96befb447a5a953dfcb07acc26d358d2b2511a650c2615408cc6b5c395e291f4

Analysis

max time kernel
152s
max time network
111s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 21:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

96befb447a5a953dfcb07acc26d358d2b2511a650c2615408cc6b5c395e291f4.exe
Size

669KB
MD5

529afe0f51eff7bcf18d7d7f890aa530
SHA1

05d4c07e5bbf4a789fe2458b8a3326b3c2c46674
SHA256

96befb447a5a953dfcb07acc26d358d2b2511a650c2615408cc6b5c395e291f4
SHA512

e8e49584d91a465612620f6b199ebd328c89fac6dae4c58fd0015b9200c5f2a0b0ed8d042bd55c22278db0289a6032d468b91fd2760ec964d7911c6f4e84f9a4
SSDEEP

12288:VHjcoe9PH96vB/fAuBcm9TyOE/xG3muGx44MG4Yx:VDgINfAuBcgcZG2uG24MG4Y

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

ojfuuwj.exe~DFA7C.tmproxevuq.exe

pid process

2044 ojfuuwj.exe
336 ~DFA7C.tmp
888 roxevuq.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

560 cmd.exe
Loads dropped DLL 3 IoCs

Processes:

96befb447a5a953dfcb07acc26d358d2b2511a650c2615408cc6b5c395e291f4.exeojfuuwj.exe~DFA7C.tmp

pid process

1416 96befb447a5a953dfcb07acc26d358d2b2511a650c2615408cc6b5c395e291f4.exe
2044 ojfuuwj.exe
336 ~DFA7C.tmp
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
2044	ojfuuwj.exe
336	~DFA7C.tmp
888	roxevuq.exe

pid	process
560	cmd.exe

pid	process
1416	96befb447a5a953dfcb07acc26d358d2b2511a650c2615408cc6b5c395e291f4.exe
2044	ojfuuwj.exe
336	~DFA7C.tmp

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

roxevuq.exe

pid	process
888	roxevuq.exe
888	roxevuq.exe
888	roxevuq.exe
888	roxevuq.exe
888	roxevuq.exe
888	roxevuq.exe
888	roxevuq.exe
888	roxevuq.exe
888	roxevuq.exe
888	roxevuq.exe
888	roxevuq.exe
888	roxevuq.exe
888	roxevuq.exe
888	roxevuq.exe
888	roxevuq.exe
888	roxevuq.exe
888	roxevuq.exe
888	roxevuq.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

~DFA7C.tmp

description pid process

Token: SeDebugPrivilege 336 ~DFA7C.tmp

description	pid	process
Token: SeDebugPrivilege	336	~DFA7C.tmp

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

96befb447a5a953dfcb07acc26d358d2b2511a650c2615408cc6b5c395e291f4.exeojfuuwj.exe~DFA7C.tmp

description	pid	process	target process
PID 1416 wrote to memory of 2044	1416	96befb447a5a953dfcb07acc26d358d2b2511a650c2615408cc6b5c395e291f4.exe	ojfuuwj.exe
PID 1416 wrote to memory of 2044	1416	96befb447a5a953dfcb07acc26d358d2b2511a650c2615408cc6b5c395e291f4.exe	ojfuuwj.exe
PID 1416 wrote to memory of 2044	1416	96befb447a5a953dfcb07acc26d358d2b2511a650c2615408cc6b5c395e291f4.exe	ojfuuwj.exe
PID 1416 wrote to memory of 2044	1416	96befb447a5a953dfcb07acc26d358d2b2511a650c2615408cc6b5c395e291f4.exe	ojfuuwj.exe
PID 1416 wrote to memory of 560	1416	96befb447a5a953dfcb07acc26d358d2b2511a650c2615408cc6b5c395e291f4.exe	cmd.exe
PID 1416 wrote to memory of 560	1416	96befb447a5a953dfcb07acc26d358d2b2511a650c2615408cc6b5c395e291f4.exe	cmd.exe
PID 1416 wrote to memory of 560	1416	96befb447a5a953dfcb07acc26d358d2b2511a650c2615408cc6b5c395e291f4.exe	cmd.exe
PID 1416 wrote to memory of 560	1416	96befb447a5a953dfcb07acc26d358d2b2511a650c2615408cc6b5c395e291f4.exe	cmd.exe
PID 2044 wrote to memory of 336	2044	ojfuuwj.exe	~DFA7C.tmp
PID 2044 wrote to memory of 336	2044	ojfuuwj.exe	~DFA7C.tmp
PID 2044 wrote to memory of 336	2044	ojfuuwj.exe	~DFA7C.tmp
PID 2044 wrote to memory of 336	2044	ojfuuwj.exe	~DFA7C.tmp
PID 336 wrote to memory of 888	336	~DFA7C.tmp	roxevuq.exe
PID 336 wrote to memory of 888	336	~DFA7C.tmp	roxevuq.exe
PID 336 wrote to memory of 888	336	~DFA7C.tmp	roxevuq.exe
PID 336 wrote to memory of 888	336	~DFA7C.tmp	roxevuq.exe

C:\Users\Admin\AppData\Local\Temp\96befb447a5a953dfcb07acc26d358d2b2511a650c2615408cc6b5c395e291f4.exe
"C:\Users\Admin\AppData\Local\Temp\96befb447a5a953dfcb07acc26d358d2b2511a650c2615408cc6b5c395e291f4.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1416

C:\Users\Admin\AppData\Local\Temp\ojfuuwj.exe
C:\Users\Admin\AppData\Local\Temp\ojfuuwj.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2044

C:\Users\Admin\AppData\Local\Temp\~DFA7C.tmp
C:\Users\Admin\AppData\Local\Temp\~DFA7C.tmp OK
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:336

C:\Users\Admin\AppData\Local\Temp\roxevuq.exe
"C:\Users\Admin\AppData\Local\Temp\roxevuq.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:888

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
2⤵
- Deletes itself
PID:560

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uninsep.bat
Filesize
341B

MD5
f90647b585a14bc8e53385e97a57256d

SHA1
4ccf8491dfc83b505b2dbf919a381e5137ee9adb

SHA256
600e5c4928fee287d45c6f2918d4d85edb0353abbb6f65505c2aba74b9f54823

SHA512
7af79912b6047f68bd469885dc39f67422a762080ec0b702a7b21b6b9560e35b8c744d75361eed08233f26ab9cf63a838c4fbe8cbc25567defe9eb4673af77ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini
Filesize
104B

MD5
86bb2dbeaef655893262f3c041f6afe2

SHA1
1b26ff1241c1353bd506c18bd0c11878076ba65d

SHA256
4a57643d2c59d1235bc0926f845583f39345839e3e9428ad619eb4b6baf96ad2

SHA512
58294cfaa5882a4c5625c03fe6f9e4882912b31f7169241f95626745d66c0a746083a9044365943d66ae7a420113d28c0ddd642c4ed697c683deb63796a13d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
Filesize
480B

MD5
39677a7bdf5933e1668b06d494f2d961

SHA1
90dc78c06aba8d1c42e8825eaa3cd1ecfd57863a

SHA256
efdbfd27e24db94bd10773c16f14c9687f433da05badb99ea1e53f5991cb169d

SHA512
2cc12cc28c372c0c764d7e8831dab2a51d134d7876cb7d57ee03ee87280d03fc11cd49a84f9d61977cdfed233974925524037057cba94d2f908b32df27c163cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\ojfuuwj.exe
Filesize
673KB

MD5
ba700ae0674e2d8a781e6a766b06fd8d

SHA1
861b863a540abd0b7b40013d21d52eb3eed29a8c

SHA256
637c68c74a1e04495542ad39daf22bc432f75928cf68d423f9080607595e1f9e

SHA512
bdf94a678d65f09790df74fdf531bacdc3f16e87316eb7cca9626d3e0ba2d0ae11f5b8ebb482a16902e082975e3f7d27c1c6880f9d5c5f2412d3cc5f920e20b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ojfuuwj.exe
Filesize
673KB

MD5
ba700ae0674e2d8a781e6a766b06fd8d

SHA1
861b863a540abd0b7b40013d21d52eb3eed29a8c

SHA256
637c68c74a1e04495542ad39daf22bc432f75928cf68d423f9080607595e1f9e

SHA512
bdf94a678d65f09790df74fdf531bacdc3f16e87316eb7cca9626d3e0ba2d0ae11f5b8ebb482a16902e082975e3f7d27c1c6880f9d5c5f2412d3cc5f920e20b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\roxevuq.exe
Filesize
373KB

MD5
04998437bbc5013e8ab2b8586ccef781

SHA1
3ce40e38e424c24620a300cc0173d2bc3b621f01

SHA256
88f613a4792d6ba97b0a3847a6f3faabe6735f69668ecccbd327c7bae2b87baf

SHA512
ec83f48f463aaeca614515c3b7e167e9558bdde88f7f5e8825eeb8af89d1dd8a56ef9e66b14018edf2322a57a2a4fb447e5bda634ab2646110e8042649705f85

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA7C.tmp
Filesize
677KB

MD5
0bb0544ed6ca3ff172d9455476dddbfb

SHA1
eb650829fcfe3306092daec2d4a10b657c3677c7

SHA256
141a9e65a3f46c011e618e6847ebe14dcb6e2cdb17a50b0b4c8fd0aae1e3e877

SHA512
975764073c3add1a966fe465e0eb753b30c2fe96c4e95e4dcb1c7e39e4158c170851fdfaf0aaff7b4a838f6f231e1cd6d803490b945524fd816cea40c72e36e7

Download Submit
\Users\Admin\AppData\Local\Temp\ojfuuwj.exe
Filesize
673KB

MD5
ba700ae0674e2d8a781e6a766b06fd8d

SHA1
861b863a540abd0b7b40013d21d52eb3eed29a8c

SHA256
637c68c74a1e04495542ad39daf22bc432f75928cf68d423f9080607595e1f9e

SHA512
bdf94a678d65f09790df74fdf531bacdc3f16e87316eb7cca9626d3e0ba2d0ae11f5b8ebb482a16902e082975e3f7d27c1c6880f9d5c5f2412d3cc5f920e20b8

Download Submit
\Users\Admin\AppData\Local\Temp\roxevuq.exe
Filesize
373KB

MD5
04998437bbc5013e8ab2b8586ccef781

SHA1
3ce40e38e424c24620a300cc0173d2bc3b621f01

SHA256
88f613a4792d6ba97b0a3847a6f3faabe6735f69668ecccbd327c7bae2b87baf

SHA512
ec83f48f463aaeca614515c3b7e167e9558bdde88f7f5e8825eeb8af89d1dd8a56ef9e66b14018edf2322a57a2a4fb447e5bda634ab2646110e8042649705f85

Download Submit
\Users\Admin\AppData\Local\Temp\~DFA7C.tmp
Filesize
677KB

MD5
0bb0544ed6ca3ff172d9455476dddbfb

SHA1
eb650829fcfe3306092daec2d4a10b657c3677c7

SHA256
141a9e65a3f46c011e618e6847ebe14dcb6e2cdb17a50b0b4c8fd0aae1e3e877

SHA512
975764073c3add1a966fe465e0eb753b30c2fe96c4e95e4dcb1c7e39e4158c170851fdfaf0aaff7b4a838f6f231e1cd6d803490b945524fd816cea40c72e36e7

Download Submit
memory/336-73-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/336-66-0x0000000000000000-mapping.dmp

Download
memory/336-70-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/336-77-0x0000000003460000-0x000000000359E000-memory.dmp

Filesize
1.2MB

Download
memory/560-60-0x0000000000000000-mapping.dmp

Download
memory/888-78-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/888-75-0x0000000000000000-mapping.dmp

Download
memory/1416-54-0x0000000075E11000-0x0000000075E13000-memory.dmp

Filesize
8KB

Download
memory/1416-62-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1416-69-0x0000000001F20000-0x0000000001FFE000-memory.dmp

Filesize
888KB

Download
memory/1416-55-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/2044-72-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/2044-57-0x0000000000000000-mapping.dmp

Download
memory/2044-71-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download