75aecf9c8ea62f5ffaa52d74f6d20e9249418823fc3b9707517d3e325ad23eab

Analysis

max time kernel
164s
max time network
147s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 21:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

75aecf9c8ea62f5ffaa52d74f6d20e9249418823fc3b9707517d3e325ad23eab.exe
Size

654KB
MD5

46627d964f330fc382a8266ed7720380
SHA1

0e298f50a7106f8b2152aecb316ead61033bed39
SHA256

75aecf9c8ea62f5ffaa52d74f6d20e9249418823fc3b9707517d3e325ad23eab
SHA512

778e6cff3dde31cfd50e39fb11b1020b259b25f5fb371531d98026f09953490be7f001e3334a77666499fa3027d4b486f892d470a58bfe3bc75b403755bedda2
SSDEEP

12288:OHjcoe9PH96vB/fAuBcm9TyOE/xG3muGx44MG4Yx:ODgINfAuBcgcZG2uG24MG4Y

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

kusajy.exe~DFA9F.tmphopoty.exe

pid process

1404 kusajy.exe
576 ~DFA9F.tmp
1320 hopoty.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1332 cmd.exe
Loads dropped DLL 3 IoCs

Processes:

75aecf9c8ea62f5ffaa52d74f6d20e9249418823fc3b9707517d3e325ad23eab.exekusajy.exe~DFA9F.tmp

pid process

1816 75aecf9c8ea62f5ffaa52d74f6d20e9249418823fc3b9707517d3e325ad23eab.exe
1404 kusajy.exe
576 ~DFA9F.tmp
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1404	kusajy.exe
576	~DFA9F.tmp
1320	hopoty.exe

pid	process
1332	cmd.exe

pid	process
1816	75aecf9c8ea62f5ffaa52d74f6d20e9249418823fc3b9707517d3e325ad23eab.exe
1404	kusajy.exe
576	~DFA9F.tmp

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

hopoty.exe

pid	process
1320	hopoty.exe
1320	hopoty.exe
1320	hopoty.exe
1320	hopoty.exe
1320	hopoty.exe
1320	hopoty.exe
1320	hopoty.exe
1320	hopoty.exe
1320	hopoty.exe
1320	hopoty.exe
1320	hopoty.exe
1320	hopoty.exe
1320	hopoty.exe
1320	hopoty.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

~DFA9F.tmp

description pid process

Token: SeDebugPrivilege 576 ~DFA9F.tmp

description	pid	process
Token: SeDebugPrivilege	576	~DFA9F.tmp

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

75aecf9c8ea62f5ffaa52d74f6d20e9249418823fc3b9707517d3e325ad23eab.exekusajy.exe~DFA9F.tmp

description	pid	process	target process
PID 1816 wrote to memory of 1404	1816	75aecf9c8ea62f5ffaa52d74f6d20e9249418823fc3b9707517d3e325ad23eab.exe	kusajy.exe
PID 1816 wrote to memory of 1404	1816	75aecf9c8ea62f5ffaa52d74f6d20e9249418823fc3b9707517d3e325ad23eab.exe	kusajy.exe
PID 1816 wrote to memory of 1404	1816	75aecf9c8ea62f5ffaa52d74f6d20e9249418823fc3b9707517d3e325ad23eab.exe	kusajy.exe
PID 1816 wrote to memory of 1404	1816	75aecf9c8ea62f5ffaa52d74f6d20e9249418823fc3b9707517d3e325ad23eab.exe	kusajy.exe
PID 1404 wrote to memory of 576	1404	kusajy.exe	~DFA9F.tmp
PID 1404 wrote to memory of 576	1404	kusajy.exe	~DFA9F.tmp
PID 1404 wrote to memory of 576	1404	kusajy.exe	~DFA9F.tmp
PID 1404 wrote to memory of 576	1404	kusajy.exe	~DFA9F.tmp
PID 1816 wrote to memory of 1332	1816	75aecf9c8ea62f5ffaa52d74f6d20e9249418823fc3b9707517d3e325ad23eab.exe	cmd.exe
PID 1816 wrote to memory of 1332	1816	75aecf9c8ea62f5ffaa52d74f6d20e9249418823fc3b9707517d3e325ad23eab.exe	cmd.exe
PID 1816 wrote to memory of 1332	1816	75aecf9c8ea62f5ffaa52d74f6d20e9249418823fc3b9707517d3e325ad23eab.exe	cmd.exe
PID 1816 wrote to memory of 1332	1816	75aecf9c8ea62f5ffaa52d74f6d20e9249418823fc3b9707517d3e325ad23eab.exe	cmd.exe
PID 576 wrote to memory of 1320	576	~DFA9F.tmp	hopoty.exe
PID 576 wrote to memory of 1320	576	~DFA9F.tmp	hopoty.exe
PID 576 wrote to memory of 1320	576	~DFA9F.tmp	hopoty.exe
PID 576 wrote to memory of 1320	576	~DFA9F.tmp	hopoty.exe

C:\Users\Admin\AppData\Local\Temp\75aecf9c8ea62f5ffaa52d74f6d20e9249418823fc3b9707517d3e325ad23eab.exe
"C:\Users\Admin\AppData\Local\Temp\75aecf9c8ea62f5ffaa52d74f6d20e9249418823fc3b9707517d3e325ad23eab.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1816

C:\Users\Admin\AppData\Local\Temp\kusajy.exe
C:\Users\Admin\AppData\Local\Temp\kusajy.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1404

C:\Users\Admin\AppData\Local\Temp\~DFA9F.tmp
C:\Users\Admin\AppData\Local\Temp\~DFA9F.tmp OK
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:576

C:\Users\Admin\AppData\Local\Temp\hopoty.exe
"C:\Users\Admin\AppData\Local\Temp\hopoty.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1320

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
2⤵
- Deletes itself
PID:1332

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uninsep.bat
Filesize
341B

MD5
5a227f15087a52036f5d875768c82061

SHA1
098df470f169161c931055c75009240859647794

SHA256
3a7761ed65350b6b4afa65e414f8d030468ad96192bd58109063d3ef8328848a

SHA512
5be9272c7cc97e185fb8f51f3db002f008c81531a0564907f3955bcd87da90f9cc3bb7602101c11435ee3aaa70c23f117881bf804cae78ae80616b74c8bccbc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini
Filesize
104B

MD5
86bb2dbeaef655893262f3c041f6afe2

SHA1
1b26ff1241c1353bd506c18bd0c11878076ba65d

SHA256
4a57643d2c59d1235bc0926f845583f39345839e3e9428ad619eb4b6baf96ad2

SHA512
58294cfaa5882a4c5625c03fe6f9e4882912b31f7169241f95626745d66c0a746083a9044365943d66ae7a420113d28c0ddd642c4ed697c683deb63796a13d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
Filesize
480B

MD5
61eee8db3adc5cb8fb5ca43f7a1bf29e

SHA1
7a1b5f49949a629f934982428af9bdaecc66f823

SHA256
28eae0c79c2e1ba64c2b5e2e824a89bc4bb470a6d27d798ec9a4c4f9bb119648

SHA512
93d46373e4b9f461e22b0ceba7587789fdbacdad19637e1e9958784685ec657593bde5cf9173bc47eddbada69b79206b8ce4bdcfb0b9bfcddb37b24ccbe5738e

Download Submit
C:\Users\Admin\AppData\Local\Temp\hopoty.exe
Filesize
382KB

MD5
d806340f65a236d499d288395e1066e8

SHA1
6adb524559d300a0885cd06cdebb52e473bbe9cb

SHA256
7a82cb5de7f06d6157cd727d7e5a9c3abfa9fca68ff0f758ce3ce87f3fc391b2

SHA512
b0c7063e6ec7dc26243720283f4a2ccaca6995e6d146c9008cd87bb92414907a3768853f9a3c1658863ef54ab7cd7fcb82ac79b3b8a02afbc505dd1c9517c4f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\kusajy.exe
Filesize
663KB

MD5
0fe13542d30a738128c7a6f141a44575

SHA1
4b39e3c86ca7716e525339ab5fec7aa31f95bc04

SHA256
ae13facb167f3c05fffcea4a95ffc1577891f894abe9a992c82f0e2723597ff6

SHA512
71236388f16af5ed8cfe2d054fd960324da3789175f40186b753447b54abcf59f45716c779d86d614289fe0a8a06954d7391e8918121dbc500fae695be7b0cb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\kusajy.exe
Filesize
663KB

MD5
0fe13542d30a738128c7a6f141a44575

SHA1
4b39e3c86ca7716e525339ab5fec7aa31f95bc04

SHA256
ae13facb167f3c05fffcea4a95ffc1577891f894abe9a992c82f0e2723597ff6

SHA512
71236388f16af5ed8cfe2d054fd960324da3789175f40186b753447b54abcf59f45716c779d86d614289fe0a8a06954d7391e8918121dbc500fae695be7b0cb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA9F.tmp
Filesize
673KB

MD5
cdf79fc7723f3b67225e4f811a10d7bf

SHA1
707e2673cd8c90118892f28999d78a5be628351c

SHA256
2e7dcd7a82f444a6bcdd01c5f70ec29a961ee30619dbb133a738da6e75ad31c6

SHA512
95e86af4868c0988333f43cc210ded8591fa8abd624f11f62640536d6aef23ef815083da514fa76a1f6b3bdb13cad86f9506034a066cd4191ef8b098cabbe7f0

Download Submit
\Users\Admin\AppData\Local\Temp\hopoty.exe
Filesize
382KB

MD5
d806340f65a236d499d288395e1066e8

SHA1
6adb524559d300a0885cd06cdebb52e473bbe9cb

SHA256
7a82cb5de7f06d6157cd727d7e5a9c3abfa9fca68ff0f758ce3ce87f3fc391b2

SHA512
b0c7063e6ec7dc26243720283f4a2ccaca6995e6d146c9008cd87bb92414907a3768853f9a3c1658863ef54ab7cd7fcb82ac79b3b8a02afbc505dd1c9517c4f5

Download Submit
\Users\Admin\AppData\Local\Temp\kusajy.exe
Filesize
663KB

MD5
0fe13542d30a738128c7a6f141a44575

SHA1
4b39e3c86ca7716e525339ab5fec7aa31f95bc04

SHA256
ae13facb167f3c05fffcea4a95ffc1577891f894abe9a992c82f0e2723597ff6

SHA512
71236388f16af5ed8cfe2d054fd960324da3789175f40186b753447b54abcf59f45716c779d86d614289fe0a8a06954d7391e8918121dbc500fae695be7b0cb0

Download Submit
\Users\Admin\AppData\Local\Temp\~DFA9F.tmp
Filesize
673KB

MD5
cdf79fc7723f3b67225e4f811a10d7bf

SHA1
707e2673cd8c90118892f28999d78a5be628351c

SHA256
2e7dcd7a82f444a6bcdd01c5f70ec29a961ee30619dbb133a738da6e75ad31c6

SHA512
95e86af4868c0988333f43cc210ded8591fa8abd624f11f62640536d6aef23ef815083da514fa76a1f6b3bdb13cad86f9506034a066cd4191ef8b098cabbe7f0

Download Submit
memory/576-67-0x0000000000000000-mapping.dmp

Download
memory/576-73-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/576-80-0x0000000003870000-0x00000000039AE000-memory.dmp

Filesize
1.2MB

Download
memory/576-75-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1320-81-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/1320-77-0x0000000000000000-mapping.dmp

Download
memory/1332-70-0x0000000000000000-mapping.dmp

Download
memory/1404-62-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1404-74-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1404-58-0x0000000000000000-mapping.dmp

Download
memory/1816-71-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1816-64-0x0000000001D20000-0x0000000001DFE000-memory.dmp

Filesize
888KB

Download
memory/1816-57-0x0000000001D20000-0x0000000001DFE000-memory.dmp

Filesize
888KB

Download
memory/1816-55-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1816-63-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1816-54-0x0000000075511000-0x0000000075513000-memory.dmp

Filesize
8KB

Download