7bb1c7fb8f2084cd13fa7fded01a76468be702f5c4135d256b125d46ce1c8d05

Analysis

max time kernel
150s
max time network
72s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
07/11/2022, 06:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7bb1c7fb8f2084cd13fa7fded01a76468be702f5c4135d256b125d46ce1c8d05.exe
Size

655KB
MD5

0521874c4275011303c6826cf0a82e00
SHA1

1a6d041bca93bbcd3b54c0cc8518da84f9d8d672
SHA256

7bb1c7fb8f2084cd13fa7fded01a76468be702f5c4135d256b125d46ce1c8d05
SHA512

13eda3e2a0d260aa14460acfcf99228677d2d7228f190dc846f11a8a702a2f482a4615186718f67554c297e411cf2fd30ffc9cedb56ea1619035e9531ff298b1
SSDEEP

12288:VHjcoe9PH96vB/fAuBcm9TyOE/xG3muGx44MG4Yx:VDgINfAuBcgcZG2uG24MG4Y

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1288	qocoyil.exe
472	~DFA57.tmp
1520	tehydil.exe

Deletes itself 1 IoCs

pid	Process
1532	cmd.exe

Loads dropped DLL 3 IoCs

pid	Process
1292	7bb1c7fb8f2084cd13fa7fded01a76468be702f5c4135d256b125d46ce1c8d05.exe
1288	qocoyil.exe
472	~DFA57.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
1520	tehydil.exe
1520	tehydil.exe
1520	tehydil.exe
1520	tehydil.exe
1520	tehydil.exe
1520	tehydil.exe
1520	tehydil.exe
1520	tehydil.exe
1520	tehydil.exe
1520	tehydil.exe
1520	tehydil.exe
1520	tehydil.exe
1520	tehydil.exe
1520	tehydil.exe
1520	tehydil.exe
1520	tehydil.exe
1520	tehydil.exe
1520	tehydil.exe
1520	tehydil.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	472	~DFA57.tmp

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1292 wrote to memory of 1288	1292	7bb1c7fb8f2084cd13fa7fded01a76468be702f5c4135d256b125d46ce1c8d05.exe	27
PID 1292 wrote to memory of 1288	1292	7bb1c7fb8f2084cd13fa7fded01a76468be702f5c4135d256b125d46ce1c8d05.exe	27
PID 1292 wrote to memory of 1288	1292	7bb1c7fb8f2084cd13fa7fded01a76468be702f5c4135d256b125d46ce1c8d05.exe	27
PID 1292 wrote to memory of 1288	1292	7bb1c7fb8f2084cd13fa7fded01a76468be702f5c4135d256b125d46ce1c8d05.exe	27
PID 1288 wrote to memory of 472	1288	qocoyil.exe	28
PID 1288 wrote to memory of 472	1288	qocoyil.exe	28
PID 1288 wrote to memory of 472	1288	qocoyil.exe	28
PID 1288 wrote to memory of 472	1288	qocoyil.exe	28
PID 1292 wrote to memory of 1532	1292	7bb1c7fb8f2084cd13fa7fded01a76468be702f5c4135d256b125d46ce1c8d05.exe	29
PID 1292 wrote to memory of 1532	1292	7bb1c7fb8f2084cd13fa7fded01a76468be702f5c4135d256b125d46ce1c8d05.exe	29
PID 1292 wrote to memory of 1532	1292	7bb1c7fb8f2084cd13fa7fded01a76468be702f5c4135d256b125d46ce1c8d05.exe	29
PID 1292 wrote to memory of 1532	1292	7bb1c7fb8f2084cd13fa7fded01a76468be702f5c4135d256b125d46ce1c8d05.exe	29
PID 472 wrote to memory of 1520	472	~DFA57.tmp	31
PID 472 wrote to memory of 1520	472	~DFA57.tmp	31
PID 472 wrote to memory of 1520	472	~DFA57.tmp	31
PID 472 wrote to memory of 1520	472	~DFA57.tmp	31

C:\Users\Admin\AppData\Local\Temp\7bb1c7fb8f2084cd13fa7fded01a76468be702f5c4135d256b125d46ce1c8d05.exe
"C:\Users\Admin\AppData\Local\Temp\7bb1c7fb8f2084cd13fa7fded01a76468be702f5c4135d256b125d46ce1c8d05.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1292
- C:\Users\Admin\AppData\Local\Temp\qocoyil.exe
  C:\Users\Admin\AppData\Local\Temp\qocoyil.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1288
- - C:\Users\Admin\AppData\Local\Temp\~DFA57.tmp
    C:\Users\Admin\AppData\Local\Temp\~DFA57.tmp OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:472
  - - C:\Users\Admin\AppData\Local\Temp\tehydil.exe
      "C:\Users\Admin\AppData\Local\Temp\tehydil.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:1520
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
  2⤵
  - Deletes itself
  PID:1532

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uninsep.bat

Filesize
341B

MD5
412fc2afcb6036d4a8c81ea8a004774c

SHA1
423cadb538df1e5c8b4d281a35cf139e27d07061

SHA256
21791c52f50ba4710f42f7119b288057c8fd290bfea0de6fc522fc1da48b8d94

SHA512
7552beec3351d34d2c31bb550a8e7afbca4543976bc6c75a024ba9bb20ea95bbbdee112ff00f92944af9f7e569833a537f44c127019bcbd2112ab8bed79ef479

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
86bb2dbeaef655893262f3c041f6afe2

SHA1
1b26ff1241c1353bd506c18bd0c11878076ba65d

SHA256
4a57643d2c59d1235bc0926f845583f39345839e3e9428ad619eb4b6baf96ad2

SHA512
58294cfaa5882a4c5625c03fe6f9e4882912b31f7169241f95626745d66c0a746083a9044365943d66ae7a420113d28c0ddd642c4ed697c683deb63796a13d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
480B

MD5
722f78744623638a942a37dfa8ccb0dc

SHA1
68f1a450cd29e37da7c87a97817d0d515ac9b3cf

SHA256
572be3b8ec7792e1510113595061fc3070663ebafcff6842d0bcc9921e6ac805

SHA512
2ffc9c0dc5e64f13924bfe789daf234c56e155492619a3194fb11d353b0a13b101d5a0395074275321688e0fa0c6af9c1f8dbca90c636db50871441de9e8968c

Download Submit
C:\Users\Admin\AppData\Local\Temp\qocoyil.exe

Filesize
662KB

MD5
288260fb6104a6a31bdfc95c29491949

SHA1
5c93d870c5c1d1d81f31eec8c14431064c3bd36c

SHA256
edc8897da6729c6a2cdeeaa806b69711397e05072206e769024cff0087732f31

SHA512
565f6d79b57732c93818ec232177860c9da5ed0243e071a097d8196e296f0f2f820413e9b0d6be556b06db0f5522e13d75b89d2c5544189e2031b3a8310657d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\qocoyil.exe

Filesize
662KB

MD5
288260fb6104a6a31bdfc95c29491949

SHA1
5c93d870c5c1d1d81f31eec8c14431064c3bd36c

SHA256
edc8897da6729c6a2cdeeaa806b69711397e05072206e769024cff0087732f31

SHA512
565f6d79b57732c93818ec232177860c9da5ed0243e071a097d8196e296f0f2f820413e9b0d6be556b06db0f5522e13d75b89d2c5544189e2031b3a8310657d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tehydil.exe

Filesize
392KB

MD5
17c986756b2dbdd157de36c863654d83

SHA1
bee2baa83f0cc39fcb0472bea05940970338dea0

SHA256
aa69f1b528f2c7a62946a9b06eb88e7ce0eaab499d799e32142b8660753d170d

SHA512
ed175d4ba96c37cc06f701c77278c23bb1aee52b356a0a68b167b9807a97255d1a945748a9bca1cd5c588938fc51dfc59fd685f414605a0953bd7a5ebdb33647

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA57.tmp

Filesize
670KB

MD5
9582b97f7762a2f0cc092850d70027b4

SHA1
81e16392e6baff4afd25dde1ff9c5a859bd76cfe

SHA256
ee184e1a27b4766de860460bec30df22f1b9e6c5a6109dd4dc40129005ea6bee

SHA512
b77c735ad96312dc549f4d198c63db517c310d023eb161b0b4bfbfb02d402c2f7ac04d57eccfc88b3f77692b486f2deadf5f796a2c3c37ad6065c7bae33d3dd2

Download Submit
\Users\Admin\AppData\Local\Temp\qocoyil.exe

Filesize
662KB

MD5
288260fb6104a6a31bdfc95c29491949

SHA1
5c93d870c5c1d1d81f31eec8c14431064c3bd36c

SHA256
edc8897da6729c6a2cdeeaa806b69711397e05072206e769024cff0087732f31

SHA512
565f6d79b57732c93818ec232177860c9da5ed0243e071a097d8196e296f0f2f820413e9b0d6be556b06db0f5522e13d75b89d2c5544189e2031b3a8310657d8

Download Submit
\Users\Admin\AppData\Local\Temp\tehydil.exe

Filesize
392KB

MD5
17c986756b2dbdd157de36c863654d83

SHA1
bee2baa83f0cc39fcb0472bea05940970338dea0

SHA256
aa69f1b528f2c7a62946a9b06eb88e7ce0eaab499d799e32142b8660753d170d

SHA512
ed175d4ba96c37cc06f701c77278c23bb1aee52b356a0a68b167b9807a97255d1a945748a9bca1cd5c588938fc51dfc59fd685f414605a0953bd7a5ebdb33647

Download Submit
\Users\Admin\AppData\Local\Temp\~DFA57.tmp

Filesize
670KB

MD5
9582b97f7762a2f0cc092850d70027b4

SHA1
81e16392e6baff4afd25dde1ff9c5a859bd76cfe

SHA256
ee184e1a27b4766de860460bec30df22f1b9e6c5a6109dd4dc40129005ea6bee

SHA512
b77c735ad96312dc549f4d198c63db517c310d023eb161b0b4bfbfb02d402c2f7ac04d57eccfc88b3f77692b486f2deadf5f796a2c3c37ad6065c7bae33d3dd2

Download Submit
memory/472-73-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/472-71-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/472-78-0x0000000003630000-0x000000000376E000-memory.dmp

Filesize
1.2MB

Download
memory/1288-70-0x0000000002C30000-0x0000000002D0E000-memory.dmp

Filesize
888KB

Download
memory/1288-72-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1288-69-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1292-67-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1292-54-0x00000000762E1000-0x00000000762E3000-memory.dmp

Filesize
8KB

Download
memory/1292-55-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1520-79-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download