58822841c43f863ed444ce84e82806beb74160b2386f69b891583b26ae959a7a

Analysis

max time kernel
151s
max time network
72s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
30/10/2022, 08:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

58822841c43f863ed444ce84e82806beb74160b2386f69b891583b26ae959a7a.exe
Size

637KB
MD5

a302ebbb33d12c215ed1ad9e7817e370
SHA1

0fc0cc830c1c76779d3a4f1d4ea7511854b8c95e
SHA256

58822841c43f863ed444ce84e82806beb74160b2386f69b891583b26ae959a7a
SHA512

9e5dfe8e4574d5b93d2933b105fbed16793d398f30aeb748f43e93703bb350bf778bcd60adc8ec9f8b8eb032cefd825812eeb680107627bd743fa07b86661ff6
SSDEEP

12288:VHjcoe9PH96vB/fAuBcm9TyOE/xG3muGx44MG4Yx:VDgINfAuBcgcZG2uG24MG4Y

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
688	adcipae.exe
2032	~DFA4D.tmp
1080	ginuzoe.exe

Deletes itself 1 IoCs

pid	Process
1380	cmd.exe

Loads dropped DLL 3 IoCs

pid	Process
1384	58822841c43f863ed444ce84e82806beb74160b2386f69b891583b26ae959a7a.exe
688	adcipae.exe
2032	~DFA4D.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
1080	ginuzoe.exe
1080	ginuzoe.exe
1080	ginuzoe.exe
1080	ginuzoe.exe
1080	ginuzoe.exe
1080	ginuzoe.exe
1080	ginuzoe.exe
1080	ginuzoe.exe
1080	ginuzoe.exe
1080	ginuzoe.exe
1080	ginuzoe.exe
1080	ginuzoe.exe
1080	ginuzoe.exe
1080	ginuzoe.exe
1080	ginuzoe.exe
1080	ginuzoe.exe
1080	ginuzoe.exe
1080	ginuzoe.exe
1080	ginuzoe.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2032	~DFA4D.tmp

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1384 wrote to memory of 688	1384	58822841c43f863ed444ce84e82806beb74160b2386f69b891583b26ae959a7a.exe	28
PID 1384 wrote to memory of 688	1384	58822841c43f863ed444ce84e82806beb74160b2386f69b891583b26ae959a7a.exe	28
PID 1384 wrote to memory of 688	1384	58822841c43f863ed444ce84e82806beb74160b2386f69b891583b26ae959a7a.exe	28
PID 1384 wrote to memory of 688	1384	58822841c43f863ed444ce84e82806beb74160b2386f69b891583b26ae959a7a.exe	28
PID 688 wrote to memory of 2032	688	adcipae.exe	29
PID 688 wrote to memory of 2032	688	adcipae.exe	29
PID 688 wrote to memory of 2032	688	adcipae.exe	29
PID 688 wrote to memory of 2032	688	adcipae.exe	29
PID 1384 wrote to memory of 1380	1384	58822841c43f863ed444ce84e82806beb74160b2386f69b891583b26ae959a7a.exe	31
PID 1384 wrote to memory of 1380	1384	58822841c43f863ed444ce84e82806beb74160b2386f69b891583b26ae959a7a.exe	31
PID 1384 wrote to memory of 1380	1384	58822841c43f863ed444ce84e82806beb74160b2386f69b891583b26ae959a7a.exe	31
PID 1384 wrote to memory of 1380	1384	58822841c43f863ed444ce84e82806beb74160b2386f69b891583b26ae959a7a.exe	31
PID 2032 wrote to memory of 1080	2032	~DFA4D.tmp	32
PID 2032 wrote to memory of 1080	2032	~DFA4D.tmp	32
PID 2032 wrote to memory of 1080	2032	~DFA4D.tmp	32
PID 2032 wrote to memory of 1080	2032	~DFA4D.tmp	32

C:\Users\Admin\AppData\Local\Temp\58822841c43f863ed444ce84e82806beb74160b2386f69b891583b26ae959a7a.exe
"C:\Users\Admin\AppData\Local\Temp\58822841c43f863ed444ce84e82806beb74160b2386f69b891583b26ae959a7a.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1384
- C:\Users\Admin\AppData\Local\Temp\adcipae.exe
  C:\Users\Admin\AppData\Local\Temp\adcipae.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:688
- - C:\Users\Admin\AppData\Local\Temp\~DFA4D.tmp
    C:\Users\Admin\AppData\Local\Temp\~DFA4D.tmp OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2032
  - - C:\Users\Admin\AppData\Local\Temp\ginuzoe.exe
      "C:\Users\Admin\AppData\Local\Temp\ginuzoe.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:1080
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
  2⤵
  - Deletes itself
  PID:1380

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uninsep.bat

Filesize
341B

MD5
ba6d02b6c7bcb1c4c9b343a933de8c2a

SHA1
381e2ba5e41705aec4cd894a7a7a0d6ce984ae09

SHA256
00be712f57955bf0dce6a8d01f7ec312f6cdb3bc19998f36328d409798a2b376

SHA512
5f2fc6c2e2dad45a2c169ea49100e5500671e421bf27645c2e84735d30f85c1f2bda71e160ccce17334dc005eb6f4950abef0e3c659649b34c40f574bbe7537a

Download Submit
C:\Users\Admin\AppData\Local\Temp\adcipae.exe

Filesize
644KB

MD5
69c7b52ac91b2185b47a9f55a52c1a52

SHA1
e716aa88023863edbbb5f60862ad8e2f1da5a485

SHA256
0ad14ee9018bc2515d4230e83c0df506d5a307e98069e9ba35e8b7df011e62d4

SHA512
f0c8c212dcc377a222e5208dbe33b311772368e96d9a0b7a70c9ab3fac59d17b91e8ecf1fa03f4b0e5e99c8a5db28dc964909b777cf4b20f10385a9bf72b30dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\adcipae.exe

Filesize
644KB

MD5
69c7b52ac91b2185b47a9f55a52c1a52

SHA1
e716aa88023863edbbb5f60862ad8e2f1da5a485

SHA256
0ad14ee9018bc2515d4230e83c0df506d5a307e98069e9ba35e8b7df011e62d4

SHA512
f0c8c212dcc377a222e5208dbe33b311772368e96d9a0b7a70c9ab3fac59d17b91e8ecf1fa03f4b0e5e99c8a5db28dc964909b777cf4b20f10385a9bf72b30dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
86bb2dbeaef655893262f3c041f6afe2

SHA1
1b26ff1241c1353bd506c18bd0c11878076ba65d

SHA256
4a57643d2c59d1235bc0926f845583f39345839e3e9428ad619eb4b6baf96ad2

SHA512
58294cfaa5882a4c5625c03fe6f9e4882912b31f7169241f95626745d66c0a746083a9044365943d66ae7a420113d28c0ddd642c4ed697c683deb63796a13d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\ginuzoe.exe

Filesize
387KB

MD5
f0de3fcbb790e08af1d03fb77d280f07

SHA1
9654377ecb25a8da06af891f4d4642fe980f06fb

SHA256
64d0b24944beff59b0649d05b1dc6aee1b66e0fe901539e19d6efc2f4c8be6ea

SHA512
bf747da1e965febcce16bb6a1ceee158143c0c547a383878c96e76c44746b7eb6e640c5ce84676c6ddf686386148fc61934ed075edf0edfe2d76415278663de8

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
480B

MD5
f7c07a965447d339753ba906ccbd0a91

SHA1
2859058b4f9c0ce7d73d10e8aa5937874737bff4

SHA256
5c6de457cbeac17126b54e10f174e19764a7dc18cb50eb0a70fad79b61c48cb5

SHA512
cf8c77a9416ba11779cab40e8f69acac9ae5aa0608ca4bf70004c34b461719e70e34eca8cc074bfce05b3140f7b2056f2485ad9433a3ca696c66be7c00632e3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA4D.tmp

Filesize
652KB

MD5
961e5ee28c15268f9a86e48419b1c073

SHA1
f72a632d43eb00ebcaf6430acefd02e306f08cae

SHA256
3b59995ec438d7438d05ccc4ee47cc7ce59ec0657e4a4c28f93a755279bf763f

SHA512
70f6527d3ba50c56d6973b98e73993ec8f8190a3f72a0bc4cf35e3ef407809f08934d2edd63381fbc8ddeb4b1c676651db0d097e9a7599b00ffa6c9e15a32cc4

Download Submit
\Users\Admin\AppData\Local\Temp\adcipae.exe

Filesize
644KB

MD5
69c7b52ac91b2185b47a9f55a52c1a52

SHA1
e716aa88023863edbbb5f60862ad8e2f1da5a485

SHA256
0ad14ee9018bc2515d4230e83c0df506d5a307e98069e9ba35e8b7df011e62d4

SHA512
f0c8c212dcc377a222e5208dbe33b311772368e96d9a0b7a70c9ab3fac59d17b91e8ecf1fa03f4b0e5e99c8a5db28dc964909b777cf4b20f10385a9bf72b30dc

Download Submit
\Users\Admin\AppData\Local\Temp\ginuzoe.exe

Filesize
387KB

MD5
f0de3fcbb790e08af1d03fb77d280f07

SHA1
9654377ecb25a8da06af891f4d4642fe980f06fb

SHA256
64d0b24944beff59b0649d05b1dc6aee1b66e0fe901539e19d6efc2f4c8be6ea

SHA512
bf747da1e965febcce16bb6a1ceee158143c0c547a383878c96e76c44746b7eb6e640c5ce84676c6ddf686386148fc61934ed075edf0edfe2d76415278663de8

Download Submit
\Users\Admin\AppData\Local\Temp\~DFA4D.tmp

Filesize
652KB

MD5
961e5ee28c15268f9a86e48419b1c073

SHA1
f72a632d43eb00ebcaf6430acefd02e306f08cae

SHA256
3b59995ec438d7438d05ccc4ee47cc7ce59ec0657e4a4c28f93a755279bf763f

SHA512
70f6527d3ba50c56d6973b98e73993ec8f8190a3f72a0bc4cf35e3ef407809f08934d2edd63381fbc8ddeb4b1c676651db0d097e9a7599b00ffa6c9e15a32cc4

Download Submit
memory/688-71-0x0000000002B20000-0x0000000002BFE000-memory.dmp

Filesize
888KB

Download
memory/688-70-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/688-73-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1080-80-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/1384-67-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1384-68-0x0000000001EE0000-0x0000000001FBE000-memory.dmp

Filesize
888KB

Download
memory/1384-54-0x0000000076DC1000-0x0000000076DC3000-memory.dmp

Filesize
8KB

Download
memory/1384-55-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/2032-74-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/2032-79-0x0000000003580000-0x00000000036BE000-memory.dmp

Filesize
1.2MB

Download
memory/2032-72-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download