556fc8f883dd0c21afd71e5400859b13de9573d1e21580dcff864dd0cfc32f16

Analysis

max time kernel
152s
max time network
73s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
30/10/2022, 08:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

556fc8f883dd0c21afd71e5400859b13de9573d1e21580dcff864dd0cfc32f16.exe
Size

678KB
MD5

935e5c290f4fb5fa29b31aa26dad67f0
SHA1

ca4f0929699acedae219db1a445e4444d57c3b28
SHA256

556fc8f883dd0c21afd71e5400859b13de9573d1e21580dcff864dd0cfc32f16
SHA512

840daf8285ff537d8a2000fb404e28f6f8e40767c33311172b8f50307de29dc73c79ced760b7ed3d500d2104999ac8b87cbdac7eb54e845a2ce6641de40f9319
SSDEEP

12288:VHjcoe9PH96vB/fAuBcm9TyOE/xG3muGx44MG4Yx:VDgINfAuBcgcZG2uG24MG4Y

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1944	nymemuc.exe
932	~DFA53.tmp
1700	goipubw.exe

Deletes itself 1 IoCs

pid	Process
1740	cmd.exe

Loads dropped DLL 3 IoCs

pid	Process
832	556fc8f883dd0c21afd71e5400859b13de9573d1e21580dcff864dd0cfc32f16.exe
1944	nymemuc.exe
932	~DFA53.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
1700	goipubw.exe
1700	goipubw.exe
1700	goipubw.exe
1700	goipubw.exe
1700	goipubw.exe
1700	goipubw.exe
1700	goipubw.exe
1700	goipubw.exe
1700	goipubw.exe
1700	goipubw.exe
1700	goipubw.exe
1700	goipubw.exe
1700	goipubw.exe
1700	goipubw.exe
1700	goipubw.exe
1700	goipubw.exe
1700	goipubw.exe
1700	goipubw.exe
1700	goipubw.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	932	~DFA53.tmp

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 832 wrote to memory of 1944	832	556fc8f883dd0c21afd71e5400859b13de9573d1e21580dcff864dd0cfc32f16.exe	27
PID 832 wrote to memory of 1944	832	556fc8f883dd0c21afd71e5400859b13de9573d1e21580dcff864dd0cfc32f16.exe	27
PID 832 wrote to memory of 1944	832	556fc8f883dd0c21afd71e5400859b13de9573d1e21580dcff864dd0cfc32f16.exe	27
PID 832 wrote to memory of 1944	832	556fc8f883dd0c21afd71e5400859b13de9573d1e21580dcff864dd0cfc32f16.exe	27
PID 1944 wrote to memory of 932	1944	nymemuc.exe	28
PID 1944 wrote to memory of 932	1944	nymemuc.exe	28
PID 1944 wrote to memory of 932	1944	nymemuc.exe	28
PID 1944 wrote to memory of 932	1944	nymemuc.exe	28
PID 832 wrote to memory of 1740	832	556fc8f883dd0c21afd71e5400859b13de9573d1e21580dcff864dd0cfc32f16.exe	29
PID 832 wrote to memory of 1740	832	556fc8f883dd0c21afd71e5400859b13de9573d1e21580dcff864dd0cfc32f16.exe	29
PID 832 wrote to memory of 1740	832	556fc8f883dd0c21afd71e5400859b13de9573d1e21580dcff864dd0cfc32f16.exe	29
PID 832 wrote to memory of 1740	832	556fc8f883dd0c21afd71e5400859b13de9573d1e21580dcff864dd0cfc32f16.exe	29
PID 932 wrote to memory of 1700	932	~DFA53.tmp	31
PID 932 wrote to memory of 1700	932	~DFA53.tmp	31
PID 932 wrote to memory of 1700	932	~DFA53.tmp	31
PID 932 wrote to memory of 1700	932	~DFA53.tmp	31

C:\Users\Admin\AppData\Local\Temp\556fc8f883dd0c21afd71e5400859b13de9573d1e21580dcff864dd0cfc32f16.exe
"C:\Users\Admin\AppData\Local\Temp\556fc8f883dd0c21afd71e5400859b13de9573d1e21580dcff864dd0cfc32f16.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:832
- C:\Users\Admin\AppData\Local\Temp\nymemuc.exe
  C:\Users\Admin\AppData\Local\Temp\nymemuc.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1944
- - C:\Users\Admin\AppData\Local\Temp\~DFA53.tmp
    C:\Users\Admin\AppData\Local\Temp\~DFA53.tmp OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:932
  - - C:\Users\Admin\AppData\Local\Temp\goipubw.exe
      "C:\Users\Admin\AppData\Local\Temp\goipubw.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:1700
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
  2⤵
  - Deletes itself
  PID:1740

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uninsep.bat

Filesize
341B

MD5
dd147289c900cd965bbd7a96e14696f1

SHA1
02e03d974463b5790865397218f770f2a6dbfacf

SHA256
7dd216c5de025223d10a0aca5e0d68d314e9b7865881de318065990dda7b5682

SHA512
9f8dcb75e5738c520fe556547e44e0213606b9ee965d6af0995775d19ae540b8096679c2314726f97059e69126d617f24e672ed21c8e300753a56cae3862f8b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
86bb2dbeaef655893262f3c041f6afe2

SHA1
1b26ff1241c1353bd506c18bd0c11878076ba65d

SHA256
4a57643d2c59d1235bc0926f845583f39345839e3e9428ad619eb4b6baf96ad2

SHA512
58294cfaa5882a4c5625c03fe6f9e4882912b31f7169241f95626745d66c0a746083a9044365943d66ae7a420113d28c0ddd642c4ed697c683deb63796a13d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\goipubw.exe

Filesize
383KB

MD5
982f12cde9b27519e05e9c0c34066d33

SHA1
3ce0788aae83177537f513d03d85c223bca926f4

SHA256
235a09dc7f905cc3070f0235b65fbb4048b28fe6ccf207cdff9b42d42bc06b7a

SHA512
4625eafa2cee50b71cfce754f7a680ee3fa4768eb38604955311720ae7d43b9bdbf50c0b3914d3ec0609d020f462540067d0af5de2963649d677407b46c5d13c

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
480B

MD5
eaaeeb934de658b148d38a5c4d67ebaf

SHA1
c56258f1606036e4d311c50e22529e4e0b29f3eb

SHA256
cbabd1ae5df62e1a9c35d26a6a3bc0d40944c00c7ab4cfe73c034c3d2a757293

SHA512
64350ca23e4fb0500dbcf853a452cd0f89ee8a44def2f83e0c48657265d947a6bd5ff83e81bbb97df91ff0ecb958952458a32071cba16945ebeaedaa95f73bff

Download Submit
C:\Users\Admin\AppData\Local\Temp\nymemuc.exe

Filesize
681KB

MD5
74a455bb5a4de2465401ab714650e681

SHA1
cf655f0d7eac64b8e8684b4f4d5c190fe5f43334

SHA256
46de92c53a2e898845e9b4a3f74cbc98a205addba81a96cb62abb5dfb7d6ed5d

SHA512
7e4a8004aa7f4156a416bb9b0bf6712d5f54cb0bb4b57a10d4c0d630a70c1ae032064be9e20370ca5fade04f493292210f1429b56babf9d25cf2d565abe1cc74

Download Submit
C:\Users\Admin\AppData\Local\Temp\nymemuc.exe

Filesize
681KB

MD5
74a455bb5a4de2465401ab714650e681

SHA1
cf655f0d7eac64b8e8684b4f4d5c190fe5f43334

SHA256
46de92c53a2e898845e9b4a3f74cbc98a205addba81a96cb62abb5dfb7d6ed5d

SHA512
7e4a8004aa7f4156a416bb9b0bf6712d5f54cb0bb4b57a10d4c0d630a70c1ae032064be9e20370ca5fade04f493292210f1429b56babf9d25cf2d565abe1cc74

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA53.tmp

Filesize
685KB

MD5
d7aeb6f5098e3333e1872437fd11500b

SHA1
8de6b5742db6e34ac1ec4841795bfddc704236c7

SHA256
34c18e281942331b8bf7211673841e9d275abf0b04c17ada4f17cc2e9ee6195b

SHA512
4601e798c2587b58b61dc29003d775f9170a0bc42dbe14d909277a2e39306a07150116de83ecf75e3a7001c4d1b56021de52cef363dd1dd52cb686c9336e327d

Download Submit
\Users\Admin\AppData\Local\Temp\goipubw.exe

Filesize
383KB

MD5
982f12cde9b27519e05e9c0c34066d33

SHA1
3ce0788aae83177537f513d03d85c223bca926f4

SHA256
235a09dc7f905cc3070f0235b65fbb4048b28fe6ccf207cdff9b42d42bc06b7a

SHA512
4625eafa2cee50b71cfce754f7a680ee3fa4768eb38604955311720ae7d43b9bdbf50c0b3914d3ec0609d020f462540067d0af5de2963649d677407b46c5d13c

Download Submit
\Users\Admin\AppData\Local\Temp\nymemuc.exe

Filesize
681KB

MD5
74a455bb5a4de2465401ab714650e681

SHA1
cf655f0d7eac64b8e8684b4f4d5c190fe5f43334

SHA256
46de92c53a2e898845e9b4a3f74cbc98a205addba81a96cb62abb5dfb7d6ed5d

SHA512
7e4a8004aa7f4156a416bb9b0bf6712d5f54cb0bb4b57a10d4c0d630a70c1ae032064be9e20370ca5fade04f493292210f1429b56babf9d25cf2d565abe1cc74

Download Submit
\Users\Admin\AppData\Local\Temp\~DFA53.tmp

Filesize
685KB

MD5
d7aeb6f5098e3333e1872437fd11500b

SHA1
8de6b5742db6e34ac1ec4841795bfddc704236c7

SHA256
34c18e281942331b8bf7211673841e9d275abf0b04c17ada4f17cc2e9ee6195b

SHA512
4601e798c2587b58b61dc29003d775f9170a0bc42dbe14d909277a2e39306a07150116de83ecf75e3a7001c4d1b56021de52cef363dd1dd52cb686c9336e327d

Download Submit
memory/832-68-0x0000000001EA0000-0x0000000001F7E000-memory.dmp

Filesize
888KB

Download
memory/832-55-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/832-54-0x0000000075091000-0x0000000075093000-memory.dmp

Filesize
8KB

Download
memory/832-67-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/932-72-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/932-79-0x0000000003680000-0x00000000037BE000-memory.dmp

Filesize
1.2MB

Download
memory/932-74-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1700-80-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/1944-71-0x0000000002BE0000-0x0000000002CBE000-memory.dmp

Filesize
888KB

Download
memory/1944-73-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1944-70-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download