71535fce2373744f5daeaa60efecb805a228e5e988dc2f68e504d31752f402f1

Analysis

max time kernel
150s
max time network
71s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
06-11-2022 05:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

71535fce2373744f5daeaa60efecb805a228e5e988dc2f68e504d31752f402f1.exe
Size

676KB
MD5

09a9476fcef04898eaae48d5f7e737e0
SHA1

6f849f53d358947b48ea928cda82c9103b9e1104
SHA256

71535fce2373744f5daeaa60efecb805a228e5e988dc2f68e504d31752f402f1
SHA512

3c1d92babee6af1bd655258d9d0230480cddcffb3c366eb890c372915c0426a55a49085dc18335f3051cf373b7a129cf2f893d51aa83009a39f65a44fb052fd5
SSDEEP

12288:VHjcoe9PH96vB/fAuBcm9TyOE/xG3muGx44MG4Yx:VDgINfAuBcgcZG2uG24MG4Y

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1724	erlyum.exe
1284	~DFA52.tmp
1232	arezor.exe

Deletes itself 1 IoCs

pid	Process
2012	cmd.exe

Loads dropped DLL 3 IoCs

pid	Process
1100	71535fce2373744f5daeaa60efecb805a228e5e988dc2f68e504d31752f402f1.exe
1724	erlyum.exe
1284	~DFA52.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
1232	arezor.exe
1232	arezor.exe
1232	arezor.exe
1232	arezor.exe
1232	arezor.exe
1232	arezor.exe
1232	arezor.exe
1232	arezor.exe
1232	arezor.exe
1232	arezor.exe
1232	arezor.exe
1232	arezor.exe
1232	arezor.exe
1232	arezor.exe
1232	arezor.exe
1232	arezor.exe
1232	arezor.exe
1232	arezor.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1284	~DFA52.tmp

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1100 wrote to memory of 1724	1100	71535fce2373744f5daeaa60efecb805a228e5e988dc2f68e504d31752f402f1.exe	27
PID 1100 wrote to memory of 1724	1100	71535fce2373744f5daeaa60efecb805a228e5e988dc2f68e504d31752f402f1.exe	27
PID 1100 wrote to memory of 1724	1100	71535fce2373744f5daeaa60efecb805a228e5e988dc2f68e504d31752f402f1.exe	27
PID 1100 wrote to memory of 1724	1100	71535fce2373744f5daeaa60efecb805a228e5e988dc2f68e504d31752f402f1.exe	27
PID 1100 wrote to memory of 2012	1100	71535fce2373744f5daeaa60efecb805a228e5e988dc2f68e504d31752f402f1.exe	28
PID 1100 wrote to memory of 2012	1100	71535fce2373744f5daeaa60efecb805a228e5e988dc2f68e504d31752f402f1.exe	28
PID 1100 wrote to memory of 2012	1100	71535fce2373744f5daeaa60efecb805a228e5e988dc2f68e504d31752f402f1.exe	28
PID 1100 wrote to memory of 2012	1100	71535fce2373744f5daeaa60efecb805a228e5e988dc2f68e504d31752f402f1.exe	28
PID 1724 wrote to memory of 1284	1724	erlyum.exe	30
PID 1724 wrote to memory of 1284	1724	erlyum.exe	30
PID 1724 wrote to memory of 1284	1724	erlyum.exe	30
PID 1724 wrote to memory of 1284	1724	erlyum.exe	30
PID 1284 wrote to memory of 1232	1284	~DFA52.tmp	31
PID 1284 wrote to memory of 1232	1284	~DFA52.tmp	31
PID 1284 wrote to memory of 1232	1284	~DFA52.tmp	31
PID 1284 wrote to memory of 1232	1284	~DFA52.tmp	31

C:\Users\Admin\AppData\Local\Temp\71535fce2373744f5daeaa60efecb805a228e5e988dc2f68e504d31752f402f1.exe
"C:\Users\Admin\AppData\Local\Temp\71535fce2373744f5daeaa60efecb805a228e5e988dc2f68e504d31752f402f1.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1100
- C:\Users\Admin\AppData\Local\Temp\erlyum.exe
  C:\Users\Admin\AppData\Local\Temp\erlyum.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1724
- - C:\Users\Admin\AppData\Local\Temp\~DFA52.tmp
    C:\Users\Admin\AppData\Local\Temp\~DFA52.tmp OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1284
  - - C:\Users\Admin\AppData\Local\Temp\arezor.exe
      "C:\Users\Admin\AppData\Local\Temp\arezor.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:1232
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
  2⤵
  - Deletes itself
  PID:2012

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uninsep.bat

Filesize
341B

MD5
90dcaf8bf6553cf4221d60e44395bb9c

SHA1
1e927acd95fcf6220c5f051bff3a4b131a0278ab

SHA256
a1262f359bd1849bf3f71c9f171e38a80e95eb55b22a8565250f0aa6c1064608

SHA512
12b4dcb437de52ccbf55d1714a77c7a0403eb55d03af1e06b13f78b8cf7e328507c2c76732c8449abb211fcd14ca9132ae1d35cc21e74641c75468f83e1093bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\arezor.exe

Filesize
419KB

MD5
de3e478e4fba059ba16db5a8773cd492

SHA1
291f626c6c5e2ed832f49346cd177bb884ad645a

SHA256
97d2fb351cc89aeb70b137096c18836b0df8d7bb2dbd03cca8725a6d54085102

SHA512
97081735156e711ffc58b229ea5d5cc2657dbfb0c3305832badf20458695e91e377937ae089f6f04d093c26ba1e8254d4a727105fce09b4ed18d018ea7c893f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\erlyum.exe

Filesize
677KB

MD5
16808f9c6c85d46b65ca04f51b02b24f

SHA1
eb5dd22d8ef3adc59da0a64f2a25cdd2bedcd61c

SHA256
cae0c978e74e18cfc734776e6507daa807d913f6d6b6185bef0ef403589c8dbf

SHA512
21ffcb051377c7fec6720da700ee2b204f55ecb6e971f851e55fbdff160f2b965910a74e02b6ed785cc03aae6663fc48bd0dcfb557503a05953f1c89307d636b

Download Submit
C:\Users\Admin\AppData\Local\Temp\erlyum.exe

Filesize
677KB

MD5
16808f9c6c85d46b65ca04f51b02b24f

SHA1
eb5dd22d8ef3adc59da0a64f2a25cdd2bedcd61c

SHA256
cae0c978e74e18cfc734776e6507daa807d913f6d6b6185bef0ef403589c8dbf

SHA512
21ffcb051377c7fec6720da700ee2b204f55ecb6e971f851e55fbdff160f2b965910a74e02b6ed785cc03aae6663fc48bd0dcfb557503a05953f1c89307d636b

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
86bb2dbeaef655893262f3c041f6afe2

SHA1
1b26ff1241c1353bd506c18bd0c11878076ba65d

SHA256
4a57643d2c59d1235bc0926f845583f39345839e3e9428ad619eb4b6baf96ad2

SHA512
58294cfaa5882a4c5625c03fe6f9e4882912b31f7169241f95626745d66c0a746083a9044365943d66ae7a420113d28c0ddd642c4ed697c683deb63796a13d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
480B

MD5
53295a62606b1b9b0bcec134cf96c825

SHA1
c2748d73368f002a90017a36a9648e9684830b0e

SHA256
4bbf5eff8f3c91a0460958807781a76ae6a08ee3a92e3bcabf8a1417fc667fb0

SHA512
0d28577716a888eb14094eb83520c047f84650854b88455ca1709b0b9a531bb44b9f7979e303f32a23cb32587b50901d7edd6fc0db25cd94be8f9fffe2531110

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA52.tmp

Filesize
680KB

MD5
8e88f2c409acc902619e1685d55e250f

SHA1
ade6663f05722d9194de94d7860fdd930ce5659b

SHA256
21bc376406074db5c241b93b54e3fae98d05e2aed4d5546e19dfbac591d97bd8

SHA512
883e5b4ce8b596667d541954811280f9bb6ab07d4e0ab9d2e72c5c84490bbd2506fadb12a5d0faf5fd32f436f7e93b69e3e0ab85db036406a2260613e6a51db3

Download Submit
\Users\Admin\AppData\Local\Temp\arezor.exe

Filesize
419KB

MD5
de3e478e4fba059ba16db5a8773cd492

SHA1
291f626c6c5e2ed832f49346cd177bb884ad645a

SHA256
97d2fb351cc89aeb70b137096c18836b0df8d7bb2dbd03cca8725a6d54085102

SHA512
97081735156e711ffc58b229ea5d5cc2657dbfb0c3305832badf20458695e91e377937ae089f6f04d093c26ba1e8254d4a727105fce09b4ed18d018ea7c893f5

Download Submit
\Users\Admin\AppData\Local\Temp\erlyum.exe

Filesize
677KB

MD5
16808f9c6c85d46b65ca04f51b02b24f

SHA1
eb5dd22d8ef3adc59da0a64f2a25cdd2bedcd61c

SHA256
cae0c978e74e18cfc734776e6507daa807d913f6d6b6185bef0ef403589c8dbf

SHA512
21ffcb051377c7fec6720da700ee2b204f55ecb6e971f851e55fbdff160f2b965910a74e02b6ed785cc03aae6663fc48bd0dcfb557503a05953f1c89307d636b

Download Submit
\Users\Admin\AppData\Local\Temp\~DFA52.tmp

Filesize
680KB

MD5
8e88f2c409acc902619e1685d55e250f

SHA1
ade6663f05722d9194de94d7860fdd930ce5659b

SHA256
21bc376406074db5c241b93b54e3fae98d05e2aed4d5546e19dfbac591d97bd8

SHA512
883e5b4ce8b596667d541954811280f9bb6ab07d4e0ab9d2e72c5c84490bbd2506fadb12a5d0faf5fd32f436f7e93b69e3e0ab85db036406a2260613e6a51db3

Download Submit
memory/1100-54-0x0000000074AD1000-0x0000000074AD3000-memory.dmp

Filesize
8KB

Download
memory/1100-64-0x0000000001F20000-0x0000000001FFE000-memory.dmp

Filesize
888KB

Download
memory/1100-62-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1100-55-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1232-79-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/1232-75-0x0000000000000000-mapping.dmp

Download
memory/1284-67-0x0000000000000000-mapping.dmp

Download
memory/1284-73-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1284-70-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1284-78-0x00000000036D0000-0x000000000380E000-memory.dmp

Filesize
1.2MB

Download
memory/1724-72-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1724-71-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1724-57-0x0000000000000000-mapping.dmp

Download
memory/2012-60-0x0000000000000000-mapping.dmp

Download