4f1f10613df6529b041540792d811c439c8b00b838b722d80385b98de3cdfa39

Analysis

max time kernel
152s
max time network
84s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
21-10-2022 05:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4f1f10613df6529b041540792d811c439c8b00b838b722d80385b98de3cdfa39.exe
Size

654KB
MD5

5374d956a84e3f6ebcf184a0ce91b880
SHA1

cd7baab7d897de1d61dbd45fd6e114ff7757ca5b
SHA256

4f1f10613df6529b041540792d811c439c8b00b838b722d80385b98de3cdfa39
SHA512

c13fb7372d0388a69a2861cf1dcc1197f3a4e0b06854866c1b831a557c70768e562642350f9422bed2be1b643683599d594f5c1c7caf1ce476cab6fd06c727bd
SSDEEP

12288:OHjcoe9PH96vB/fAuBcm9TyOE/xG3muGx44MG4Yx:ODgINfAuBcgcZG2uG24MG4Y

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1392	motope.exe
1060	~DFA60.tmp
1048	temede.exe

Deletes itself 1 IoCs

pid	Process
1020	cmd.exe

Loads dropped DLL 3 IoCs

pid	Process
1476	4f1f10613df6529b041540792d811c439c8b00b838b722d80385b98de3cdfa39.exe
1392	motope.exe
1060	~DFA60.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
1048	temede.exe
1048	temede.exe
1048	temede.exe
1048	temede.exe
1048	temede.exe
1048	temede.exe
1048	temede.exe
1048	temede.exe
1048	temede.exe
1048	temede.exe
1048	temede.exe
1048	temede.exe
1048	temede.exe
1048	temede.exe
1048	temede.exe
1048	temede.exe
1048	temede.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1060	~DFA60.tmp

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1476 wrote to memory of 1392	1476	4f1f10613df6529b041540792d811c439c8b00b838b722d80385b98de3cdfa39.exe	27
PID 1476 wrote to memory of 1392	1476	4f1f10613df6529b041540792d811c439c8b00b838b722d80385b98de3cdfa39.exe	27
PID 1476 wrote to memory of 1392	1476	4f1f10613df6529b041540792d811c439c8b00b838b722d80385b98de3cdfa39.exe	27
PID 1476 wrote to memory of 1392	1476	4f1f10613df6529b041540792d811c439c8b00b838b722d80385b98de3cdfa39.exe	27
PID 1392 wrote to memory of 1060	1392	motope.exe	28
PID 1392 wrote to memory of 1060	1392	motope.exe	28
PID 1392 wrote to memory of 1060	1392	motope.exe	28
PID 1392 wrote to memory of 1060	1392	motope.exe	28
PID 1476 wrote to memory of 1020	1476	4f1f10613df6529b041540792d811c439c8b00b838b722d80385b98de3cdfa39.exe	29
PID 1476 wrote to memory of 1020	1476	4f1f10613df6529b041540792d811c439c8b00b838b722d80385b98de3cdfa39.exe	29
PID 1476 wrote to memory of 1020	1476	4f1f10613df6529b041540792d811c439c8b00b838b722d80385b98de3cdfa39.exe	29
PID 1476 wrote to memory of 1020	1476	4f1f10613df6529b041540792d811c439c8b00b838b722d80385b98de3cdfa39.exe	29
PID 1060 wrote to memory of 1048	1060	~DFA60.tmp	31
PID 1060 wrote to memory of 1048	1060	~DFA60.tmp	31
PID 1060 wrote to memory of 1048	1060	~DFA60.tmp	31
PID 1060 wrote to memory of 1048	1060	~DFA60.tmp	31

C:\Users\Admin\AppData\Local\Temp\4f1f10613df6529b041540792d811c439c8b00b838b722d80385b98de3cdfa39.exe
"C:\Users\Admin\AppData\Local\Temp\4f1f10613df6529b041540792d811c439c8b00b838b722d80385b98de3cdfa39.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1476
- C:\Users\Admin\AppData\Local\Temp\motope.exe
  C:\Users\Admin\AppData\Local\Temp\motope.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1392
- - C:\Users\Admin\AppData\Local\Temp\~DFA60.tmp
    C:\Users\Admin\AppData\Local\Temp\~DFA60.tmp OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1060
  - - C:\Users\Admin\AppData\Local\Temp\temede.exe
      "C:\Users\Admin\AppData\Local\Temp\temede.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:1048
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
  2⤵
  - Deletes itself
  PID:1020

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uninsep.bat

Filesize
341B

MD5
e48944954074b1d2e17502832e511b17

SHA1
c7c91e4e79a6bad4364726d859b33c69bcc5543f

SHA256
932138b3d6e0acf3eda6f5227be388c2f26f594ac0ad777e588e77f91d4c9b6a

SHA512
fb14b1844dcba4c724adfe3dfcb34c9f9173ef97079e5e32b32a3516d74d2ad0ef59f01d0a994bea12a0da22240f8a79fd1e9773dfae57f65c33fd981b9820fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
86bb2dbeaef655893262f3c041f6afe2

SHA1
1b26ff1241c1353bd506c18bd0c11878076ba65d

SHA256
4a57643d2c59d1235bc0926f845583f39345839e3e9428ad619eb4b6baf96ad2

SHA512
58294cfaa5882a4c5625c03fe6f9e4882912b31f7169241f95626745d66c0a746083a9044365943d66ae7a420113d28c0ddd642c4ed697c683deb63796a13d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
480B

MD5
e39fbdbb036fb0ecf166efe03c985293

SHA1
dc11adca838c9fc9716743a005cae64dab8e0864

SHA256
5cbb9fe7805a3c3a757d8f70e50a19bed7a6c02bc73f3223874dc49bb8b5d493

SHA512
34102e96a04d176be4d82ff3b11bf39fba84fe6ef8f97953119daed65f5e2d1f6af478b5a7fb1d1dc898a68dc326ab68ea570e7687ddca0f08b22d73eb71dd04

Download Submit
C:\Users\Admin\AppData\Local\Temp\motope.exe

Filesize
660KB

MD5
e5caebfd427d6d5a03d312ee905fa083

SHA1
d2c4dbd2299f95048dd6a1e7df49dfb09acf80c0

SHA256
8b220d7e98071021c28cad6ee9d8175956e040da8b4b8ef61eb587d37a335190

SHA512
438ac3cae90b868c678b18c2718a3ca943e94932da7fec169d8e4bdd394836a42f05445059451c47106174711851b3c9418abc256a45788a40060036c92ed657

Download Submit
C:\Users\Admin\AppData\Local\Temp\motope.exe

Filesize
660KB

MD5
e5caebfd427d6d5a03d312ee905fa083

SHA1
d2c4dbd2299f95048dd6a1e7df49dfb09acf80c0

SHA256
8b220d7e98071021c28cad6ee9d8175956e040da8b4b8ef61eb587d37a335190

SHA512
438ac3cae90b868c678b18c2718a3ca943e94932da7fec169d8e4bdd394836a42f05445059451c47106174711851b3c9418abc256a45788a40060036c92ed657

Download Submit
C:\Users\Admin\AppData\Local\Temp\temede.exe

Filesize
411KB

MD5
4ec903759dbf240b07b35dc8513ad3da

SHA1
7c131eec648e2a53dc115a68d16b8e0063e0e8f5

SHA256
e3d18bd5052d17ff4d53c09b64b6f5ae61b9c31662b2cadba5edc324e62167c2

SHA512
64028b58b658d16a5b926de7726c27a0b718c26985b77f865867613ebf21c670501997fec4595d77f315c9182500ff83d77a66ca247e314ef53eaa2d7bf9d04f

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA60.tmp

Filesize
667KB

MD5
6e5d3f03762cac83876e74f6d838d572

SHA1
ec64407b6d82226934f9f823dcb827097a143aa8

SHA256
c1c8701cb74cb555b577fa2b79498ea2b439e2a1c0fb1725d2934f414c7b0139

SHA512
a8cbf8e6c05b88b0211282665bb7b78324e67fe201130ea99dafbcbde01de99e646045b4ee0be61fa5cc63a7130b67b115c681d881bbc9cec9685f0ef74f10da

Download Submit
\Users\Admin\AppData\Local\Temp\motope.exe

Filesize
660KB

MD5
e5caebfd427d6d5a03d312ee905fa083

SHA1
d2c4dbd2299f95048dd6a1e7df49dfb09acf80c0

SHA256
8b220d7e98071021c28cad6ee9d8175956e040da8b4b8ef61eb587d37a335190

SHA512
438ac3cae90b868c678b18c2718a3ca943e94932da7fec169d8e4bdd394836a42f05445059451c47106174711851b3c9418abc256a45788a40060036c92ed657

Download Submit
\Users\Admin\AppData\Local\Temp\temede.exe

Filesize
411KB

MD5
4ec903759dbf240b07b35dc8513ad3da

SHA1
7c131eec648e2a53dc115a68d16b8e0063e0e8f5

SHA256
e3d18bd5052d17ff4d53c09b64b6f5ae61b9c31662b2cadba5edc324e62167c2

SHA512
64028b58b658d16a5b926de7726c27a0b718c26985b77f865867613ebf21c670501997fec4595d77f315c9182500ff83d77a66ca247e314ef53eaa2d7bf9d04f

Download Submit
\Users\Admin\AppData\Local\Temp\~DFA60.tmp

Filesize
667KB

MD5
6e5d3f03762cac83876e74f6d838d572

SHA1
ec64407b6d82226934f9f823dcb827097a143aa8

SHA256
c1c8701cb74cb555b577fa2b79498ea2b439e2a1c0fb1725d2934f414c7b0139

SHA512
a8cbf8e6c05b88b0211282665bb7b78324e67fe201130ea99dafbcbde01de99e646045b4ee0be61fa5cc63a7130b67b115c681d881bbc9cec9685f0ef74f10da

Download Submit
memory/1048-79-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/1060-68-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1060-73-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1060-78-0x0000000003640000-0x000000000377E000-memory.dmp

Filesize
1.2MB

Download
memory/1392-69-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1392-62-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1476-71-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1476-54-0x0000000074C11000-0x0000000074C13000-memory.dmp

Filesize
8KB

Download
memory/1476-61-0x0000000001E40000-0x0000000001F1E000-memory.dmp

Filesize
888KB

Download
memory/1476-55-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download