2f7d732ca55e2699886c15851395c26ab7b27132ed9df40fb2429903ed2f3a6c

Analysis

max time kernel
152s
max time network
84s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
30-10-2022 08:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2f7d732ca55e2699886c15851395c26ab7b27132ed9df40fb2429903ed2f3a6c.exe
Size

627KB
MD5

a2b8075d8a66e5c7ac2af2d5636c85e0
SHA1

28c4e814f91e7cb340b9707570f39cab6199e49a
SHA256

2f7d732ca55e2699886c15851395c26ab7b27132ed9df40fb2429903ed2f3a6c
SHA512

a9cfd68bc421c5607d551ab281c94132856d61ffc32ddcca8907f2f8bcf10711096a4d7defabc893b6ad93517b51c7eac2e13691c8b9385baf4fa4ce24130927
SSDEEP

12288:VHjcoe9PH96vB/fAuBcm9TyOE/xG3muGx44MG4Yx:VDgINfAuBcgcZG2uG24MG4Y

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1080	gauthoj.exe
1060	~DFA62.tmp
1048	omxacoj.exe

Deletes itself 1 IoCs

pid	Process
1928	cmd.exe

Loads dropped DLL 3 IoCs

pid	Process
1472	2f7d732ca55e2699886c15851395c26ab7b27132ed9df40fb2429903ed2f3a6c.exe
1080	gauthoj.exe
1060	~DFA62.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
1048	omxacoj.exe
1048	omxacoj.exe
1048	omxacoj.exe
1048	omxacoj.exe
1048	omxacoj.exe
1048	omxacoj.exe
1048	omxacoj.exe
1048	omxacoj.exe
1048	omxacoj.exe
1048	omxacoj.exe
1048	omxacoj.exe
1048	omxacoj.exe
1048	omxacoj.exe
1048	omxacoj.exe
1048	omxacoj.exe
1048	omxacoj.exe
1048	omxacoj.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1060	~DFA62.tmp

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1472 wrote to memory of 1080	1472	2f7d732ca55e2699886c15851395c26ab7b27132ed9df40fb2429903ed2f3a6c.exe	27
PID 1472 wrote to memory of 1080	1472	2f7d732ca55e2699886c15851395c26ab7b27132ed9df40fb2429903ed2f3a6c.exe	27
PID 1472 wrote to memory of 1080	1472	2f7d732ca55e2699886c15851395c26ab7b27132ed9df40fb2429903ed2f3a6c.exe	27
PID 1472 wrote to memory of 1080	1472	2f7d732ca55e2699886c15851395c26ab7b27132ed9df40fb2429903ed2f3a6c.exe	27
PID 1080 wrote to memory of 1060	1080	gauthoj.exe	28
PID 1080 wrote to memory of 1060	1080	gauthoj.exe	28
PID 1080 wrote to memory of 1060	1080	gauthoj.exe	28
PID 1080 wrote to memory of 1060	1080	gauthoj.exe	28
PID 1472 wrote to memory of 1928	1472	2f7d732ca55e2699886c15851395c26ab7b27132ed9df40fb2429903ed2f3a6c.exe	29
PID 1472 wrote to memory of 1928	1472	2f7d732ca55e2699886c15851395c26ab7b27132ed9df40fb2429903ed2f3a6c.exe	29
PID 1472 wrote to memory of 1928	1472	2f7d732ca55e2699886c15851395c26ab7b27132ed9df40fb2429903ed2f3a6c.exe	29
PID 1472 wrote to memory of 1928	1472	2f7d732ca55e2699886c15851395c26ab7b27132ed9df40fb2429903ed2f3a6c.exe	29
PID 1060 wrote to memory of 1048	1060	~DFA62.tmp	31
PID 1060 wrote to memory of 1048	1060	~DFA62.tmp	31
PID 1060 wrote to memory of 1048	1060	~DFA62.tmp	31
PID 1060 wrote to memory of 1048	1060	~DFA62.tmp	31

C:\Users\Admin\AppData\Local\Temp\2f7d732ca55e2699886c15851395c26ab7b27132ed9df40fb2429903ed2f3a6c.exe
"C:\Users\Admin\AppData\Local\Temp\2f7d732ca55e2699886c15851395c26ab7b27132ed9df40fb2429903ed2f3a6c.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1472
- C:\Users\Admin\AppData\Local\Temp\gauthoj.exe
  C:\Users\Admin\AppData\Local\Temp\gauthoj.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1080
- - C:\Users\Admin\AppData\Local\Temp\~DFA62.tmp
    C:\Users\Admin\AppData\Local\Temp\~DFA62.tmp OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1060
  - - C:\Users\Admin\AppData\Local\Temp\omxacoj.exe
      "C:\Users\Admin\AppData\Local\Temp\omxacoj.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:1048
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
  2⤵
  - Deletes itself
  PID:1928

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uninsep.bat

Filesize
341B

MD5
012dc70be656349e9294d61cd241227b

SHA1
c632cd834dd7d53d563dd6fed986c9726bdc5d16

SHA256
c183cfbe48a657a86847e41b21c2e11be8448214ecbf344187b0794c1ad6e3a2

SHA512
f9fe2c3cf526636bf9cd5899f17dd412ff32652ef724906e9eaa8a037356c47ced536f226b2928689fd46703ee651519c88826467fa9a73cd5c67aeb22005099

Download Submit
C:\Users\Admin\AppData\Local\Temp\gauthoj.exe

Filesize
632KB

MD5
7d7c48d608cc49bdf7b608a207489c8b

SHA1
3707b3e4ced3fe8fda6eaebd51703d2f3780dfcf

SHA256
9001f978236e9d446da6303ecd5e692a79d22557ad59389628bbb5fe9c567b5e

SHA512
2bc52a9713bdc700bbb93ff19699be83747d31fd23f3215a07326f4e744cf63f0348a52d4adf9cace0777bf904c328e02667da27b7ba51a93ef4cc55535de9a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\gauthoj.exe

Filesize
632KB

MD5
7d7c48d608cc49bdf7b608a207489c8b

SHA1
3707b3e4ced3fe8fda6eaebd51703d2f3780dfcf

SHA256
9001f978236e9d446da6303ecd5e692a79d22557ad59389628bbb5fe9c567b5e

SHA512
2bc52a9713bdc700bbb93ff19699be83747d31fd23f3215a07326f4e744cf63f0348a52d4adf9cace0777bf904c328e02667da27b7ba51a93ef4cc55535de9a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
86bb2dbeaef655893262f3c041f6afe2

SHA1
1b26ff1241c1353bd506c18bd0c11878076ba65d

SHA256
4a57643d2c59d1235bc0926f845583f39345839e3e9428ad619eb4b6baf96ad2

SHA512
58294cfaa5882a4c5625c03fe6f9e4882912b31f7169241f95626745d66c0a746083a9044365943d66ae7a420113d28c0ddd642c4ed697c683deb63796a13d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
480B

MD5
a4a8770c6ed8b963a2283da9435b74fc

SHA1
f32cca0d4f6215a53f1c29ba0bb9e13ee8b3941b

SHA256
dec677e1a77e01588ec293a29ec8a946f04d0711f19e0bee1983afe8a62a74f6

SHA512
aea090d2241621070dd5397f4cd64f2c49678ed0a04c56c64188b0dcd8363a9286552387b2de392eeac49424fa8bd1ddd63c1230747add55036045f396b46ccb

Download Submit
C:\Users\Admin\AppData\Local\Temp\omxacoj.exe

Filesize
419KB

MD5
ecc158e77d5b12bba6bcb065849d953f

SHA1
db3dd2a1fdb9cc23af1654dca4cc01aeae9a2bf4

SHA256
c51d3285b47ac827f4222c91063b16e312412f81c70fe269edffb77ae96b683b

SHA512
def59e9bc43b901884286467a5aff39a61b662135b2eebb8163adcecd98ab33bc12c7f1ab27ae606b2e982633d0a495bccb1b518d676997ebd66363316b81569

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA62.tmp

Filesize
640KB

MD5
dd18d2db60d0aed0a6af4ea1328938f7

SHA1
03b6381329d33a33da3fda5d71c83702f9dbca4b

SHA256
634d6e216edb193571e56f64ead107ff8e9b20cdce6ac26c12180b7a3f6b12b6

SHA512
6391874faa1ba10ed55cd77f7d6870eed036d1e5b3fe33a1a2083ba150ce78bf7731c5aa1d413e68902fb1eca34ca875b07b1f0e972cc97a5ee6bffd67068fa4

Download Submit
\Users\Admin\AppData\Local\Temp\gauthoj.exe

Filesize
632KB

MD5
7d7c48d608cc49bdf7b608a207489c8b

SHA1
3707b3e4ced3fe8fda6eaebd51703d2f3780dfcf

SHA256
9001f978236e9d446da6303ecd5e692a79d22557ad59389628bbb5fe9c567b5e

SHA512
2bc52a9713bdc700bbb93ff19699be83747d31fd23f3215a07326f4e744cf63f0348a52d4adf9cace0777bf904c328e02667da27b7ba51a93ef4cc55535de9a7

Download Submit
\Users\Admin\AppData\Local\Temp\omxacoj.exe

Filesize
419KB

MD5
ecc158e77d5b12bba6bcb065849d953f

SHA1
db3dd2a1fdb9cc23af1654dca4cc01aeae9a2bf4

SHA256
c51d3285b47ac827f4222c91063b16e312412f81c70fe269edffb77ae96b683b

SHA512
def59e9bc43b901884286467a5aff39a61b662135b2eebb8163adcecd98ab33bc12c7f1ab27ae606b2e982633d0a495bccb1b518d676997ebd66363316b81569

Download Submit
\Users\Admin\AppData\Local\Temp\~DFA62.tmp

Filesize
640KB

MD5
dd18d2db60d0aed0a6af4ea1328938f7

SHA1
03b6381329d33a33da3fda5d71c83702f9dbca4b

SHA256
634d6e216edb193571e56f64ead107ff8e9b20cdce6ac26c12180b7a3f6b12b6

SHA512
6391874faa1ba10ed55cd77f7d6870eed036d1e5b3fe33a1a2083ba150ce78bf7731c5aa1d413e68902fb1eca34ca875b07b1f0e972cc97a5ee6bffd67068fa4

Download Submit
memory/1048-75-0x0000000000000000-mapping.dmp

Download
memory/1048-79-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/1060-65-0x0000000000000000-mapping.dmp

Download
memory/1060-78-0x0000000003530000-0x000000000366E000-memory.dmp

Filesize
1.2MB

Download
memory/1060-69-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1060-73-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1080-68-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1080-62-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1080-57-0x0000000000000000-mapping.dmp

Download
memory/1472-71-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1472-54-0x0000000074C11000-0x0000000074C13000-memory.dmp

Filesize
8KB

Download
memory/1472-61-0x0000000001EA0000-0x0000000001F7E000-memory.dmp

Filesize
888KB

Download
memory/1472-55-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1928-70-0x0000000000000000-mapping.dmp

Download