69d128d489d053cbfa9616e1987514ce5a58136d7ac11179df8e7451b8fdd5e6

Analysis

max time kernel
151s
max time network
72s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
21/10/2022, 05:31

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

69d128d489d053cbfa9616e1987514ce5a58136d7ac11179df8e7451b8fdd5e6.exe
Size

609KB
MD5

75a31ef65ce6a5f3a94aa9c320ead980
SHA1

ed30fd043b97cbdf916d60c897099a96bcb0e644
SHA256

69d128d489d053cbfa9616e1987514ce5a58136d7ac11179df8e7451b8fdd5e6
SHA512

6036448b36d9a9342699e3a53b823104e0668f98ef1b9631bcb52aa445d8e188b831612490da59d2e47cceda20afecae69150598aca8f464c7c47b23b77ca8b4
SSDEEP

12288:VHjcoe9PH96vB/fAuBcm9TyOE/xG3muGx44MG4Yx:VDgINfAuBcgcZG2uG24MG4Y

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
328	astyjuf.exe
1724	~DFA53.tmp
1884	xehulef.exe

Deletes itself 1 IoCs

pid	Process
2028	cmd.exe

Loads dropped DLL 3 IoCs

pid	Process
1096	69d128d489d053cbfa9616e1987514ce5a58136d7ac11179df8e7451b8fdd5e6.exe
328	astyjuf.exe
1724	~DFA53.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
1884	xehulef.exe
1884	xehulef.exe
1884	xehulef.exe
1884	xehulef.exe
1884	xehulef.exe
1884	xehulef.exe
1884	xehulef.exe
1884	xehulef.exe
1884	xehulef.exe
1884	xehulef.exe
1884	xehulef.exe
1884	xehulef.exe
1884	xehulef.exe
1884	xehulef.exe
1884	xehulef.exe
1884	xehulef.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1724	~DFA53.tmp

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1096 wrote to memory of 328	1096	69d128d489d053cbfa9616e1987514ce5a58136d7ac11179df8e7451b8fdd5e6.exe	27
PID 1096 wrote to memory of 328	1096	69d128d489d053cbfa9616e1987514ce5a58136d7ac11179df8e7451b8fdd5e6.exe	27
PID 1096 wrote to memory of 328	1096	69d128d489d053cbfa9616e1987514ce5a58136d7ac11179df8e7451b8fdd5e6.exe	27
PID 1096 wrote to memory of 328	1096	69d128d489d053cbfa9616e1987514ce5a58136d7ac11179df8e7451b8fdd5e6.exe	27
PID 328 wrote to memory of 1724	328	astyjuf.exe	28
PID 328 wrote to memory of 1724	328	astyjuf.exe	28
PID 328 wrote to memory of 1724	328	astyjuf.exe	28
PID 328 wrote to memory of 1724	328	astyjuf.exe	28
PID 1096 wrote to memory of 2028	1096	69d128d489d053cbfa9616e1987514ce5a58136d7ac11179df8e7451b8fdd5e6.exe	29
PID 1096 wrote to memory of 2028	1096	69d128d489d053cbfa9616e1987514ce5a58136d7ac11179df8e7451b8fdd5e6.exe	29
PID 1096 wrote to memory of 2028	1096	69d128d489d053cbfa9616e1987514ce5a58136d7ac11179df8e7451b8fdd5e6.exe	29
PID 1096 wrote to memory of 2028	1096	69d128d489d053cbfa9616e1987514ce5a58136d7ac11179df8e7451b8fdd5e6.exe	29
PID 1724 wrote to memory of 1884	1724	~DFA53.tmp	31
PID 1724 wrote to memory of 1884	1724	~DFA53.tmp	31
PID 1724 wrote to memory of 1884	1724	~DFA53.tmp	31
PID 1724 wrote to memory of 1884	1724	~DFA53.tmp	31

C:\Users\Admin\AppData\Local\Temp\69d128d489d053cbfa9616e1987514ce5a58136d7ac11179df8e7451b8fdd5e6.exe
"C:\Users\Admin\AppData\Local\Temp\69d128d489d053cbfa9616e1987514ce5a58136d7ac11179df8e7451b8fdd5e6.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1096
- C:\Users\Admin\AppData\Local\Temp\astyjuf.exe
  C:\Users\Admin\AppData\Local\Temp\astyjuf.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:328
- - C:\Users\Admin\AppData\Local\Temp\~DFA53.tmp
    C:\Users\Admin\AppData\Local\Temp\~DFA53.tmp OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1724
  - - C:\Users\Admin\AppData\Local\Temp\xehulef.exe
      "C:\Users\Admin\AppData\Local\Temp\xehulef.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:1884
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
  2⤵
  - Deletes itself
  PID:2028

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uninsep.bat

Filesize
341B

MD5
75f6c935639639c8cab1e6b4f2493ab8

SHA1
e04780b1268c010c9fd517765847a6fad8ec986c

SHA256
645a856e478e5e448565208403f10f2bb0919844854a6088e14a1b2a834c4ff0

SHA512
7ada63ca2781db3ae5ec26a4a67bf3b2a3430bcc7a9f7415629c607fb07c93f8c4a75f78e685b60f6ccc8c60066700bb2732105cbee32d06a5e6fdfd64d4058a

Download Submit
C:\Users\Admin\AppData\Local\Temp\astyjuf.exe

Filesize
612KB

MD5
e66333914f6c09d94f9a87ed08ac3511

SHA1
a10c4da31595b44dd8e7bdcb8fa14e641fc5a46b

SHA256
d4dae59dc362909b189b7144124ada763d3ffe7eb7a9239ea2e7062e72ac8349

SHA512
a61afc9edfd230a438b0b7fe81582fb8597e2b74f064788fec50437413e1a3c3a255a935268286c663910523e7e37506456c26c6a824c0a4690380f579613224

Download Submit
C:\Users\Admin\AppData\Local\Temp\astyjuf.exe

Filesize
612KB

MD5
e66333914f6c09d94f9a87ed08ac3511

SHA1
a10c4da31595b44dd8e7bdcb8fa14e641fc5a46b

SHA256
d4dae59dc362909b189b7144124ada763d3ffe7eb7a9239ea2e7062e72ac8349

SHA512
a61afc9edfd230a438b0b7fe81582fb8597e2b74f064788fec50437413e1a3c3a255a935268286c663910523e7e37506456c26c6a824c0a4690380f579613224

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
86bb2dbeaef655893262f3c041f6afe2

SHA1
1b26ff1241c1353bd506c18bd0c11878076ba65d

SHA256
4a57643d2c59d1235bc0926f845583f39345839e3e9428ad619eb4b6baf96ad2

SHA512
58294cfaa5882a4c5625c03fe6f9e4882912b31f7169241f95626745d66c0a746083a9044365943d66ae7a420113d28c0ddd642c4ed697c683deb63796a13d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
480B

MD5
48afbedb0a1427311f9c0de93851bf66

SHA1
a68d9b5629013938c043cf0fde77a4e502af214b

SHA256
fb09640da6e3b677a8015fc42d95010bdbc370a5ed827d1f74104bf475bde047

SHA512
9cd9737d0561c69be0fe695aa8c649842e9164266f9bf35d7b2e35b61e2c2c3a580b4c2a0001923c21b7e7d2ef1c3367da80c6ae88d62eabbdb382a0213a0ed6

Download Submit
C:\Users\Admin\AppData\Local\Temp\xehulef.exe

Filesize
400KB

MD5
31e68f90dfe87fd39333e259619f377b

SHA1
3dc6b9d4747184336506b51f4c2866900bc33715

SHA256
77c1b18b3692c97d900acd41a88d3da00e40b9e2398c6bd69bf8b9c2085f23f1

SHA512
35202cd00dd3515bc9ce71fec8153e87248de3a0d26c60dd668f4a1483696107a92e112a4d96873dda769e3525f01d4baa0eb84e2b810ecb16c5bf34a1f52fe8

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA53.tmp

Filesize
614KB

MD5
3053a07920fece837abe1949ea522e36

SHA1
5f8fa5cce5f1fcb1032e57bf744f30dc3ce708f1

SHA256
795a0474f50a52ff2c19dbde7e5c200574e66db14d5a89ec5eea0f7788ff2c3e

SHA512
d5855e39c3f1db191a7d38404287e36cd35a999d409a48246118c69df10c481fd746a3f4b30c95ea6dd8811a13f5b59936d7f2d54cf5f4fd83b3a72f277bd6f9

Download Submit
\Users\Admin\AppData\Local\Temp\astyjuf.exe

Filesize
612KB

MD5
e66333914f6c09d94f9a87ed08ac3511

SHA1
a10c4da31595b44dd8e7bdcb8fa14e641fc5a46b

SHA256
d4dae59dc362909b189b7144124ada763d3ffe7eb7a9239ea2e7062e72ac8349

SHA512
a61afc9edfd230a438b0b7fe81582fb8597e2b74f064788fec50437413e1a3c3a255a935268286c663910523e7e37506456c26c6a824c0a4690380f579613224

Download Submit
\Users\Admin\AppData\Local\Temp\xehulef.exe

Filesize
400KB

MD5
31e68f90dfe87fd39333e259619f377b

SHA1
3dc6b9d4747184336506b51f4c2866900bc33715

SHA256
77c1b18b3692c97d900acd41a88d3da00e40b9e2398c6bd69bf8b9c2085f23f1

SHA512
35202cd00dd3515bc9ce71fec8153e87248de3a0d26c60dd668f4a1483696107a92e112a4d96873dda769e3525f01d4baa0eb84e2b810ecb16c5bf34a1f52fe8

Download Submit
\Users\Admin\AppData\Local\Temp\~DFA53.tmp

Filesize
614KB

MD5
3053a07920fece837abe1949ea522e36

SHA1
5f8fa5cce5f1fcb1032e57bf744f30dc3ce708f1

SHA256
795a0474f50a52ff2c19dbde7e5c200574e66db14d5a89ec5eea0f7788ff2c3e

SHA512
d5855e39c3f1db191a7d38404287e36cd35a999d409a48246118c69df10c481fd746a3f4b30c95ea6dd8811a13f5b59936d7f2d54cf5f4fd83b3a72f277bd6f9

Download Submit
memory/328-70-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/328-73-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/328-71-0x0000000002BC0000-0x0000000002C9E000-memory.dmp

Filesize
888KB

Download
memory/1096-68-0x0000000001EE0000-0x0000000001FBE000-memory.dmp

Filesize
888KB

Download
memory/1096-54-0x0000000075ED1000-0x0000000075ED3000-memory.dmp

Filesize
8KB

Download
memory/1096-67-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1096-55-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1724-72-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1724-74-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1724-78-0x00000000035C0000-0x00000000036FE000-memory.dmp

Filesize
1.2MB

Download
memory/1884-79-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download