f7de28e89a65b8cdd88710f562f8cedd392f04e5cfb2c717cfbeeb847f0286f5

Analysis

max time kernel
151s
max time network
134s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 21:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f7de28e89a65b8cdd88710f562f8cedd392f04e5cfb2c717cfbeeb847f0286f5.exe
Size

678KB
MD5

57cc347ccb692e8ee2a8a646a1e357f0
SHA1

64d06fcc42b66cb0395d3acd2defb2ffe630a069
SHA256

f7de28e89a65b8cdd88710f562f8cedd392f04e5cfb2c717cfbeeb847f0286f5
SHA512

796aac260edbd09d651213c961cbd34a4ae661ed4f7f46db6913b19b87861806083c8e4e594d8bedf9c7bf2497fb2852afbc74e21588f8ed13d4be311e2635ef
SSDEEP

12288:OHjcoe9PH96vB/fAuBcm9TyOE/xG3muGx44MG4Yx:ODgINfAuBcgcZG2uG24MG4Y

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

lazuzyj.exe~DFA6B.tmptytugyj.exe

pid process

1076 lazuzyj.exe
1508 ~DFA6B.tmp
1632 tytugyj.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

636 cmd.exe
Loads dropped DLL 3 IoCs

Processes:

f7de28e89a65b8cdd88710f562f8cedd392f04e5cfb2c717cfbeeb847f0286f5.exelazuzyj.exe~DFA6B.tmp

pid process

2016 f7de28e89a65b8cdd88710f562f8cedd392f04e5cfb2c717cfbeeb847f0286f5.exe
1076 lazuzyj.exe
1508 ~DFA6B.tmp
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1076	lazuzyj.exe
1508	~DFA6B.tmp
1632	tytugyj.exe

pid	process
636	cmd.exe

pid	process
2016	f7de28e89a65b8cdd88710f562f8cedd392f04e5cfb2c717cfbeeb847f0286f5.exe
1076	lazuzyj.exe
1508	~DFA6B.tmp

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

tytugyj.exe

pid	process
1632	tytugyj.exe
1632	tytugyj.exe
1632	tytugyj.exe
1632	tytugyj.exe
1632	tytugyj.exe
1632	tytugyj.exe
1632	tytugyj.exe
1632	tytugyj.exe
1632	tytugyj.exe
1632	tytugyj.exe
1632	tytugyj.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

~DFA6B.tmp

description pid process

Token: SeDebugPrivilege 1508 ~DFA6B.tmp

description	pid	process
Token: SeDebugPrivilege	1508	~DFA6B.tmp

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

f7de28e89a65b8cdd88710f562f8cedd392f04e5cfb2c717cfbeeb847f0286f5.exelazuzyj.exe~DFA6B.tmp

description	pid	process	target process
PID 2016 wrote to memory of 1076	2016	f7de28e89a65b8cdd88710f562f8cedd392f04e5cfb2c717cfbeeb847f0286f5.exe	lazuzyj.exe
PID 2016 wrote to memory of 1076	2016	f7de28e89a65b8cdd88710f562f8cedd392f04e5cfb2c717cfbeeb847f0286f5.exe	lazuzyj.exe
PID 2016 wrote to memory of 1076	2016	f7de28e89a65b8cdd88710f562f8cedd392f04e5cfb2c717cfbeeb847f0286f5.exe	lazuzyj.exe
PID 2016 wrote to memory of 1076	2016	f7de28e89a65b8cdd88710f562f8cedd392f04e5cfb2c717cfbeeb847f0286f5.exe	lazuzyj.exe
PID 2016 wrote to memory of 636	2016	f7de28e89a65b8cdd88710f562f8cedd392f04e5cfb2c717cfbeeb847f0286f5.exe	cmd.exe
PID 2016 wrote to memory of 636	2016	f7de28e89a65b8cdd88710f562f8cedd392f04e5cfb2c717cfbeeb847f0286f5.exe	cmd.exe
PID 2016 wrote to memory of 636	2016	f7de28e89a65b8cdd88710f562f8cedd392f04e5cfb2c717cfbeeb847f0286f5.exe	cmd.exe
PID 2016 wrote to memory of 636	2016	f7de28e89a65b8cdd88710f562f8cedd392f04e5cfb2c717cfbeeb847f0286f5.exe	cmd.exe
PID 1076 wrote to memory of 1508	1076	lazuzyj.exe	~DFA6B.tmp
PID 1076 wrote to memory of 1508	1076	lazuzyj.exe	~DFA6B.tmp
PID 1076 wrote to memory of 1508	1076	lazuzyj.exe	~DFA6B.tmp
PID 1076 wrote to memory of 1508	1076	lazuzyj.exe	~DFA6B.tmp
PID 1508 wrote to memory of 1632	1508	~DFA6B.tmp	tytugyj.exe
PID 1508 wrote to memory of 1632	1508	~DFA6B.tmp	tytugyj.exe
PID 1508 wrote to memory of 1632	1508	~DFA6B.tmp	tytugyj.exe
PID 1508 wrote to memory of 1632	1508	~DFA6B.tmp	tytugyj.exe

C:\Users\Admin\AppData\Local\Temp\f7de28e89a65b8cdd88710f562f8cedd392f04e5cfb2c717cfbeeb847f0286f5.exe
"C:\Users\Admin\AppData\Local\Temp\f7de28e89a65b8cdd88710f562f8cedd392f04e5cfb2c717cfbeeb847f0286f5.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2016

C:\Users\Admin\AppData\Local\Temp\lazuzyj.exe
C:\Users\Admin\AppData\Local\Temp\lazuzyj.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1076

C:\Users\Admin\AppData\Local\Temp\~DFA6B.tmp
C:\Users\Admin\AppData\Local\Temp\~DFA6B.tmp OK
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1508

C:\Users\Admin\AppData\Local\Temp\tytugyj.exe
"C:\Users\Admin\AppData\Local\Temp\tytugyj.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1632

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
2⤵
- Deletes itself
PID:636

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uninsep.bat

Filesize
341B

MD5
b2f9f55f99dc7aa2bdd62d8f0afa85f4

SHA1
69f322bc72f6fa6f9127578c6407143f583b9a40

SHA256
af91ee3bd6552d8c48698906c7e68b0339e938f70f645621aed4546d0d26a8b4

SHA512
0dfe2b2392977c726a84da0165e6a48f77c6555c49af0e26c99b9ccce397355f4367f5ec69ffbd63e769fb5b1854463df2264a4e914f1f5a41bffc59f6387c24

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
86bb2dbeaef655893262f3c041f6afe2

SHA1
1b26ff1241c1353bd506c18bd0c11878076ba65d

SHA256
4a57643d2c59d1235bc0926f845583f39345839e3e9428ad619eb4b6baf96ad2

SHA512
58294cfaa5882a4c5625c03fe6f9e4882912b31f7169241f95626745d66c0a746083a9044365943d66ae7a420113d28c0ddd642c4ed697c683deb63796a13d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
480B

MD5
91d1c54c49aa13911e19fd944a7e6fb1

SHA1
3b207ec57c1961c757ff824867ada4751eaedc20

SHA256
edd60f3ae44667f4a09cbf8f783c3d344c19c520a7de1ae015b200c436e59b53

SHA512
78f5e813dbd34b8dffbc26c96648f513b301895c869c377b6e19aef0d29c2adf1b8555cc1078ab12e8c306992c7903f2c494e95c34606f6993cd3bd7693cca2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\lazuzyj.exe

Filesize
685KB

MD5
3303fa41d6314d0c24c66b6b7962a5a3

SHA1
af1dafb4718556e0f8083352c9182b2552b7975e

SHA256
4d36ac6c805af8299759b9438654596fafd784cabfca2a24222454fda031a5e3

SHA512
9b63704c2b98a8d075db924942b89c4a39d258aa896aaebfa6c9666fb793bc526c28eb6ce22620993677576d6179c5142428ed01898d44901522c8798faa6389

Download Submit
C:\Users\Admin\AppData\Local\Temp\lazuzyj.exe

Filesize
685KB

MD5
3303fa41d6314d0c24c66b6b7962a5a3

SHA1
af1dafb4718556e0f8083352c9182b2552b7975e

SHA256
4d36ac6c805af8299759b9438654596fafd784cabfca2a24222454fda031a5e3

SHA512
9b63704c2b98a8d075db924942b89c4a39d258aa896aaebfa6c9666fb793bc526c28eb6ce22620993677576d6179c5142428ed01898d44901522c8798faa6389

Download Submit
C:\Users\Admin\AppData\Local\Temp\tytugyj.exe

Filesize
409KB

MD5
d0a38ed7fabc28f5dc1fba54336fd6d6

SHA1
5fb62d23cb074fb0ee5de1f3d8726f08482be43a

SHA256
a9572d928b4312127e71936f9b4f8796dec8108b97c6efbe2680acb1c179b3b2

SHA512
a641d1dfd3c00204dae12e4491736ebf1e7946c38060567e9d67aa82eccc25fbf5956983d6cc4018185654a2a35fafb37cd1b3bde9c126ff673cbe13432d8b66

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA6B.tmp

Filesize
693KB

MD5
d182dff002cff16f6f6c2394f368d511

SHA1
23bcc2aeb24fc4dace5ffb799aaea029d1d1764d

SHA256
39789947e1ea2f9051e29fa111c6f06727964f14c5c7a701cf19e65e069f68f2

SHA512
92bc9757cdbd885afe64d452a5c08004615ef49602b156c419c6dd0da282a7b6ecf55597d2d87fa0c8c3ae5f26122010cb325508d44e455d9fa1fc07cc9192db

Download Submit
\Users\Admin\AppData\Local\Temp\lazuzyj.exe

Filesize
685KB

MD5
3303fa41d6314d0c24c66b6b7962a5a3

SHA1
af1dafb4718556e0f8083352c9182b2552b7975e

SHA256
4d36ac6c805af8299759b9438654596fafd784cabfca2a24222454fda031a5e3

SHA512
9b63704c2b98a8d075db924942b89c4a39d258aa896aaebfa6c9666fb793bc526c28eb6ce22620993677576d6179c5142428ed01898d44901522c8798faa6389

Download Submit
\Users\Admin\AppData\Local\Temp\tytugyj.exe

Filesize
409KB

MD5
d0a38ed7fabc28f5dc1fba54336fd6d6

SHA1
5fb62d23cb074fb0ee5de1f3d8726f08482be43a

SHA256
a9572d928b4312127e71936f9b4f8796dec8108b97c6efbe2680acb1c179b3b2

SHA512
a641d1dfd3c00204dae12e4491736ebf1e7946c38060567e9d67aa82eccc25fbf5956983d6cc4018185654a2a35fafb37cd1b3bde9c126ff673cbe13432d8b66

Download Submit
\Users\Admin\AppData\Local\Temp\~DFA6B.tmp

Filesize
693KB

MD5
d182dff002cff16f6f6c2394f368d511

SHA1
23bcc2aeb24fc4dace5ffb799aaea029d1d1764d

SHA256
39789947e1ea2f9051e29fa111c6f06727964f14c5c7a701cf19e65e069f68f2

SHA512
92bc9757cdbd885afe64d452a5c08004615ef49602b156c419c6dd0da282a7b6ecf55597d2d87fa0c8c3ae5f26122010cb325508d44e455d9fa1fc07cc9192db

Download Submit
memory/636-63-0x0000000000000000-mapping.dmp

Download
memory/1076-57-0x0000000000000000-mapping.dmp

Download
memory/1076-71-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1508-70-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1508-72-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1508-64-0x0000000000000000-mapping.dmp

Download
memory/1508-76-0x0000000003610000-0x000000000374E000-memory.dmp

Filesize
1.2MB

Download
memory/1632-74-0x0000000000000000-mapping.dmp

Download
memory/1632-77-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/2016-68-0x0000000001E70000-0x0000000001F4E000-memory.dmp

Filesize
888KB

Download
memory/2016-54-0x0000000075891000-0x0000000075893000-memory.dmp

Filesize
8KB

Download
memory/2016-65-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/2016-55-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download