7d848044611b9c27547b19313a2d12b668ae91c98576733c82995db5a3aa8788

Analysis

max time kernel
151s
max time network
93s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
21/10/2022, 05:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7d848044611b9c27547b19313a2d12b668ae91c98576733c82995db5a3aa8788.exe
Size

703KB
MD5

597d7da854ae4aa8f1c36d6f739efbd0
SHA1

dde7324a7d75f84c97fe9e6eab8e8aae80cd427e
SHA256

7d848044611b9c27547b19313a2d12b668ae91c98576733c82995db5a3aa8788
SHA512

7d933ce00a806f2833e4327822e10b23a31ea2c4833e5086a3d54055e368e6a0dd92f716f83187b1d5b3ff664ab2c7b44ba7ed6b98193db0c94b3cb00f21f653
SSDEEP

12288:VHjcoe9PH96vB/fAuBcm9TyOE/xG3muGx44MG4Yx:VDgINfAuBcgcZG2uG24MG4Y

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1744	dumenav.exe
1756	~DFA58.tmp
740	koippu.exe

Deletes itself 1 IoCs

pid	Process
1204	cmd.exe

Loads dropped DLL 3 IoCs

pid	Process
2012	7d848044611b9c27547b19313a2d12b668ae91c98576733c82995db5a3aa8788.exe
1744	dumenav.exe
1756	~DFA58.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
740	koippu.exe
740	koippu.exe
740	koippu.exe
740	koippu.exe
740	koippu.exe
740	koippu.exe
740	koippu.exe
740	koippu.exe
740	koippu.exe
740	koippu.exe
740	koippu.exe
740	koippu.exe
740	koippu.exe
740	koippu.exe
740	koippu.exe
740	koippu.exe
740	koippu.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1756	~DFA58.tmp

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2012 wrote to memory of 1744	2012	7d848044611b9c27547b19313a2d12b668ae91c98576733c82995db5a3aa8788.exe	28
PID 2012 wrote to memory of 1744	2012	7d848044611b9c27547b19313a2d12b668ae91c98576733c82995db5a3aa8788.exe	28
PID 2012 wrote to memory of 1744	2012	7d848044611b9c27547b19313a2d12b668ae91c98576733c82995db5a3aa8788.exe	28
PID 2012 wrote to memory of 1744	2012	7d848044611b9c27547b19313a2d12b668ae91c98576733c82995db5a3aa8788.exe	28
PID 1744 wrote to memory of 1756	1744	dumenav.exe	31
PID 1744 wrote to memory of 1756	1744	dumenav.exe	31
PID 1744 wrote to memory of 1756	1744	dumenav.exe	31
PID 1744 wrote to memory of 1756	1744	dumenav.exe	31
PID 2012 wrote to memory of 1204	2012	7d848044611b9c27547b19313a2d12b668ae91c98576733c82995db5a3aa8788.exe	30
PID 2012 wrote to memory of 1204	2012	7d848044611b9c27547b19313a2d12b668ae91c98576733c82995db5a3aa8788.exe	30
PID 2012 wrote to memory of 1204	2012	7d848044611b9c27547b19313a2d12b668ae91c98576733c82995db5a3aa8788.exe	30
PID 2012 wrote to memory of 1204	2012	7d848044611b9c27547b19313a2d12b668ae91c98576733c82995db5a3aa8788.exe	30
PID 1756 wrote to memory of 740	1756	~DFA58.tmp	32
PID 1756 wrote to memory of 740	1756	~DFA58.tmp	32
PID 1756 wrote to memory of 740	1756	~DFA58.tmp	32
PID 1756 wrote to memory of 740	1756	~DFA58.tmp	32

C:\Users\Admin\AppData\Local\Temp\7d848044611b9c27547b19313a2d12b668ae91c98576733c82995db5a3aa8788.exe
"C:\Users\Admin\AppData\Local\Temp\7d848044611b9c27547b19313a2d12b668ae91c98576733c82995db5a3aa8788.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2012
- C:\Users\Admin\AppData\Local\Temp\dumenav.exe
  C:\Users\Admin\AppData\Local\Temp\dumenav.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1744
- - C:\Users\Admin\AppData\Local\Temp\~DFA58.tmp
    C:\Users\Admin\AppData\Local\Temp\~DFA58.tmp OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1756
  - - C:\Users\Admin\AppData\Local\Temp\koippu.exe
      "C:\Users\Admin\AppData\Local\Temp\koippu.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:740
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
  2⤵
  - Deletes itself
  PID:1204

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uninsep.bat

Filesize
341B

MD5
7160ea145dc11324f8869f030bdf99dd

SHA1
10b8e78bc61a0637cc626d362a324d7626f31f20

SHA256
481799c9924f83fb0c2e8907d714ff555dafe3ab5c55cfeb320bb82d87fe75ca

SHA512
cf3b28ec095fd8d602e910c867222ad006957dfa2143af93f4c61f638feb190fc91fd8820d7a0a7585b3814cfd103c80e4f7c708ff3a95aec76066eed103d79c

Download Submit
C:\Users\Admin\AppData\Local\Temp\dumenav.exe

Filesize
711KB

MD5
50c32e4c07d1ab10c2ef8470cbe056c6

SHA1
b27f9f7f05d819117d1318d14a4c67ea19961ffe

SHA256
b7ce703631531a8f291383ce8e4c8c1e53d220ab8c8b3bb00e6468ccbe159dcd

SHA512
e70451e9a2a32f8bc59f49d54cc2b5825bfd56cc78570bd34fdeaf69e60a98642389941096fcf699c84ddf0f8c2e675d4d9626ae61af6ebff916cb9420523c46

Download Submit
C:\Users\Admin\AppData\Local\Temp\dumenav.exe

Filesize
711KB

MD5
50c32e4c07d1ab10c2ef8470cbe056c6

SHA1
b27f9f7f05d819117d1318d14a4c67ea19961ffe

SHA256
b7ce703631531a8f291383ce8e4c8c1e53d220ab8c8b3bb00e6468ccbe159dcd

SHA512
e70451e9a2a32f8bc59f49d54cc2b5825bfd56cc78570bd34fdeaf69e60a98642389941096fcf699c84ddf0f8c2e675d4d9626ae61af6ebff916cb9420523c46

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
86bb2dbeaef655893262f3c041f6afe2

SHA1
1b26ff1241c1353bd506c18bd0c11878076ba65d

SHA256
4a57643d2c59d1235bc0926f845583f39345839e3e9428ad619eb4b6baf96ad2

SHA512
58294cfaa5882a4c5625c03fe6f9e4882912b31f7169241f95626745d66c0a746083a9044365943d66ae7a420113d28c0ddd642c4ed697c683deb63796a13d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
480B

MD5
9aca3c7f5a3cee8a3db1ceecff27a243

SHA1
dcfc205e598de2cef245ffcb516086052cf43c0a

SHA256
6ce563856c89c6c3a38424fa652534db000e17d73b1c0644b28094e77628379c

SHA512
bf09292283f2924c94bdc09cd55afe02244321f7cc26dd2db0dff09bb9d7cc18b4ee0f8012533ae685277e3dafc8491d89083124fbe4326df39de78214b22968

Download Submit
C:\Users\Admin\AppData\Local\Temp\koippu.exe

Filesize
410KB

MD5
c49e8af53200fa1665acd5206cb678dd

SHA1
f50b9d903232251b7474e3bf563657deac3687f9

SHA256
816123f6b5da4388e5e95c7feb45e62130930da4f6b5906bc6a0f346cfc87416

SHA512
7b9636dddc19554e7e140c0ecd7adfdd281cce2c21577f02dbada6c2e08d37ad8514381ad564590861c991f9b531ca805d2ed8964457850c5b6a7815a26a8880

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA58.tmp

Filesize
719KB

MD5
8e77074400b09e94af681ef51d204193

SHA1
75d16f1c9a8b708ae95432e91555e618fe593c00

SHA256
9c9da7fefd3cd22e4d5a5264489aecd94989266d3a3a148022d6f5d882726334

SHA512
a427ab659a2b1fd781d46cc935fa3f2f28d72f05bb508be174b022488193047cab767ae98c12e2565d6a1d6d682c4437a37a867b0e8b833961577e9ae75d5a0f

Download Submit
\Users\Admin\AppData\Local\Temp\dumenav.exe

Filesize
711KB

MD5
50c32e4c07d1ab10c2ef8470cbe056c6

SHA1
b27f9f7f05d819117d1318d14a4c67ea19961ffe

SHA256
b7ce703631531a8f291383ce8e4c8c1e53d220ab8c8b3bb00e6468ccbe159dcd

SHA512
e70451e9a2a32f8bc59f49d54cc2b5825bfd56cc78570bd34fdeaf69e60a98642389941096fcf699c84ddf0f8c2e675d4d9626ae61af6ebff916cb9420523c46

Download Submit
\Users\Admin\AppData\Local\Temp\koippu.exe

Filesize
410KB

MD5
c49e8af53200fa1665acd5206cb678dd

SHA1
f50b9d903232251b7474e3bf563657deac3687f9

SHA256
816123f6b5da4388e5e95c7feb45e62130930da4f6b5906bc6a0f346cfc87416

SHA512
7b9636dddc19554e7e140c0ecd7adfdd281cce2c21577f02dbada6c2e08d37ad8514381ad564590861c991f9b531ca805d2ed8964457850c5b6a7815a26a8880

Download Submit
\Users\Admin\AppData\Local\Temp\~DFA58.tmp

Filesize
719KB

MD5
8e77074400b09e94af681ef51d204193

SHA1
75d16f1c9a8b708ae95432e91555e618fe593c00

SHA256
9c9da7fefd3cd22e4d5a5264489aecd94989266d3a3a148022d6f5d882726334

SHA512
a427ab659a2b1fd781d46cc935fa3f2f28d72f05bb508be174b022488193047cab767ae98c12e2565d6a1d6d682c4437a37a867b0e8b833961577e9ae75d5a0f

Download Submit
memory/740-79-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/1744-71-0x0000000002CA0000-0x0000000002D7E000-memory.dmp

Filesize
888KB

Download
memory/1744-70-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1744-73-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1756-72-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1756-74-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1756-76-0x00000000034B0000-0x00000000035EE000-memory.dmp

Filesize
1.2MB

Download
memory/2012-54-0x0000000075281000-0x0000000075283000-memory.dmp

Filesize
8KB

Download
memory/2012-68-0x0000000001E50000-0x0000000001F2E000-memory.dmp

Filesize
888KB

Download
memory/2012-67-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/2012-55-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download