8968f4f9f5a6afc7fa8855fcd1dc8b6f151ff164a8025d51e381ac990def33aa

Analysis

max time kernel
172s
max time network
98s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
21/10/2022, 05:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8968f4f9f5a6afc7fa8855fcd1dc8b6f151ff164a8025d51e381ac990def33aa.exe
Size

616KB
MD5

539199a218f05696056634c64b83ea20
SHA1

abd6307630af63f946f791b017f331a96587ca1e
SHA256

8968f4f9f5a6afc7fa8855fcd1dc8b6f151ff164a8025d51e381ac990def33aa
SHA512

84a7c001d7a35feded2b7f59dd726a400a1782ab13e5851eeecce3d7662d20e6d25dd237cda9e7b5b9f668d0c1a9f6d00413a703be2754671d1154f0c7d46804
SSDEEP

12288:VHjcoe9PH96vB/fAuBcm9TyOE/xG3muGx44MG4Yx:VDgINfAuBcgcZG2uG24MG4Y

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
952	lynefia.exe
2028	~DFA67.tmp
568	ivodrie.exe

Deletes itself 1 IoCs

pid	Process
1436	cmd.exe

Loads dropped DLL 3 IoCs

pid	Process
1456	8968f4f9f5a6afc7fa8855fcd1dc8b6f151ff164a8025d51e381ac990def33aa.exe
952	lynefia.exe
2028	~DFA67.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
568	ivodrie.exe
568	ivodrie.exe
568	ivodrie.exe
568	ivodrie.exe
568	ivodrie.exe
568	ivodrie.exe
568	ivodrie.exe
568	ivodrie.exe
568	ivodrie.exe
568	ivodrie.exe
568	ivodrie.exe
568	ivodrie.exe
568	ivodrie.exe
568	ivodrie.exe
568	ivodrie.exe
568	ivodrie.exe
568	ivodrie.exe
568	ivodrie.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2028	~DFA67.tmp

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1456 wrote to memory of 952	1456	8968f4f9f5a6afc7fa8855fcd1dc8b6f151ff164a8025d51e381ac990def33aa.exe	27
PID 1456 wrote to memory of 952	1456	8968f4f9f5a6afc7fa8855fcd1dc8b6f151ff164a8025d51e381ac990def33aa.exe	27
PID 1456 wrote to memory of 952	1456	8968f4f9f5a6afc7fa8855fcd1dc8b6f151ff164a8025d51e381ac990def33aa.exe	27
PID 1456 wrote to memory of 952	1456	8968f4f9f5a6afc7fa8855fcd1dc8b6f151ff164a8025d51e381ac990def33aa.exe	27
PID 1456 wrote to memory of 1436	1456	8968f4f9f5a6afc7fa8855fcd1dc8b6f151ff164a8025d51e381ac990def33aa.exe	28
PID 1456 wrote to memory of 1436	1456	8968f4f9f5a6afc7fa8855fcd1dc8b6f151ff164a8025d51e381ac990def33aa.exe	28
PID 1456 wrote to memory of 1436	1456	8968f4f9f5a6afc7fa8855fcd1dc8b6f151ff164a8025d51e381ac990def33aa.exe	28
PID 1456 wrote to memory of 1436	1456	8968f4f9f5a6afc7fa8855fcd1dc8b6f151ff164a8025d51e381ac990def33aa.exe	28
PID 952 wrote to memory of 2028	952	lynefia.exe	30
PID 952 wrote to memory of 2028	952	lynefia.exe	30
PID 952 wrote to memory of 2028	952	lynefia.exe	30
PID 952 wrote to memory of 2028	952	lynefia.exe	30
PID 2028 wrote to memory of 568	2028	~DFA67.tmp	31
PID 2028 wrote to memory of 568	2028	~DFA67.tmp	31
PID 2028 wrote to memory of 568	2028	~DFA67.tmp	31
PID 2028 wrote to memory of 568	2028	~DFA67.tmp	31

C:\Users\Admin\AppData\Local\Temp\8968f4f9f5a6afc7fa8855fcd1dc8b6f151ff164a8025d51e381ac990def33aa.exe
"C:\Users\Admin\AppData\Local\Temp\8968f4f9f5a6afc7fa8855fcd1dc8b6f151ff164a8025d51e381ac990def33aa.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1456
- C:\Users\Admin\AppData\Local\Temp\lynefia.exe
  C:\Users\Admin\AppData\Local\Temp\lynefia.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:952
- - C:\Users\Admin\AppData\Local\Temp\~DFA67.tmp
    C:\Users\Admin\AppData\Local\Temp\~DFA67.tmp OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2028
  - - C:\Users\Admin\AppData\Local\Temp\ivodrie.exe
      "C:\Users\Admin\AppData\Local\Temp\ivodrie.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:568
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
  2⤵
  - Deletes itself
  PID:1436

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uninsep.bat

Filesize
341B

MD5
1c96943f25ae83ed369246a1a957c939

SHA1
9d826e3b317e532f57ad954ba0652b714a322c4d

SHA256
69bb2d3ce84880043e643a2b14b1c7e927fa5e75059f642f95b4277779172053

SHA512
8f9bf9e253c203756b85d4fd8559a3f2248a442c168298414aaf3b5f0ec37022937fb9b729be9dafda8769d3b1caca5f64d6331734a79c2aff14eeba7475a36b

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
86bb2dbeaef655893262f3c041f6afe2

SHA1
1b26ff1241c1353bd506c18bd0c11878076ba65d

SHA256
4a57643d2c59d1235bc0926f845583f39345839e3e9428ad619eb4b6baf96ad2

SHA512
58294cfaa5882a4c5625c03fe6f9e4882912b31f7169241f95626745d66c0a746083a9044365943d66ae7a420113d28c0ddd642c4ed697c683deb63796a13d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
480B

MD5
5289b40389ebdf5696dac43f69756dfb

SHA1
f2cb96d10b98885726c38ba6578692386aa3eff3

SHA256
a3648d2c5119ceb4d7a131c6aa745691e17c71d775d36d36e37cc69e0a03d49e

SHA512
77ddd07b8b2a169ad357e0cde56ae1232e38c05bdf8609247c1ba818c802da680a2eb0f5f6a2f19f202465c4c5956fa3e4cd0c5f8248dd88bb55f1997c6d715f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ivodrie.exe

Filesize
414KB

MD5
5ece6365b0b97e83cdde566b6cf502c6

SHA1
3f55c09f40677ba68aa3abf30ec6f03b4e67fec7

SHA256
e9b216fa466c247b4442ad614b5092b68e0e36f818d3f03199a9a1229a5d8825

SHA512
c67ac031f3a1a66d0de5c6ceed03249bf1e543d10053648c15066dcd0905d209dc950d90300e57e529e4c2fa5b4e633cecbab658effb070d1e57f06ef899da10

Download Submit
C:\Users\Admin\AppData\Local\Temp\lynefia.exe

Filesize
619KB

MD5
aa5c43468693251e5b2a51f199e6a8c5

SHA1
8e940d56d6d6a80db203e4051162b48215a8b08f

SHA256
b8b7da5ad11d9a49b0ba5ff5b2974d814a7959f85a80d9cc5f4b478707c22704

SHA512
553d0806eefe468a0dcead06e88bad1db3d3bf7e0d8126d6de7a189a731e407a459ccc52af38ae5a5cf2c6a29cc6302cd134e7144af815466b818360d3825a7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\lynefia.exe

Filesize
619KB

MD5
aa5c43468693251e5b2a51f199e6a8c5

SHA1
8e940d56d6d6a80db203e4051162b48215a8b08f

SHA256
b8b7da5ad11d9a49b0ba5ff5b2974d814a7959f85a80d9cc5f4b478707c22704

SHA512
553d0806eefe468a0dcead06e88bad1db3d3bf7e0d8126d6de7a189a731e407a459ccc52af38ae5a5cf2c6a29cc6302cd134e7144af815466b818360d3825a7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA67.tmp

Filesize
622KB

MD5
684580e0ba15f4df82b00121b9aa8b4c

SHA1
1a67c8687cb09207542914b14e4652a329a3d150

SHA256
d3036afec5cfebb9bd6c54792c98b81b2287a0441fedf631ceffef0430a09fc9

SHA512
7193522bf7b80c04d9b0fc72d065606cc3bfd7f3ea89dc9b58be4e5bb62c084067ba7c557efa21399dc41b12480b646d37a0ef19723e332e4480e26f87c00447

Download Submit
\Users\Admin\AppData\Local\Temp\ivodrie.exe

Filesize
414KB

MD5
5ece6365b0b97e83cdde566b6cf502c6

SHA1
3f55c09f40677ba68aa3abf30ec6f03b4e67fec7

SHA256
e9b216fa466c247b4442ad614b5092b68e0e36f818d3f03199a9a1229a5d8825

SHA512
c67ac031f3a1a66d0de5c6ceed03249bf1e543d10053648c15066dcd0905d209dc950d90300e57e529e4c2fa5b4e633cecbab658effb070d1e57f06ef899da10

Download Submit
\Users\Admin\AppData\Local\Temp\lynefia.exe

Filesize
619KB

MD5
aa5c43468693251e5b2a51f199e6a8c5

SHA1
8e940d56d6d6a80db203e4051162b48215a8b08f

SHA256
b8b7da5ad11d9a49b0ba5ff5b2974d814a7959f85a80d9cc5f4b478707c22704

SHA512
553d0806eefe468a0dcead06e88bad1db3d3bf7e0d8126d6de7a189a731e407a459ccc52af38ae5a5cf2c6a29cc6302cd134e7144af815466b818360d3825a7a

Download Submit
\Users\Admin\AppData\Local\Temp\~DFA67.tmp

Filesize
622KB

MD5
684580e0ba15f4df82b00121b9aa8b4c

SHA1
1a67c8687cb09207542914b14e4652a329a3d150

SHA256
d3036afec5cfebb9bd6c54792c98b81b2287a0441fedf631ceffef0430a09fc9

SHA512
7193522bf7b80c04d9b0fc72d065606cc3bfd7f3ea89dc9b58be4e5bb62c084067ba7c557efa21399dc41b12480b646d37a0ef19723e332e4480e26f87c00447

Download Submit
memory/568-78-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/952-72-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/952-71-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1456-64-0x0000000000670000-0x000000000074E000-memory.dmp

Filesize
888KB

Download
memory/1456-54-0x0000000075E11000-0x0000000075E13000-memory.dmp

Filesize
8KB

Download
memory/1456-62-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1456-55-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/2028-70-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/2028-73-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/2028-77-0x00000000038D0000-0x0000000003A0E000-memory.dmp

Filesize
1.2MB

Download