82043e3fd9922ee295ab24e5fa98aa5b12272e0b4e9b0a4566ebbbdc651fcda0

Analysis

max time kernel
150s
max time network
71s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
29/10/2022, 20:42

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

82043e3fd9922ee295ab24e5fa98aa5b12272e0b4e9b0a4566ebbbdc651fcda0.exe
Size

670KB
MD5

84c0ca7012d5eecfe169bcc89a8020d0
SHA1

fcd0985671f078cf0e24ea8a114f15d1725a2360
SHA256

82043e3fd9922ee295ab24e5fa98aa5b12272e0b4e9b0a4566ebbbdc651fcda0
SHA512

1f9b3778fed1003240d745c067d0701c2d66346de937febbacfcf560a4d57098a61b8de76f0df7ff2abce1049b3f3710a72ff26f6751dc9b452f0f770d9ddf0e
SSDEEP

12288:VHjcoe9PH96vB/fAuBcm9TyOE/xG3muGx44MG4Yx:VDgINfAuBcgcZG2uG24MG4Y

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1252	nyqyvui.exe
276	~DFA51.tmp
896	dipuwop.exe

Deletes itself 1 IoCs

pid	Process
1560	cmd.exe

Loads dropped DLL 3 IoCs

pid	Process
1308	82043e3fd9922ee295ab24e5fa98aa5b12272e0b4e9b0a4566ebbbdc651fcda0.exe
1252	nyqyvui.exe
276	~DFA51.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
896	dipuwop.exe
896	dipuwop.exe
896	dipuwop.exe
896	dipuwop.exe
896	dipuwop.exe
896	dipuwop.exe
896	dipuwop.exe
896	dipuwop.exe
896	dipuwop.exe
896	dipuwop.exe
896	dipuwop.exe
896	dipuwop.exe
896	dipuwop.exe
896	dipuwop.exe
896	dipuwop.exe
896	dipuwop.exe
896	dipuwop.exe
896	dipuwop.exe
896	dipuwop.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	276	~DFA51.tmp

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1308 wrote to memory of 1252	1308	82043e3fd9922ee295ab24e5fa98aa5b12272e0b4e9b0a4566ebbbdc651fcda0.exe	27
PID 1308 wrote to memory of 1252	1308	82043e3fd9922ee295ab24e5fa98aa5b12272e0b4e9b0a4566ebbbdc651fcda0.exe	27
PID 1308 wrote to memory of 1252	1308	82043e3fd9922ee295ab24e5fa98aa5b12272e0b4e9b0a4566ebbbdc651fcda0.exe	27
PID 1308 wrote to memory of 1252	1308	82043e3fd9922ee295ab24e5fa98aa5b12272e0b4e9b0a4566ebbbdc651fcda0.exe	27
PID 1308 wrote to memory of 1560	1308	82043e3fd9922ee295ab24e5fa98aa5b12272e0b4e9b0a4566ebbbdc651fcda0.exe	28
PID 1308 wrote to memory of 1560	1308	82043e3fd9922ee295ab24e5fa98aa5b12272e0b4e9b0a4566ebbbdc651fcda0.exe	28
PID 1308 wrote to memory of 1560	1308	82043e3fd9922ee295ab24e5fa98aa5b12272e0b4e9b0a4566ebbbdc651fcda0.exe	28
PID 1308 wrote to memory of 1560	1308	82043e3fd9922ee295ab24e5fa98aa5b12272e0b4e9b0a4566ebbbdc651fcda0.exe	28
PID 1252 wrote to memory of 276	1252	nyqyvui.exe	30
PID 1252 wrote to memory of 276	1252	nyqyvui.exe	30
PID 1252 wrote to memory of 276	1252	nyqyvui.exe	30
PID 1252 wrote to memory of 276	1252	nyqyvui.exe	30
PID 276 wrote to memory of 896	276	~DFA51.tmp	31
PID 276 wrote to memory of 896	276	~DFA51.tmp	31
PID 276 wrote to memory of 896	276	~DFA51.tmp	31
PID 276 wrote to memory of 896	276	~DFA51.tmp	31

C:\Users\Admin\AppData\Local\Temp\82043e3fd9922ee295ab24e5fa98aa5b12272e0b4e9b0a4566ebbbdc651fcda0.exe
"C:\Users\Admin\AppData\Local\Temp\82043e3fd9922ee295ab24e5fa98aa5b12272e0b4e9b0a4566ebbbdc651fcda0.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1308
- C:\Users\Admin\AppData\Local\Temp\nyqyvui.exe
  C:\Users\Admin\AppData\Local\Temp\nyqyvui.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1252
- - C:\Users\Admin\AppData\Local\Temp\~DFA51.tmp
    C:\Users\Admin\AppData\Local\Temp\~DFA51.tmp OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:276
  - - C:\Users\Admin\AppData\Local\Temp\dipuwop.exe
      "C:\Users\Admin\AppData\Local\Temp\dipuwop.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:896
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
  2⤵
  - Deletes itself
  PID:1560

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uninsep.bat

Filesize
341B

MD5
c9ef838e3064d3c5fe89a98b56759546

SHA1
28db3dd092a2b2df693dfb6dc44db1ba13f303e6

SHA256
1ca4b50aa34380d23ae5589046b77cf99b6573fc62f6ee45b66b22a5d4ff8af9

SHA512
7472a442e1af4e1e184ccf203f9d3b2321e672df687565b6263764f638f21ab261929eab9d6c482f47ad1e3fe5eca323ba4d25c69789d68affe165047849bf86

Download Submit
C:\Users\Admin\AppData\Local\Temp\dipuwop.exe

Filesize
375KB

MD5
b78f05ffa45815e887c40fccdb150650

SHA1
82d364b22207997ae1bb5ec42b2261e1bc9dda49

SHA256
8a2c7ba7fb7155a9878cfaee13934d6333bd7091f9a096d8b043a438e4f18ddb

SHA512
63da366e5c73e253a397d842aad3a21c8dc2fc56e48e42a9cbee78f2e9ac1fbae87407c2a79f755a0d9d38d2b3931afeee6c1d3b766a92f3253a6e0274fc5654

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
86bb2dbeaef655893262f3c041f6afe2

SHA1
1b26ff1241c1353bd506c18bd0c11878076ba65d

SHA256
4a57643d2c59d1235bc0926f845583f39345839e3e9428ad619eb4b6baf96ad2

SHA512
58294cfaa5882a4c5625c03fe6f9e4882912b31f7169241f95626745d66c0a746083a9044365943d66ae7a420113d28c0ddd642c4ed697c683deb63796a13d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
480B

MD5
c7f689a079ecc19010c0e73276ed6799

SHA1
7e96c95ba057e5a79c0fc5bb21705c7cea1cbb81

SHA256
61b2b64fb0d45da7b670640581ae66a38a04bbaf7ff1f4ba85cc75d213254d13

SHA512
e17d89345db302bae90157f7dcebfd1817e657d301395f901de6d881ce83737f67eafbd44892d093afcd865e37bb08b092444b9f596921f042b64b0aa4d86f74

Download Submit
C:\Users\Admin\AppData\Local\Temp\nyqyvui.exe

Filesize
671KB

MD5
f3280b46572d5a192d5b99d9f36720b7

SHA1
2d2a49264ec663c27a094a8a0660fa81552aeaf6

SHA256
044251b60392c027bcab8234ba2ca74bc2b329e476106ed968408464e823b171

SHA512
a4f94c06c36273903fa44bbf2b64819e1c72c0b280a74aebe2fcee095cb8265a6503eef077e4ee7ff1cde5d06b88ee905880746084bbaa4fa1ebbdafe8f4e89d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nyqyvui.exe

Filesize
671KB

MD5
f3280b46572d5a192d5b99d9f36720b7

SHA1
2d2a49264ec663c27a094a8a0660fa81552aeaf6

SHA256
044251b60392c027bcab8234ba2ca74bc2b329e476106ed968408464e823b171

SHA512
a4f94c06c36273903fa44bbf2b64819e1c72c0b280a74aebe2fcee095cb8265a6503eef077e4ee7ff1cde5d06b88ee905880746084bbaa4fa1ebbdafe8f4e89d

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA51.tmp

Filesize
672KB

MD5
f7b21d0b409ad354470319b5ce8bb76a

SHA1
98735a4cf79e26941eebca87cc966eff1ea6b245

SHA256
5ac84791b9e2a733e59ca895315794566e122cd81be67c86627e8ed2868246d9

SHA512
8664fbe944c7d30863a20a9adb00297a9d8aa2c82562a71a3d73c613a0822e9048110726e1b1620b4431171df11f896fe02fd37736df3618229612df0a1899ac

Download Submit
\Users\Admin\AppData\Local\Temp\dipuwop.exe

Filesize
375KB

MD5
b78f05ffa45815e887c40fccdb150650

SHA1
82d364b22207997ae1bb5ec42b2261e1bc9dda49

SHA256
8a2c7ba7fb7155a9878cfaee13934d6333bd7091f9a096d8b043a438e4f18ddb

SHA512
63da366e5c73e253a397d842aad3a21c8dc2fc56e48e42a9cbee78f2e9ac1fbae87407c2a79f755a0d9d38d2b3931afeee6c1d3b766a92f3253a6e0274fc5654

Download Submit
\Users\Admin\AppData\Local\Temp\nyqyvui.exe

Filesize
671KB

MD5
f3280b46572d5a192d5b99d9f36720b7

SHA1
2d2a49264ec663c27a094a8a0660fa81552aeaf6

SHA256
044251b60392c027bcab8234ba2ca74bc2b329e476106ed968408464e823b171

SHA512
a4f94c06c36273903fa44bbf2b64819e1c72c0b280a74aebe2fcee095cb8265a6503eef077e4ee7ff1cde5d06b88ee905880746084bbaa4fa1ebbdafe8f4e89d

Download Submit
\Users\Admin\AppData\Local\Temp\~DFA51.tmp

Filesize
672KB

MD5
f7b21d0b409ad354470319b5ce8bb76a

SHA1
98735a4cf79e26941eebca87cc966eff1ea6b245

SHA256
5ac84791b9e2a733e59ca895315794566e122cd81be67c86627e8ed2868246d9

SHA512
8664fbe944c7d30863a20a9adb00297a9d8aa2c82562a71a3d73c613a0822e9048110726e1b1620b4431171df11f896fe02fd37736df3618229612df0a1899ac

Download Submit
memory/276-74-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/276-79-0x0000000003610000-0x000000000374E000-memory.dmp

Filesize
1.2MB

Download
memory/276-71-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/896-80-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/1252-70-0x0000000002C60000-0x0000000002D3E000-memory.dmp

Filesize
888KB

Download
memory/1252-73-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1252-72-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1308-54-0x0000000074DA1000-0x0000000074DA3000-memory.dmp

Filesize
8KB

Download
memory/1308-55-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1308-62-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1308-63-0x0000000000670000-0x000000000074E000-memory.dmp

Filesize
888KB

Download