db1f1cbd8825e5d8bc9a18826fbe128974ab8aadd4c24c7066e185f14456a0ee

Analysis

max time kernel
151s
max time network
82s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 21:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

db1f1cbd8825e5d8bc9a18826fbe128974ab8aadd4c24c7066e185f14456a0ee.exe
Size

702KB
MD5

4345d9b5049c7cf2ea2d35564debeec0
SHA1

8e640ec8cd2274fdeab6b29285039ed4f283f9e7
SHA256

db1f1cbd8825e5d8bc9a18826fbe128974ab8aadd4c24c7066e185f14456a0ee
SHA512

7f50d4e53e672415db93200f9e203f31242baca7adb9680827e2550e0dbe5bb078a996f25f9ae8c1096861fced7039edca01c0f04b0e8c2023db35af9daa0fc8
SSDEEP

12288:VHjcoe9PH96vB/fAuBcm9TyOE/xG3muGx44MG4Yx:VDgINfAuBcgcZG2uG24MG4Y

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

xuqyzad.exe~DFA69.tmpsyzoiod.exe

pid process

1348 xuqyzad.exe
1992 ~DFA69.tmp
1352 syzoiod.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1736 cmd.exe
Loads dropped DLL 3 IoCs

Processes:

db1f1cbd8825e5d8bc9a18826fbe128974ab8aadd4c24c7066e185f14456a0ee.exexuqyzad.exe~DFA69.tmp

pid process

1852 db1f1cbd8825e5d8bc9a18826fbe128974ab8aadd4c24c7066e185f14456a0ee.exe
1348 xuqyzad.exe
1992 ~DFA69.tmp
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1348	xuqyzad.exe
1992	~DFA69.tmp
1352	syzoiod.exe

pid	process
1736	cmd.exe

pid	process
1852	db1f1cbd8825e5d8bc9a18826fbe128974ab8aadd4c24c7066e185f14456a0ee.exe
1348	xuqyzad.exe
1992	~DFA69.tmp

Suspicious behavior: EnumeratesProcesses 17 IoCs

Processes:

syzoiod.exe

pid	process
1352	syzoiod.exe
1352	syzoiod.exe
1352	syzoiod.exe
1352	syzoiod.exe
1352	syzoiod.exe
1352	syzoiod.exe
1352	syzoiod.exe
1352	syzoiod.exe
1352	syzoiod.exe
1352	syzoiod.exe
1352	syzoiod.exe
1352	syzoiod.exe
1352	syzoiod.exe
1352	syzoiod.exe
1352	syzoiod.exe
1352	syzoiod.exe
1352	syzoiod.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

~DFA69.tmp

description pid process

Token: SeDebugPrivilege 1992 ~DFA69.tmp

description	pid	process
Token: SeDebugPrivilege	1992	~DFA69.tmp

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

db1f1cbd8825e5d8bc9a18826fbe128974ab8aadd4c24c7066e185f14456a0ee.exexuqyzad.exe~DFA69.tmp

description	pid	process	target process
PID 1852 wrote to memory of 1348	1852	db1f1cbd8825e5d8bc9a18826fbe128974ab8aadd4c24c7066e185f14456a0ee.exe	xuqyzad.exe
PID 1852 wrote to memory of 1348	1852	db1f1cbd8825e5d8bc9a18826fbe128974ab8aadd4c24c7066e185f14456a0ee.exe	xuqyzad.exe
PID 1852 wrote to memory of 1348	1852	db1f1cbd8825e5d8bc9a18826fbe128974ab8aadd4c24c7066e185f14456a0ee.exe	xuqyzad.exe
PID 1852 wrote to memory of 1348	1852	db1f1cbd8825e5d8bc9a18826fbe128974ab8aadd4c24c7066e185f14456a0ee.exe	xuqyzad.exe
PID 1348 wrote to memory of 1992	1348	xuqyzad.exe	~DFA69.tmp
PID 1348 wrote to memory of 1992	1348	xuqyzad.exe	~DFA69.tmp
PID 1348 wrote to memory of 1992	1348	xuqyzad.exe	~DFA69.tmp
PID 1348 wrote to memory of 1992	1348	xuqyzad.exe	~DFA69.tmp
PID 1852 wrote to memory of 1736	1852	db1f1cbd8825e5d8bc9a18826fbe128974ab8aadd4c24c7066e185f14456a0ee.exe	cmd.exe
PID 1852 wrote to memory of 1736	1852	db1f1cbd8825e5d8bc9a18826fbe128974ab8aadd4c24c7066e185f14456a0ee.exe	cmd.exe
PID 1852 wrote to memory of 1736	1852	db1f1cbd8825e5d8bc9a18826fbe128974ab8aadd4c24c7066e185f14456a0ee.exe	cmd.exe
PID 1852 wrote to memory of 1736	1852	db1f1cbd8825e5d8bc9a18826fbe128974ab8aadd4c24c7066e185f14456a0ee.exe	cmd.exe
PID 1992 wrote to memory of 1352	1992	~DFA69.tmp	syzoiod.exe
PID 1992 wrote to memory of 1352	1992	~DFA69.tmp	syzoiod.exe
PID 1992 wrote to memory of 1352	1992	~DFA69.tmp	syzoiod.exe
PID 1992 wrote to memory of 1352	1992	~DFA69.tmp	syzoiod.exe

C:\Users\Admin\AppData\Local\Temp\db1f1cbd8825e5d8bc9a18826fbe128974ab8aadd4c24c7066e185f14456a0ee.exe
"C:\Users\Admin\AppData\Local\Temp\db1f1cbd8825e5d8bc9a18826fbe128974ab8aadd4c24c7066e185f14456a0ee.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1852

C:\Users\Admin\AppData\Local\Temp\xuqyzad.exe
C:\Users\Admin\AppData\Local\Temp\xuqyzad.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1348

C:\Users\Admin\AppData\Local\Temp\~DFA69.tmp
C:\Users\Admin\AppData\Local\Temp\~DFA69.tmp OK
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1992

C:\Users\Admin\AppData\Local\Temp\syzoiod.exe
"C:\Users\Admin\AppData\Local\Temp\syzoiod.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1352

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
2⤵
- Deletes itself
PID:1736

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uninsep.bat
Filesize
341B

MD5
79075e397721cc0b81d00653bd1a35f2

SHA1
034ecd059bfa7b8a1240e142714b5609e3a85e8f

SHA256
8c4e9ad8e99791134a3632856fa098a1b09f3ea35776ee17150e96529e96d6ed

SHA512
a86ce90a5c51409e30d8c62f2ebd7ad0f5c1959a1b9a0e8328313e589b185e5540776d551c9d892c3a38dbc1b2ac361ce38c1fc1d255df677a9f664aa9feed62

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini
Filesize
104B

MD5
86bb2dbeaef655893262f3c041f6afe2

SHA1
1b26ff1241c1353bd506c18bd0c11878076ba65d

SHA256
4a57643d2c59d1235bc0926f845583f39345839e3e9428ad619eb4b6baf96ad2

SHA512
58294cfaa5882a4c5625c03fe6f9e4882912b31f7169241f95626745d66c0a746083a9044365943d66ae7a420113d28c0ddd642c4ed697c683deb63796a13d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
Filesize
480B

MD5
316de58a9bf92fa6868c0c5b3a93d0f0

SHA1
5ad9054cc31222769995584bf2989a37736b7e27

SHA256
2d55929e53fa136ffd550e5da36dc5d44bce29b0133c18f53245a8a1705c7746

SHA512
53f4a48900630e8e2d98ea121369af446d186e997f1bbb0436b7982570885912b841053d28cc5a8e6edf0bc14c0a9fc65208d6efe04d5a9c042c120c84c8e61b

Download Submit
C:\Users\Admin\AppData\Local\Temp\syzoiod.exe
Filesize
403KB

MD5
e431412465dc06fbc9f31903b9b131a5

SHA1
b91e16316628c990459ee4f7fb356383570041b9

SHA256
3192868a36ccf091a72bf6784a921d6b6a6c39ae13c0a630788b13ad1ed3f5dd

SHA512
9124b32d0c2544c171400a62b5d878a3767c8b5d402b689bafa4236c83ca94d803054a6198895caed8bb9a484d79fadef1b8fa756629065e777a4c09e1255a4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\xuqyzad.exe
Filesize
706KB

MD5
5df91ad9d860e9c9307a477cf77c8641

SHA1
b3ba972184bd25eb021b437ec16109d0d8d90577

SHA256
4650aa5269fd3e7024f49da4361670e376fa9f17f56806e98f28305fb9cf9b4a

SHA512
0bf13d30a2c6b76220f18cfd2c18716b162ef91beef8382e9333186f9abe43fb2e0d61fd56ed93eff452d67776e49772698eef800c32590f9c75a041568a2863

Download Submit
C:\Users\Admin\AppData\Local\Temp\xuqyzad.exe
Filesize
706KB

MD5
5df91ad9d860e9c9307a477cf77c8641

SHA1
b3ba972184bd25eb021b437ec16109d0d8d90577

SHA256
4650aa5269fd3e7024f49da4361670e376fa9f17f56806e98f28305fb9cf9b4a

SHA512
0bf13d30a2c6b76220f18cfd2c18716b162ef91beef8382e9333186f9abe43fb2e0d61fd56ed93eff452d67776e49772698eef800c32590f9c75a041568a2863

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA69.tmp
Filesize
712KB

MD5
927fc17bc21dc2c085d46f959d8c3c09

SHA1
05da4f05f8bb556ca1b296c74499f3a60e8a2dc0

SHA256
ba11005a1e7182e0f47a01d31efddf4fed29ced3181053433c711725ab4979de

SHA512
f72ac4b6bae114b089579cb3eb81586ee16c2cf69c202359634eef17a510dfdc54b18ca19fc86ae44b8a4dbab6b40969c959353b404521ecc5e5c3eb801f7584

Download Submit
\Users\Admin\AppData\Local\Temp\syzoiod.exe
Filesize
403KB

MD5
e431412465dc06fbc9f31903b9b131a5

SHA1
b91e16316628c990459ee4f7fb356383570041b9

SHA256
3192868a36ccf091a72bf6784a921d6b6a6c39ae13c0a630788b13ad1ed3f5dd

SHA512
9124b32d0c2544c171400a62b5d878a3767c8b5d402b689bafa4236c83ca94d803054a6198895caed8bb9a484d79fadef1b8fa756629065e777a4c09e1255a4e

Download Submit
\Users\Admin\AppData\Local\Temp\xuqyzad.exe
Filesize
706KB

MD5
5df91ad9d860e9c9307a477cf77c8641

SHA1
b3ba972184bd25eb021b437ec16109d0d8d90577

SHA256
4650aa5269fd3e7024f49da4361670e376fa9f17f56806e98f28305fb9cf9b4a

SHA512
0bf13d30a2c6b76220f18cfd2c18716b162ef91beef8382e9333186f9abe43fb2e0d61fd56ed93eff452d67776e49772698eef800c32590f9c75a041568a2863

Download Submit
\Users\Admin\AppData\Local\Temp\~DFA69.tmp
Filesize
712KB

MD5
927fc17bc21dc2c085d46f959d8c3c09

SHA1
05da4f05f8bb556ca1b296c74499f3a60e8a2dc0

SHA256
ba11005a1e7182e0f47a01d31efddf4fed29ced3181053433c711725ab4979de

SHA512
f72ac4b6bae114b089579cb3eb81586ee16c2cf69c202359634eef17a510dfdc54b18ca19fc86ae44b8a4dbab6b40969c959353b404521ecc5e5c3eb801f7584

Download Submit
memory/1348-57-0x0000000000000000-mapping.dmp

Download
memory/1348-62-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1348-72-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1352-75-0x0000000000000000-mapping.dmp

Download
memory/1352-78-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/1736-68-0x0000000000000000-mapping.dmp

Download
memory/1852-69-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1852-54-0x0000000076151000-0x0000000076153000-memory.dmp

Filesize
8KB

Download
memory/1852-61-0x0000000001E80000-0x0000000001F5E000-memory.dmp

Filesize
888KB

Download
memory/1852-55-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1992-70-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1992-73-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1992-65-0x0000000000000000-mapping.dmp

Download
memory/1992-77-0x0000000003590000-0x00000000036CE000-memory.dmp

Filesize
1.2MB

Download