15d87fa63c2d44db960dac1f3849372745f6288d41d8fa844dcf931b951611ba

Analysis

max time kernel
150s
max time network
69s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
21/10/2022, 05:32

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

15d87fa63c2d44db960dac1f3849372745f6288d41d8fa844dcf931b951611ba.exe
Size

633KB
MD5

737ecb53912b15bb0af81136411683c0
SHA1

5950bc5f39a2150be583834e9884fbfb2bdaec7b
SHA256

15d87fa63c2d44db960dac1f3849372745f6288d41d8fa844dcf931b951611ba
SHA512

f31927388c821e2fd28490859f683a0438e4fed2dce87329d8dbc80e13b69836fe9e0b73e62b50340f3da8f3aa50a924f68f57a5468618eb20a44b7c1ebf0c03
SSDEEP

12288:VHjcoe9PH96vB/fAuBcm9TyOE/xG3muGx44MG4Yx:VDgINfAuBcgcZG2uG24MG4Y

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1692	javeupb.exe
1972	~DFA52.tmp
1112	duzuyj.exe

Deletes itself 1 IoCs

pid	Process
1308	cmd.exe

Loads dropped DLL 3 IoCs

pid	Process
1736	15d87fa63c2d44db960dac1f3849372745f6288d41d8fa844dcf931b951611ba.exe
1692	javeupb.exe
1972	~DFA52.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
1112	duzuyj.exe
1112	duzuyj.exe
1112	duzuyj.exe
1112	duzuyj.exe
1112	duzuyj.exe
1112	duzuyj.exe
1112	duzuyj.exe
1112	duzuyj.exe
1112	duzuyj.exe
1112	duzuyj.exe
1112	duzuyj.exe
1112	duzuyj.exe
1112	duzuyj.exe
1112	duzuyj.exe
1112	duzuyj.exe
1112	duzuyj.exe
1112	duzuyj.exe
1112	duzuyj.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1972	~DFA52.tmp

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1736 wrote to memory of 1692	1736	15d87fa63c2d44db960dac1f3849372745f6288d41d8fa844dcf931b951611ba.exe	27
PID 1736 wrote to memory of 1692	1736	15d87fa63c2d44db960dac1f3849372745f6288d41d8fa844dcf931b951611ba.exe	27
PID 1736 wrote to memory of 1692	1736	15d87fa63c2d44db960dac1f3849372745f6288d41d8fa844dcf931b951611ba.exe	27
PID 1736 wrote to memory of 1692	1736	15d87fa63c2d44db960dac1f3849372745f6288d41d8fa844dcf931b951611ba.exe	27
PID 1692 wrote to memory of 1972	1692	javeupb.exe	28
PID 1692 wrote to memory of 1972	1692	javeupb.exe	28
PID 1692 wrote to memory of 1972	1692	javeupb.exe	28
PID 1692 wrote to memory of 1972	1692	javeupb.exe	28
PID 1736 wrote to memory of 1308	1736	15d87fa63c2d44db960dac1f3849372745f6288d41d8fa844dcf931b951611ba.exe	30
PID 1736 wrote to memory of 1308	1736	15d87fa63c2d44db960dac1f3849372745f6288d41d8fa844dcf931b951611ba.exe	30
PID 1736 wrote to memory of 1308	1736	15d87fa63c2d44db960dac1f3849372745f6288d41d8fa844dcf931b951611ba.exe	30
PID 1736 wrote to memory of 1308	1736	15d87fa63c2d44db960dac1f3849372745f6288d41d8fa844dcf931b951611ba.exe	30
PID 1972 wrote to memory of 1112	1972	~DFA52.tmp	31
PID 1972 wrote to memory of 1112	1972	~DFA52.tmp	31
PID 1972 wrote to memory of 1112	1972	~DFA52.tmp	31
PID 1972 wrote to memory of 1112	1972	~DFA52.tmp	31

C:\Users\Admin\AppData\Local\Temp\15d87fa63c2d44db960dac1f3849372745f6288d41d8fa844dcf931b951611ba.exe
"C:\Users\Admin\AppData\Local\Temp\15d87fa63c2d44db960dac1f3849372745f6288d41d8fa844dcf931b951611ba.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1736
- C:\Users\Admin\AppData\Local\Temp\javeupb.exe
  C:\Users\Admin\AppData\Local\Temp\javeupb.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1692
- - C:\Users\Admin\AppData\Local\Temp\~DFA52.tmp
    C:\Users\Admin\AppData\Local\Temp\~DFA52.tmp OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1972
  - - C:\Users\Admin\AppData\Local\Temp\duzuyj.exe
      "C:\Users\Admin\AppData\Local\Temp\duzuyj.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:1112
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
  2⤵
  - Deletes itself
  PID:1308

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uninsep.bat

Filesize
341B

MD5
572b5205275875ab613dbb85d4f68e14

SHA1
38e75dccd978d9950653fc671e4ad969fc0ca27b

SHA256
09ea0b352c8608033a0fa24f93d31bcb600d7bdb15aae8d4b92ec60dcf6fffcb

SHA512
13eb9b9ab04a07c515a3a881892c0e768745cb9ffa1264eda28fac0202dd8804de3412496805229aec0c7d63ce27dbbcdde34866eb8608c7261805264e0c9670

Download Submit
C:\Users\Admin\AppData\Local\Temp\duzuyj.exe

Filesize
395KB

MD5
5134d8e46f7de3d04af0a6ab0e59ff35

SHA1
d78fb352925db112b76012a290ee3e234f35dcce

SHA256
a7cfd059cabe4c812462342ba5f37a877a15e561a29927d0630b45323471ab98

SHA512
b85be6d3dcbe1f3173c1576ab187c6cf98e807958a8dd0cc6e27ba800c79440aa4e02277b651be2a8176e98447221788e3aaaa59dcabfc897e77ec632a0a166c

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
86bb2dbeaef655893262f3c041f6afe2

SHA1
1b26ff1241c1353bd506c18bd0c11878076ba65d

SHA256
4a57643d2c59d1235bc0926f845583f39345839e3e9428ad619eb4b6baf96ad2

SHA512
58294cfaa5882a4c5625c03fe6f9e4882912b31f7169241f95626745d66c0a746083a9044365943d66ae7a420113d28c0ddd642c4ed697c683deb63796a13d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
480B

MD5
2018ec799d8ada2a2e2fc2cff2461267

SHA1
f3d40db06c2cf8fca8d144a62442c494b1b9bdff

SHA256
e666b0f9572ad5b9076ed4d19b9fe6626932f1a18b2b4babb5ab02d2e971c51f

SHA512
76818e7ce0a8565b9971c661ea4ad78639dd92cf71f7b3ce53d07d739edcb672fd0a62e0aa5371eb54413bcd30b44bbf716ab9919c5e1272df7f296bce9178f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\javeupb.exe

Filesize
635KB

MD5
64ac010eb073528c516515b663d9ea1a

SHA1
e2afd4c42fceba3940f81c79c4190bcd690a920b

SHA256
c43ae5008a4a7a5523446010a540013689905a9e9b74a31eca37a3ddc4882b37

SHA512
c3e1838fdfba7d4b13c4614a34329e4ec209b6db12745034e73c0f2bb48e4c1b7c52ac449ef46ed0c93c4d561e78a4e5d95022d29a4a4ed9bc8982e4cb33672e

Download Submit
C:\Users\Admin\AppData\Local\Temp\javeupb.exe

Filesize
635KB

MD5
64ac010eb073528c516515b663d9ea1a

SHA1
e2afd4c42fceba3940f81c79c4190bcd690a920b

SHA256
c43ae5008a4a7a5523446010a540013689905a9e9b74a31eca37a3ddc4882b37

SHA512
c3e1838fdfba7d4b13c4614a34329e4ec209b6db12745034e73c0f2bb48e4c1b7c52ac449ef46ed0c93c4d561e78a4e5d95022d29a4a4ed9bc8982e4cb33672e

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA52.tmp

Filesize
638KB

MD5
bc4d1c371bcf7eea2af6d72120fe77dc

SHA1
c295776a0cfd8fc32fc205c100568a55d5497e4b

SHA256
6636090a9c696a61716e15d48bb92d9b350485bc8adc65cc5d18ecbeedd5731b

SHA512
f626c1a65ef1a7caa4d790912bc8b3d05f3b0596baef09a684fbdc151599fa9d978df990b05b2c4ec1fa05cb821f679bf758c098ac0311fa1e03e1f20d392265

Download Submit
\Users\Admin\AppData\Local\Temp\duzuyj.exe

Filesize
395KB

MD5
5134d8e46f7de3d04af0a6ab0e59ff35

SHA1
d78fb352925db112b76012a290ee3e234f35dcce

SHA256
a7cfd059cabe4c812462342ba5f37a877a15e561a29927d0630b45323471ab98

SHA512
b85be6d3dcbe1f3173c1576ab187c6cf98e807958a8dd0cc6e27ba800c79440aa4e02277b651be2a8176e98447221788e3aaaa59dcabfc897e77ec632a0a166c

Download Submit
\Users\Admin\AppData\Local\Temp\javeupb.exe

Filesize
635KB

MD5
64ac010eb073528c516515b663d9ea1a

SHA1
e2afd4c42fceba3940f81c79c4190bcd690a920b

SHA256
c43ae5008a4a7a5523446010a540013689905a9e9b74a31eca37a3ddc4882b37

SHA512
c3e1838fdfba7d4b13c4614a34329e4ec209b6db12745034e73c0f2bb48e4c1b7c52ac449ef46ed0c93c4d561e78a4e5d95022d29a4a4ed9bc8982e4cb33672e

Download Submit
\Users\Admin\AppData\Local\Temp\~DFA52.tmp

Filesize
638KB

MD5
bc4d1c371bcf7eea2af6d72120fe77dc

SHA1
c295776a0cfd8fc32fc205c100568a55d5497e4b

SHA256
6636090a9c696a61716e15d48bb92d9b350485bc8adc65cc5d18ecbeedd5731b

SHA512
f626c1a65ef1a7caa4d790912bc8b3d05f3b0596baef09a684fbdc151599fa9d978df990b05b2c4ec1fa05cb821f679bf758c098ac0311fa1e03e1f20d392265

Download Submit
memory/1112-80-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/1692-73-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1692-70-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1692-71-0x0000000002B60000-0x0000000002C3E000-memory.dmp

Filesize
888KB

Download
memory/1736-68-0x0000000001E70000-0x0000000001F4E000-memory.dmp

Filesize
888KB

Download
memory/1736-54-0x0000000075A81000-0x0000000075A83000-memory.dmp

Filesize
8KB

Download
memory/1736-67-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1736-55-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1972-74-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1972-72-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1972-79-0x0000000003910000-0x0000000003A4E000-memory.dmp

Filesize
1.2MB

Download