96fa4b8ebcc635d8103477f89720ccdd20165f80a21f996c4a5d63eacf819556

Analysis

max time kernel
152s
max time network
115s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 21:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

96fa4b8ebcc635d8103477f89720ccdd20165f80a21f996c4a5d63eacf819556.exe
Size

665KB
MD5

43ca547f881150b8e18d1676a16c1100
SHA1

09314465965e9c5af1722939f8d9dab4a13dae08
SHA256

96fa4b8ebcc635d8103477f89720ccdd20165f80a21f996c4a5d63eacf819556
SHA512

aff07796ce504f5c1f403016088350b66db8a9c69a76dee74da7b141b25cfb35cb6194e208cc3a5bcb8b4243714ad2984c08f8f36856ed5c9766a52adc399f91
SSDEEP

12288:VHjcoe9PH96vB/fAuBcm9TyOE/xG3muGx44MG4Yx:VDgINfAuBcgcZG2uG24MG4Y

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

luzuoxw.exe~DFA7C.tmpkoriibf.exe

pid process

1988 luzuoxw.exe
568 ~DFA7C.tmp
1512 koriibf.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1108 cmd.exe
Loads dropped DLL 3 IoCs

Processes:

96fa4b8ebcc635d8103477f89720ccdd20165f80a21f996c4a5d63eacf819556.exeluzuoxw.exe~DFA7C.tmp

pid process

2044 96fa4b8ebcc635d8103477f89720ccdd20165f80a21f996c4a5d63eacf819556.exe
1988 luzuoxw.exe
568 ~DFA7C.tmp
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1988	luzuoxw.exe
568	~DFA7C.tmp
1512	koriibf.exe

pid	process
1108	cmd.exe

pid	process
2044	96fa4b8ebcc635d8103477f89720ccdd20165f80a21f996c4a5d63eacf819556.exe
1988	luzuoxw.exe
568	~DFA7C.tmp

Suspicious behavior: EnumeratesProcesses 17 IoCs

Processes:

koriibf.exe

pid	process
1512	koriibf.exe
1512	koriibf.exe
1512	koriibf.exe
1512	koriibf.exe
1512	koriibf.exe
1512	koriibf.exe
1512	koriibf.exe
1512	koriibf.exe
1512	koriibf.exe
1512	koriibf.exe
1512	koriibf.exe
1512	koriibf.exe
1512	koriibf.exe
1512	koriibf.exe
1512	koriibf.exe
1512	koriibf.exe
1512	koriibf.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

~DFA7C.tmp

description pid process

Token: SeDebugPrivilege 568 ~DFA7C.tmp

description	pid	process
Token: SeDebugPrivilege	568	~DFA7C.tmp

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

96fa4b8ebcc635d8103477f89720ccdd20165f80a21f996c4a5d63eacf819556.exeluzuoxw.exe~DFA7C.tmp

description	pid	process	target process
PID 2044 wrote to memory of 1988	2044	96fa4b8ebcc635d8103477f89720ccdd20165f80a21f996c4a5d63eacf819556.exe	luzuoxw.exe
PID 2044 wrote to memory of 1988	2044	96fa4b8ebcc635d8103477f89720ccdd20165f80a21f996c4a5d63eacf819556.exe	luzuoxw.exe
PID 2044 wrote to memory of 1988	2044	96fa4b8ebcc635d8103477f89720ccdd20165f80a21f996c4a5d63eacf819556.exe	luzuoxw.exe
PID 2044 wrote to memory of 1988	2044	96fa4b8ebcc635d8103477f89720ccdd20165f80a21f996c4a5d63eacf819556.exe	luzuoxw.exe
PID 1988 wrote to memory of 568	1988	luzuoxw.exe	~DFA7C.tmp
PID 1988 wrote to memory of 568	1988	luzuoxw.exe	~DFA7C.tmp
PID 1988 wrote to memory of 568	1988	luzuoxw.exe	~DFA7C.tmp
PID 1988 wrote to memory of 568	1988	luzuoxw.exe	~DFA7C.tmp
PID 2044 wrote to memory of 1108	2044	96fa4b8ebcc635d8103477f89720ccdd20165f80a21f996c4a5d63eacf819556.exe	cmd.exe
PID 2044 wrote to memory of 1108	2044	96fa4b8ebcc635d8103477f89720ccdd20165f80a21f996c4a5d63eacf819556.exe	cmd.exe
PID 2044 wrote to memory of 1108	2044	96fa4b8ebcc635d8103477f89720ccdd20165f80a21f996c4a5d63eacf819556.exe	cmd.exe
PID 2044 wrote to memory of 1108	2044	96fa4b8ebcc635d8103477f89720ccdd20165f80a21f996c4a5d63eacf819556.exe	cmd.exe
PID 568 wrote to memory of 1512	568	~DFA7C.tmp	koriibf.exe
PID 568 wrote to memory of 1512	568	~DFA7C.tmp	koriibf.exe
PID 568 wrote to memory of 1512	568	~DFA7C.tmp	koriibf.exe
PID 568 wrote to memory of 1512	568	~DFA7C.tmp	koriibf.exe

C:\Users\Admin\AppData\Local\Temp\96fa4b8ebcc635d8103477f89720ccdd20165f80a21f996c4a5d63eacf819556.exe
"C:\Users\Admin\AppData\Local\Temp\96fa4b8ebcc635d8103477f89720ccdd20165f80a21f996c4a5d63eacf819556.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2044

C:\Users\Admin\AppData\Local\Temp\luzuoxw.exe
C:\Users\Admin\AppData\Local\Temp\luzuoxw.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1988

C:\Users\Admin\AppData\Local\Temp\~DFA7C.tmp
C:\Users\Admin\AppData\Local\Temp\~DFA7C.tmp OK
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:568

C:\Users\Admin\AppData\Local\Temp\koriibf.exe
"C:\Users\Admin\AppData\Local\Temp\koriibf.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1512

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
2⤵
- Deletes itself
PID:1108

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uninsep.bat
Filesize
341B

MD5
495d08835a4143b554073d082520e9e6

SHA1
3c32edc94fb1e54c4a3c1f4a5ea9e8b42a4f7937

SHA256
57f55c757c9dfb109b4c53471f00c968ba6cf5871c80ca3321f47de908bbe75c

SHA512
f20a5816595f2e42afe8dca319ef9a6b6ab32b625ebbdb79caf1d38674982560a1d602223434aec097dadd12deaafbe02c6a338676047bbcd8638505124895d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini
Filesize
104B

MD5
86bb2dbeaef655893262f3c041f6afe2

SHA1
1b26ff1241c1353bd506c18bd0c11878076ba65d

SHA256
4a57643d2c59d1235bc0926f845583f39345839e3e9428ad619eb4b6baf96ad2

SHA512
58294cfaa5882a4c5625c03fe6f9e4882912b31f7169241f95626745d66c0a746083a9044365943d66ae7a420113d28c0ddd642c4ed697c683deb63796a13d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
Filesize
480B

MD5
94fdf0b86d7c89d9df164b8e1c817062

SHA1
7ae3888af650d3c6f06ebd38b7ce65013d58a135

SHA256
5b793b833371bf0265b69eceac9025fbfd43a4ae931cde99f4dbdd1b60cc5c48

SHA512
2c723f7bc80fe231eb7a3b521c1576b574801535c0c8d63112cefa7d99b2d76e719de559af24db7c56a15c686aaf22da1dbd590ecb0490f1b8bbe0f62574fe09

Download Submit
C:\Users\Admin\AppData\Local\Temp\koriibf.exe
Filesize
393KB

MD5
8889062e0cd5385ed815ef095f7227ba

SHA1
7c6968ddef216051e69e6c5b9c742e4aa3c5fb39

SHA256
599863294b229898b485359f37fb8aba9583d7f35e2b5523f83eb64aabb42085

SHA512
a2fd91151b036ca4167cdaa636db1bb8cb0305b604418d9ac91fdac3b92d3450f6dd160fb0ff4df234a948d755fbf422cf89cc3f25fab710d5f0b8a19a4690b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\luzuoxw.exe
Filesize
669KB

MD5
8026590d3a4eb6cb85309edce6ff1afa

SHA1
02681566f06593e0fe549761f34beea0a4f291e1

SHA256
0d791250c4405a81cc798c5a8cf88389110af0c5ff2f0c0f1086aff29ea62471

SHA512
f16bf7d633d23fbade8ee9c7c67eb7cca2c7bb50a90fdf1a4cb9429a4ed270ccf20b6a85947a3280ff811d53d51385c3956f788931b32721aeeaba171f461e69

Download Submit
C:\Users\Admin\AppData\Local\Temp\luzuoxw.exe
Filesize
669KB

MD5
8026590d3a4eb6cb85309edce6ff1afa

SHA1
02681566f06593e0fe549761f34beea0a4f291e1

SHA256
0d791250c4405a81cc798c5a8cf88389110af0c5ff2f0c0f1086aff29ea62471

SHA512
f16bf7d633d23fbade8ee9c7c67eb7cca2c7bb50a90fdf1a4cb9429a4ed270ccf20b6a85947a3280ff811d53d51385c3956f788931b32721aeeaba171f461e69

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA7C.tmp
Filesize
673KB

MD5
22b5875f1264d767004367ebefe66d42

SHA1
ad226c679a11c93b6b3c392e9b3dcdfe358c6795

SHA256
2f1ab9ba3ab54fe3736c666ba830d5803d067b49ad6f7009fe82c60cb1e19bc5

SHA512
9f566212b4b166d8fd257c5aed55ec1916f5e0012dcda1d9f91d0d02ffa9a2eb5a8290ed87d789610280bb8710361ee1e9242c194c744f034b535844e22efd52

Download Submit
\Users\Admin\AppData\Local\Temp\koriibf.exe
Filesize
393KB

MD5
8889062e0cd5385ed815ef095f7227ba

SHA1
7c6968ddef216051e69e6c5b9c742e4aa3c5fb39

SHA256
599863294b229898b485359f37fb8aba9583d7f35e2b5523f83eb64aabb42085

SHA512
a2fd91151b036ca4167cdaa636db1bb8cb0305b604418d9ac91fdac3b92d3450f6dd160fb0ff4df234a948d755fbf422cf89cc3f25fab710d5f0b8a19a4690b5

Download Submit
\Users\Admin\AppData\Local\Temp\luzuoxw.exe
Filesize
669KB

MD5
8026590d3a4eb6cb85309edce6ff1afa

SHA1
02681566f06593e0fe549761f34beea0a4f291e1

SHA256
0d791250c4405a81cc798c5a8cf88389110af0c5ff2f0c0f1086aff29ea62471

SHA512
f16bf7d633d23fbade8ee9c7c67eb7cca2c7bb50a90fdf1a4cb9429a4ed270ccf20b6a85947a3280ff811d53d51385c3956f788931b32721aeeaba171f461e69

Download Submit
\Users\Admin\AppData\Local\Temp\~DFA7C.tmp
Filesize
673KB

MD5
22b5875f1264d767004367ebefe66d42

SHA1
ad226c679a11c93b6b3c392e9b3dcdfe358c6795

SHA256
2f1ab9ba3ab54fe3736c666ba830d5803d067b49ad6f7009fe82c60cb1e19bc5

SHA512
9f566212b4b166d8fd257c5aed55ec1916f5e0012dcda1d9f91d0d02ffa9a2eb5a8290ed87d789610280bb8710361ee1e9242c194c744f034b535844e22efd52

Download Submit
memory/568-71-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/568-72-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/568-63-0x0000000000000000-mapping.dmp

Download
memory/568-77-0x0000000003840000-0x000000000397E000-memory.dmp

Filesize
1.2MB

Download
memory/1108-66-0x0000000000000000-mapping.dmp

Download
memory/1512-74-0x0000000000000000-mapping.dmp

Download
memory/1512-78-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/1988-70-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1988-57-0x0000000000000000-mapping.dmp

Download
memory/2044-67-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/2044-68-0x0000000001E00000-0x0000000001EDE000-memory.dmp

Filesize
888KB

Download
memory/2044-54-0x0000000075531000-0x0000000075533000-memory.dmp

Filesize
8KB

Download
memory/2044-55-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download