3ba44085751bb0cca7f3ac6f346ea3e6a09e0f4f68201626862dcc61d98ce113

Analysis

max time kernel
103s
max time network
95s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
06/11/2022, 10:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3ba44085751bb0cca7f3ac6f346ea3e6a09e0f4f68201626862dcc61d98ce113.exe
Size

49KB
MD5

113f10c66db3f82fb362d9377a28e930
SHA1

8270b4194c920221c819f65555f6bc284b5b4dc1
SHA256

3ba44085751bb0cca7f3ac6f346ea3e6a09e0f4f68201626862dcc61d98ce113
SHA512

1c8da02de0cc0fc79f8df448068ffdd7375d5b5a4144f334e6ff685abce05a2289ba5ec15a729f691531cedceec2ffdbf49a9da436eb4410afd678a0b964c3d4
SSDEEP

1536:TCBs2dk1EdUyb38tpMYmka6a+5a+IiusyZxz:eBOgUZfB1jg+1uZ5

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1428	dofhir.exe

Deletes itself 1 IoCs

pid	Process
896	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
1228	3ba44085751bb0cca7f3ac6f346ea3e6a09e0f4f68201626862dcc61d98ce113.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1228 wrote to memory of 1428	1228	3ba44085751bb0cca7f3ac6f346ea3e6a09e0f4f68201626862dcc61d98ce113.exe	27
PID 1228 wrote to memory of 1428	1228	3ba44085751bb0cca7f3ac6f346ea3e6a09e0f4f68201626862dcc61d98ce113.exe	27
PID 1228 wrote to memory of 1428	1228	3ba44085751bb0cca7f3ac6f346ea3e6a09e0f4f68201626862dcc61d98ce113.exe	27
PID 1228 wrote to memory of 1428	1228	3ba44085751bb0cca7f3ac6f346ea3e6a09e0f4f68201626862dcc61d98ce113.exe	27
PID 1228 wrote to memory of 896	1228	3ba44085751bb0cca7f3ac6f346ea3e6a09e0f4f68201626862dcc61d98ce113.exe	28
PID 1228 wrote to memory of 896	1228	3ba44085751bb0cca7f3ac6f346ea3e6a09e0f4f68201626862dcc61d98ce113.exe	28
PID 1228 wrote to memory of 896	1228	3ba44085751bb0cca7f3ac6f346ea3e6a09e0f4f68201626862dcc61d98ce113.exe	28
PID 1228 wrote to memory of 896	1228	3ba44085751bb0cca7f3ac6f346ea3e6a09e0f4f68201626862dcc61d98ce113.exe	28

C:\Users\Admin\AppData\Local\Temp\3ba44085751bb0cca7f3ac6f346ea3e6a09e0f4f68201626862dcc61d98ce113.exe
"C:\Users\Admin\AppData\Local\Temp\3ba44085751bb0cca7f3ac6f346ea3e6a09e0f4f68201626862dcc61d98ce113.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1228
- C:\Users\Admin\AppData\Local\Temp\dofhir.exe
  "C:\Users\Admin\AppData\Local\Temp\dofhir.exe"
  2⤵
  - Executes dropped EXE
  PID:1428
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
  2⤵
  - Deletes itself
  PID:896

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dofhir.exe

Filesize
49KB

MD5
1774593283fb305d034fe0d921a33ca1

SHA1
11fd4a932afed26c0816c7d30fc9a02ea42706a5

SHA256
683fd50b4b1520ab2972e6b67b8adab5ff59c430fbfcc9c686ad9f63f4c637d2

SHA512
f50f68f6c744371f05b20896f31eb04464454f6b4a28f8014b228485356c2cef1123675dd70cfd7ed60fc61d62791df75d406b3b4c628cd42df8bf65e8647b7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
a37dafadf523bfd1cdd3a54d35760713

SHA1
a88d1fc3191e4d6df332ee300605812fd88a37a9

SHA256
236019ebae78106f6226c7a2c82e10377904a8196441f69330b47491e7bd7fa2

SHA512
94ec9e22f2157c27bde78a8801e36dd0fc32a4512caee3d163d63934631e1dfe3678854fda2e88888b836d6020f387d9a09028c08643f8a012e803592125dd8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
338B

MD5
49e0430c412f2c08bf2f2aca41fbb0fe

SHA1
107f3c6806a868bc6d6ca8d96e006bbcff10c325

SHA256
06e38180648ffb89880dec45c5ed57645c92927d8c0b37f2ed0723839c04d53f

SHA512
298894743c7de11a9328172395a463a233e7d523c371518fe3ef40165c8ae4be7343893847a6d0d96e29f70b89c9a3b8d66d48ec595ddf6109085ea38a47f766

Download Submit
\Users\Admin\AppData\Local\Temp\dofhir.exe

Filesize
49KB

MD5
1774593283fb305d034fe0d921a33ca1

SHA1
11fd4a932afed26c0816c7d30fc9a02ea42706a5

SHA256
683fd50b4b1520ab2972e6b67b8adab5ff59c430fbfcc9c686ad9f63f4c637d2

SHA512
f50f68f6c744371f05b20896f31eb04464454f6b4a28f8014b228485356c2cef1123675dd70cfd7ed60fc61d62791df75d406b3b4c628cd42df8bf65e8647b7d

Download Submit
memory/1228-54-0x0000000075A11000-0x0000000075A13000-memory.dmp

Filesize
8KB

Download
memory/1228-55-0x0000000000080000-0x00000000000B5000-memory.dmp

Filesize
212KB

Download
memory/1228-61-0x0000000000080000-0x00000000000B5000-memory.dmp

Filesize
212KB

Download
memory/1428-63-0x0000000000B70000-0x0000000000BA5000-memory.dmp

Filesize
212KB

Download
memory/1428-65-0x0000000000B70000-0x0000000000BA5000-memory.dmp

Filesize
212KB

Download
memory/1428-66-0x0000000000B70000-0x0000000000BA5000-memory.dmp

Filesize
212KB

Download