0a7ee7a8fd6905a397d077d96c1c2f0b6903b93030cd57968e8e74e43fca51d0

Analysis

max time kernel
151s
max time network
79s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
30-10-2022 08:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0a7ee7a8fd6905a397d077d96c1c2f0b6903b93030cd57968e8e74e43fca51d0.exe
Size

710KB
MD5

93c2a11644197bdfacbb45b0b410c39e
SHA1

880a2aea805f5de3fec91bb2127ce7bf5265620a
SHA256

0a7ee7a8fd6905a397d077d96c1c2f0b6903b93030cd57968e8e74e43fca51d0
SHA512

7d6115e4a651a0742c748f8217e4f835f1e09c888377326a951eaf565eec8cd49e8b35008f5d1604a9e1a71128be4dba2ec886508e21b5c07a7f61a9e3f976ef
SSDEEP

12288:VHjcoe9PH96vB/fAuBcm9TyOE/xG3muGx44MG4Yx:VDgINfAuBcgcZG2uG24MG4Y

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1912	cisiviw.exe
1364	~DFA53.tmp
540	rijytij.exe

Deletes itself 1 IoCs

pid	Process
1788	cmd.exe

Loads dropped DLL 3 IoCs

pid	Process
1112	0a7ee7a8fd6905a397d077d96c1c2f0b6903b93030cd57968e8e74e43fca51d0.exe
1912	cisiviw.exe
1364	~DFA53.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
540	rijytij.exe
540	rijytij.exe
540	rijytij.exe
540	rijytij.exe
540	rijytij.exe
540	rijytij.exe
540	rijytij.exe
540	rijytij.exe
540	rijytij.exe
540	rijytij.exe
540	rijytij.exe
540	rijytij.exe
540	rijytij.exe
540	rijytij.exe
540	rijytij.exe
540	rijytij.exe
540	rijytij.exe
540	rijytij.exe
540	rijytij.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1364	~DFA53.tmp

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1112 wrote to memory of 1912	1112	0a7ee7a8fd6905a397d077d96c1c2f0b6903b93030cd57968e8e74e43fca51d0.exe	28
PID 1112 wrote to memory of 1912	1112	0a7ee7a8fd6905a397d077d96c1c2f0b6903b93030cd57968e8e74e43fca51d0.exe	28
PID 1112 wrote to memory of 1912	1112	0a7ee7a8fd6905a397d077d96c1c2f0b6903b93030cd57968e8e74e43fca51d0.exe	28
PID 1112 wrote to memory of 1912	1112	0a7ee7a8fd6905a397d077d96c1c2f0b6903b93030cd57968e8e74e43fca51d0.exe	28
PID 1912 wrote to memory of 1364	1912	cisiviw.exe	29
PID 1912 wrote to memory of 1364	1912	cisiviw.exe	29
PID 1912 wrote to memory of 1364	1912	cisiviw.exe	29
PID 1912 wrote to memory of 1364	1912	cisiviw.exe	29
PID 1112 wrote to memory of 1788	1112	0a7ee7a8fd6905a397d077d96c1c2f0b6903b93030cd57968e8e74e43fca51d0.exe	30
PID 1112 wrote to memory of 1788	1112	0a7ee7a8fd6905a397d077d96c1c2f0b6903b93030cd57968e8e74e43fca51d0.exe	30
PID 1112 wrote to memory of 1788	1112	0a7ee7a8fd6905a397d077d96c1c2f0b6903b93030cd57968e8e74e43fca51d0.exe	30
PID 1112 wrote to memory of 1788	1112	0a7ee7a8fd6905a397d077d96c1c2f0b6903b93030cd57968e8e74e43fca51d0.exe	30
PID 1364 wrote to memory of 540	1364	~DFA53.tmp	32
PID 1364 wrote to memory of 540	1364	~DFA53.tmp	32
PID 1364 wrote to memory of 540	1364	~DFA53.tmp	32
PID 1364 wrote to memory of 540	1364	~DFA53.tmp	32

C:\Users\Admin\AppData\Local\Temp\0a7ee7a8fd6905a397d077d96c1c2f0b6903b93030cd57968e8e74e43fca51d0.exe
"C:\Users\Admin\AppData\Local\Temp\0a7ee7a8fd6905a397d077d96c1c2f0b6903b93030cd57968e8e74e43fca51d0.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1112
- C:\Users\Admin\AppData\Local\Temp\cisiviw.exe
  C:\Users\Admin\AppData\Local\Temp\cisiviw.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1912
- - C:\Users\Admin\AppData\Local\Temp\~DFA53.tmp
    C:\Users\Admin\AppData\Local\Temp\~DFA53.tmp OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1364
  - - C:\Users\Admin\AppData\Local\Temp\rijytij.exe
      "C:\Users\Admin\AppData\Local\Temp\rijytij.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:540
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
  2⤵
  - Deletes itself
  PID:1788

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uninsep.bat

Filesize
341B

MD5
fbc40e356acfd5493cfd40cfe8dca9c7

SHA1
7afa6a65600cd05d9ef7cc08f2653aa2a6f2ba3e

SHA256
fee0dcaad09b08d0458ffb90351021b371c6644172bd20eb3f015737913b3c04

SHA512
43fe1fad0af3a323ea7eb522692a9b7a9a0dc61524f58725e3fea3eb3c127eef7ba3fce51dbabff90ed3b35a3ede0d6988869b7f42c5b0ef514323a4bc7d79ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\cisiviw.exe

Filesize
714KB

MD5
28f8b607e9b5ee821f20ac30e336982b

SHA1
4a0a44a11d29b409b1743a4e550ca3834e4f9122

SHA256
76dd4608f0ce8ceeab5ca3a4dbfcfc3ab03ce7feb7ef6834b7e98784921a17fb

SHA512
432679480e0e4f103eab5a559dcb40b8f5000f4f2a00596904214a3fad8e9959db93a33788c363fa6f3ae98f4fd17f39ac02a7de165d9a9e325e8626d63fabf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\cisiviw.exe

Filesize
714KB

MD5
28f8b607e9b5ee821f20ac30e336982b

SHA1
4a0a44a11d29b409b1743a4e550ca3834e4f9122

SHA256
76dd4608f0ce8ceeab5ca3a4dbfcfc3ab03ce7feb7ef6834b7e98784921a17fb

SHA512
432679480e0e4f103eab5a559dcb40b8f5000f4f2a00596904214a3fad8e9959db93a33788c363fa6f3ae98f4fd17f39ac02a7de165d9a9e325e8626d63fabf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
86bb2dbeaef655893262f3c041f6afe2

SHA1
1b26ff1241c1353bd506c18bd0c11878076ba65d

SHA256
4a57643d2c59d1235bc0926f845583f39345839e3e9428ad619eb4b6baf96ad2

SHA512
58294cfaa5882a4c5625c03fe6f9e4882912b31f7169241f95626745d66c0a746083a9044365943d66ae7a420113d28c0ddd642c4ed697c683deb63796a13d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
480B

MD5
ba1d7c189ab02877c8cc78507a86a262

SHA1
72f13d427e17eb010969a1d2a435b6b06cf9331f

SHA256
fd8654f38d36f75929495a985982aae481b523fd7a27e410e07f2493ebf95537

SHA512
2a629513eb10686d024c187853ef84d377507b6cc017944bf2dc4a8d89fc089fdfa1b27b3c80dd2d34fd7af0001254070d5c86d21cd16c987bbe63642e1e7a1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\rijytij.exe

Filesize
398KB

MD5
337a67354796ed7c0654d7c2697b9e54

SHA1
05e15927b82ed7fee4b847d8d33404626cec5443

SHA256
b07aaed2172e7fe7a7368fe4e04ab6f2deccf9a337ac6c32a47611da5f7171a5

SHA512
b09b41ede5d126b1d1f4786855ec5fe31172b61c1a5f6fb74e663a1db443a98df1b64134a4f4e7796a00585da85852870216f4c79fcbb48bf6336714df355b9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA53.tmp

Filesize
718KB

MD5
7d9f2dca8a14fc26ee4826fc6ba21424

SHA1
487d79e687fc300e76e4b4eecd1626bc8dff1645

SHA256
06b6b30973c04067e5c6aaec65ea5068751b24f442477eafe851561722a1d40b

SHA512
6512d168c9a174586a7b8b0cb15153156f3ac51277c7d97da7c661f7ccc23b762c5c7eab2ecf3ed48f53ae969dcd71ce0ab83a1883f561246e9a9ad1efe79346

Download Submit
\Users\Admin\AppData\Local\Temp\cisiviw.exe

Filesize
714KB

MD5
28f8b607e9b5ee821f20ac30e336982b

SHA1
4a0a44a11d29b409b1743a4e550ca3834e4f9122

SHA256
76dd4608f0ce8ceeab5ca3a4dbfcfc3ab03ce7feb7ef6834b7e98784921a17fb

SHA512
432679480e0e4f103eab5a559dcb40b8f5000f4f2a00596904214a3fad8e9959db93a33788c363fa6f3ae98f4fd17f39ac02a7de165d9a9e325e8626d63fabf7

Download Submit
\Users\Admin\AppData\Local\Temp\rijytij.exe

Filesize
398KB

MD5
337a67354796ed7c0654d7c2697b9e54

SHA1
05e15927b82ed7fee4b847d8d33404626cec5443

SHA256
b07aaed2172e7fe7a7368fe4e04ab6f2deccf9a337ac6c32a47611da5f7171a5

SHA512
b09b41ede5d126b1d1f4786855ec5fe31172b61c1a5f6fb74e663a1db443a98df1b64134a4f4e7796a00585da85852870216f4c79fcbb48bf6336714df355b9b

Download Submit
\Users\Admin\AppData\Local\Temp\~DFA53.tmp

Filesize
718KB

MD5
7d9f2dca8a14fc26ee4826fc6ba21424

SHA1
487d79e687fc300e76e4b4eecd1626bc8dff1645

SHA256
06b6b30973c04067e5c6aaec65ea5068751b24f442477eafe851561722a1d40b

SHA512
6512d168c9a174586a7b8b0cb15153156f3ac51277c7d97da7c661f7ccc23b762c5c7eab2ecf3ed48f53ae969dcd71ce0ab83a1883f561246e9a9ad1efe79346

Download Submit
memory/540-80-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/540-76-0x0000000000000000-mapping.dmp

Download
memory/1112-68-0x0000000000320000-0x00000000003FE000-memory.dmp

Filesize
888KB

Download
memory/1112-54-0x0000000076031000-0x0000000076033000-memory.dmp

Filesize
8KB

Download
memory/1112-67-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1112-55-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1364-72-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1364-74-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1364-63-0x0000000000000000-mapping.dmp

Download
memory/1364-79-0x00000000035E0000-0x000000000371E000-memory.dmp

Filesize
1.2MB

Download
memory/1788-66-0x0000000000000000-mapping.dmp

Download
memory/1912-71-0x0000000002C00000-0x0000000002CDE000-memory.dmp

Filesize
888KB

Download
memory/1912-70-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1912-73-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1912-57-0x0000000000000000-mapping.dmp

Download