c3498a4d4dacedd1c95c92b6a43251a679208354f078e0a2f6254af3a0b67727

Analysis

max time kernel
153s
max time network
76s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
30/10/2022, 08:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c3498a4d4dacedd1c95c92b6a43251a679208354f078e0a2f6254af3a0b67727.exe
Size

678KB
MD5

932eeb5d6401fae58ec8219177c9c520
SHA1

07508643763880ea970edf5cd4b7abd466255b41
SHA256

c3498a4d4dacedd1c95c92b6a43251a679208354f078e0a2f6254af3a0b67727
SHA512

d37df196ff1e35f6dc89d20d21caca86e078f27f34f1ca7374378c4b2426800c85e6b4a2cc168b2f9ad4717fad03c0954b40b9287382e64fec93a30a45409ca0
SSDEEP

12288:OHjcoe9PH96vB/fAuBcm9TyOE/xG3muGx44MG4Yx:ODgINfAuBcgcZG2uG24MG4Y

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
840	avbyyqn.exe
1528	~DFA5C.tmp
1376	akvopon.exe

Deletes itself 1 IoCs

pid	Process
1520	cmd.exe

Loads dropped DLL 3 IoCs

pid	Process
1340	c3498a4d4dacedd1c95c92b6a43251a679208354f078e0a2f6254af3a0b67727.exe
840	avbyyqn.exe
1528	~DFA5C.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
1376	akvopon.exe
1376	akvopon.exe
1376	akvopon.exe
1376	akvopon.exe
1376	akvopon.exe
1376	akvopon.exe
1376	akvopon.exe
1376	akvopon.exe
1376	akvopon.exe
1376	akvopon.exe
1376	akvopon.exe
1376	akvopon.exe
1376	akvopon.exe
1376	akvopon.exe
1376	akvopon.exe
1376	akvopon.exe
1376	akvopon.exe
1376	akvopon.exe
1376	akvopon.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1528	~DFA5C.tmp

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1340 wrote to memory of 840	1340	c3498a4d4dacedd1c95c92b6a43251a679208354f078e0a2f6254af3a0b67727.exe	27
PID 1340 wrote to memory of 840	1340	c3498a4d4dacedd1c95c92b6a43251a679208354f078e0a2f6254af3a0b67727.exe	27
PID 1340 wrote to memory of 840	1340	c3498a4d4dacedd1c95c92b6a43251a679208354f078e0a2f6254af3a0b67727.exe	27
PID 1340 wrote to memory of 840	1340	c3498a4d4dacedd1c95c92b6a43251a679208354f078e0a2f6254af3a0b67727.exe	27
PID 840 wrote to memory of 1528	840	avbyyqn.exe	28
PID 840 wrote to memory of 1528	840	avbyyqn.exe	28
PID 840 wrote to memory of 1528	840	avbyyqn.exe	28
PID 840 wrote to memory of 1528	840	avbyyqn.exe	28
PID 1340 wrote to memory of 1520	1340	c3498a4d4dacedd1c95c92b6a43251a679208354f078e0a2f6254af3a0b67727.exe	29
PID 1340 wrote to memory of 1520	1340	c3498a4d4dacedd1c95c92b6a43251a679208354f078e0a2f6254af3a0b67727.exe	29
PID 1340 wrote to memory of 1520	1340	c3498a4d4dacedd1c95c92b6a43251a679208354f078e0a2f6254af3a0b67727.exe	29
PID 1340 wrote to memory of 1520	1340	c3498a4d4dacedd1c95c92b6a43251a679208354f078e0a2f6254af3a0b67727.exe	29
PID 1528 wrote to memory of 1376	1528	~DFA5C.tmp	31
PID 1528 wrote to memory of 1376	1528	~DFA5C.tmp	31
PID 1528 wrote to memory of 1376	1528	~DFA5C.tmp	31
PID 1528 wrote to memory of 1376	1528	~DFA5C.tmp	31

C:\Users\Admin\AppData\Local\Temp\c3498a4d4dacedd1c95c92b6a43251a679208354f078e0a2f6254af3a0b67727.exe
"C:\Users\Admin\AppData\Local\Temp\c3498a4d4dacedd1c95c92b6a43251a679208354f078e0a2f6254af3a0b67727.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1340
- C:\Users\Admin\AppData\Local\Temp\avbyyqn.exe
  C:\Users\Admin\AppData\Local\Temp\avbyyqn.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:840
- - C:\Users\Admin\AppData\Local\Temp\~DFA5C.tmp
    C:\Users\Admin\AppData\Local\Temp\~DFA5C.tmp OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1528
  - - C:\Users\Admin\AppData\Local\Temp\akvopon.exe
      "C:\Users\Admin\AppData\Local\Temp\akvopon.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:1376
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
  2⤵
  - Deletes itself
  PID:1520

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uninsep.bat

Filesize
341B

MD5
51619786dc345c869513d0491a8f9a6e

SHA1
3ad05744099a4fdb41791da30698ad6a6d1879ea

SHA256
7833f6c3672f41d7b7a73641e208b1f184071b95b9d2d9a71b2037a3364d398a

SHA512
2ed6676dd3f524675293025a56156c1a6cc1548d5b3cee27d4e178509135ca645c839ecf3576cb096dba2d256c73575edd3783c271341665495acd922dfb6e55

Download Submit
C:\Users\Admin\AppData\Local\Temp\akvopon.exe

Filesize
396KB

MD5
6687614576858bce101f3bfa201b906c

SHA1
948ce97954cc3725a16be9344d9f73028b31d3be

SHA256
5536b5825dbdd0ac098242f5c4df2911aaeaaed6294c668e19e1947f618fddd0

SHA512
b0fdda6c0821cee92d3800f44ee37be59e10cf65d42c7896eb36015b933954275c7760de20b0619a5fdce9357ac55145c00f73aa9cad68e135760c96fb9964ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\avbyyqn.exe

Filesize
680KB

MD5
c10ca94cb744900b83d2fbb1ec7978bd

SHA1
db6cda5378ad0eadc612486202051aea85cb4990

SHA256
d08833d45dd08c67999a1a26cfc126b0bc17e7604d0724b61f3dfdeb50815d5e

SHA512
895150171d1cf47aeccf43ef6f7143e4428f328bd716a0596b3b401e3733d5f90bab4ad68433925204ef3bb20dda9206618b1497ce5483e9c5f95a5ec9de9ae3

Download Submit
C:\Users\Admin\AppData\Local\Temp\avbyyqn.exe

Filesize
680KB

MD5
c10ca94cb744900b83d2fbb1ec7978bd

SHA1
db6cda5378ad0eadc612486202051aea85cb4990

SHA256
d08833d45dd08c67999a1a26cfc126b0bc17e7604d0724b61f3dfdeb50815d5e

SHA512
895150171d1cf47aeccf43ef6f7143e4428f328bd716a0596b3b401e3733d5f90bab4ad68433925204ef3bb20dda9206618b1497ce5483e9c5f95a5ec9de9ae3

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
86bb2dbeaef655893262f3c041f6afe2

SHA1
1b26ff1241c1353bd506c18bd0c11878076ba65d

SHA256
4a57643d2c59d1235bc0926f845583f39345839e3e9428ad619eb4b6baf96ad2

SHA512
58294cfaa5882a4c5625c03fe6f9e4882912b31f7169241f95626745d66c0a746083a9044365943d66ae7a420113d28c0ddd642c4ed697c683deb63796a13d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
480B

MD5
dcfb3b6b6c115cb8983a1733b087b41f

SHA1
645960bcd5b93b4389cb463fca1c0c275a651a2f

SHA256
59cc329d201ee18f1f2e9008f8f93333a3acaed45ff0a143eab9e4ba9ef79a9b

SHA512
065d123495fb567913b96810b0a739e5c60dffc60d1742608a664c78f14c064575d4a953eea28892f459647ffd298a8552d72e8b9218b64192a1b82c13abedc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA5C.tmp

Filesize
682KB

MD5
c49079a05c54726e02d50fc1916a8a8f

SHA1
2fd667cbc414d5005b23985596e5769ea7dbc2d8

SHA256
d574b1a11085cca1db8b430e2b21fccd708035e2d59bab521a6bb1fd0f570fd9

SHA512
7fbec64ee7952e8416b5dc27470100ca1805fb31a2aad80bcdaa933ef7ad3fd9dcfa3c47786befcec64c96e97a6dfdb0ccded1473b1e0804882a0a3d75f34a89

Download Submit
\Users\Admin\AppData\Local\Temp\akvopon.exe

Filesize
396KB

MD5
6687614576858bce101f3bfa201b906c

SHA1
948ce97954cc3725a16be9344d9f73028b31d3be

SHA256
5536b5825dbdd0ac098242f5c4df2911aaeaaed6294c668e19e1947f618fddd0

SHA512
b0fdda6c0821cee92d3800f44ee37be59e10cf65d42c7896eb36015b933954275c7760de20b0619a5fdce9357ac55145c00f73aa9cad68e135760c96fb9964ba

Download Submit
\Users\Admin\AppData\Local\Temp\avbyyqn.exe

Filesize
680KB

MD5
c10ca94cb744900b83d2fbb1ec7978bd

SHA1
db6cda5378ad0eadc612486202051aea85cb4990

SHA256
d08833d45dd08c67999a1a26cfc126b0bc17e7604d0724b61f3dfdeb50815d5e

SHA512
895150171d1cf47aeccf43ef6f7143e4428f328bd716a0596b3b401e3733d5f90bab4ad68433925204ef3bb20dda9206618b1497ce5483e9c5f95a5ec9de9ae3

Download Submit
\Users\Admin\AppData\Local\Temp\~DFA5C.tmp

Filesize
682KB

MD5
c49079a05c54726e02d50fc1916a8a8f

SHA1
2fd667cbc414d5005b23985596e5769ea7dbc2d8

SHA256
d574b1a11085cca1db8b430e2b21fccd708035e2d59bab521a6bb1fd0f570fd9

SHA512
7fbec64ee7952e8416b5dc27470100ca1805fb31a2aad80bcdaa933ef7ad3fd9dcfa3c47786befcec64c96e97a6dfdb0ccded1473b1e0804882a0a3d75f34a89

Download Submit
memory/840-70-0x0000000002B50000-0x0000000002C2E000-memory.dmp

Filesize
888KB

Download
memory/840-72-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/840-69-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1340-55-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1340-67-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1340-54-0x0000000074DE1000-0x0000000074DE3000-memory.dmp

Filesize
8KB

Download
memory/1376-79-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/1528-71-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1528-73-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1528-78-0x0000000003680000-0x00000000037BE000-memory.dmp

Filesize
1.2MB

Download