f4ab55313232fb2d4d6e759cf92debaad1ba28680a15a19b5e2c107c95231819

Analysis

max time kernel
151s
max time network
77s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 21:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f4ab55313232fb2d4d6e759cf92debaad1ba28680a15a19b5e2c107c95231819.exe
Size

654KB
MD5

4883bedcbb02153e79a9e945dc5ffd20
SHA1

0e4b55efaeb65e3e1d93f4c38285e5638f5eea66
SHA256

f4ab55313232fb2d4d6e759cf92debaad1ba28680a15a19b5e2c107c95231819
SHA512

e21eb4428f29105548d9b0c911b1c0d835544261bf27b10dfa0da0a4d7743c744afe6c895c96965f56792ec345cab67e5ddaa1604721147ed1bcf2eb614f9151
SSDEEP

12288:VHjcoe9PH96vB/fAuBcm9TyOE/xG3muGx44MG4Yx:VDgINfAuBcgcZG2uG24MG4Y

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

ceytlii.exe~DFA61.tmpmomunoi.exe

pid process

1692 ceytlii.exe
2024 ~DFA61.tmp
980 momunoi.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

808 cmd.exe
Loads dropped DLL 3 IoCs

Processes:

f4ab55313232fb2d4d6e759cf92debaad1ba28680a15a19b5e2c107c95231819.execeytlii.exe~DFA61.tmp

pid process

1352 f4ab55313232fb2d4d6e759cf92debaad1ba28680a15a19b5e2c107c95231819.exe
1692 ceytlii.exe
2024 ~DFA61.tmp
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1692	ceytlii.exe
2024	~DFA61.tmp
980	momunoi.exe

pid	process
808	cmd.exe

pid	process
1352	f4ab55313232fb2d4d6e759cf92debaad1ba28680a15a19b5e2c107c95231819.exe
1692	ceytlii.exe
2024	~DFA61.tmp

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

momunoi.exe

pid	process
980	momunoi.exe
980	momunoi.exe
980	momunoi.exe
980	momunoi.exe
980	momunoi.exe
980	momunoi.exe
980	momunoi.exe
980	momunoi.exe
980	momunoi.exe
980	momunoi.exe
980	momunoi.exe
980	momunoi.exe
980	momunoi.exe
980	momunoi.exe
980	momunoi.exe
980	momunoi.exe
980	momunoi.exe
980	momunoi.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

~DFA61.tmp

description pid process

Token: SeDebugPrivilege 2024 ~DFA61.tmp

description	pid	process
Token: SeDebugPrivilege	2024	~DFA61.tmp

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

f4ab55313232fb2d4d6e759cf92debaad1ba28680a15a19b5e2c107c95231819.execeytlii.exe~DFA61.tmp

description	pid	process	target process
PID 1352 wrote to memory of 1692	1352	f4ab55313232fb2d4d6e759cf92debaad1ba28680a15a19b5e2c107c95231819.exe	ceytlii.exe
PID 1352 wrote to memory of 1692	1352	f4ab55313232fb2d4d6e759cf92debaad1ba28680a15a19b5e2c107c95231819.exe	ceytlii.exe
PID 1352 wrote to memory of 1692	1352	f4ab55313232fb2d4d6e759cf92debaad1ba28680a15a19b5e2c107c95231819.exe	ceytlii.exe
PID 1352 wrote to memory of 1692	1352	f4ab55313232fb2d4d6e759cf92debaad1ba28680a15a19b5e2c107c95231819.exe	ceytlii.exe
PID 1692 wrote to memory of 2024	1692	ceytlii.exe	~DFA61.tmp
PID 1692 wrote to memory of 2024	1692	ceytlii.exe	~DFA61.tmp
PID 1692 wrote to memory of 2024	1692	ceytlii.exe	~DFA61.tmp
PID 1692 wrote to memory of 2024	1692	ceytlii.exe	~DFA61.tmp
PID 1352 wrote to memory of 808	1352	f4ab55313232fb2d4d6e759cf92debaad1ba28680a15a19b5e2c107c95231819.exe	cmd.exe
PID 1352 wrote to memory of 808	1352	f4ab55313232fb2d4d6e759cf92debaad1ba28680a15a19b5e2c107c95231819.exe	cmd.exe
PID 1352 wrote to memory of 808	1352	f4ab55313232fb2d4d6e759cf92debaad1ba28680a15a19b5e2c107c95231819.exe	cmd.exe
PID 1352 wrote to memory of 808	1352	f4ab55313232fb2d4d6e759cf92debaad1ba28680a15a19b5e2c107c95231819.exe	cmd.exe
PID 2024 wrote to memory of 980	2024	~DFA61.tmp	momunoi.exe
PID 2024 wrote to memory of 980	2024	~DFA61.tmp	momunoi.exe
PID 2024 wrote to memory of 980	2024	~DFA61.tmp	momunoi.exe
PID 2024 wrote to memory of 980	2024	~DFA61.tmp	momunoi.exe

C:\Users\Admin\AppData\Local\Temp\f4ab55313232fb2d4d6e759cf92debaad1ba28680a15a19b5e2c107c95231819.exe
"C:\Users\Admin\AppData\Local\Temp\f4ab55313232fb2d4d6e759cf92debaad1ba28680a15a19b5e2c107c95231819.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1352

C:\Users\Admin\AppData\Local\Temp\ceytlii.exe
C:\Users\Admin\AppData\Local\Temp\ceytlii.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1692

C:\Users\Admin\AppData\Local\Temp\~DFA61.tmp
C:\Users\Admin\AppData\Local\Temp\~DFA61.tmp OK
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2024

C:\Users\Admin\AppData\Local\Temp\momunoi.exe
"C:\Users\Admin\AppData\Local\Temp\momunoi.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:980

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
2⤵
- Deletes itself
PID:808

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uninsep.bat

Filesize
341B

MD5
5017bd143da85900b3b5eac689b13d3a

SHA1
3add8a1a176fffd0fd065dd52ab759dd367d1481

SHA256
fa826faf4e73b7a977f22b8334edf53d5134c42d9440b7658b3b8e28542ef7d4

SHA512
4222aa1832633373d5ebb2eaba08024b68b1513f2864f14da26b90ae7689e7ffddb42ca818b716892918afe23231beaa81e2b4104d36dc6f525bdeaf5920287f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ceytlii.exe

Filesize
661KB

MD5
f35db53bd63fdf6ceea449c28b15b2dc

SHA1
8ddccbff1a7d95f12f53472b714cc8cddd96ca93

SHA256
59d4f762c9c0d7cabf32006ff63689a425d516481cb19134050dfc29de51abcd

SHA512
4752abd011916302de2169e380471265c1563282c48aea7afb7f895e2295a99d7a243d02a0b8ad43455b51be617696a3406d3a48341ddbf419573d3072505640

Download Submit
C:\Users\Admin\AppData\Local\Temp\ceytlii.exe

Filesize
661KB

MD5
f35db53bd63fdf6ceea449c28b15b2dc

SHA1
8ddccbff1a7d95f12f53472b714cc8cddd96ca93

SHA256
59d4f762c9c0d7cabf32006ff63689a425d516481cb19134050dfc29de51abcd

SHA512
4752abd011916302de2169e380471265c1563282c48aea7afb7f895e2295a99d7a243d02a0b8ad43455b51be617696a3406d3a48341ddbf419573d3072505640

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
86bb2dbeaef655893262f3c041f6afe2

SHA1
1b26ff1241c1353bd506c18bd0c11878076ba65d

SHA256
4a57643d2c59d1235bc0926f845583f39345839e3e9428ad619eb4b6baf96ad2

SHA512
58294cfaa5882a4c5625c03fe6f9e4882912b31f7169241f95626745d66c0a746083a9044365943d66ae7a420113d28c0ddd642c4ed697c683deb63796a13d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
480B

MD5
7d94b2357ab3f15cedccd450a69ce878

SHA1
62dd7887bc66ea5891d0f42225edd8c32b12dbe2

SHA256
2d10faa02913d92c03028fd5c88cb41eab8b232debdd5cb672841760e3257cb1

SHA512
90e3ea0acfc2b97cb08751ee1f35a738ad79ae0fbb3c666b19ceb70d7e1c85dcbceac6e190a47532471444edd3e6c9c86fd6ab548c7766889c682f4a39f4269a

Download Submit
C:\Users\Admin\AppData\Local\Temp\momunoi.exe

Filesize
404KB

MD5
61bbb5f3a2d873012fc105d172e91b18

SHA1
aae8f59b24c0d6e8fd4ad696060d82e094e26fcb

SHA256
f10f6a6cdf0c52954a61438ebb73b41b6ab599971316cd85d983e77478809a45

SHA512
a01b5d1a93db578e50744c3824e8d124016ff7003f8f62004959a3ae20e9102822ca0df26b9e1e79af4c54c7ca0be569181bc78ea87527ce9f4a0a8dea319757

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA61.tmp

Filesize
669KB

MD5
3a592ecc03578673256fd569d1eb895d

SHA1
123ae85cf28b1b75089d397881d96ab5862399c7

SHA256
e8d257da4b4d37adb76ffc81df628aa63a2279b6e88cb70a0ef1b0fabaf73b00

SHA512
5a4dc1f0ab34bac4a2f2de8a046080b67a1d3531b7b934625ed59b16bf48df01a0a2a9a278cce060932a16bce51380808d62e5b2cc9a799aa5808bcbdb64ba20

Download Submit
\Users\Admin\AppData\Local\Temp\ceytlii.exe

Filesize
661KB

MD5
f35db53bd63fdf6ceea449c28b15b2dc

SHA1
8ddccbff1a7d95f12f53472b714cc8cddd96ca93

SHA256
59d4f762c9c0d7cabf32006ff63689a425d516481cb19134050dfc29de51abcd

SHA512
4752abd011916302de2169e380471265c1563282c48aea7afb7f895e2295a99d7a243d02a0b8ad43455b51be617696a3406d3a48341ddbf419573d3072505640

Download Submit
\Users\Admin\AppData\Local\Temp\momunoi.exe

Filesize
404KB

MD5
61bbb5f3a2d873012fc105d172e91b18

SHA1
aae8f59b24c0d6e8fd4ad696060d82e094e26fcb

SHA256
f10f6a6cdf0c52954a61438ebb73b41b6ab599971316cd85d983e77478809a45

SHA512
a01b5d1a93db578e50744c3824e8d124016ff7003f8f62004959a3ae20e9102822ca0df26b9e1e79af4c54c7ca0be569181bc78ea87527ce9f4a0a8dea319757

Download Submit
\Users\Admin\AppData\Local\Temp\~DFA61.tmp

Filesize
669KB

MD5
3a592ecc03578673256fd569d1eb895d

SHA1
123ae85cf28b1b75089d397881d96ab5862399c7

SHA256
e8d257da4b4d37adb76ffc81df628aa63a2279b6e88cb70a0ef1b0fabaf73b00

SHA512
5a4dc1f0ab34bac4a2f2de8a046080b67a1d3531b7b934625ed59b16bf48df01a0a2a9a278cce060932a16bce51380808d62e5b2cc9a799aa5808bcbdb64ba20

Download Submit
memory/808-69-0x0000000000000000-mapping.dmp

Download
memory/980-79-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/980-76-0x0000000000000000-mapping.dmp

Download
memory/1352-54-0x0000000075B51000-0x0000000075B53000-memory.dmp

Filesize
8KB

Download
memory/1352-66-0x0000000001E80000-0x0000000001F5E000-memory.dmp

Filesize
888KB

Download
memory/1352-70-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1352-55-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1692-67-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1692-72-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1692-68-0x0000000002AE0000-0x0000000002BBE000-memory.dmp

Filesize
888KB

Download
memory/1692-57-0x0000000000000000-mapping.dmp

Download
memory/2024-74-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/2024-73-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/2024-78-0x0000000003740000-0x000000000387E000-memory.dmp

Filesize
1.2MB

Download
memory/2024-63-0x0000000000000000-mapping.dmp

Download