e22630225a736abff39be497ca526e89c07d4806ece58f3b4d4d764fff5c8248

Analysis

max time kernel
153s
max time network
88s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 21:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e22630225a736abff39be497ca526e89c07d4806ece58f3b4d4d764fff5c8248.exe
Size

620KB
MD5

448948245976e63b7b21994ed26fb170
SHA1

f220add2d29c1ebd25a31afb5f45cd8b232591e9
SHA256

e22630225a736abff39be497ca526e89c07d4806ece58f3b4d4d764fff5c8248
SHA512

9ab347f7b336b06d3bc5807291e292c89a28adf389eea3577a502445bd1e0fa4cface2921aba39bd414673ab8ed046c11058085931c0840c2d82171253523c5e
SSDEEP

12288:VHjcoe9PH96vB/fAuBcm9TyOE/xG3muGx44MG4Yx:VDgINfAuBcgcZG2uG24MG4Y

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

lesefy.exe~DFA78.tmpcafyny.exe

pid process

1964 lesefy.exe
1956 ~DFA78.tmp
904 cafyny.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

828 cmd.exe
Loads dropped DLL 3 IoCs

Processes:

e22630225a736abff39be497ca526e89c07d4806ece58f3b4d4d764fff5c8248.exelesefy.exe~DFA78.tmp

pid process

1608 e22630225a736abff39be497ca526e89c07d4806ece58f3b4d4d764fff5c8248.exe
1964 lesefy.exe
1956 ~DFA78.tmp
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1964	lesefy.exe
1956	~DFA78.tmp
904	cafyny.exe

pid	process
828	cmd.exe

pid	process
1608	e22630225a736abff39be497ca526e89c07d4806ece58f3b4d4d764fff5c8248.exe
1964	lesefy.exe
1956	~DFA78.tmp

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

cafyny.exe

pid	process
904	cafyny.exe
904	cafyny.exe
904	cafyny.exe
904	cafyny.exe
904	cafyny.exe
904	cafyny.exe
904	cafyny.exe
904	cafyny.exe
904	cafyny.exe
904	cafyny.exe
904	cafyny.exe
904	cafyny.exe
904	cafyny.exe
904	cafyny.exe
904	cafyny.exe
904	cafyny.exe
904	cafyny.exe
904	cafyny.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

~DFA78.tmp

description pid process

Token: SeDebugPrivilege 1956 ~DFA78.tmp

description	pid	process
Token: SeDebugPrivilege	1956	~DFA78.tmp

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

e22630225a736abff39be497ca526e89c07d4806ece58f3b4d4d764fff5c8248.exelesefy.exe~DFA78.tmp

description	pid	process	target process
PID 1608 wrote to memory of 1964	1608	e22630225a736abff39be497ca526e89c07d4806ece58f3b4d4d764fff5c8248.exe	lesefy.exe
PID 1608 wrote to memory of 1964	1608	e22630225a736abff39be497ca526e89c07d4806ece58f3b4d4d764fff5c8248.exe	lesefy.exe
PID 1608 wrote to memory of 1964	1608	e22630225a736abff39be497ca526e89c07d4806ece58f3b4d4d764fff5c8248.exe	lesefy.exe
PID 1608 wrote to memory of 1964	1608	e22630225a736abff39be497ca526e89c07d4806ece58f3b4d4d764fff5c8248.exe	lesefy.exe
PID 1964 wrote to memory of 1956	1964	lesefy.exe	~DFA78.tmp
PID 1964 wrote to memory of 1956	1964	lesefy.exe	~DFA78.tmp
PID 1964 wrote to memory of 1956	1964	lesefy.exe	~DFA78.tmp
PID 1964 wrote to memory of 1956	1964	lesefy.exe	~DFA78.tmp
PID 1608 wrote to memory of 828	1608	e22630225a736abff39be497ca526e89c07d4806ece58f3b4d4d764fff5c8248.exe	cmd.exe
PID 1608 wrote to memory of 828	1608	e22630225a736abff39be497ca526e89c07d4806ece58f3b4d4d764fff5c8248.exe	cmd.exe
PID 1608 wrote to memory of 828	1608	e22630225a736abff39be497ca526e89c07d4806ece58f3b4d4d764fff5c8248.exe	cmd.exe
PID 1608 wrote to memory of 828	1608	e22630225a736abff39be497ca526e89c07d4806ece58f3b4d4d764fff5c8248.exe	cmd.exe
PID 1956 wrote to memory of 904	1956	~DFA78.tmp	cafyny.exe
PID 1956 wrote to memory of 904	1956	~DFA78.tmp	cafyny.exe
PID 1956 wrote to memory of 904	1956	~DFA78.tmp	cafyny.exe
PID 1956 wrote to memory of 904	1956	~DFA78.tmp	cafyny.exe

C:\Users\Admin\AppData\Local\Temp\e22630225a736abff39be497ca526e89c07d4806ece58f3b4d4d764fff5c8248.exe
"C:\Users\Admin\AppData\Local\Temp\e22630225a736abff39be497ca526e89c07d4806ece58f3b4d4d764fff5c8248.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1608

C:\Users\Admin\AppData\Local\Temp\lesefy.exe
C:\Users\Admin\AppData\Local\Temp\lesefy.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1964

C:\Users\Admin\AppData\Local\Temp\~DFA78.tmp
C:\Users\Admin\AppData\Local\Temp\~DFA78.tmp OK
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1956

C:\Users\Admin\AppData\Local\Temp\cafyny.exe
"C:\Users\Admin\AppData\Local\Temp\cafyny.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:904

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
2⤵
- Deletes itself
PID:828

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uninsep.bat

Filesize
341B

MD5
c94c53f663bf6f18201916e1575c4bba

SHA1
18d56e52989c27893661cc3490d68dd0f64a256f

SHA256
3de27610130650cde28e0dc9dcdb06b9076a829630a7e1916765073d0d0339cb

SHA512
a363e31b9d421d696d70bf31000da98de05aaf1e641ac95f7cd2ea5bcbcaa1e61c80503e55ecce788b577c61de550b70e14a68c675d09f2c55c79ce56f1b4d53

Download Submit
C:\Users\Admin\AppData\Local\Temp\cafyny.exe

Filesize
398KB

MD5
3fef2b5ca00a9ec586c8d4b27ec78bee

SHA1
91921750994853905835e5b980fa531a56cbaa3d

SHA256
73e13da3d8e654cadfaa9978ab96e03168e23047efca318082fb969263d242a6

SHA512
28afca027a5882a0246b8c6afebbc9e63bb2811677247a2841de291d707cac18692f5cfad6af1d4b527c26520fcfc2f409ff91b36bf6ccf0ed106b7cfb87e4e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
86bb2dbeaef655893262f3c041f6afe2

SHA1
1b26ff1241c1353bd506c18bd0c11878076ba65d

SHA256
4a57643d2c59d1235bc0926f845583f39345839e3e9428ad619eb4b6baf96ad2

SHA512
58294cfaa5882a4c5625c03fe6f9e4882912b31f7169241f95626745d66c0a746083a9044365943d66ae7a420113d28c0ddd642c4ed697c683deb63796a13d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
480B

MD5
e16a88ee710e40f4fe0480c9d9c354ac

SHA1
15b3205e268f18df29841e7ecfedb76845384206

SHA256
8dddede96354a48551735d8d06a100f2987a0c96cbc7fbac0d7af60c15124acb

SHA512
7be5d48839a32848cf6b04f42c78b2efafa96bb29e3f0752284d97d0b90d2f733615e07421b6f8a764c03b04388facaacde42c871614ff4bab47c6f10fdb3a6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\lesefy.exe

Filesize
628KB

MD5
e79aff0de0f753e4761a83cd99f6f649

SHA1
1ae6517046e0af8836643517026e81bd36914d5c

SHA256
5086f3230a2fc802c142ab0e5df0a8f6455de33d6500499f8e33f4374e1f7ad4

SHA512
3ba86c4b70f84ce06a3227e490859ce1b9bf14768cb872fa914ea72332fc310a9ebc996f37a13e2bc6695a56ff98d2b799a6a4b046b0f6b20fd111c284433c52

Download Submit
C:\Users\Admin\AppData\Local\Temp\lesefy.exe

Filesize
628KB

MD5
e79aff0de0f753e4761a83cd99f6f649

SHA1
1ae6517046e0af8836643517026e81bd36914d5c

SHA256
5086f3230a2fc802c142ab0e5df0a8f6455de33d6500499f8e33f4374e1f7ad4

SHA512
3ba86c4b70f84ce06a3227e490859ce1b9bf14768cb872fa914ea72332fc310a9ebc996f37a13e2bc6695a56ff98d2b799a6a4b046b0f6b20fd111c284433c52

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA78.tmp

Filesize
629KB

MD5
c8d07a0a6d8f25d8f6fe0357ebc48a5d

SHA1
f9f08c8b68c7531a24e4da41fe808cf28bf25a95

SHA256
f71fb305ac46114638d3bd258d5eac5a62c52431d1c254ef9c663de072cdad2d

SHA512
35f14186f7052fb00fae06e692018e88f13ee87366a62b2a7b1d64dee0ac1260ea1fdf320c51bc8cfa67a46616e5a2694c8ecec1df86786a9aa36f90e2087b09

Download Submit
\Users\Admin\AppData\Local\Temp\cafyny.exe

Filesize
398KB

MD5
3fef2b5ca00a9ec586c8d4b27ec78bee

SHA1
91921750994853905835e5b980fa531a56cbaa3d

SHA256
73e13da3d8e654cadfaa9978ab96e03168e23047efca318082fb969263d242a6

SHA512
28afca027a5882a0246b8c6afebbc9e63bb2811677247a2841de291d707cac18692f5cfad6af1d4b527c26520fcfc2f409ff91b36bf6ccf0ed106b7cfb87e4e9

Download Submit
\Users\Admin\AppData\Local\Temp\lesefy.exe

Filesize
628KB

MD5
e79aff0de0f753e4761a83cd99f6f649

SHA1
1ae6517046e0af8836643517026e81bd36914d5c

SHA256
5086f3230a2fc802c142ab0e5df0a8f6455de33d6500499f8e33f4374e1f7ad4

SHA512
3ba86c4b70f84ce06a3227e490859ce1b9bf14768cb872fa914ea72332fc310a9ebc996f37a13e2bc6695a56ff98d2b799a6a4b046b0f6b20fd111c284433c52

Download Submit
\Users\Admin\AppData\Local\Temp\~DFA78.tmp

Filesize
629KB

MD5
c8d07a0a6d8f25d8f6fe0357ebc48a5d

SHA1
f9f08c8b68c7531a24e4da41fe808cf28bf25a95

SHA256
f71fb305ac46114638d3bd258d5eac5a62c52431d1c254ef9c663de072cdad2d

SHA512
35f14186f7052fb00fae06e692018e88f13ee87366a62b2a7b1d64dee0ac1260ea1fdf320c51bc8cfa67a46616e5a2694c8ecec1df86786a9aa36f90e2087b09

Download Submit
memory/828-68-0x0000000000000000-mapping.dmp

Download
memory/904-78-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/904-75-0x0000000000000000-mapping.dmp

Download
memory/1608-61-0x0000000001E40000-0x0000000001F1E000-memory.dmp

Filesize
888KB

Download
memory/1608-54-0x0000000075A91000-0x0000000075A93000-memory.dmp

Filesize
8KB

Download
memory/1608-69-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1608-55-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1956-73-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1956-65-0x0000000000000000-mapping.dmp

Download
memory/1956-77-0x0000000003630000-0x000000000376E000-memory.dmp

Filesize
1.2MB

Download
memory/1956-70-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1964-62-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1964-57-0x0000000000000000-mapping.dmp

Download
memory/1964-71-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download