0ff6fff3d90128804210326e3001c3b96f0022d895b4b6e0061c01c22c646b22

Analysis

max time kernel
152s
max time network
113s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
21/10/2022, 05:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0ff6fff3d90128804210326e3001c3b96f0022d895b4b6e0061c01c22c646b22.exe
Size

601KB
MD5

5b74956b9e58e44f86b882672967a5f0
SHA1

5e6a2d2686f72a4eecfd95a4a85a6097f46060a0
SHA256

0ff6fff3d90128804210326e3001c3b96f0022d895b4b6e0061c01c22c646b22
SHA512

87e5961e97c4eff458a2ca2406144744516af5bc174e1e953e0ceeb0fa7eb5041873fc87022ca7c342cd76e3cdf47e9eb8ba073640f6a974a29ffdcf9baafc04
SSDEEP

12288:OHjcoe9PH96vB/fAuBcm9TyOE/xG3muGx44MG4Yx:ODgINfAuBcgcZG2uG24MG4Y

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1956	fisosoj.exe
912	~DFA5D.tmp
1220	igzisrj.exe

Deletes itself 1 IoCs

pid	Process
1480	cmd.exe

Loads dropped DLL 3 IoCs

pid	Process
876	0ff6fff3d90128804210326e3001c3b96f0022d895b4b6e0061c01c22c646b22.exe
1956	fisosoj.exe
912	~DFA5D.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
1220	igzisrj.exe
1220	igzisrj.exe
1220	igzisrj.exe
1220	igzisrj.exe
1220	igzisrj.exe
1220	igzisrj.exe
1220	igzisrj.exe
1220	igzisrj.exe
1220	igzisrj.exe
1220	igzisrj.exe
1220	igzisrj.exe
1220	igzisrj.exe
1220	igzisrj.exe
1220	igzisrj.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	912	~DFA5D.tmp

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 876 wrote to memory of 1956	876	0ff6fff3d90128804210326e3001c3b96f0022d895b4b6e0061c01c22c646b22.exe	28
PID 876 wrote to memory of 1956	876	0ff6fff3d90128804210326e3001c3b96f0022d895b4b6e0061c01c22c646b22.exe	28
PID 876 wrote to memory of 1956	876	0ff6fff3d90128804210326e3001c3b96f0022d895b4b6e0061c01c22c646b22.exe	28
PID 876 wrote to memory of 1956	876	0ff6fff3d90128804210326e3001c3b96f0022d895b4b6e0061c01c22c646b22.exe	28
PID 1956 wrote to memory of 912	1956	fisosoj.exe	29
PID 1956 wrote to memory of 912	1956	fisosoj.exe	29
PID 1956 wrote to memory of 912	1956	fisosoj.exe	29
PID 1956 wrote to memory of 912	1956	fisosoj.exe	29
PID 876 wrote to memory of 1480	876	0ff6fff3d90128804210326e3001c3b96f0022d895b4b6e0061c01c22c646b22.exe	30
PID 876 wrote to memory of 1480	876	0ff6fff3d90128804210326e3001c3b96f0022d895b4b6e0061c01c22c646b22.exe	30
PID 876 wrote to memory of 1480	876	0ff6fff3d90128804210326e3001c3b96f0022d895b4b6e0061c01c22c646b22.exe	30
PID 876 wrote to memory of 1480	876	0ff6fff3d90128804210326e3001c3b96f0022d895b4b6e0061c01c22c646b22.exe	30
PID 912 wrote to memory of 1220	912	~DFA5D.tmp	32
PID 912 wrote to memory of 1220	912	~DFA5D.tmp	32
PID 912 wrote to memory of 1220	912	~DFA5D.tmp	32
PID 912 wrote to memory of 1220	912	~DFA5D.tmp	32

C:\Users\Admin\AppData\Local\Temp\0ff6fff3d90128804210326e3001c3b96f0022d895b4b6e0061c01c22c646b22.exe
"C:\Users\Admin\AppData\Local\Temp\0ff6fff3d90128804210326e3001c3b96f0022d895b4b6e0061c01c22c646b22.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:876
- C:\Users\Admin\AppData\Local\Temp\fisosoj.exe
  C:\Users\Admin\AppData\Local\Temp\fisosoj.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1956
- - C:\Users\Admin\AppData\Local\Temp\~DFA5D.tmp
    C:\Users\Admin\AppData\Local\Temp\~DFA5D.tmp OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:912
  - - C:\Users\Admin\AppData\Local\Temp\igzisrj.exe
      "C:\Users\Admin\AppData\Local\Temp\igzisrj.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:1220
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
  2⤵
  - Deletes itself
  PID:1480

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uninsep.bat

Filesize
341B

MD5
01ffb4c18f4ce85b82046d7ae17a1093

SHA1
0bdc813c485870312056a682494d442472f2e4e6

SHA256
35815e11f1a25b3f3c5b319517a13fa2a51cef7506793afa3960a1736659de07

SHA512
672eea9331a36dc546ee6d15ca2fc6079c0d4fa3b9449dfb09d1644c662bef32a76c156a02eacef365b8683a3ddaf1c61fce0cbd6f8d7d8f521fbbb4a4a36f5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\fisosoj.exe

Filesize
604KB

MD5
5863595eb885eb5d6bfb28a96e545e97

SHA1
99299e6ff79c1248e31620e602d5e517650880c5

SHA256
e7bdeefd6d5f4df17f2ec371643e854d4c7d3f124de065650ee007ae0b04fffd

SHA512
5d963fc42814e745309688b036bd20feecc32d4d229f550a98aa173287e677d32da2bd4dfdf55d9d1772ef4815352284f8ca0d48d6e7dabd6f9cd058fb34ff8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\fisosoj.exe

Filesize
604KB

MD5
5863595eb885eb5d6bfb28a96e545e97

SHA1
99299e6ff79c1248e31620e602d5e517650880c5

SHA256
e7bdeefd6d5f4df17f2ec371643e854d4c7d3f124de065650ee007ae0b04fffd

SHA512
5d963fc42814e745309688b036bd20feecc32d4d229f550a98aa173287e677d32da2bd4dfdf55d9d1772ef4815352284f8ca0d48d6e7dabd6f9cd058fb34ff8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
86bb2dbeaef655893262f3c041f6afe2

SHA1
1b26ff1241c1353bd506c18bd0c11878076ba65d

SHA256
4a57643d2c59d1235bc0926f845583f39345839e3e9428ad619eb4b6baf96ad2

SHA512
58294cfaa5882a4c5625c03fe6f9e4882912b31f7169241f95626745d66c0a746083a9044365943d66ae7a420113d28c0ddd642c4ed697c683deb63796a13d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
480B

MD5
482a42b56a0d37b0500250c8817ce391

SHA1
12f517831c505c0b8198b47ff22816f0bffa3529

SHA256
fd0565efc5ac581ad76b5def848b64104a5bd55a3ad13c6463d244ed43efa484

SHA512
1757d2db8ad03da41c0769eab13981d656816317c422062dc63d8f75396aac9ee34db7f571fc816710234ab48566ebc7a00ba72f92dddd7c08a20aa03f07b4f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\igzisrj.exe

Filesize
370KB

MD5
f9cc94a4f3b056e04ccc1c39010c9658

SHA1
86be6c257e5483bae28e9531259735ea09525349

SHA256
29a518cd45e1a11f47443a5a598416eded6bc8c73849b2322a9828e0818d91e3

SHA512
724a2d33ddfee4f5c079f4af046f1c721cd1f73a43d9938aace58dbd1c64ffc4eb8d094978a79b75488d973eccbafdb8b491c5c2c1c431edb68308d63da3755e

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA5D.tmp

Filesize
607KB

MD5
9ea6e2187435386e301aef8f64dfed71

SHA1
b44d05fab5c0b0449c3d217eaf37eb577d683e80

SHA256
beb5efbaf50dd0898d4bba44903f7ba71d2cfe63fdb9efc4dd3153bed62a340e

SHA512
a63b33fbb1475105f22f4afca2e99bc841d88677b9df5cb915bd7493586fccf36f3a4d2ad6ee9085b8fca0cc002d54f9a1d2f2a0079fc66ceb994e981d9fb4fe

Download Submit
\Users\Admin\AppData\Local\Temp\fisosoj.exe

Filesize
604KB

MD5
5863595eb885eb5d6bfb28a96e545e97

SHA1
99299e6ff79c1248e31620e602d5e517650880c5

SHA256
e7bdeefd6d5f4df17f2ec371643e854d4c7d3f124de065650ee007ae0b04fffd

SHA512
5d963fc42814e745309688b036bd20feecc32d4d229f550a98aa173287e677d32da2bd4dfdf55d9d1772ef4815352284f8ca0d48d6e7dabd6f9cd058fb34ff8f

Download Submit
\Users\Admin\AppData\Local\Temp\igzisrj.exe

Filesize
370KB

MD5
f9cc94a4f3b056e04ccc1c39010c9658

SHA1
86be6c257e5483bae28e9531259735ea09525349

SHA256
29a518cd45e1a11f47443a5a598416eded6bc8c73849b2322a9828e0818d91e3

SHA512
724a2d33ddfee4f5c079f4af046f1c721cd1f73a43d9938aace58dbd1c64ffc4eb8d094978a79b75488d973eccbafdb8b491c5c2c1c431edb68308d63da3755e

Download Submit
\Users\Admin\AppData\Local\Temp\~DFA5D.tmp

Filesize
607KB

MD5
9ea6e2187435386e301aef8f64dfed71

SHA1
b44d05fab5c0b0449c3d217eaf37eb577d683e80

SHA256
beb5efbaf50dd0898d4bba44903f7ba71d2cfe63fdb9efc4dd3153bed62a340e

SHA512
a63b33fbb1475105f22f4afca2e99bc841d88677b9df5cb915bd7493586fccf36f3a4d2ad6ee9085b8fca0cc002d54f9a1d2f2a0079fc66ceb994e981d9fb4fe

Download Submit
memory/876-68-0x0000000001DD0000-0x0000000001EAE000-memory.dmp

Filesize
888KB

Download
memory/876-54-0x0000000075B11000-0x0000000075B13000-memory.dmp

Filesize
8KB

Download
memory/876-67-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/876-55-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/912-72-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/912-74-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/912-76-0x0000000003720000-0x000000000385E000-memory.dmp

Filesize
1.2MB

Download
memory/1220-79-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/1956-70-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1956-73-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1956-71-0x0000000002D00000-0x0000000002DDE000-memory.dmp

Filesize
888KB

Download