727ad25e6fd7e96b16c60dc9f4308599fc45ed433ad4c6e38c78c4c6b4bf3f40

Analysis

max time kernel
151s
max time network
77s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 21:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

727ad25e6fd7e96b16c60dc9f4308599fc45ed433ad4c6e38c78c4c6b4bf3f40.exe
Size

686KB
MD5

535138c6ab8c3fa53a1b8ffe62a23930
SHA1

92692d33f4cbb39f6bebb4f6c9f592ca3059d772
SHA256

727ad25e6fd7e96b16c60dc9f4308599fc45ed433ad4c6e38c78c4c6b4bf3f40
SHA512

0d118a404f06ba2f065ea03f36802774f14331fc9bf0a8b8fbd17b1b343fe4374721cfe43e562aa4867345704ec4fda85517e098bacaf605378718e73fa7d467
SSDEEP

12288:VHjcoe9PH96vB/fAuBcm9TyOE/xG3muGx44MG4Yx:VDgINfAuBcgcZG2uG24MG4Y

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

voetfog.exe~DFA59.tmpnuezwid.exe

pid process

832 voetfog.exe
1152 ~DFA59.tmp
632 nuezwid.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1300 cmd.exe
Loads dropped DLL 3 IoCs

Processes:

727ad25e6fd7e96b16c60dc9f4308599fc45ed433ad4c6e38c78c4c6b4bf3f40.exevoetfog.exe~DFA59.tmp

pid process

1808 727ad25e6fd7e96b16c60dc9f4308599fc45ed433ad4c6e38c78c4c6b4bf3f40.exe
832 voetfog.exe
1152 ~DFA59.tmp
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
832	voetfog.exe
1152	~DFA59.tmp
632	nuezwid.exe

pid	process
1300	cmd.exe

pid	process
1808	727ad25e6fd7e96b16c60dc9f4308599fc45ed433ad4c6e38c78c4c6b4bf3f40.exe
832	voetfog.exe
1152	~DFA59.tmp

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

nuezwid.exe

pid	process
632	nuezwid.exe
632	nuezwid.exe
632	nuezwid.exe
632	nuezwid.exe
632	nuezwid.exe
632	nuezwid.exe
632	nuezwid.exe
632	nuezwid.exe
632	nuezwid.exe
632	nuezwid.exe
632	nuezwid.exe
632	nuezwid.exe
632	nuezwid.exe
632	nuezwid.exe
632	nuezwid.exe
632	nuezwid.exe
632	nuezwid.exe
632	nuezwid.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

~DFA59.tmp

description pid process

Token: SeDebugPrivilege 1152 ~DFA59.tmp

description	pid	process
Token: SeDebugPrivilege	1152	~DFA59.tmp

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

727ad25e6fd7e96b16c60dc9f4308599fc45ed433ad4c6e38c78c4c6b4bf3f40.exevoetfog.exe~DFA59.tmp

description	pid	process	target process
PID 1808 wrote to memory of 832	1808	727ad25e6fd7e96b16c60dc9f4308599fc45ed433ad4c6e38c78c4c6b4bf3f40.exe	voetfog.exe
PID 1808 wrote to memory of 832	1808	727ad25e6fd7e96b16c60dc9f4308599fc45ed433ad4c6e38c78c4c6b4bf3f40.exe	voetfog.exe
PID 1808 wrote to memory of 832	1808	727ad25e6fd7e96b16c60dc9f4308599fc45ed433ad4c6e38c78c4c6b4bf3f40.exe	voetfog.exe
PID 1808 wrote to memory of 832	1808	727ad25e6fd7e96b16c60dc9f4308599fc45ed433ad4c6e38c78c4c6b4bf3f40.exe	voetfog.exe
PID 1808 wrote to memory of 1300	1808	727ad25e6fd7e96b16c60dc9f4308599fc45ed433ad4c6e38c78c4c6b4bf3f40.exe	cmd.exe
PID 1808 wrote to memory of 1300	1808	727ad25e6fd7e96b16c60dc9f4308599fc45ed433ad4c6e38c78c4c6b4bf3f40.exe	cmd.exe
PID 1808 wrote to memory of 1300	1808	727ad25e6fd7e96b16c60dc9f4308599fc45ed433ad4c6e38c78c4c6b4bf3f40.exe	cmd.exe
PID 1808 wrote to memory of 1300	1808	727ad25e6fd7e96b16c60dc9f4308599fc45ed433ad4c6e38c78c4c6b4bf3f40.exe	cmd.exe
PID 832 wrote to memory of 1152	832	voetfog.exe	~DFA59.tmp
PID 832 wrote to memory of 1152	832	voetfog.exe	~DFA59.tmp
PID 832 wrote to memory of 1152	832	voetfog.exe	~DFA59.tmp
PID 832 wrote to memory of 1152	832	voetfog.exe	~DFA59.tmp
PID 1152 wrote to memory of 632	1152	~DFA59.tmp	nuezwid.exe
PID 1152 wrote to memory of 632	1152	~DFA59.tmp	nuezwid.exe
PID 1152 wrote to memory of 632	1152	~DFA59.tmp	nuezwid.exe
PID 1152 wrote to memory of 632	1152	~DFA59.tmp	nuezwid.exe

C:\Users\Admin\AppData\Local\Temp\727ad25e6fd7e96b16c60dc9f4308599fc45ed433ad4c6e38c78c4c6b4bf3f40.exe
"C:\Users\Admin\AppData\Local\Temp\727ad25e6fd7e96b16c60dc9f4308599fc45ed433ad4c6e38c78c4c6b4bf3f40.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1808

C:\Users\Admin\AppData\Local\Temp\voetfog.exe
C:\Users\Admin\AppData\Local\Temp\voetfog.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:832

C:\Users\Admin\AppData\Local\Temp\~DFA59.tmp
C:\Users\Admin\AppData\Local\Temp\~DFA59.tmp OK
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1152

C:\Users\Admin\AppData\Local\Temp\nuezwid.exe
"C:\Users\Admin\AppData\Local\Temp\nuezwid.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:632

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
2⤵
- Deletes itself
PID:1300

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uninsep.bat
Filesize
341B

MD5
37a516c7deef1ce9b4089b5b519b0846

SHA1
162a596f7226d1bd822eda844fc693a15d798fe6

SHA256
7ee18c6b7119fb0f08e62ab03a11c44989a970854a100c057061e03b43670aa3

SHA512
4bda090a1c65d1f0c0bbf4038b804bbe3d55744a6b25cbbac38050e03942973732117a5beffccad0d5fb5ed9dd7c094ec3c9c4d3ffc6841f19590df102a97c3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini
Filesize
104B

MD5
86bb2dbeaef655893262f3c041f6afe2

SHA1
1b26ff1241c1353bd506c18bd0c11878076ba65d

SHA256
4a57643d2c59d1235bc0926f845583f39345839e3e9428ad619eb4b6baf96ad2

SHA512
58294cfaa5882a4c5625c03fe6f9e4882912b31f7169241f95626745d66c0a746083a9044365943d66ae7a420113d28c0ddd642c4ed697c683deb63796a13d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
Filesize
480B

MD5
666d009a5be30702170f6379df598a7f

SHA1
1a264b6dab71f1b2b946c939b3e12573c77aebcb

SHA256
8963b6959f93d566222b0c38357a9e0cfc4c439d8fd7142d51792061f421204e

SHA512
2dc1249795221e11d2dabbe2498568d0e0cc261fdf4b0a4d38062b739164ddaee62d8ea5cdf28105400f98884ff3fc2102be0d121e8e7f0fbb7b3a1136ab530a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nuezwid.exe
Filesize
377KB

MD5
0f7921bcecfd63d9d2d73392890c9238

SHA1
a381fd5d06563b32ab726910ff3442930aef61a7

SHA256
60c5a64ead35e199f47fdd1e94af4abf33fa664045e7d6565525a3d8ec39b31d

SHA512
345406782cccaaf97d222745b666fb145d77a92c35e400f3290acdfe0f00a61257f920df102fd29cb6aec018d862c13187b62439baa6fbdfd3e7b2af47e757c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\voetfog.exe
Filesize
695KB

MD5
a8b6eb1f313a3cc407cd1b14335d46c4

SHA1
9074d93176640bd007cdeef96aa308f72de401cc

SHA256
5357bbbc297dc92215ed42c6ab20aa25794edeb8d3aa1ce96e34523d1f1171ea

SHA512
200475ccd153e484605de7878ef954824ce11ff622ba8f3b0c907e279eb85d72ad880b75637d81b9381ec21e31759040bbb277a272d42960ee4fd93ff180f309

Download Submit
C:\Users\Admin\AppData\Local\Temp\voetfog.exe
Filesize
695KB

MD5
a8b6eb1f313a3cc407cd1b14335d46c4

SHA1
9074d93176640bd007cdeef96aa308f72de401cc

SHA256
5357bbbc297dc92215ed42c6ab20aa25794edeb8d3aa1ce96e34523d1f1171ea

SHA512
200475ccd153e484605de7878ef954824ce11ff622ba8f3b0c907e279eb85d72ad880b75637d81b9381ec21e31759040bbb277a272d42960ee4fd93ff180f309

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA59.tmp
Filesize
704KB

MD5
b1d2e9ddb6772e3b64dfb1ea917e7d76

SHA1
401b0a18ae095defefcfa515495374d47ac12514

SHA256
97fcdfa9a7134b25c1bde611fd4e8776b5aceb4c705a63db06803b7dc828e119

SHA512
c313497af84af9f82a077672381b5c60fd22d1c3da4ec8ef945252a26d8b449a8b0328e152d28428b6314f0e33d2e4b59c0336e3d7bdf114a075183b509e5925

Download Submit
\Users\Admin\AppData\Local\Temp\nuezwid.exe
Filesize
377KB

MD5
0f7921bcecfd63d9d2d73392890c9238

SHA1
a381fd5d06563b32ab726910ff3442930aef61a7

SHA256
60c5a64ead35e199f47fdd1e94af4abf33fa664045e7d6565525a3d8ec39b31d

SHA512
345406782cccaaf97d222745b666fb145d77a92c35e400f3290acdfe0f00a61257f920df102fd29cb6aec018d862c13187b62439baa6fbdfd3e7b2af47e757c8

Download Submit
\Users\Admin\AppData\Local\Temp\voetfog.exe
Filesize
695KB

MD5
a8b6eb1f313a3cc407cd1b14335d46c4

SHA1
9074d93176640bd007cdeef96aa308f72de401cc

SHA256
5357bbbc297dc92215ed42c6ab20aa25794edeb8d3aa1ce96e34523d1f1171ea

SHA512
200475ccd153e484605de7878ef954824ce11ff622ba8f3b0c907e279eb85d72ad880b75637d81b9381ec21e31759040bbb277a272d42960ee4fd93ff180f309

Download Submit
\Users\Admin\AppData\Local\Temp\~DFA59.tmp
Filesize
704KB

MD5
b1d2e9ddb6772e3b64dfb1ea917e7d76

SHA1
401b0a18ae095defefcfa515495374d47ac12514

SHA256
97fcdfa9a7134b25c1bde611fd4e8776b5aceb4c705a63db06803b7dc828e119

SHA512
c313497af84af9f82a077672381b5c60fd22d1c3da4ec8ef945252a26d8b449a8b0328e152d28428b6314f0e33d2e4b59c0336e3d7bdf114a075183b509e5925

Download Submit
memory/632-79-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/632-76-0x0000000000000000-mapping.dmp

Download
memory/832-72-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/832-70-0x0000000002D50000-0x0000000002E2E000-memory.dmp

Filesize
888KB

Download
memory/832-73-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/832-57-0x0000000000000000-mapping.dmp

Download
memory/1152-65-0x0000000000000000-mapping.dmp

Download
memory/1152-71-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1152-78-0x0000000003590000-0x00000000036CE000-memory.dmp

Filesize
1.2MB

Download
memory/1152-74-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1300-60-0x0000000000000000-mapping.dmp

Download
memory/1808-66-0x0000000001E50000-0x0000000001F2E000-memory.dmp

Filesize
888KB

Download
memory/1808-62-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1808-54-0x0000000075AC1000-0x0000000075AC3000-memory.dmp

Filesize
8KB

Download
memory/1808-55-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download