a6f488af5be85b0b332e075c1cf94bc908188b5f8cc9da5178f204789faff994

Analysis

max time kernel
187s
max time network
113s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 21:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a6f488af5be85b0b332e075c1cf94bc908188b5f8cc9da5178f204789faff994.exe
Size

556KB
MD5

52e60667b34d1db6735181e263b7aa20
SHA1

4c8ee87efc4548e14b9709d25cd2d54e8ee623cb
SHA256

a6f488af5be85b0b332e075c1cf94bc908188b5f8cc9da5178f204789faff994
SHA512

414a1a8dbdfdade2e539b1505bd44864b226eb27a07efe2e7c4cda1d82c259941561d690d962ad25450587e44d9ed0d9dfb7db60b3c1bcae0cbc0d30316cda74
SSDEEP

12288:VHjcoe9PH96vB/fAuBcm9TyOE/xG3muGx44MG4Yx:VDgINfAuBcgcZG2uG24MG4Y

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

oqtovop.exe~DFA7E.tmptywopop.exe

pid process

2012 oqtovop.exe
520 ~DFA7E.tmp
1668 tywopop.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1428 cmd.exe
Loads dropped DLL 3 IoCs

Processes:

a6f488af5be85b0b332e075c1cf94bc908188b5f8cc9da5178f204789faff994.exeoqtovop.exe~DFA7E.tmp

pid process

1724 a6f488af5be85b0b332e075c1cf94bc908188b5f8cc9da5178f204789faff994.exe
2012 oqtovop.exe
520 ~DFA7E.tmp
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
2012	oqtovop.exe
520	~DFA7E.tmp
1668	tywopop.exe

pid	process
1428	cmd.exe

pid	process
1724	a6f488af5be85b0b332e075c1cf94bc908188b5f8cc9da5178f204789faff994.exe
2012	oqtovop.exe
520	~DFA7E.tmp

Suspicious behavior: EnumeratesProcesses 19 IoCs

Processes:

tywopop.exe

pid	process
1668	tywopop.exe
1668	tywopop.exe
1668	tywopop.exe
1668	tywopop.exe
1668	tywopop.exe
1668	tywopop.exe
1668	tywopop.exe
1668	tywopop.exe
1668	tywopop.exe
1668	tywopop.exe
1668	tywopop.exe
1668	tywopop.exe
1668	tywopop.exe
1668	tywopop.exe
1668	tywopop.exe
1668	tywopop.exe
1668	tywopop.exe
1668	tywopop.exe
1668	tywopop.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

~DFA7E.tmp

description pid process

Token: SeDebugPrivilege 520 ~DFA7E.tmp

description	pid	process
Token: SeDebugPrivilege	520	~DFA7E.tmp

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

a6f488af5be85b0b332e075c1cf94bc908188b5f8cc9da5178f204789faff994.exeoqtovop.exe~DFA7E.tmp

description	pid	process	target process
PID 1724 wrote to memory of 2012	1724	a6f488af5be85b0b332e075c1cf94bc908188b5f8cc9da5178f204789faff994.exe	oqtovop.exe
PID 1724 wrote to memory of 2012	1724	a6f488af5be85b0b332e075c1cf94bc908188b5f8cc9da5178f204789faff994.exe	oqtovop.exe
PID 1724 wrote to memory of 2012	1724	a6f488af5be85b0b332e075c1cf94bc908188b5f8cc9da5178f204789faff994.exe	oqtovop.exe
PID 1724 wrote to memory of 2012	1724	a6f488af5be85b0b332e075c1cf94bc908188b5f8cc9da5178f204789faff994.exe	oqtovop.exe
PID 2012 wrote to memory of 520	2012	oqtovop.exe	~DFA7E.tmp
PID 2012 wrote to memory of 520	2012	oqtovop.exe	~DFA7E.tmp
PID 2012 wrote to memory of 520	2012	oqtovop.exe	~DFA7E.tmp
PID 2012 wrote to memory of 520	2012	oqtovop.exe	~DFA7E.tmp
PID 1724 wrote to memory of 1428	1724	a6f488af5be85b0b332e075c1cf94bc908188b5f8cc9da5178f204789faff994.exe	cmd.exe
PID 1724 wrote to memory of 1428	1724	a6f488af5be85b0b332e075c1cf94bc908188b5f8cc9da5178f204789faff994.exe	cmd.exe
PID 1724 wrote to memory of 1428	1724	a6f488af5be85b0b332e075c1cf94bc908188b5f8cc9da5178f204789faff994.exe	cmd.exe
PID 1724 wrote to memory of 1428	1724	a6f488af5be85b0b332e075c1cf94bc908188b5f8cc9da5178f204789faff994.exe	cmd.exe
PID 520 wrote to memory of 1668	520	~DFA7E.tmp	tywopop.exe
PID 520 wrote to memory of 1668	520	~DFA7E.tmp	tywopop.exe
PID 520 wrote to memory of 1668	520	~DFA7E.tmp	tywopop.exe
PID 520 wrote to memory of 1668	520	~DFA7E.tmp	tywopop.exe

C:\Users\Admin\AppData\Local\Temp\a6f488af5be85b0b332e075c1cf94bc908188b5f8cc9da5178f204789faff994.exe
"C:\Users\Admin\AppData\Local\Temp\a6f488af5be85b0b332e075c1cf94bc908188b5f8cc9da5178f204789faff994.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1724
- C:\Users\Admin\AppData\Local\Temp\oqtovop.exe
  C:\Users\Admin\AppData\Local\Temp\oqtovop.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2012
- - C:\Users\Admin\AppData\Local\Temp\~DFA7E.tmp
    C:\Users\Admin\AppData\Local\Temp\~DFA7E.tmp OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:520
  - - C:\Users\Admin\AppData\Local\Temp\tywopop.exe
      "C:\Users\Admin\AppData\Local\Temp\tywopop.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:1668
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
  2⤵
  - Deletes itself
  PID:1428

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uninsep.bat

Filesize
341B

MD5
acb5b02012f2c1aee5a95e2dd74038e0

SHA1
2b8947533e3fe1abd6859ac4ef837e66f2b282a4

SHA256
d153b40bd946e276d006a6fdf8de1f39ddf23a59b5be48a7baa125e1a3e03186

SHA512
d694b14e8d2766cbe04e85bb15965ea652d299731834be8adfcc0ae4b642fee17fb9169982191e3ee719609abf6b687759f761e4d7a256b10791b15c50b23338

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
86bb2dbeaef655893262f3c041f6afe2

SHA1
1b26ff1241c1353bd506c18bd0c11878076ba65d

SHA256
4a57643d2c59d1235bc0926f845583f39345839e3e9428ad619eb4b6baf96ad2

SHA512
58294cfaa5882a4c5625c03fe6f9e4882912b31f7169241f95626745d66c0a746083a9044365943d66ae7a420113d28c0ddd642c4ed697c683deb63796a13d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
480B

MD5
af84a7bf5649553c12458061cfddad6b

SHA1
935e6b95815e8c9a46d36feae191c0e4db79d2de

SHA256
d85ba0a91c4edce209af2ad9360ffb30765e135eb8e2c484c7193bb39e92d6a9

SHA512
284b2b33d6273a301fa0c1df15a480af41d4351b4d3ed9f85a937efd61acb0e7410cdbf94e65e6d136f88890352f49253a41b2e5851895254b98e0389005e1a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\oqtovop.exe

Filesize
562KB

MD5
41f8493595330f621fed4e9da7f080aa

SHA1
7a1895adf1c3002b98cf22c9ab25840d4a4b5fde

SHA256
05f7e120f32cfd478fc6ee90a2a58db03027969a57a1897c2fd73e834080fd6d

SHA512
2531202f7b4871c4698a081e639ebe05fb7dcabb35cc4038df95788ead2ce82f2f9b9116324c5c0a4280920bbde8984f5f5739a46e4f474c15a41653fc4163dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\oqtovop.exe

Filesize
562KB

MD5
41f8493595330f621fed4e9da7f080aa

SHA1
7a1895adf1c3002b98cf22c9ab25840d4a4b5fde

SHA256
05f7e120f32cfd478fc6ee90a2a58db03027969a57a1897c2fd73e834080fd6d

SHA512
2531202f7b4871c4698a081e639ebe05fb7dcabb35cc4038df95788ead2ce82f2f9b9116324c5c0a4280920bbde8984f5f5739a46e4f474c15a41653fc4163dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\tywopop.exe

Filesize
403KB

MD5
bd0a297b8489cf98f06a12ad0231ed34

SHA1
255d32b9b0fc418200dd1361a1729f768f3fcd54

SHA256
9c2105c64f907065b19c2b31a2c5b393daccfa54d1d7398b31ca8ec5a4a3a17e

SHA512
0513d41eb9ed324d5a1bce21abd95cf01d13a8af4846e76cddedb1f152f4dafaf7ae487d0e0d6538facb331f569f0ca82600f77f258b3414082e6e10fab01982

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA7E.tmp

Filesize
569KB

MD5
349cec268f9b1c8a9f4fe504f6946424

SHA1
e9b06056fcf97c1f43a91f729c7b01375a3c9c53

SHA256
c3404bee7174aaf8ca8f53ea0a65541beea29bd4e14ee16aead0596b3d744678

SHA512
4a4c3f17232ef0628877521553f7bad16c63325735fa569f90405760b0a69cb33500d051d918e85ffe9b70c4c0bf6a3c92067d4f453db5365542d863bd15743b

Download Submit
\Users\Admin\AppData\Local\Temp\oqtovop.exe

Filesize
562KB

MD5
41f8493595330f621fed4e9da7f080aa

SHA1
7a1895adf1c3002b98cf22c9ab25840d4a4b5fde

SHA256
05f7e120f32cfd478fc6ee90a2a58db03027969a57a1897c2fd73e834080fd6d

SHA512
2531202f7b4871c4698a081e639ebe05fb7dcabb35cc4038df95788ead2ce82f2f9b9116324c5c0a4280920bbde8984f5f5739a46e4f474c15a41653fc4163dd

Download Submit
\Users\Admin\AppData\Local\Temp\tywopop.exe

Filesize
403KB

MD5
bd0a297b8489cf98f06a12ad0231ed34

SHA1
255d32b9b0fc418200dd1361a1729f768f3fcd54

SHA256
9c2105c64f907065b19c2b31a2c5b393daccfa54d1d7398b31ca8ec5a4a3a17e

SHA512
0513d41eb9ed324d5a1bce21abd95cf01d13a8af4846e76cddedb1f152f4dafaf7ae487d0e0d6538facb331f569f0ca82600f77f258b3414082e6e10fab01982

Download Submit
\Users\Admin\AppData\Local\Temp\~DFA7E.tmp

Filesize
569KB

MD5
349cec268f9b1c8a9f4fe504f6946424

SHA1
e9b06056fcf97c1f43a91f729c7b01375a3c9c53

SHA256
c3404bee7174aaf8ca8f53ea0a65541beea29bd4e14ee16aead0596b3d744678

SHA512
4a4c3f17232ef0628877521553f7bad16c63325735fa569f90405760b0a69cb33500d051d918e85ffe9b70c4c0bf6a3c92067d4f453db5365542d863bd15743b

Download Submit
memory/520-73-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/520-65-0x0000000000000000-mapping.dmp

Download
memory/520-78-0x0000000003740000-0x000000000387E000-memory.dmp

Filesize
1.2MB

Download
memory/520-72-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1428-67-0x0000000000000000-mapping.dmp

Download
memory/1668-79-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/1668-75-0x0000000000000000-mapping.dmp

Download
memory/1724-54-0x0000000076691000-0x0000000076693000-memory.dmp

Filesize
8KB

Download
memory/1724-62-0x0000000001EE0000-0x0000000001FBE000-memory.dmp

Filesize
888KB

Download
memory/1724-55-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1724-69-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/2012-71-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/2012-57-0x0000000000000000-mapping.dmp

Download
memory/2012-63-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download