9d348db48f08b45bd53cd358ca6477f92ca8742feae8fedd914171a6f1c82e17

Analysis

max time kernel
192s
max time network
140s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 21:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9d348db48f08b45bd53cd358ca6477f92ca8742feae8fedd914171a6f1c82e17.exe
Size

599KB
MD5

4f4b7526252b7b78dc29e3bcf0f48c50
SHA1

b6c68f1a1671401e0e3fcb3198f408feee12f961
SHA256

9d348db48f08b45bd53cd358ca6477f92ca8742feae8fedd914171a6f1c82e17
SHA512

91c4c137cc606ea1b907f56bca6dfb4f49ca0743da58fa73f2814d21ffb51de20c475eb90cbe523fe3bb2ebed9947dd113118ec8b43c1207a9cbee716728a4fa
SSDEEP

12288:VHjcoe9PH96vB/fAuBcm9TyOE/xG3muGx44MG4Yx:VDgINfAuBcgcZG2uG24MG4Y

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

gouxzay.exe~DFA90.tmpgenosoo.exe

pid process

1940 gouxzay.exe
984 ~DFA90.tmp
1644 genosoo.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

908 cmd.exe
Loads dropped DLL 3 IoCs

Processes:

9d348db48f08b45bd53cd358ca6477f92ca8742feae8fedd914171a6f1c82e17.exegouxzay.exe~DFA90.tmp

pid process

1880 9d348db48f08b45bd53cd358ca6477f92ca8742feae8fedd914171a6f1c82e17.exe
1940 gouxzay.exe
984 ~DFA90.tmp
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1940	gouxzay.exe
984	~DFA90.tmp
1644	genosoo.exe

pid	process
908	cmd.exe

pid	process
1880	9d348db48f08b45bd53cd358ca6477f92ca8742feae8fedd914171a6f1c82e17.exe
1940	gouxzay.exe
984	~DFA90.tmp

Suspicious behavior: EnumeratesProcesses 15 IoCs

Processes:

genosoo.exe

pid	process
1644	genosoo.exe
1644	genosoo.exe
1644	genosoo.exe
1644	genosoo.exe
1644	genosoo.exe
1644	genosoo.exe
1644	genosoo.exe
1644	genosoo.exe
1644	genosoo.exe
1644	genosoo.exe
1644	genosoo.exe
1644	genosoo.exe
1644	genosoo.exe
1644	genosoo.exe
1644	genosoo.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

~DFA90.tmp

description pid process

Token: SeDebugPrivilege 984 ~DFA90.tmp

description	pid	process
Token: SeDebugPrivilege	984	~DFA90.tmp

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

9d348db48f08b45bd53cd358ca6477f92ca8742feae8fedd914171a6f1c82e17.exegouxzay.exe~DFA90.tmp

description	pid	process	target process
PID 1880 wrote to memory of 1940	1880	9d348db48f08b45bd53cd358ca6477f92ca8742feae8fedd914171a6f1c82e17.exe	gouxzay.exe
PID 1880 wrote to memory of 1940	1880	9d348db48f08b45bd53cd358ca6477f92ca8742feae8fedd914171a6f1c82e17.exe	gouxzay.exe
PID 1880 wrote to memory of 1940	1880	9d348db48f08b45bd53cd358ca6477f92ca8742feae8fedd914171a6f1c82e17.exe	gouxzay.exe
PID 1880 wrote to memory of 1940	1880	9d348db48f08b45bd53cd358ca6477f92ca8742feae8fedd914171a6f1c82e17.exe	gouxzay.exe
PID 1940 wrote to memory of 984	1940	gouxzay.exe	~DFA90.tmp
PID 1940 wrote to memory of 984	1940	gouxzay.exe	~DFA90.tmp
PID 1940 wrote to memory of 984	1940	gouxzay.exe	~DFA90.tmp
PID 1940 wrote to memory of 984	1940	gouxzay.exe	~DFA90.tmp
PID 1880 wrote to memory of 908	1880	9d348db48f08b45bd53cd358ca6477f92ca8742feae8fedd914171a6f1c82e17.exe	cmd.exe
PID 1880 wrote to memory of 908	1880	9d348db48f08b45bd53cd358ca6477f92ca8742feae8fedd914171a6f1c82e17.exe	cmd.exe
PID 1880 wrote to memory of 908	1880	9d348db48f08b45bd53cd358ca6477f92ca8742feae8fedd914171a6f1c82e17.exe	cmd.exe
PID 1880 wrote to memory of 908	1880	9d348db48f08b45bd53cd358ca6477f92ca8742feae8fedd914171a6f1c82e17.exe	cmd.exe
PID 984 wrote to memory of 1644	984	~DFA90.tmp	genosoo.exe
PID 984 wrote to memory of 1644	984	~DFA90.tmp	genosoo.exe
PID 984 wrote to memory of 1644	984	~DFA90.tmp	genosoo.exe
PID 984 wrote to memory of 1644	984	~DFA90.tmp	genosoo.exe

C:\Users\Admin\AppData\Local\Temp\9d348db48f08b45bd53cd358ca6477f92ca8742feae8fedd914171a6f1c82e17.exe
"C:\Users\Admin\AppData\Local\Temp\9d348db48f08b45bd53cd358ca6477f92ca8742feae8fedd914171a6f1c82e17.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1880

C:\Users\Admin\AppData\Local\Temp\gouxzay.exe
C:\Users\Admin\AppData\Local\Temp\gouxzay.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1940

C:\Users\Admin\AppData\Local\Temp\~DFA90.tmp
C:\Users\Admin\AppData\Local\Temp\~DFA90.tmp OK
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:984

C:\Users\Admin\AppData\Local\Temp\genosoo.exe
"C:\Users\Admin\AppData\Local\Temp\genosoo.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1644

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
2⤵
- Deletes itself
PID:908

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uninsep.bat
Filesize
341B

MD5
f075600f4d8a6af038d8151ae73bcd19

SHA1
ae2ce03ed38ae53e1f83d4fefea5a946224993e1

SHA256
caa77250f79375aa9114d013c6f207decdb33f666f20d1c86be770c093a8a1ea

SHA512
f48eecec864e903f4d31bb5d75cb5f89baf235d0fc73727be40ec801e402d250cacde4c28239fb6852eebc071a409c26a5e16527b09ae5be6463cdc732fdb8c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini
Filesize
104B

MD5
86bb2dbeaef655893262f3c041f6afe2

SHA1
1b26ff1241c1353bd506c18bd0c11878076ba65d

SHA256
4a57643d2c59d1235bc0926f845583f39345839e3e9428ad619eb4b6baf96ad2

SHA512
58294cfaa5882a4c5625c03fe6f9e4882912b31f7169241f95626745d66c0a746083a9044365943d66ae7a420113d28c0ddd642c4ed697c683deb63796a13d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\genosoo.exe
Filesize
387KB

MD5
06e33852205548c0dfc473b40b1d8c39

SHA1
ab350b851211f2945ad047e577df6fab5ae92f7a

SHA256
99a777636121c0a2bd5d219c32f90a2c8c261ead479c0786d4485d382e0034b0

SHA512
c019af48005e6275db8cf95a20a12b80d60e3be481980e04ef9a3df14f65cda913c8288cdc48eff7feb083be0e2ec8bda0ae2aa79cf24ed8b38b46df42033d00

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
Filesize
480B

MD5
ed5e33df325fb753f8fb752700447f0b

SHA1
eebbaf72d0dcb75196ee6b0e02c55fdbad72c4d4

SHA256
350240192e5c5460dfa41e0d57893a682ebe97de7681c9c961318fb84ea1699f

SHA512
7ccee4014b97207ad5508d17784dafdeab4dd985e25d750ebab0f2c60598f3e71c2f8c30fe7e7f04c136f791f2cb8852f05fa3894c5cf4ae3c17c43c544fbcc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\gouxzay.exe
Filesize
602KB

MD5
3681379b50370e926817a2b8f6c4687e

SHA1
267f7f8c9ea10536b912601c4447e31f9d16a187

SHA256
d37beed4b866b55dce87048aa26b907d52e508f5c5e6a07516117e955ef3c805

SHA512
fc9d2c05b37964150798915be195129d8b972abc569750493864941b70cee7bbc47c2c31466eac09ff25a503731cf16d7e0638556d8367001288a466f8eef9d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\gouxzay.exe
Filesize
602KB

MD5
3681379b50370e926817a2b8f6c4687e

SHA1
267f7f8c9ea10536b912601c4447e31f9d16a187

SHA256
d37beed4b866b55dce87048aa26b907d52e508f5c5e6a07516117e955ef3c805

SHA512
fc9d2c05b37964150798915be195129d8b972abc569750493864941b70cee7bbc47c2c31466eac09ff25a503731cf16d7e0638556d8367001288a466f8eef9d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA90.tmp
Filesize
607KB

MD5
b83a6eaa6e45e6621bb31049871b36fe

SHA1
123ead8c2e946f046822dd27a6c68b5b889b4cd9

SHA256
1acb85a2c8fad1f3aa41c80a03f02d755eba7d593541d752f84457390df8548e

SHA512
d535ccc584b56f954c8f509a19607b18d9580255813113f7626c32d1a86733b11040f6a5fc909437164783ac7b8fe44610a63a306f9f82316086375c2bd4af81

Download Submit
\Users\Admin\AppData\Local\Temp\genosoo.exe
Filesize
387KB

MD5
06e33852205548c0dfc473b40b1d8c39

SHA1
ab350b851211f2945ad047e577df6fab5ae92f7a

SHA256
99a777636121c0a2bd5d219c32f90a2c8c261ead479c0786d4485d382e0034b0

SHA512
c019af48005e6275db8cf95a20a12b80d60e3be481980e04ef9a3df14f65cda913c8288cdc48eff7feb083be0e2ec8bda0ae2aa79cf24ed8b38b46df42033d00

Download Submit
\Users\Admin\AppData\Local\Temp\gouxzay.exe
Filesize
602KB

MD5
3681379b50370e926817a2b8f6c4687e

SHA1
267f7f8c9ea10536b912601c4447e31f9d16a187

SHA256
d37beed4b866b55dce87048aa26b907d52e508f5c5e6a07516117e955ef3c805

SHA512
fc9d2c05b37964150798915be195129d8b972abc569750493864941b70cee7bbc47c2c31466eac09ff25a503731cf16d7e0638556d8367001288a466f8eef9d6

Download Submit
\Users\Admin\AppData\Local\Temp\~DFA90.tmp
Filesize
607KB

MD5
b83a6eaa6e45e6621bb31049871b36fe

SHA1
123ead8c2e946f046822dd27a6c68b5b889b4cd9

SHA256
1acb85a2c8fad1f3aa41c80a03f02d755eba7d593541d752f84457390df8548e

SHA512
d535ccc584b56f954c8f509a19607b18d9580255813113f7626c32d1a86733b11040f6a5fc909437164783ac7b8fe44610a63a306f9f82316086375c2bd4af81

Download Submit
memory/908-69-0x0000000000000000-mapping.dmp

Download
memory/984-66-0x0000000000000000-mapping.dmp

Download
memory/984-73-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/984-78-0x00000000038B0000-0x00000000039EE000-memory.dmp

Filesize
1.2MB

Download
memory/984-74-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1644-79-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/1644-76-0x0000000000000000-mapping.dmp

Download
memory/1880-62-0x0000000001DB0000-0x0000000001E8E000-memory.dmp

Filesize
888KB

Download
memory/1880-54-0x0000000075571000-0x0000000075573000-memory.dmp

Filesize
8KB

Download
memory/1880-56-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1880-70-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1880-55-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1940-72-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1940-58-0x0000000000000000-mapping.dmp

Download
memory/1940-63-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download