449cb979efa73e691af14af49709c62352b850cf0c721149459b376d83bb31d0

Analysis

max time kernel
150s
max time network
73s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
07/11/2022, 06:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

449cb979efa73e691af14af49709c62352b850cf0c721149459b376d83bb31d0.exe
Size

664KB
MD5

010ed462673f69bf7693a833210d7550
SHA1

ed1690f6608d86001e157fe312ab0d1a3363387e
SHA256

449cb979efa73e691af14af49709c62352b850cf0c721149459b376d83bb31d0
SHA512

502ff5cf9f2ab1e4e9c552c5948026c4711a01a16f1559dd6b5c059602f2ed72c335d02a6d7e35ec315da7f9764b67f3333ea5d7ff3a68ac85781b974375328b
SSDEEP

12288:VHjcoe9PH96vB/fAuBcm9TyOE/xG3muGx44MG4Yx:VDgINfAuBcgcZG2uG24MG4Y

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1688	fyxynue.exe
296	~DFA54.tmp
1672	upqynue.exe

Deletes itself 1 IoCs

pid	Process
576	cmd.exe

Loads dropped DLL 3 IoCs

pid	Process
1468	449cb979efa73e691af14af49709c62352b850cf0c721149459b376d83bb31d0.exe
1688	fyxynue.exe
296	~DFA54.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
1672	upqynue.exe
1672	upqynue.exe
1672	upqynue.exe
1672	upqynue.exe
1672	upqynue.exe
1672	upqynue.exe
1672	upqynue.exe
1672	upqynue.exe
1672	upqynue.exe
1672	upqynue.exe
1672	upqynue.exe
1672	upqynue.exe
1672	upqynue.exe
1672	upqynue.exe
1672	upqynue.exe
1672	upqynue.exe
1672	upqynue.exe
1672	upqynue.exe
1672	upqynue.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	296	~DFA54.tmp

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1468 wrote to memory of 1688	1468	449cb979efa73e691af14af49709c62352b850cf0c721149459b376d83bb31d0.exe	27
PID 1468 wrote to memory of 1688	1468	449cb979efa73e691af14af49709c62352b850cf0c721149459b376d83bb31d0.exe	27
PID 1468 wrote to memory of 1688	1468	449cb979efa73e691af14af49709c62352b850cf0c721149459b376d83bb31d0.exe	27
PID 1468 wrote to memory of 1688	1468	449cb979efa73e691af14af49709c62352b850cf0c721149459b376d83bb31d0.exe	27
PID 1688 wrote to memory of 296	1688	fyxynue.exe	30
PID 1688 wrote to memory of 296	1688	fyxynue.exe	30
PID 1688 wrote to memory of 296	1688	fyxynue.exe	30
PID 1688 wrote to memory of 296	1688	fyxynue.exe	30
PID 1468 wrote to memory of 576	1468	449cb979efa73e691af14af49709c62352b850cf0c721149459b376d83bb31d0.exe	28
PID 1468 wrote to memory of 576	1468	449cb979efa73e691af14af49709c62352b850cf0c721149459b376d83bb31d0.exe	28
PID 1468 wrote to memory of 576	1468	449cb979efa73e691af14af49709c62352b850cf0c721149459b376d83bb31d0.exe	28
PID 1468 wrote to memory of 576	1468	449cb979efa73e691af14af49709c62352b850cf0c721149459b376d83bb31d0.exe	28
PID 296 wrote to memory of 1672	296	~DFA54.tmp	31
PID 296 wrote to memory of 1672	296	~DFA54.tmp	31
PID 296 wrote to memory of 1672	296	~DFA54.tmp	31
PID 296 wrote to memory of 1672	296	~DFA54.tmp	31

C:\Users\Admin\AppData\Local\Temp\449cb979efa73e691af14af49709c62352b850cf0c721149459b376d83bb31d0.exe
"C:\Users\Admin\AppData\Local\Temp\449cb979efa73e691af14af49709c62352b850cf0c721149459b376d83bb31d0.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1468
- C:\Users\Admin\AppData\Local\Temp\fyxynue.exe
  C:\Users\Admin\AppData\Local\Temp\fyxynue.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1688
- - C:\Users\Admin\AppData\Local\Temp\~DFA54.tmp
    C:\Users\Admin\AppData\Local\Temp\~DFA54.tmp OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:296
  - - C:\Users\Admin\AppData\Local\Temp\upqynue.exe
      "C:\Users\Admin\AppData\Local\Temp\upqynue.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:1672
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
  2⤵
  - Deletes itself
  PID:576

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uninsep.bat

Filesize
341B

MD5
e7954d4564f1d5181d26be081cee02c4

SHA1
e8541feb52643a87859620044ca383343890e141

SHA256
f58422bce416726462a51671a753a4cac9a03e1d9f70788a6453cf9abba0b0c0

SHA512
3c54d0037e4114533783b81819708e8095a4dc24ce1956d2244694d2f73df2001f3a928022617f3431a194e79c5190914812303866bca24238fe83d1018fa197

Download Submit
C:\Users\Admin\AppData\Local\Temp\fyxynue.exe

Filesize
667KB

MD5
427a35df787d628e5edaff1b9ae8b45a

SHA1
2ba133bc4c4571104305d97472b3e043dfe23ceb

SHA256
4bfcb7aa6a56dff4828ece414d61139b921e7b5d9268872ccd9368dd512bed11

SHA512
9af0f1131f0f2e763ecf19c7a1e23649c119c2fdf7beb8688279dbc62ddb1b42d5ac7abc42f640cc9e23dd21538837e05756eda62bde18f42127e11d7636e228

Download Submit
C:\Users\Admin\AppData\Local\Temp\fyxynue.exe

Filesize
667KB

MD5
427a35df787d628e5edaff1b9ae8b45a

SHA1
2ba133bc4c4571104305d97472b3e043dfe23ceb

SHA256
4bfcb7aa6a56dff4828ece414d61139b921e7b5d9268872ccd9368dd512bed11

SHA512
9af0f1131f0f2e763ecf19c7a1e23649c119c2fdf7beb8688279dbc62ddb1b42d5ac7abc42f640cc9e23dd21538837e05756eda62bde18f42127e11d7636e228

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
86bb2dbeaef655893262f3c041f6afe2

SHA1
1b26ff1241c1353bd506c18bd0c11878076ba65d

SHA256
4a57643d2c59d1235bc0926f845583f39345839e3e9428ad619eb4b6baf96ad2

SHA512
58294cfaa5882a4c5625c03fe6f9e4882912b31f7169241f95626745d66c0a746083a9044365943d66ae7a420113d28c0ddd642c4ed697c683deb63796a13d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
480B

MD5
784b2ff77731004e67ece75a5a77b6be

SHA1
e233a98b5d857282b7203b7864a62c87c9891337

SHA256
42f74d0979351045b57d5e168a5268b403bcb404b812590fcc5b38f83a7fcd37

SHA512
2d1a67d61bcf6efba2b8ed4ad449fd3c86d5194afbba965c067b56fb72d8610934bec9d454c3b82ceb77691a755073c4dd2b1baf5b3a652c62e6d0fde4a5cfef

Download Submit
C:\Users\Admin\AppData\Local\Temp\upqynue.exe

Filesize
397KB

MD5
c652d31d382e7dfb5e0bdc7c78ed3817

SHA1
62908c4c761b3aa686c3efdf3116b082940a1330

SHA256
6727ea4775389b9f98632c555f34973d82ebf8f5ee0dbfaa4d38e63a253c2484

SHA512
e2388f97b9fe28b065eed10cb62cd24ea3a24c9ae2edada1aa67f2ce9dc5f580d452da08049ce2912225d6730a2b5493c099501f4e1724d66de7b310c53d6ca4

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA54.tmp

Filesize
671KB

MD5
6d3aeb3b9ddbbc1e583ac9f259aeff6b

SHA1
c2c7e3c49cdeff62f7bb4cb2a506eac123722b4b

SHA256
55de7f0d60922e53097a19f6fbfd1aa27f5c551cb367b4228a3a47283230cb8e

SHA512
f43fbf81448dc8510e2adfe11a4a82f52b173980f31055e2bc0521f47fa734d5e5f0bd907aa4fedc729fd0147f6731911d920c9a46c332bb4be9ed0fb3bac0c7

Download Submit
\Users\Admin\AppData\Local\Temp\fyxynue.exe

Filesize
667KB

MD5
427a35df787d628e5edaff1b9ae8b45a

SHA1
2ba133bc4c4571104305d97472b3e043dfe23ceb

SHA256
4bfcb7aa6a56dff4828ece414d61139b921e7b5d9268872ccd9368dd512bed11

SHA512
9af0f1131f0f2e763ecf19c7a1e23649c119c2fdf7beb8688279dbc62ddb1b42d5ac7abc42f640cc9e23dd21538837e05756eda62bde18f42127e11d7636e228

Download Submit
\Users\Admin\AppData\Local\Temp\upqynue.exe

Filesize
397KB

MD5
c652d31d382e7dfb5e0bdc7c78ed3817

SHA1
62908c4c761b3aa686c3efdf3116b082940a1330

SHA256
6727ea4775389b9f98632c555f34973d82ebf8f5ee0dbfaa4d38e63a253c2484

SHA512
e2388f97b9fe28b065eed10cb62cd24ea3a24c9ae2edada1aa67f2ce9dc5f580d452da08049ce2912225d6730a2b5493c099501f4e1724d66de7b310c53d6ca4

Download Submit
\Users\Admin\AppData\Local\Temp\~DFA54.tmp

Filesize
671KB

MD5
6d3aeb3b9ddbbc1e583ac9f259aeff6b

SHA1
c2c7e3c49cdeff62f7bb4cb2a506eac123722b4b

SHA256
55de7f0d60922e53097a19f6fbfd1aa27f5c551cb367b4228a3a47283230cb8e

SHA512
f43fbf81448dc8510e2adfe11a4a82f52b173980f31055e2bc0521f47fa734d5e5f0bd907aa4fedc729fd0147f6731911d920c9a46c332bb4be9ed0fb3bac0c7

Download Submit
memory/296-71-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/296-78-0x0000000003550000-0x000000000368E000-memory.dmp

Filesize
1.2MB

Download
memory/296-73-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1468-66-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1468-69-0x0000000001E80000-0x0000000001F5E000-memory.dmp

Filesize
888KB

Download
memory/1468-55-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1468-54-0x0000000076BA1000-0x0000000076BA3000-memory.dmp

Filesize
8KB

Download
memory/1672-79-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/1688-72-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1688-70-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download