e4acfe20761c7014a2252b128d6841ecbfecfe7c7351d1ffd6c13d105fe4c7c5

Analysis

max time kernel
154s
max time network
79s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 21:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e4acfe20761c7014a2252b128d6841ecbfecfe7c7351d1ffd6c13d105fe4c7c5.exe
Size

639KB
MD5

45cd3172c82ced49112cd853152b4ae0
SHA1

51cb0b265807a344ef501595f2c62cc1629a1636
SHA256

e4acfe20761c7014a2252b128d6841ecbfecfe7c7351d1ffd6c13d105fe4c7c5
SHA512

bc836ad281bce8be1f552bdefe9ad43e6d8705ea5b334b562480298cdbf09dba1fc19e3b6043e79151576b3e44bbc40fd908b9142f0f8ae8ca62ae7e693b8618
SSDEEP

12288:VHjcoe9PH96vB/fAuBcm9TyOE/xG3muGx44MG4Yx:VDgINfAuBcgcZG2uG24MG4Y

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

jelepug.exe~DFA5C.tmpqeodjug.exe

pid process

1148 jelepug.exe
1916 ~DFA5C.tmp
1656 qeodjug.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

672 cmd.exe
Loads dropped DLL 3 IoCs

Processes:

e4acfe20761c7014a2252b128d6841ecbfecfe7c7351d1ffd6c13d105fe4c7c5.exejelepug.exe~DFA5C.tmp

pid process

1524 e4acfe20761c7014a2252b128d6841ecbfecfe7c7351d1ffd6c13d105fe4c7c5.exe
1148 jelepug.exe
1916 ~DFA5C.tmp
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1148	jelepug.exe
1916	~DFA5C.tmp
1656	qeodjug.exe

pid	process
672	cmd.exe

pid	process
1524	e4acfe20761c7014a2252b128d6841ecbfecfe7c7351d1ffd6c13d105fe4c7c5.exe
1148	jelepug.exe
1916	~DFA5C.tmp

Suspicious behavior: EnumeratesProcesses 19 IoCs

Processes:

qeodjug.exe

pid	process
1656	qeodjug.exe
1656	qeodjug.exe
1656	qeodjug.exe
1656	qeodjug.exe
1656	qeodjug.exe
1656	qeodjug.exe
1656	qeodjug.exe
1656	qeodjug.exe
1656	qeodjug.exe
1656	qeodjug.exe
1656	qeodjug.exe
1656	qeodjug.exe
1656	qeodjug.exe
1656	qeodjug.exe
1656	qeodjug.exe
1656	qeodjug.exe
1656	qeodjug.exe
1656	qeodjug.exe
1656	qeodjug.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

~DFA5C.tmp

description pid process

Token: SeDebugPrivilege 1916 ~DFA5C.tmp

description	pid	process
Token: SeDebugPrivilege	1916	~DFA5C.tmp

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

e4acfe20761c7014a2252b128d6841ecbfecfe7c7351d1ffd6c13d105fe4c7c5.exejelepug.exe~DFA5C.tmp

description	pid	process	target process
PID 1524 wrote to memory of 1148	1524	e4acfe20761c7014a2252b128d6841ecbfecfe7c7351d1ffd6c13d105fe4c7c5.exe	jelepug.exe
PID 1524 wrote to memory of 1148	1524	e4acfe20761c7014a2252b128d6841ecbfecfe7c7351d1ffd6c13d105fe4c7c5.exe	jelepug.exe
PID 1524 wrote to memory of 1148	1524	e4acfe20761c7014a2252b128d6841ecbfecfe7c7351d1ffd6c13d105fe4c7c5.exe	jelepug.exe
PID 1524 wrote to memory of 1148	1524	e4acfe20761c7014a2252b128d6841ecbfecfe7c7351d1ffd6c13d105fe4c7c5.exe	jelepug.exe
PID 1524 wrote to memory of 672	1524	e4acfe20761c7014a2252b128d6841ecbfecfe7c7351d1ffd6c13d105fe4c7c5.exe	cmd.exe
PID 1524 wrote to memory of 672	1524	e4acfe20761c7014a2252b128d6841ecbfecfe7c7351d1ffd6c13d105fe4c7c5.exe	cmd.exe
PID 1524 wrote to memory of 672	1524	e4acfe20761c7014a2252b128d6841ecbfecfe7c7351d1ffd6c13d105fe4c7c5.exe	cmd.exe
PID 1524 wrote to memory of 672	1524	e4acfe20761c7014a2252b128d6841ecbfecfe7c7351d1ffd6c13d105fe4c7c5.exe	cmd.exe
PID 1148 wrote to memory of 1916	1148	jelepug.exe	~DFA5C.tmp
PID 1148 wrote to memory of 1916	1148	jelepug.exe	~DFA5C.tmp
PID 1148 wrote to memory of 1916	1148	jelepug.exe	~DFA5C.tmp
PID 1148 wrote to memory of 1916	1148	jelepug.exe	~DFA5C.tmp
PID 1916 wrote to memory of 1656	1916	~DFA5C.tmp	qeodjug.exe
PID 1916 wrote to memory of 1656	1916	~DFA5C.tmp	qeodjug.exe
PID 1916 wrote to memory of 1656	1916	~DFA5C.tmp	qeodjug.exe
PID 1916 wrote to memory of 1656	1916	~DFA5C.tmp	qeodjug.exe

C:\Users\Admin\AppData\Local\Temp\e4acfe20761c7014a2252b128d6841ecbfecfe7c7351d1ffd6c13d105fe4c7c5.exe
"C:\Users\Admin\AppData\Local\Temp\e4acfe20761c7014a2252b128d6841ecbfecfe7c7351d1ffd6c13d105fe4c7c5.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1524

C:\Users\Admin\AppData\Local\Temp\jelepug.exe
C:\Users\Admin\AppData\Local\Temp\jelepug.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1148

C:\Users\Admin\AppData\Local\Temp\~DFA5C.tmp
C:\Users\Admin\AppData\Local\Temp\~DFA5C.tmp OK
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1916

C:\Users\Admin\AppData\Local\Temp\qeodjug.exe
"C:\Users\Admin\AppData\Local\Temp\qeodjug.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1656

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
2⤵
- Deletes itself
PID:672

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uninsep.bat

Filesize
341B

MD5
cb37a9d114c4c4c3cdf8c4c6d11a2ab6

SHA1
45f15034714988265276fd121c0c8c79af328815

SHA256
c2e6c8584eff688333839436c637118b91e54f098f6c30c95082e41dcdeb260f

SHA512
b9fa29b955afa8d95854bb526fbe3c5decccd3420461dfeb3931adc0a888e50a3331647e35818e10bc60e3eff37ae11b642174c4b1892b11d02e36e4e2f939cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
86bb2dbeaef655893262f3c041f6afe2

SHA1
1b26ff1241c1353bd506c18bd0c11878076ba65d

SHA256
4a57643d2c59d1235bc0926f845583f39345839e3e9428ad619eb4b6baf96ad2

SHA512
58294cfaa5882a4c5625c03fe6f9e4882912b31f7169241f95626745d66c0a746083a9044365943d66ae7a420113d28c0ddd642c4ed697c683deb63796a13d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
480B

MD5
49f595c2ba77d72e5cbd0284f6140fa4

SHA1
8ee8d7c1e15ec3f143c3cc09121d5bbb173b48f6

SHA256
5e2c224ab7aa802e497feeed542a68e8a25a3ac88630febf96669f36fb2f1e52

SHA512
d9127993aaa842692ccf9279c9b91776dd45a56fe02ba9497219ae30b486485b35100cec694881e40fba0f377b4e7583b82d1865c7e6a9af4b7cdd5f137b85c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\jelepug.exe

Filesize
641KB

MD5
a575f6e2430178938596e2ee196cc271

SHA1
7cb4e4f25f4ce6525029d91902dd28a79256db4f

SHA256
f531ce0b4fd08e706ed1ebd4e37b0f7d75ded9facb636dce3fc703e5faf00587

SHA512
a986d2616529918e70658fcf605c221d1212d0d58cad739f9033a354d0df538d46d7ff226bc860a4e3c12e029f6d259026715ff2e41d7bdf3cd8efe0ef22294c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jelepug.exe

Filesize
641KB

MD5
a575f6e2430178938596e2ee196cc271

SHA1
7cb4e4f25f4ce6525029d91902dd28a79256db4f

SHA256
f531ce0b4fd08e706ed1ebd4e37b0f7d75ded9facb636dce3fc703e5faf00587

SHA512
a986d2616529918e70658fcf605c221d1212d0d58cad739f9033a354d0df538d46d7ff226bc860a4e3c12e029f6d259026715ff2e41d7bdf3cd8efe0ef22294c

Download Submit
C:\Users\Admin\AppData\Local\Temp\qeodjug.exe

Filesize
383KB

MD5
dc44ff1d98158054fe863bc4c84ae66b

SHA1
c206a82e32ddbaed77ec0c5791756bea426c7118

SHA256
375db0d8eb44afb94d6e7f4deb3e7a349ee84747d35786c53c1f112548715dd4

SHA512
f6146c458050f7b8e8b6a33135dd80329ceb3103db2aee7079f7be934a2f45c7beabc34f014c979e58938a091746a48720665cfa2b9e6ee4e2110d10b4b00282

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA5C.tmp

Filesize
644KB

MD5
3dc350f93479053315fb104cae00c46f

SHA1
1b0e0edb1dd3ad02d5e6ff1c346e0cfa0344b528

SHA256
569430b9a4da805499b469fca7d3dd35e2ebaf835ba7abe1907165a7cccd4dd1

SHA512
82149b48c4e0d3bf27a8a72fb87b9da67472a8e5d2c43428f287eb08d531c6d238959d5b213530ee81df60b179688f27681a0b7178391ba511649876b67200b6

Download Submit
\Users\Admin\AppData\Local\Temp\jelepug.exe

Filesize
641KB

MD5
a575f6e2430178938596e2ee196cc271

SHA1
7cb4e4f25f4ce6525029d91902dd28a79256db4f

SHA256
f531ce0b4fd08e706ed1ebd4e37b0f7d75ded9facb636dce3fc703e5faf00587

SHA512
a986d2616529918e70658fcf605c221d1212d0d58cad739f9033a354d0df538d46d7ff226bc860a4e3c12e029f6d259026715ff2e41d7bdf3cd8efe0ef22294c

Download Submit
\Users\Admin\AppData\Local\Temp\qeodjug.exe

Filesize
383KB

MD5
dc44ff1d98158054fe863bc4c84ae66b

SHA1
c206a82e32ddbaed77ec0c5791756bea426c7118

SHA256
375db0d8eb44afb94d6e7f4deb3e7a349ee84747d35786c53c1f112548715dd4

SHA512
f6146c458050f7b8e8b6a33135dd80329ceb3103db2aee7079f7be934a2f45c7beabc34f014c979e58938a091746a48720665cfa2b9e6ee4e2110d10b4b00282

Download Submit
\Users\Admin\AppData\Local\Temp\~DFA5C.tmp

Filesize
644KB

MD5
3dc350f93479053315fb104cae00c46f

SHA1
1b0e0edb1dd3ad02d5e6ff1c346e0cfa0344b528

SHA256
569430b9a4da805499b469fca7d3dd35e2ebaf835ba7abe1907165a7cccd4dd1

SHA512
82149b48c4e0d3bf27a8a72fb87b9da67472a8e5d2c43428f287eb08d531c6d238959d5b213530ee81df60b179688f27681a0b7178391ba511649876b67200b6

Download Submit
memory/672-60-0x0000000000000000-mapping.dmp

Download
memory/1148-57-0x0000000000000000-mapping.dmp

Download
memory/1148-70-0x0000000002C20000-0x0000000002CFE000-memory.dmp

Filesize
888KB

Download
memory/1148-72-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1148-73-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1524-63-0x0000000001F10000-0x0000000001FEE000-memory.dmp

Filesize
888KB

Download
memory/1524-54-0x0000000075FE1000-0x0000000075FE3000-memory.dmp

Filesize
8KB

Download
memory/1524-55-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1524-62-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1656-80-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/1656-76-0x0000000000000000-mapping.dmp

Download
memory/1916-67-0x0000000000000000-mapping.dmp

Download
memory/1916-74-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1916-79-0x0000000003940000-0x0000000003A7E000-memory.dmp

Filesize
1.2MB

Download
memory/1916-71-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download