0b59be874698eb906993b55c6c8112975bb3ed4d.exe	27
PID 1100 wrote to memory of 1048	1100	ygqibyt.exe	28
PID 1100 wrote to memory of 1048	1100	ygqibyt.exe	28
PID 1100 wrote to memory of 1048	1100	ygqibyt.exe	28
PID 1100 wrote to memory of 1048	1100	ygqibyt.exe	28
PID 1652 wrote to memory of 1900	1652	7341556e07c6bb87682419df0b59be874698eb906993b55c6c8112975bb3ed4d.exe	29
PID 1652 wrote to memory of 1900	1652	7341556e07c6bb87682419df0b59be874698eb906993b55c6c8112975bb3ed4d.exe	29
PID 1652 wrote to memory of 1900	1652	7341556e07c6bb87682419df0b59be874698eb906993b55c6c8112975bb3ed4d.exe	29
PID 1652 wrote to memory of 1900	1652	7341556e07c6bb87682419df0b59be874698eb906993b55c6c8112975bb3ed4d.exe	29
PID 1048 wrote to memory of 1712	1048	~DFA70.tmp	31
PID 1048 wrote to memory of 1712	1048	~DFA70.tmp	31
PID 1048 wrote to memory of 1712	1048	~DFA70.tmp	31
PID 1048 wrote to memory of 1712	1048	~DFA70.tmp	31

C:\Users\Admin\AppData\Local\Temp\7341556e07c6bb87682419df0b59be874698eb906993b55c6c8112975bb3ed4d.exe
"C:\Users\Admin\AppData\Local\Temp\7341556e07c6bb87682419df0b59be874698eb906993b55c6c8112975bb3ed4d.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1652
- C:\Users\Admin\AppData\Local\Temp\ygqibyt.exe
  C:\Users\Admin\AppData\Local\Temp\ygqibyt.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1100
- - C:\Users\Admin\AppData\Local\Temp\~DFA70.tmp
    C:\Users\Admin\AppData\Local\Temp\~DFA70.tmp OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1048
  - - C:\Users\Admin\AppData\Local\Temp\zuwyhig.exe
      "C:\Users\Admin\AppData\Local\Temp\zuwyhig.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:1712
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
  2⤵
  - Deletes itself
  PID:1900

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uninsep.bat

Filesize
341B

MD5
15ee7a4a654b4205d81dbbd9aea94e88

SHA1
f632d320580399d87c8c2aebffe0f39f70207793

SHA256
1264be5f99143dfa705f987274cf2aec0ce910a46c9c233f1a90ee9e3cf0d193

SHA512
a0d56621f69c72e4dab39861a730fc6350b03da8dd4ff1496f83d88f2bcc81f030a6027dbbc370cc62f8cc72c0bbd6b40e088ccd5f24d693e71793e676e303b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
86bb2dbeaef655893262f3c041f6afe2

SHA1
1b26ff1241c1353bd506c18bd0c11878076ba65d

SHA256
4a57643d2c59d1235bc0926f845583f39345839e3e9428ad619eb4b6baf96ad2

SHA512
58294cfaa5882a4c5625c03fe6f9e4882912b31f7169241f95626745d66c0a746083a9044365943d66ae7a420113d28c0ddd642c4ed697c683deb63796a13d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
480B

MD5
da35f03b5fa429fe4a5f9f709d47ad93

SHA1
2f58c7d472ef2af95055e2e17ffb23781c17276f

SHA256
d47a5a903dfad9bf83934c295fc1163c954260961fb73cc74eb714eb94c1f1d9

SHA512
e82aabdeeec6262426799fcfed03440732825c001e01d3689dbaf767fc2a163383a06e59078b4ba40d104fdfb26decf4ec8e3fb19a9a113e7e11088dd4a44251

Download Submit
C:\Users\Admin\AppData\Local\Temp\ygqibyt.exe

Filesize
632KB

MD5
b16aeabb705c669f2093e61220aa30b4

SHA1
94c06872ce7988283126edd12d7392c938a424d0

SHA256
8fb09d96ba6a998d4c49341fa653f869fd4e12dc67112f900f8096e201db95de

SHA512
0901b43f6f220ec054edebc02afda6b61005aa3490a49cdfeb9fdf9fe4a1a0a1ebf346c6d2465b5c29b042ef40a347fd515eb98dfe6f99b3a4ff632d9f27eadb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ygqibyt.exe

Filesize
632KB

MD5
b16aeabb705c669f2093e61220aa30b4

SHA1
94c06872ce7988283126edd12d7392c938a424d0

SHA256
8fb09d96ba6a998d4c49341fa653f869fd4e12dc67112f900f8096e201db95de

SHA512
0901b43f6f220ec054edebc02afda6b61005aa3490a49cdfeb9fdf9fe4a1a0a1ebf346c6d2465b5c29b042ef40a347fd515eb98dfe6f99b3a4ff632d9f27eadb

Download Submit
C:\Users\Admin\AppData\Local\Temp\zuwyhig.exe

Filesize
410KB

MD5
27a941513ae2826c5204da31f85dbfbc

SHA1
57c039bd10747767538164d6a452fad2b72530a6

SHA256
cc70bf0f8db432ed4726d032abbd84cacd003b010ece092b1871634ca0da9cf7

SHA512
a3e0aaeb2a790f7f53acdfdd87df1b8f58f50d9ec00c2ada084932b55ec41f9f0a79f8a16176dcdb55a77e171d77bee3ab31680379ff5ffbaa6149d5f450061f

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA70.tmp

Filesize
635KB

MD5
37293939e9af5c8329aef4472c4afda6

SHA1
c20113be74540a916c7df331584269513f470ba0

SHA256
3dfc2b41ed9e314b7a490d1f9a0e9f668bd1384e8a77d6397ed9006f9a4ae7f2

SHA512
aade2fd5dc1d49022af840515261de53f92a3f8b693acca89ca2c40c203d66a483a2172dac75655eabaa054fe048cead1fcbe69599a78b2f839ffd2249e843e7

Download Submit
\Users\Admin\AppData\Local\Temp\ygqibyt.exe

Filesize
632KB

MD5
b16aeabb705c669f2093e61220aa30b4

SHA1
94c06872ce7988283126edd12d7392c938a424d0

SHA256
8fb09d96ba6a998d4c49341fa653f869fd4e12dc67112f900f8096e201db95de

SHA512
0901b43f6f220ec054edebc02afda6b61005aa3490a49cdfeb9fdf9fe4a1a0a1ebf346c6d2465b5c29b042ef40a347fd515eb98dfe6f99b3a4ff632d9f27eadb

Download Submit
\Users\Admin\AppData\Local\Temp\zuwyhig.exe

Filesize
410KB

MD5
27a941513ae2826c5204da31f85dbfbc

SHA1
57c039bd10747767538164d6a452fad2b72530a6

SHA256
cc70bf0f8db432ed4726d032abbd84cacd003b010ece092b1871634ca0da9cf7

SHA512
a3e0aaeb2a790f7f53acdfdd87df1b8f58f50d9ec00c2ada084932b55ec41f9f0a79f8a16176dcdb55a77e171d77bee3ab31680379ff5ffbaa6149d5f450061f

Download Submit
\Users\Admin\AppData\Local\Temp\~DFA70.tmp

Filesize
635KB

MD5
37293939e9af5c8329aef4472c4afda6

SHA1
c20113be74540a916c7df331584269513f470ba0

SHA256
3dfc2b41ed9e314b7a490d1f9a0e9f668bd1384e8a77d6397ed9006f9a4ae7f2

SHA512
aade2fd5dc1d49022af840515261de53f92a3f8b693acca89ca2c40c203d66a483a2172dac75655eabaa054fe048cead1fcbe69599a78b2f839ffd2249e843e7

Download Submit
memory/1048-73-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1048-69-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1048-78-0x0000000003740000-0x000000000387E000-memory.dmp

Filesize
1.2MB

Download
memory/1100-68-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1100-65-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1652-71-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1652-54-0x0000000075D01000-0x0000000075D03000-memory.dmp

Filesize
8KB

Download
memory/1652-64-0x0000000001D40000-0x0000000001E1E000-memory.dmp

Filesize
888KB

Download
memory/1652-55-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1712-79-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download