586a415e3269f1972f4762fb36bed4c93cad3ae6c41eec7e4cbd71fb4505708c

Analysis

max time kernel
187s
max time network
112s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
21/10/2022, 05:31

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

586a415e3269f1972f4762fb36bed4c93cad3ae6c41eec7e4cbd71fb4505708c.exe
Size

683KB
MD5

4de5c9bbc4b1c2962ab1ac611bafb9e0
SHA1

f996e54820919e7fb720f5009d2f09d1bca7a84d
SHA256

586a415e3269f1972f4762fb36bed4c93cad3ae6c41eec7e4cbd71fb4505708c
SHA512

2f89eaf0bfc0c6e2594b52a343ce49e1c427af5c7aec43f80546eee9c0d08305548a11d33f6616c81aae9ece4e1330644b4dc984fa47c31c45bd572847520908
SSDEEP

12288:VHjcoe9PH96vB/fAuBcm9TyOE/xG3muGx44MG4Yx:VDgINfAuBcgcZG2uG24MG4Y

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
960	xocukog.exe
1520	~DFA72.tmp
672	kabiril.exe

Deletes itself 1 IoCs

pid	Process
1528	cmd.exe

Loads dropped DLL 3 IoCs

pid	Process
1108	586a415e3269f1972f4762fb36bed4c93cad3ae6c41eec7e4cbd71fb4505708c.exe
960	xocukog.exe
1520	~DFA72.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
672	kabiril.exe
672	kabiril.exe
672	kabiril.exe
672	kabiril.exe
672	kabiril.exe
672	kabiril.exe
672	kabiril.exe
672	kabiril.exe
672	kabiril.exe
672	kabiril.exe
672	kabiril.exe
672	kabiril.exe
672	kabiril.exe
672	kabiril.exe
672	kabiril.exe
672	kabiril.exe
672	kabiril.exe
672	kabiril.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1520	~DFA72.tmp

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1108 wrote to memory of 960	1108	586a415e3269f1972f4762fb36bed4c93cad3ae6c41eec7e4cbd71fb4505708c.exe	28
PID 1108 wrote to memory of 960	1108	586a415e3269f1972f4762fb36bed4c93cad3ae6c41eec7e4cbd71fb4505708c.exe	28
PID 1108 wrote to memory of 960	1108	586a415e3269f1972f4762fb36bed4c93cad3ae6c41eec7e4cbd71fb4505708c.exe	28
PID 1108 wrote to memory of 960	1108	586a415e3269f1972f4762fb36bed4c93cad3ae6c41eec7e4cbd71fb4505708c.exe	28
PID 960 wrote to memory of 1520	960	xocukog.exe	29
PID 960 wrote to memory of 1520	960	xocukog.exe	29
PID 960 wrote to memory of 1520	960	xocukog.exe	29
PID 960 wrote to memory of 1520	960	xocukog.exe	29
PID 1108 wrote to memory of 1528	1108	586a415e3269f1972f4762fb36bed4c93cad3ae6c41eec7e4cbd71fb4505708c.exe	30
PID 1108 wrote to memory of 1528	1108	586a415e3269f1972f4762fb36bed4c93cad3ae6c41eec7e4cbd71fb4505708c.exe	30
PID 1108 wrote to memory of 1528	1108	586a415e3269f1972f4762fb36bed4c93cad3ae6c41eec7e4cbd71fb4505708c.exe	30
PID 1108 wrote to memory of 1528	1108	586a415e3269f1972f4762fb36bed4c93cad3ae6c41eec7e4cbd71fb4505708c.exe	30
PID 1520 wrote to memory of 672	1520	~DFA72.tmp	32
PID 1520 wrote to memory of 672	1520	~DFA72.tmp	32
PID 1520 wrote to memory of 672	1520	~DFA72.tmp	32
PID 1520 wrote to memory of 672	1520	~DFA72.tmp	32

C:\Users\Admin\AppData\Local\Temp\586a415e3269f1972f4762fb36bed4c93cad3ae6c41eec7e4cbd71fb4505708c.exe
"C:\Users\Admin\AppData\Local\Temp\586a415e3269f1972f4762fb36bed4c93cad3ae6c41eec7e4cbd71fb4505708c.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1108
- C:\Users\Admin\AppData\Local\Temp\xocukog.exe
  C:\Users\Admin\AppData\Local\Temp\xocukog.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:960
- - C:\Users\Admin\AppData\Local\Temp\~DFA72.tmp
    C:\Users\Admin\AppData\Local\Temp\~DFA72.tmp OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1520
  - - C:\Users\Admin\AppData\Local\Temp\kabiril.exe
      "C:\Users\Admin\AppData\Local\Temp\kabiril.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:672
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
  2⤵
  - Deletes itself
  PID:1528

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uninsep.bat

Filesize
341B

MD5
966c73fa00aec38fc9cd535ac9abaeec

SHA1
c441d36136db6cc4b55f97976a49b4a63c94c20a

SHA256
af8ba5248444da47e72e30237a0be1420231c088b72e55b02de7fd2cb883c59b

SHA512
57d441ff02260854b624f89c537549363746547bf866c8eabd60800db63c2f9f93741b7e9d80dac582544ffe4261430a8a2ab9f5618f6d64dfdcbfe56a9e1c3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
86bb2dbeaef655893262f3c041f6afe2

SHA1
1b26ff1241c1353bd506c18bd0c11878076ba65d

SHA256
4a57643d2c59d1235bc0926f845583f39345839e3e9428ad619eb4b6baf96ad2

SHA512
58294cfaa5882a4c5625c03fe6f9e4882912b31f7169241f95626745d66c0a746083a9044365943d66ae7a420113d28c0ddd642c4ed697c683deb63796a13d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
480B

MD5
9fa9f2f37e5ffaee99bf2a5ca4799512

SHA1
24c382ea6370d83c1d5b511f5e1f5bdea7d70d42

SHA256
b82f40525292d5651e7ced6a6be5f0d152275fa79cde1ef573fc93236f6d3472

SHA512
b134644753e4b7ec077d70918b0d852819199555eb997d8c2fb038a956e73579e656abca02d2e1fa088b61454646ea1ab22e2af2b680891007d4dda1a97c4e17

Download Submit
C:\Users\Admin\AppData\Local\Temp\kabiril.exe

Filesize
384KB

MD5
75a895ba29ff4a348980c70b9bf135e4

SHA1
b2a9fd5b4993f9d2fdb27eb67de57ce3759c9980

SHA256
5053387990b451ac2116052b8f9796d790216289c2071815a1be811355164480

SHA512
1186f6e9c21ad99e4700d62293de113725b1d873149fe6b5558d85216c81494e4117fcb5e8174a0f90a2d68c3a2b1eede23526628e4248819daa855a4d848607

Download Submit
C:\Users\Admin\AppData\Local\Temp\xocukog.exe

Filesize
687KB

MD5
4770ddc15584b9ff8e0a0ed04992802c

SHA1
5eb56fd46f1db45f4ebb286fa27215fabb983c4b

SHA256
1aea53386263d4a6586a4f3712e28ac9b4414f7360d1c6d1f68df45cea456e4a

SHA512
7e48f2b785c384fd76612ba9fa753d6f0319c467611dcbc4fb33b590c5048e92c9978744027dcc3fa8999babbefbe7959980b9732d7a0905fa262f9c40cf600b

Download Submit
C:\Users\Admin\AppData\Local\Temp\xocukog.exe

Filesize
687KB

MD5
4770ddc15584b9ff8e0a0ed04992802c

SHA1
5eb56fd46f1db45f4ebb286fa27215fabb983c4b

SHA256
1aea53386263d4a6586a4f3712e28ac9b4414f7360d1c6d1f68df45cea456e4a

SHA512
7e48f2b785c384fd76612ba9fa753d6f0319c467611dcbc4fb33b590c5048e92c9978744027dcc3fa8999babbefbe7959980b9732d7a0905fa262f9c40cf600b

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA72.tmp

Filesize
692KB

MD5
0c714cbbd3039e8df9a77daa55376b66

SHA1
4d85670bdcf9d5771f31c856ce51e617f0ab7762

SHA256
e2fa519bb51b6f2c88957f713c0aa6d211c4a58ad5d49fc6a5c778e79b37dc8d

SHA512
02edc21ade4f488d9793e47c24ddec7d221a12957f3477b1d7e8defbe937af5ae45968473a37f2abe4da9db4dd4e94e96b2dbfe36aec57fbc1d8b8e65402e049

Download Submit
\Users\Admin\AppData\Local\Temp\kabiril.exe

Filesize
384KB

MD5
75a895ba29ff4a348980c70b9bf135e4

SHA1
b2a9fd5b4993f9d2fdb27eb67de57ce3759c9980

SHA256
5053387990b451ac2116052b8f9796d790216289c2071815a1be811355164480

SHA512
1186f6e9c21ad99e4700d62293de113725b1d873149fe6b5558d85216c81494e4117fcb5e8174a0f90a2d68c3a2b1eede23526628e4248819daa855a4d848607

Download Submit
\Users\Admin\AppData\Local\Temp\xocukog.exe

Filesize
687KB

MD5
4770ddc15584b9ff8e0a0ed04992802c

SHA1
5eb56fd46f1db45f4ebb286fa27215fabb983c4b

SHA256
1aea53386263d4a6586a4f3712e28ac9b4414f7360d1c6d1f68df45cea456e4a

SHA512
7e48f2b785c384fd76612ba9fa753d6f0319c467611dcbc4fb33b590c5048e92c9978744027dcc3fa8999babbefbe7959980b9732d7a0905fa262f9c40cf600b

Download Submit
\Users\Admin\AppData\Local\Temp\~DFA72.tmp

Filesize
692KB

MD5
0c714cbbd3039e8df9a77daa55376b66

SHA1
4d85670bdcf9d5771f31c856ce51e617f0ab7762

SHA256
e2fa519bb51b6f2c88957f713c0aa6d211c4a58ad5d49fc6a5c778e79b37dc8d

SHA512
02edc21ade4f488d9793e47c24ddec7d221a12957f3477b1d7e8defbe937af5ae45968473a37f2abe4da9db4dd4e94e96b2dbfe36aec57fbc1d8b8e65402e049

Download Submit
memory/672-79-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/960-70-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/960-71-0x0000000002B60000-0x0000000002C3E000-memory.dmp

Filesize
888KB

Download
memory/960-73-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1108-54-0x00000000758C1000-0x00000000758C3000-memory.dmp

Filesize
8KB

Download
memory/1108-68-0x0000000001F00000-0x0000000001FDE000-memory.dmp

Filesize
888KB

Download
memory/1108-67-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1108-55-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1520-72-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1520-74-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1520-78-0x0000000003670000-0x00000000037AE000-memory.dmp

Filesize
1.2MB

Download