ffb4c48cb096cf85e4f99b717d75e76781feabdedc4d572335a6f5420b0c718d

Analysis

max time kernel
155s
max time network
110s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 21:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ffb4c48cb096cf85e4f99b717d75e76781feabdedc4d572335a6f5420b0c718d.exe
Size

655KB
MD5

4b4ad882aadc4a9e2fb76c2d2029ce90
SHA1

c9c4fd14cb7bd844f599aee25d951058ebc91278
SHA256

ffb4c48cb096cf85e4f99b717d75e76781feabdedc4d572335a6f5420b0c718d
SHA512

0402b51724586a366931772ee28e9b7b98663c346b41036f403219871c3d4426b2dadbdf34c76af6314b72bb0f736f361b44f1b6e06ffb00ce72ea654f9e36e5
SSDEEP

12288:VHjcoe9PH96vB/fAuBcm9TyOE/xG3muGx44MG4Yx:VDgINfAuBcgcZG2uG24MG4Y

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

hilaqoh.exe~DFA75.tmppizorth.exe

pid process

576 hilaqoh.exe
856 ~DFA75.tmp
1568 pizorth.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

676 cmd.exe
Loads dropped DLL 3 IoCs

Processes:

ffb4c48cb096cf85e4f99b717d75e76781feabdedc4d572335a6f5420b0c718d.exehilaqoh.exe~DFA75.tmp

pid process

1876 ffb4c48cb096cf85e4f99b717d75e76781feabdedc4d572335a6f5420b0c718d.exe
576 hilaqoh.exe
856 ~DFA75.tmp
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
576	hilaqoh.exe
856	~DFA75.tmp
1568	pizorth.exe

pid	process
676	cmd.exe

pid	process
1876	ffb4c48cb096cf85e4f99b717d75e76781feabdedc4d572335a6f5420b0c718d.exe
576	hilaqoh.exe
856	~DFA75.tmp

Suspicious behavior: EnumeratesProcesses 19 IoCs

Processes:

pizorth.exe

pid	process
1568	pizorth.exe
1568	pizorth.exe
1568	pizorth.exe
1568	pizorth.exe
1568	pizorth.exe
1568	pizorth.exe
1568	pizorth.exe
1568	pizorth.exe
1568	pizorth.exe
1568	pizorth.exe
1568	pizorth.exe
1568	pizorth.exe
1568	pizorth.exe
1568	pizorth.exe
1568	pizorth.exe
1568	pizorth.exe
1568	pizorth.exe
1568	pizorth.exe
1568	pizorth.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

~DFA75.tmp

description pid process

Token: SeDebugPrivilege 856 ~DFA75.tmp

description	pid	process
Token: SeDebugPrivilege	856	~DFA75.tmp

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

ffb4c48cb096cf85e4f99b717d75e76781feabdedc4d572335a6f5420b0c718d.exehilaqoh.exe~DFA75.tmp

description	pid	process	target process
PID 1876 wrote to memory of 576	1876	ffb4c48cb096cf85e4f99b717d75e76781feabdedc4d572335a6f5420b0c718d.exe	hilaqoh.exe
PID 1876 wrote to memory of 576	1876	ffb4c48cb096cf85e4f99b717d75e76781feabdedc4d572335a6f5420b0c718d.exe	hilaqoh.exe
PID 1876 wrote to memory of 576	1876	ffb4c48cb096cf85e4f99b717d75e76781feabdedc4d572335a6f5420b0c718d.exe	hilaqoh.exe
PID 1876 wrote to memory of 576	1876	ffb4c48cb096cf85e4f99b717d75e76781feabdedc4d572335a6f5420b0c718d.exe	hilaqoh.exe
PID 576 wrote to memory of 856	576	hilaqoh.exe	~DFA75.tmp
PID 576 wrote to memory of 856	576	hilaqoh.exe	~DFA75.tmp
PID 576 wrote to memory of 856	576	hilaqoh.exe	~DFA75.tmp
PID 576 wrote to memory of 856	576	hilaqoh.exe	~DFA75.tmp
PID 1876 wrote to memory of 676	1876	ffb4c48cb096cf85e4f99b717d75e76781feabdedc4d572335a6f5420b0c718d.exe	cmd.exe
PID 1876 wrote to memory of 676	1876	ffb4c48cb096cf85e4f99b717d75e76781feabdedc4d572335a6f5420b0c718d.exe	cmd.exe
PID 1876 wrote to memory of 676	1876	ffb4c48cb096cf85e4f99b717d75e76781feabdedc4d572335a6f5420b0c718d.exe	cmd.exe
PID 1876 wrote to memory of 676	1876	ffb4c48cb096cf85e4f99b717d75e76781feabdedc4d572335a6f5420b0c718d.exe	cmd.exe
PID 856 wrote to memory of 1568	856	~DFA75.tmp	pizorth.exe
PID 856 wrote to memory of 1568	856	~DFA75.tmp	pizorth.exe
PID 856 wrote to memory of 1568	856	~DFA75.tmp	pizorth.exe
PID 856 wrote to memory of 1568	856	~DFA75.tmp	pizorth.exe

C:\Users\Admin\AppData\Local\Temp\ffb4c48cb096cf85e4f99b717d75e76781feabdedc4d572335a6f5420b0c718d.exe
"C:\Users\Admin\AppData\Local\Temp\ffb4c48cb096cf85e4f99b717d75e76781feabdedc4d572335a6f5420b0c718d.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1876

C:\Users\Admin\AppData\Local\Temp\hilaqoh.exe
C:\Users\Admin\AppData\Local\Temp\hilaqoh.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:576

C:\Users\Admin\AppData\Local\Temp\~DFA75.tmp
C:\Users\Admin\AppData\Local\Temp\~DFA75.tmp OK
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:856

C:\Users\Admin\AppData\Local\Temp\pizorth.exe
"C:\Users\Admin\AppData\Local\Temp\pizorth.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1568

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
2⤵
- Deletes itself
PID:676

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uninsep.bat
Filesize
341B

MD5
8525d2f112e17de4f932510351242657

SHA1
7bb321c9325c4a51cf93ebfa5d355c7ca71a5e3d

SHA256
2632576c3d097bbcec99946df9ad4a993b7cfe6e328887dae8b1925961b2c5d4

SHA512
bf15c02af3be2bbe7dc9ca8ccf633ea5e3556e52817e75e13c71bdcc97ce4d461b43b344063132e3907dc6d065cf76644c79381063ef3fd411fe6acc48f2ea83

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini
Filesize
104B

MD5
86bb2dbeaef655893262f3c041f6afe2

SHA1
1b26ff1241c1353bd506c18bd0c11878076ba65d

SHA256
4a57643d2c59d1235bc0926f845583f39345839e3e9428ad619eb4b6baf96ad2

SHA512
58294cfaa5882a4c5625c03fe6f9e4882912b31f7169241f95626745d66c0a746083a9044365943d66ae7a420113d28c0ddd642c4ed697c683deb63796a13d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
Filesize
480B

MD5
65cd63635ef80f37746be96fd2adb8a8

SHA1
de064d870163cfd2341e46d29b72baff3162b8a0

SHA256
6e36c453a1cdb076be98fe26cdd54d24c84c15026b2e88072ce093253939a1b9

SHA512
97ee37150b750cb553d1a3674d5cfe2f1531778f2f7f239d35f551b14381319eadd19cc40fb46a8327cb42e0d6b24c0b477bfbf4245b5be3091edcad2e0f3a2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\hilaqoh.exe
Filesize
662KB

MD5
ff6be29862e5bfe859f64d5c618f2909

SHA1
c55dd6791b67b4c30a348510b4e7a44b73e0b2fe

SHA256
6a5a7f2216c0b431d413b2255ce48a5c6179221c3bd910313895ca9420d19a5a

SHA512
59537bfddbf843d002f9c7ea4df21711ff73473ad1b575ba3e6fc7b76cd8682dfb5473523d1b898f87fd65b49b5d7278bc4964bacc62a58897132c283ca337af

Download Submit
C:\Users\Admin\AppData\Local\Temp\hilaqoh.exe
Filesize
662KB

MD5
ff6be29862e5bfe859f64d5c618f2909

SHA1
c55dd6791b67b4c30a348510b4e7a44b73e0b2fe

SHA256
6a5a7f2216c0b431d413b2255ce48a5c6179221c3bd910313895ca9420d19a5a

SHA512
59537bfddbf843d002f9c7ea4df21711ff73473ad1b575ba3e6fc7b76cd8682dfb5473523d1b898f87fd65b49b5d7278bc4964bacc62a58897132c283ca337af

Download Submit
C:\Users\Admin\AppData\Local\Temp\pizorth.exe
Filesize
389KB

MD5
03b12f1a6f016fd8b6755ab41d8ee33b

SHA1
a60f5b2d10ba62177d724a2adb31e01b1464fb62

SHA256
1d5a6dc42acb3f7ddf2cc77cb9b9e782c9b6900db2bc4ac84af5cbc50fd91aa9

SHA512
b18a917e3e6a89906523cd63c6a084ecb2e5ca3537f5581d7041a873a41cf6a756187395ff6fae1316ae755b4ebe08b529be5c18d29e3b4b77e5076f17377b59

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA75.tmp
Filesize
669KB

MD5
8b966561f4a864ca9aa9135151fae08a

SHA1
4940f9acb9280757702e901268e5787111bbeb60

SHA256
a2fe34e7386ac24fef3abfb34bced7f02c712257b2a920289ba082486b988697

SHA512
f6953fd72cac73fd1c707309d556f1887746727cc66e77f102b57b9b75868c5b11c4f737c55c7138aa3eb2ea5207c7df5cc144aff7ad96794bd6e6abb86f8928

Download Submit
\Users\Admin\AppData\Local\Temp\hilaqoh.exe
Filesize
662KB

MD5
ff6be29862e5bfe859f64d5c618f2909

SHA1
c55dd6791b67b4c30a348510b4e7a44b73e0b2fe

SHA256
6a5a7f2216c0b431d413b2255ce48a5c6179221c3bd910313895ca9420d19a5a

SHA512
59537bfddbf843d002f9c7ea4df21711ff73473ad1b575ba3e6fc7b76cd8682dfb5473523d1b898f87fd65b49b5d7278bc4964bacc62a58897132c283ca337af

Download Submit
\Users\Admin\AppData\Local\Temp\pizorth.exe
Filesize
389KB

MD5
03b12f1a6f016fd8b6755ab41d8ee33b

SHA1
a60f5b2d10ba62177d724a2adb31e01b1464fb62

SHA256
1d5a6dc42acb3f7ddf2cc77cb9b9e782c9b6900db2bc4ac84af5cbc50fd91aa9

SHA512
b18a917e3e6a89906523cd63c6a084ecb2e5ca3537f5581d7041a873a41cf6a756187395ff6fae1316ae755b4ebe08b529be5c18d29e3b4b77e5076f17377b59

Download Submit
\Users\Admin\AppData\Local\Temp\~DFA75.tmp
Filesize
669KB

MD5
8b966561f4a864ca9aa9135151fae08a

SHA1
4940f9acb9280757702e901268e5787111bbeb60

SHA256
a2fe34e7386ac24fef3abfb34bced7f02c712257b2a920289ba082486b988697

SHA512
f6953fd72cac73fd1c707309d556f1887746727cc66e77f102b57b9b75868c5b11c4f737c55c7138aa3eb2ea5207c7df5cc144aff7ad96794bd6e6abb86f8928

Download Submit
memory/576-57-0x0000000000000000-mapping.dmp

Download
memory/576-71-0x0000000002C10000-0x0000000002CEE000-memory.dmp

Filesize
888KB

Download
memory/576-73-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/576-70-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/676-64-0x0000000000000000-mapping.dmp

Download
memory/856-63-0x0000000000000000-mapping.dmp

Download
memory/856-72-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/856-74-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/856-79-0x0000000003540000-0x000000000367E000-memory.dmp

Filesize
1.2MB

Download
memory/1568-76-0x0000000000000000-mapping.dmp

Download
memory/1568-80-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/1876-54-0x00000000752B1000-0x00000000752B3000-memory.dmp

Filesize
8KB

Download
memory/1876-68-0x0000000000710000-0x00000000007EE000-memory.dmp

Filesize
888KB

Download
memory/1876-67-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1876-55-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download