563b26bc372d1c871924c160256213a33e7baa4036fc3f140924d2d140bd8e9e

Analysis

max time kernel
152s
max time network
130s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 21:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

563b26bc372d1c871924c160256213a33e7baa4036fc3f140924d2d140bd8e9e.exe
Size

681KB
MD5

43f848f66c1e8da2e45a86f0372cdde0
SHA1

c8a6bf91e77dd6da6c9c95b8610dafd72c07da1e
SHA256

563b26bc372d1c871924c160256213a33e7baa4036fc3f140924d2d140bd8e9e
SHA512

5587a0b15f7be60ceae6218e785c0e857f1cb8cb9b398818206fd6d9f9ec5f7438747a9177b905dd26c914792cdaeffaa0ca84e24b6502d62b963c47816fb9e1
SSDEEP

12288:VHjcoe9PH96vB/fAuBcm9TyOE/xG3muGx44MG4Yx:VDgINfAuBcgcZG2uG24MG4Y

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

lyvoefe.exe~DFA7C.tmpqyfyewe.exe

pid process

1040 lyvoefe.exe
1072 ~DFA7C.tmp
296 qyfyewe.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1456 cmd.exe
Loads dropped DLL 3 IoCs

Processes:

563b26bc372d1c871924c160256213a33e7baa4036fc3f140924d2d140bd8e9e.exelyvoefe.exe~DFA7C.tmp

pid process

908 563b26bc372d1c871924c160256213a33e7baa4036fc3f140924d2d140bd8e9e.exe
1040 lyvoefe.exe
1072 ~DFA7C.tmp
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1040	lyvoefe.exe
1072	~DFA7C.tmp
296	qyfyewe.exe

pid	process
1456	cmd.exe

pid	process
908	563b26bc372d1c871924c160256213a33e7baa4036fc3f140924d2d140bd8e9e.exe
1040	lyvoefe.exe
1072	~DFA7C.tmp

Suspicious behavior: EnumeratesProcesses 15 IoCs

Processes:

qyfyewe.exe

pid	process
296	qyfyewe.exe
296	qyfyewe.exe
296	qyfyewe.exe
296	qyfyewe.exe
296	qyfyewe.exe
296	qyfyewe.exe
296	qyfyewe.exe
296	qyfyewe.exe
296	qyfyewe.exe
296	qyfyewe.exe
296	qyfyewe.exe
296	qyfyewe.exe
296	qyfyewe.exe
296	qyfyewe.exe
296	qyfyewe.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

~DFA7C.tmp

description pid process

Token: SeDebugPrivilege 1072 ~DFA7C.tmp

description	pid	process
Token: SeDebugPrivilege	1072	~DFA7C.tmp

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

563b26bc372d1c871924c160256213a33e7baa4036fc3f140924d2d140bd8e9e.exelyvoefe.exe~DFA7C.tmp

description	pid	process	target process
PID 908 wrote to memory of 1040	908	563b26bc372d1c871924c160256213a33e7baa4036fc3f140924d2d140bd8e9e.exe	lyvoefe.exe
PID 908 wrote to memory of 1040	908	563b26bc372d1c871924c160256213a33e7baa4036fc3f140924d2d140bd8e9e.exe	lyvoefe.exe
PID 908 wrote to memory of 1040	908	563b26bc372d1c871924c160256213a33e7baa4036fc3f140924d2d140bd8e9e.exe	lyvoefe.exe
PID 908 wrote to memory of 1040	908	563b26bc372d1c871924c160256213a33e7baa4036fc3f140924d2d140bd8e9e.exe	lyvoefe.exe
PID 908 wrote to memory of 1456	908	563b26bc372d1c871924c160256213a33e7baa4036fc3f140924d2d140bd8e9e.exe	cmd.exe
PID 908 wrote to memory of 1456	908	563b26bc372d1c871924c160256213a33e7baa4036fc3f140924d2d140bd8e9e.exe	cmd.exe
PID 908 wrote to memory of 1456	908	563b26bc372d1c871924c160256213a33e7baa4036fc3f140924d2d140bd8e9e.exe	cmd.exe
PID 908 wrote to memory of 1456	908	563b26bc372d1c871924c160256213a33e7baa4036fc3f140924d2d140bd8e9e.exe	cmd.exe
PID 1040 wrote to memory of 1072	1040	lyvoefe.exe	~DFA7C.tmp
PID 1040 wrote to memory of 1072	1040	lyvoefe.exe	~DFA7C.tmp
PID 1040 wrote to memory of 1072	1040	lyvoefe.exe	~DFA7C.tmp
PID 1040 wrote to memory of 1072	1040	lyvoefe.exe	~DFA7C.tmp
PID 1072 wrote to memory of 296	1072	~DFA7C.tmp	qyfyewe.exe
PID 1072 wrote to memory of 296	1072	~DFA7C.tmp	qyfyewe.exe
PID 1072 wrote to memory of 296	1072	~DFA7C.tmp	qyfyewe.exe
PID 1072 wrote to memory of 296	1072	~DFA7C.tmp	qyfyewe.exe

C:\Users\Admin\AppData\Local\Temp\563b26bc372d1c871924c160256213a33e7baa4036fc3f140924d2d140bd8e9e.exe
"C:\Users\Admin\AppData\Local\Temp\563b26bc372d1c871924c160256213a33e7baa4036fc3f140924d2d140bd8e9e.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:908

C:\Users\Admin\AppData\Local\Temp\lyvoefe.exe
C:\Users\Admin\AppData\Local\Temp\lyvoefe.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1040

C:\Users\Admin\AppData\Local\Temp\~DFA7C.tmp
C:\Users\Admin\AppData\Local\Temp\~DFA7C.tmp OK
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1072

C:\Users\Admin\AppData\Local\Temp\qyfyewe.exe
"C:\Users\Admin\AppData\Local\Temp\qyfyewe.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:296

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
2⤵
- Deletes itself
PID:1456

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uninsep.bat
Filesize
341B

MD5
d59e6dfc409c78c91d4c2736078f11c2

SHA1
0839ca5c96e9d5efdbc26bba99d238ad274b2411

SHA256
d4c88884ffb3aea795e974c38c08f2db2b1df0e0346fcb036897ac42bcd62849

SHA512
05f069f7265fe21dc4f4fe54cbb7c5a62854c49e0bbe9069a13333dda55c42311512ac4d0780b1735a61f48ec629dffa938494a604a9d0f93f883c6e3b811e33

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini
Filesize
104B

MD5
86bb2dbeaef655893262f3c041f6afe2

SHA1
1b26ff1241c1353bd506c18bd0c11878076ba65d

SHA256
4a57643d2c59d1235bc0926f845583f39345839e3e9428ad619eb4b6baf96ad2

SHA512
58294cfaa5882a4c5625c03fe6f9e4882912b31f7169241f95626745d66c0a746083a9044365943d66ae7a420113d28c0ddd642c4ed697c683deb63796a13d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
Filesize
480B

MD5
f0475a43d23f3b16268c831022a48d91

SHA1
aeaa83cdfcdb83cd130b02c3989316e7a1560694

SHA256
ae1aa10ed636967ec25aea2441bf71a10e06e5482d18c29ffcca03b736495a94

SHA512
2b576e01b6dd5e6ca7d47b3ecd327781adb4829cba5e8875b2f4e02769314620ec6e269c02ec24233ed6d7a1ef835cc33bdf532c8ed5609162d3db89d39731a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\lyvoefe.exe
Filesize
683KB

MD5
c237aa1b5c2ae65c9937076a5fc645ac

SHA1
f48caa6220684b1f2a05b2836de5d7ec530d463d

SHA256
b65c9d77e516f489bed31cd17c219d90d73dded086a41e41571d7f4b0ced13cc

SHA512
47435274525f2bb20262cc5b5855f6de45ae964d65302c27cd403633b835e1af156a26b11b822e76def13ca1c010d2648f0e6cf0b930de535bc199eac889ad57

Download Submit
C:\Users\Admin\AppData\Local\Temp\lyvoefe.exe
Filesize
683KB

MD5
c237aa1b5c2ae65c9937076a5fc645ac

SHA1
f48caa6220684b1f2a05b2836de5d7ec530d463d

SHA256
b65c9d77e516f489bed31cd17c219d90d73dded086a41e41571d7f4b0ced13cc

SHA512
47435274525f2bb20262cc5b5855f6de45ae964d65302c27cd403633b835e1af156a26b11b822e76def13ca1c010d2648f0e6cf0b930de535bc199eac889ad57

Download Submit
C:\Users\Admin\AppData\Local\Temp\qyfyewe.exe
Filesize
396KB

MD5
e353bf935eb0837297469e56a4f0502a

SHA1
7b6726ba4de66a847d3763a641ef8f9a50bbeba8

SHA256
fae1c9de2a364adf828dbb243c6ea68cbb60ae0a94c16fd439e58b2b70447d93

SHA512
c739793a15975f426cfdccb69d3e78a8bacdc50d1d0a74751db46c7c508cd7c436e4dd62e3b2e572c5688afd313810e78867c015c528ff421031b8ffeccd39a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA7C.tmp
Filesize
687KB

MD5
ab093a95c28a90fe8a4cf1eb186293aa

SHA1
c69bc19e556b9e04a87c064c3bd43959c360ca14

SHA256
c9498b301e29b805d38bf1bab19a39e1db5cdfbee431be1a129826ee4c525edc

SHA512
3e16b527c440072ed0cacf00878825250f969b8714c629e560c4f118ccf9f61ecb8ed5adc6fae893a389ffe0ab920a1f36b85383498cb11275fc44f400050b09

Download Submit
\Users\Admin\AppData\Local\Temp\lyvoefe.exe
Filesize
683KB

MD5
c237aa1b5c2ae65c9937076a5fc645ac

SHA1
f48caa6220684b1f2a05b2836de5d7ec530d463d

SHA256
b65c9d77e516f489bed31cd17c219d90d73dded086a41e41571d7f4b0ced13cc

SHA512
47435274525f2bb20262cc5b5855f6de45ae964d65302c27cd403633b835e1af156a26b11b822e76def13ca1c010d2648f0e6cf0b930de535bc199eac889ad57

Download Submit
\Users\Admin\AppData\Local\Temp\qyfyewe.exe
Filesize
396KB

MD5
e353bf935eb0837297469e56a4f0502a

SHA1
7b6726ba4de66a847d3763a641ef8f9a50bbeba8

SHA256
fae1c9de2a364adf828dbb243c6ea68cbb60ae0a94c16fd439e58b2b70447d93

SHA512
c739793a15975f426cfdccb69d3e78a8bacdc50d1d0a74751db46c7c508cd7c436e4dd62e3b2e572c5688afd313810e78867c015c528ff421031b8ffeccd39a4

Download Submit
\Users\Admin\AppData\Local\Temp\~DFA7C.tmp
Filesize
687KB

MD5
ab093a95c28a90fe8a4cf1eb186293aa

SHA1
c69bc19e556b9e04a87c064c3bd43959c360ca14

SHA256
c9498b301e29b805d38bf1bab19a39e1db5cdfbee431be1a129826ee4c525edc

SHA512
3e16b527c440072ed0cacf00878825250f969b8714c629e560c4f118ccf9f61ecb8ed5adc6fae893a389ffe0ab920a1f36b85383498cb11275fc44f400050b09

Download Submit
memory/296-75-0x0000000000000000-mapping.dmp

Download
memory/296-79-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/908-65-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/908-63-0x0000000001F10000-0x0000000001FEE000-memory.dmp

Filesize
888KB

Download
memory/908-55-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/908-54-0x0000000075C81000-0x0000000075C83000-memory.dmp

Filesize
8KB

Download
memory/1040-64-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1040-70-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1040-57-0x0000000000000000-mapping.dmp

Download
memory/1072-67-0x0000000000000000-mapping.dmp

Download
memory/1072-72-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1072-78-0x00000000035E0000-0x000000000371E000-memory.dmp

Filesize
1.2MB

Download
memory/1072-71-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1456-62-0x0000000000000000-mapping.dmp

Download