a3af75b70292fd289be528013bbf9f4d2ddfd89812cf44f772b872e4363c1d94

Analysis

max time kernel
203s
max time network
129s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
21-10-2022 05:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a3af75b70292fd289be528013bbf9f4d2ddfd89812cf44f772b872e4363c1d94.exe
Size

658KB
MD5

732d5b5bdbcb7e6e110f19b42a31c3c0
SHA1

e720df01778e30627609fbb4cebcc3d7f3b1b9af
SHA256

a3af75b70292fd289be528013bbf9f4d2ddfd89812cf44f772b872e4363c1d94
SHA512

85eb27e02d8d1e766ec71735e62f73d4ee5005e824df26a30aea4b972fc048970457ff16d22873dbd35d5ce7973f90cac4b723ca975a558ee489446c1be22edb
SSDEEP

12288:VHjcoe9PH96vB/fAuBcm9TyOE/xG3muGx44MG4Yx:VDgINfAuBcgcZG2uG24MG4Y

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1412	nukojiu.exe
1156	~DFA8B.tmp
1340	jeikyqu.exe

Deletes itself 1 IoCs

pid	Process
604	cmd.exe

Loads dropped DLL 3 IoCs

pid	Process
944	a3af75b70292fd289be528013bbf9f4d2ddfd89812cf44f772b872e4363c1d94.exe
1412	nukojiu.exe
1156	~DFA8B.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
1340	jeikyqu.exe
1340	jeikyqu.exe
1340	jeikyqu.exe
1340	jeikyqu.exe
1340	jeikyqu.exe
1340	jeikyqu.exe
1340	jeikyqu.exe
1340	jeikyqu.exe
1340	jeikyqu.exe
1340	jeikyqu.exe
1340	jeikyqu.exe
1340	jeikyqu.exe
1340	jeikyqu.exe
1340	jeikyqu.exe
1340	jeikyqu.exe
1340	jeikyqu.exe
1340	jeikyqu.exe
1340	jeikyqu.exe
1340	jeikyqu.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1156	~DFA8B.tmp

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 944 wrote to memory of 1412	944	a3af75b70292fd289be528013bbf9f4d2ddfd89812cf44f772b872e4363c1d94.exe	28
PID 944 wrote to memory of 1412	944	a3af75b70292fd289be528013bbf9f4d2ddfd89812cf44f772b872e4363c1d94.exe	28
PID 944 wrote to memory of 1412	944	a3af75b70292fd289be528013bbf9f4d2ddfd89812cf44f772b872e4363c1d94.exe	28
PID 944 wrote to memory of 1412	944	a3af75b70292fd289be528013bbf9f4d2ddfd89812cf44f772b872e4363c1d94.exe	28
PID 1412 wrote to memory of 1156	1412	nukojiu.exe	27
PID 1412 wrote to memory of 1156	1412	nukojiu.exe	27
PID 1412 wrote to memory of 1156	1412	nukojiu.exe	27
PID 1412 wrote to memory of 1156	1412	nukojiu.exe	27
PID 944 wrote to memory of 604	944	a3af75b70292fd289be528013bbf9f4d2ddfd89812cf44f772b872e4363c1d94.exe	30
PID 944 wrote to memory of 604	944	a3af75b70292fd289be528013bbf9f4d2ddfd89812cf44f772b872e4363c1d94.exe	30
PID 944 wrote to memory of 604	944	a3af75b70292fd289be528013bbf9f4d2ddfd89812cf44f772b872e4363c1d94.exe	30
PID 944 wrote to memory of 604	944	a3af75b70292fd289be528013bbf9f4d2ddfd89812cf44f772b872e4363c1d94.exe	30
PID 1156 wrote to memory of 1340	1156	~DFA8B.tmp	31
PID 1156 wrote to memory of 1340	1156	~DFA8B.tmp	31
PID 1156 wrote to memory of 1340	1156	~DFA8B.tmp	31
PID 1156 wrote to memory of 1340	1156	~DFA8B.tmp	31

C:\Users\Admin\AppData\Local\Temp\a3af75b70292fd289be528013bbf9f4d2ddfd89812cf44f772b872e4363c1d94.exe
"C:\Users\Admin\AppData\Local\Temp\a3af75b70292fd289be528013bbf9f4d2ddfd89812cf44f772b872e4363c1d94.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:944
- C:\Users\Admin\AppData\Local\Temp\nukojiu.exe
  C:\Users\Admin\AppData\Local\Temp\nukojiu.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1412
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
  2⤵
  - Deletes itself
  PID:604

C:\Users\Admin\AppData\Local\Temp\~DFA8B.tmp
C:\Users\Admin\AppData\Local\Temp\~DFA8B.tmp OK
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1156
- C:\Users\Admin\AppData\Local\Temp\jeikyqu.exe
  "C:\Users\Admin\AppData\Local\Temp\jeikyqu.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1340

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uninsep.bat

Filesize
341B

MD5
c086a86709433d9ddb23931d92c3ddb9

SHA1
b97dd35218acb36479ef17753d218b1c2962c65c

SHA256
635a102e986eb8845241a2a4585f8de3ad3358727d8b0b5dea4fefc0a42db522

SHA512
eef9e346e1120163709d2abc91338179972c0b312e7c3548a45fe4b7dc364263a0808a6282b217fcad83a6f571c7a401c753d629b49a850833149f8d8d92836c

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
86bb2dbeaef655893262f3c041f6afe2

SHA1
1b26ff1241c1353bd506c18bd0c11878076ba65d

SHA256
4a57643d2c59d1235bc0926f845583f39345839e3e9428ad619eb4b6baf96ad2

SHA512
58294cfaa5882a4c5625c03fe6f9e4882912b31f7169241f95626745d66c0a746083a9044365943d66ae7a420113d28c0ddd642c4ed697c683deb63796a13d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
480B

MD5
f9b237198c2b190bc06e0052aad7f29f

SHA1
9280fc439b1eff9101d1fe59285d5862eb1a481b

SHA256
f8efc6c8f6964f0a0ac40d036b2b26738def9ed061f35980bfde1d9e2488abab

SHA512
107692dcb87be079d57ce76fb34308f4e20754e6af0ca49b33c4cfaee7bdce889b88a0dfc42d62dc2a9a5a5b437c1412ca82d42caa67ce29b91c2cce9e1d2f7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\jeikyqu.exe

Filesize
373KB

MD5
da83b7fe9438ccf39ef5c7031d79f0c9

SHA1
f3cf8b6a580a3c86b7802f66627a3b0b065cbc4e

SHA256
95f4a3997a560b3bbd501265ce23d743c39b87e6f5ec9961f5083b1fa907c90e

SHA512
8e1bb0f6568848dc90f4e25e1fc43a08baf19440ef32f276e914f358aa7fce7d02f2f7fb6afec53ae367875c9221bf031a5c2ef306d1d22b718c11e0dcd0fb35

Download Submit
C:\Users\Admin\AppData\Local\Temp\nukojiu.exe

Filesize
667KB

MD5
5bdcee0b3b7f20c2814420273cbc5ec9

SHA1
f29fdbee046b32fe04a7dafdc41881755716d14a

SHA256
f64e99bb977244efc10901d7ccd3f25c019d2de3badea8d1a94e697cc60a91ec

SHA512
fa28a725179b61814e9eaae64129558c0688f57d750e3784d551994c1cc408684334b7a6acc6aed1f2b2c56e666b5eabd5c1ae74ea06a7da4b76fc9d4a77e26e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nukojiu.exe

Filesize
667KB

MD5
5bdcee0b3b7f20c2814420273cbc5ec9

SHA1
f29fdbee046b32fe04a7dafdc41881755716d14a

SHA256
f64e99bb977244efc10901d7ccd3f25c019d2de3badea8d1a94e697cc60a91ec

SHA512
fa28a725179b61814e9eaae64129558c0688f57d750e3784d551994c1cc408684334b7a6acc6aed1f2b2c56e666b5eabd5c1ae74ea06a7da4b76fc9d4a77e26e

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA8B.tmp

Filesize
677KB

MD5
fa6108c9c7f6f62c8a2cccf98a130e78

SHA1
c5e776ed9b58718fd538d4877cb13ac75c340f5e

SHA256
dffda38e85d4b33b37ad402ae65b372f1f8d24256d10ffb6786b3b73b94297ce

SHA512
6860f6bf7eedb48f72c4c54a6d4e0ea3a52542f9f928f6f1896b9d8712a3ac98188a487691ab951a84f21daef55b96165192785847eb2084078f1ebf4796ea3a

Download Submit
\Users\Admin\AppData\Local\Temp\jeikyqu.exe

Filesize
373KB

MD5
da83b7fe9438ccf39ef5c7031d79f0c9

SHA1
f3cf8b6a580a3c86b7802f66627a3b0b065cbc4e

SHA256
95f4a3997a560b3bbd501265ce23d743c39b87e6f5ec9961f5083b1fa907c90e

SHA512
8e1bb0f6568848dc90f4e25e1fc43a08baf19440ef32f276e914f358aa7fce7d02f2f7fb6afec53ae367875c9221bf031a5c2ef306d1d22b718c11e0dcd0fb35

Download Submit
\Users\Admin\AppData\Local\Temp\nukojiu.exe

Filesize
667KB

MD5
5bdcee0b3b7f20c2814420273cbc5ec9

SHA1
f29fdbee046b32fe04a7dafdc41881755716d14a

SHA256
f64e99bb977244efc10901d7ccd3f25c019d2de3badea8d1a94e697cc60a91ec

SHA512
fa28a725179b61814e9eaae64129558c0688f57d750e3784d551994c1cc408684334b7a6acc6aed1f2b2c56e666b5eabd5c1ae74ea06a7da4b76fc9d4a77e26e

Download Submit
\Users\Admin\AppData\Local\Temp\~DFA8B.tmp

Filesize
677KB

MD5
fa6108c9c7f6f62c8a2cccf98a130e78

SHA1
c5e776ed9b58718fd538d4877cb13ac75c340f5e

SHA256
dffda38e85d4b33b37ad402ae65b372f1f8d24256d10ffb6786b3b73b94297ce

SHA512
6860f6bf7eedb48f72c4c54a6d4e0ea3a52542f9f928f6f1896b9d8712a3ac98188a487691ab951a84f21daef55b96165192785847eb2084078f1ebf4796ea3a

Download Submit
memory/944-70-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/944-62-0x0000000001EE0000-0x0000000001FBE000-memory.dmp

Filesize
888KB

Download
memory/944-55-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/944-54-0x0000000075141000-0x0000000075143000-memory.dmp

Filesize
8KB

Download
memory/1156-68-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1156-73-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1156-78-0x0000000003660000-0x000000000379E000-memory.dmp

Filesize
1.2MB

Download
memory/1340-79-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/1412-72-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1412-65-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download