679bf0b7dd9411bc2d25a70b5352def409ce74ace46705e2df846cce9087eb7b

Analysis

max time kernel
150s
max time network
142s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
07-11-2022 03:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

679bf0b7dd9411bc2d25a70b5352def409ce74ace46705e2df846cce9087eb7b.exe
Size

678KB
MD5

013a01d1d7b6768c6d7c71f25cbb9695
SHA1

6890c709f7617ba8f59812a401d37c1894c0da95
SHA256

679bf0b7dd9411bc2d25a70b5352def409ce74ace46705e2df846cce9087eb7b
SHA512

7d3970c9b86c3b467e35aa030f3cf1c5f5a99c414968d6d2f38067389d2032f82dc8c7c30311a3bafbb1d2d24969ce199404ccfa3eb808c18144cd423135e537
SSDEEP

12288:pCF8GZoBiS9F1aY8+8XBavsNxQ9wtlHRSMmvslNKaen9:pCe6S9naY8pcszUYHRSMm0lNKaC9

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1876	hiceh.exe
624	zoqoiq.exe
1396	inroq.exe

Deletes itself 1 IoCs

pid	Process
948	cmd.exe

Loads dropped DLL 3 IoCs

pid	Process
1644	679bf0b7dd9411bc2d25a70b5352def409ce74ace46705e2df846cce9087eb7b.exe
1876	hiceh.exe
624	zoqoiq.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1396	inroq.exe
1396	inroq.exe
1396	inroq.exe
1396	inroq.exe
1396	inroq.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	624	zoqoiq.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1644 wrote to memory of 1876	1644	679bf0b7dd9411bc2d25a70b5352def409ce74ace46705e2df846cce9087eb7b.exe	28
PID 1644 wrote to memory of 1876	1644	679bf0b7dd9411bc2d25a70b5352def409ce74ace46705e2df846cce9087eb7b.exe	28
PID 1644 wrote to memory of 1876	1644	679bf0b7dd9411bc2d25a70b5352def409ce74ace46705e2df846cce9087eb7b.exe	28
PID 1644 wrote to memory of 1876	1644	679bf0b7dd9411bc2d25a70b5352def409ce74ace46705e2df846cce9087eb7b.exe	28
PID 1644 wrote to memory of 948	1644	679bf0b7dd9411bc2d25a70b5352def409ce74ace46705e2df846cce9087eb7b.exe	29
PID 1644 wrote to memory of 948	1644	679bf0b7dd9411bc2d25a70b5352def409ce74ace46705e2df846cce9087eb7b.exe	29
PID 1644 wrote to memory of 948	1644	679bf0b7dd9411bc2d25a70b5352def409ce74ace46705e2df846cce9087eb7b.exe	29
PID 1644 wrote to memory of 948	1644	679bf0b7dd9411bc2d25a70b5352def409ce74ace46705e2df846cce9087eb7b.exe	29
PID 1876 wrote to memory of 624	1876	hiceh.exe	31
PID 1876 wrote to memory of 624	1876	hiceh.exe	31
PID 1876 wrote to memory of 624	1876	hiceh.exe	31
PID 1876 wrote to memory of 624	1876	hiceh.exe	31
PID 624 wrote to memory of 1396	624	zoqoiq.exe	32
PID 624 wrote to memory of 1396	624	zoqoiq.exe	32
PID 624 wrote to memory of 1396	624	zoqoiq.exe	32
PID 624 wrote to memory of 1396	624	zoqoiq.exe	32

C:\Users\Admin\AppData\Local\Temp\679bf0b7dd9411bc2d25a70b5352def409ce74ace46705e2df846cce9087eb7b.exe
"C:\Users\Admin\AppData\Local\Temp\679bf0b7dd9411bc2d25a70b5352def409ce74ace46705e2df846cce9087eb7b.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1644
- C:\Users\Admin\AppData\Local\Temp\hiceh.exe
  "C:\Users\Admin\AppData\Local\Temp\hiceh.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1876
- - C:\Users\Admin\AppData\Local\Temp\zoqoiq.exe
    "C:\Users\Admin\AppData\Local\Temp\zoqoiq.exe" OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:624
  - - C:\Users\Admin\AppData\Local\Temp\inroq.exe
      "C:\Users\Admin\AppData\Local\Temp\inroq.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:1396
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
  2⤵
  - Deletes itself
  PID:948

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uninsep.bat

Filesize
341B

MD5
11939ae5996b8c46bf20fc67e2b9fdf2

SHA1
167dfa2b114aa5540a4ec67fe81a652218064789

SHA256
05b73bc252280b7ee5cae52daf6e65808598814b654e5988127c64455da1b894

SHA512
32104683e1331760c89f5df0d183c540ded56d2d4060f42c7bfe1dbef5b54f410646585cf38819537a2e9d8c0fc640e8aadb10833a80dc97ada16c26e75e4208

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
471d257d4c81cf812bbcbd71a6423923

SHA1
61f12cca1f2c1365833b3fb23e3fd50c6638b5a0

SHA256
542bdb478af7227451f774e71807adc8f2e65fa969920ca15e2c97ce8d5825de

SHA512
85cb2397fcdfc17229ecb255e1ad948b77ab2f079ec34cff077c1e39dd5852866ef8d6f939b3aac854059257f0bd29e63eb23ace0bdc38b2f0fc8ac7d96211b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
3d216c669dcaefc1632d181b857d855f

SHA1
4bd927d41a0745354ecf4bc7efda23aad6f33b72

SHA256
12e6aee49877217411020026b4f26d7bf04691d95b3c92e06e7a3bc9921ff7b8

SHA512
773a62ca41906193334deef66a24598a1cd73a139b9604d6e4da7599eedd3754cb3a852831c6ebed2dd239b4271d9884f84dc340b5d41da24f35576d2f1f0d0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\hiceh.exe

Filesize
678KB

MD5
013a01d1d7b6768c6d7c71f25cbb9695

SHA1
6890c709f7617ba8f59812a401d37c1894c0da95

SHA256
679bf0b7dd9411bc2d25a70b5352def409ce74ace46705e2df846cce9087eb7b

SHA512
7d3970c9b86c3b467e35aa030f3cf1c5f5a99c414968d6d2f38067389d2032f82dc8c7c30311a3bafbb1d2d24969ce199404ccfa3eb808c18144cd423135e537

Download Submit
C:\Users\Admin\AppData\Local\Temp\hiceh.exe

Filesize
678KB

MD5
013a01d1d7b6768c6d7c71f25cbb9695

SHA1
6890c709f7617ba8f59812a401d37c1894c0da95

SHA256
679bf0b7dd9411bc2d25a70b5352def409ce74ace46705e2df846cce9087eb7b

SHA512
7d3970c9b86c3b467e35aa030f3cf1c5f5a99c414968d6d2f38067389d2032f82dc8c7c30311a3bafbb1d2d24969ce199404ccfa3eb808c18144cd423135e537

Download Submit
C:\Users\Admin\AppData\Local\Temp\inroq.exe

Filesize
521KB

MD5
903d60b9c634ffa151f2c80cd5725b54

SHA1
c697c77cba0014ec1e0cc3f734509865ed80050f

SHA256
e3966a702d50b1ed74daec4bc6217bc564a6f3bdf4d60047d9305f3ccd13d15c

SHA512
ab2d102fdbb36ae9959d1d2dfecf5fccb80d16a99161ccb9f77c77a712f7b78977a6c04e8d8a250c70d3960b4c36fe65680f4854028c09b712767ddfd74586b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\zoqoiq.exe

Filesize
678KB

MD5
013a01d1d7b6768c6d7c71f25cbb9695

SHA1
6890c709f7617ba8f59812a401d37c1894c0da95

SHA256
679bf0b7dd9411bc2d25a70b5352def409ce74ace46705e2df846cce9087eb7b

SHA512
7d3970c9b86c3b467e35aa030f3cf1c5f5a99c414968d6d2f38067389d2032f82dc8c7c30311a3bafbb1d2d24969ce199404ccfa3eb808c18144cd423135e537

Download Submit
\Users\Admin\AppData\Local\Temp\hiceh.exe

Filesize
678KB

MD5
013a01d1d7b6768c6d7c71f25cbb9695

SHA1
6890c709f7617ba8f59812a401d37c1894c0da95

SHA256
679bf0b7dd9411bc2d25a70b5352def409ce74ace46705e2df846cce9087eb7b

SHA512
7d3970c9b86c3b467e35aa030f3cf1c5f5a99c414968d6d2f38067389d2032f82dc8c7c30311a3bafbb1d2d24969ce199404ccfa3eb808c18144cd423135e537

Download Submit
\Users\Admin\AppData\Local\Temp\inroq.exe

Filesize
521KB

MD5
903d60b9c634ffa151f2c80cd5725b54

SHA1
c697c77cba0014ec1e0cc3f734509865ed80050f

SHA256
e3966a702d50b1ed74daec4bc6217bc564a6f3bdf4d60047d9305f3ccd13d15c

SHA512
ab2d102fdbb36ae9959d1d2dfecf5fccb80d16a99161ccb9f77c77a712f7b78977a6c04e8d8a250c70d3960b4c36fe65680f4854028c09b712767ddfd74586b0

Download Submit
\Users\Admin\AppData\Local\Temp\zoqoiq.exe

Filesize
678KB

MD5
013a01d1d7b6768c6d7c71f25cbb9695

SHA1
6890c709f7617ba8f59812a401d37c1894c0da95

SHA256
679bf0b7dd9411bc2d25a70b5352def409ce74ace46705e2df846cce9087eb7b

SHA512
7d3970c9b86c3b467e35aa030f3cf1c5f5a99c414968d6d2f38067389d2032f82dc8c7c30311a3bafbb1d2d24969ce199404ccfa3eb808c18144cd423135e537

Download Submit
memory/624-71-0x0000000000FF0000-0x000000000116E000-memory.dmp

Filesize
1.5MB

Download
memory/624-67-0x0000000000000000-mapping.dmp

Download
memory/624-75-0x00000000037D0000-0x000000000398E000-memory.dmp

Filesize
1.7MB

Download
memory/948-60-0x0000000000000000-mapping.dmp

Download
memory/1396-73-0x0000000000000000-mapping.dmp

Download
memory/1396-76-0x0000000000400000-0x00000000005BE000-memory.dmp

Filesize
1.7MB

Download
memory/1644-61-0x0000000000CB0000-0x0000000000E2E000-memory.dmp

Filesize
1.5MB

Download
memory/1644-54-0x0000000075A11000-0x0000000075A13000-memory.dmp

Filesize
8KB

Download
memory/1644-55-0x0000000000CB0000-0x0000000000E2E000-memory.dmp

Filesize
1.5MB

Download
memory/1876-63-0x0000000000F70000-0x00000000010EE000-memory.dmp

Filesize
1.5MB

Download
memory/1876-70-0x0000000000F70000-0x00000000010EE000-memory.dmp

Filesize
1.5MB

Download
memory/1876-57-0x0000000000000000-mapping.dmp

Download