511c6fe9fb8542d9d1e0d6b58f8f8df230f56373e7edb5e02cd651698b0b2b63

Analysis

max time kernel
167s
max time network
92s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 21:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

511c6fe9fb8542d9d1e0d6b58f8f8df230f56373e7edb5e02cd651698b0b2b63.exe
Size

654KB
MD5

5cafcabc8d5c1d896f6cce30a37d09d0
SHA1

4622348bc5afd2c6a698fcce93ec12724d1e90f8
SHA256

511c6fe9fb8542d9d1e0d6b58f8f8df230f56373e7edb5e02cd651698b0b2b63
SHA512

f722acc012b6c73a616a1c8bbcb38cfa6f4d4adbf3d482ad7d5dfa7b58754f06a6ead88bd0413c4694a63f71135afa1de98da0afabfa0d91b42000c6642dd04e
SSDEEP

12288:VHjcoe9PH96vB/fAuBcm9TyOE/xG3muGx44MG4Yx:VDgINfAuBcgcZG2uG24MG4Y

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

romyenw.exe~DFA61.tmpuzyqotw.exe

pid process

1432 romyenw.exe
2020 ~DFA61.tmp
1956 uzyqotw.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2044 cmd.exe
Loads dropped DLL 3 IoCs

Processes:

511c6fe9fb8542d9d1e0d6b58f8f8df230f56373e7edb5e02cd651698b0b2b63.exeromyenw.exe~DFA61.tmp

pid process

864 511c6fe9fb8542d9d1e0d6b58f8f8df230f56373e7edb5e02cd651698b0b2b63.exe
1432 romyenw.exe
2020 ~DFA61.tmp
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1432	romyenw.exe
2020	~DFA61.tmp
1956	uzyqotw.exe

pid	process
2044	cmd.exe

pid	process
864	511c6fe9fb8542d9d1e0d6b58f8f8df230f56373e7edb5e02cd651698b0b2b63.exe
1432	romyenw.exe
2020	~DFA61.tmp

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

uzyqotw.exe

pid	process
1956	uzyqotw.exe
1956	uzyqotw.exe
1956	uzyqotw.exe
1956	uzyqotw.exe
1956	uzyqotw.exe
1956	uzyqotw.exe
1956	uzyqotw.exe
1956	uzyqotw.exe
1956	uzyqotw.exe
1956	uzyqotw.exe
1956	uzyqotw.exe
1956	uzyqotw.exe
1956	uzyqotw.exe
1956	uzyqotw.exe
1956	uzyqotw.exe
1956	uzyqotw.exe
1956	uzyqotw.exe
1956	uzyqotw.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

~DFA61.tmp

description pid process

Token: SeDebugPrivilege 2020 ~DFA61.tmp

description	pid	process
Token: SeDebugPrivilege	2020	~DFA61.tmp

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

511c6fe9fb8542d9d1e0d6b58f8f8df230f56373e7edb5e02cd651698b0b2b63.exeromyenw.exe~DFA61.tmp

description	pid	process	target process
PID 864 wrote to memory of 1432	864	511c6fe9fb8542d9d1e0d6b58f8f8df230f56373e7edb5e02cd651698b0b2b63.exe	romyenw.exe
PID 864 wrote to memory of 1432	864	511c6fe9fb8542d9d1e0d6b58f8f8df230f56373e7edb5e02cd651698b0b2b63.exe	romyenw.exe
PID 864 wrote to memory of 1432	864	511c6fe9fb8542d9d1e0d6b58f8f8df230f56373e7edb5e02cd651698b0b2b63.exe	romyenw.exe
PID 864 wrote to memory of 1432	864	511c6fe9fb8542d9d1e0d6b58f8f8df230f56373e7edb5e02cd651698b0b2b63.exe	romyenw.exe
PID 1432 wrote to memory of 2020	1432	romyenw.exe	~DFA61.tmp
PID 1432 wrote to memory of 2020	1432	romyenw.exe	~DFA61.tmp
PID 1432 wrote to memory of 2020	1432	romyenw.exe	~DFA61.tmp
PID 1432 wrote to memory of 2020	1432	romyenw.exe	~DFA61.tmp
PID 864 wrote to memory of 2044	864	511c6fe9fb8542d9d1e0d6b58f8f8df230f56373e7edb5e02cd651698b0b2b63.exe	cmd.exe
PID 864 wrote to memory of 2044	864	511c6fe9fb8542d9d1e0d6b58f8f8df230f56373e7edb5e02cd651698b0b2b63.exe	cmd.exe
PID 864 wrote to memory of 2044	864	511c6fe9fb8542d9d1e0d6b58f8f8df230f56373e7edb5e02cd651698b0b2b63.exe	cmd.exe
PID 864 wrote to memory of 2044	864	511c6fe9fb8542d9d1e0d6b58f8f8df230f56373e7edb5e02cd651698b0b2b63.exe	cmd.exe
PID 2020 wrote to memory of 1956	2020	~DFA61.tmp	uzyqotw.exe
PID 2020 wrote to memory of 1956	2020	~DFA61.tmp	uzyqotw.exe
PID 2020 wrote to memory of 1956	2020	~DFA61.tmp	uzyqotw.exe
PID 2020 wrote to memory of 1956	2020	~DFA61.tmp	uzyqotw.exe

C:\Users\Admin\AppData\Local\Temp\511c6fe9fb8542d9d1e0d6b58f8f8df230f56373e7edb5e02cd651698b0b2b63.exe
"C:\Users\Admin\AppData\Local\Temp\511c6fe9fb8542d9d1e0d6b58f8f8df230f56373e7edb5e02cd651698b0b2b63.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:864

C:\Users\Admin\AppData\Local\Temp\romyenw.exe
C:\Users\Admin\AppData\Local\Temp\romyenw.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1432

C:\Users\Admin\AppData\Local\Temp\~DFA61.tmp
C:\Users\Admin\AppData\Local\Temp\~DFA61.tmp OK
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2020

C:\Users\Admin\AppData\Local\Temp\uzyqotw.exe
"C:\Users\Admin\AppData\Local\Temp\uzyqotw.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1956

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
2⤵
- Deletes itself
PID:2044

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uninsep.bat
Filesize
341B

MD5
e86091326727f7ccc4c6c502f75a9328

SHA1
a68bd77df15c5cdc46d1428a0c3a82376ca55d84

SHA256
e78d0cb12706d2bf82b1062a8a9af9d5dceef9a4ce99da54a8cf4f3ccd4529bf

SHA512
6beb52e669aa40c8b07d9f60c9a397684a1cf87ebb20590ff3ab8428f22259e24987e75a48c11c5b8d7ed9e1596c636bfea316f828721e4a58cd99fb177ea2e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini
Filesize
104B

MD5
86bb2dbeaef655893262f3c041f6afe2

SHA1
1b26ff1241c1353bd506c18bd0c11878076ba65d

SHA256
4a57643d2c59d1235bc0926f845583f39345839e3e9428ad619eb4b6baf96ad2

SHA512
58294cfaa5882a4c5625c03fe6f9e4882912b31f7169241f95626745d66c0a746083a9044365943d66ae7a420113d28c0ddd642c4ed697c683deb63796a13d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
Filesize
480B

MD5
08333fb844ee1d6722a4678473e820dc

SHA1
bd808198b5e0970674f97eca9afab985716c5b99

SHA256
cdc90bf53d032754f51a1af4e378d7d2e719ddc3ab43427ebc33519efb8d4a18

SHA512
b4b20da293248d249218b1a3efb2b200aa89c42e4833732686ef8e3fb4169c03e9701ccaed0aec28080b6849a2767b0185485f6ee146e2b8b5b05c264e991340

Download Submit
C:\Users\Admin\AppData\Local\Temp\romyenw.exe
Filesize
661KB

MD5
5eab53a6052b1d622719a642856a450b

SHA1
54910dfc0604f49031814edecc50b761d821f839

SHA256
ccba1fd29bf902e8c273b724e32577061cd6567e51198a7c0e24f4ff7ef5a1a8

SHA512
8ea1cbedc311e1e28d64535fe628d6cd4aba6fb1b1a0a1cb27de5d90c55e90843a692b56776a22d7ce79ddaebe72a55a515dcf11c7209aacc83efdfae7ab072d

Download Submit
C:\Users\Admin\AppData\Local\Temp\romyenw.exe
Filesize
661KB

MD5
5eab53a6052b1d622719a642856a450b

SHA1
54910dfc0604f49031814edecc50b761d821f839

SHA256
ccba1fd29bf902e8c273b724e32577061cd6567e51198a7c0e24f4ff7ef5a1a8

SHA512
8ea1cbedc311e1e28d64535fe628d6cd4aba6fb1b1a0a1cb27de5d90c55e90843a692b56776a22d7ce79ddaebe72a55a515dcf11c7209aacc83efdfae7ab072d

Download Submit
C:\Users\Admin\AppData\Local\Temp\uzyqotw.exe
Filesize
414KB

MD5
a34eda965f43aca760b3ca596d6a872d

SHA1
3a9c06cb1fcf2626ed27966d5d67346a53cb2417

SHA256
24ff24d2044ac8c01e33d20d1717ba76828ebfeb29936061162c0322908f1825

SHA512
aee785d5649b3b2f2065c404e2a73be58637b25e284088f0883514a5f7fb1737de6d7110eb25961bc6ae439053a06b4e372b9430d8634485121314da7b67b23c

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA61.tmp
Filesize
669KB

MD5
4464dfda4cd6896bc2aab577787a626d

SHA1
6a2be1148051ca74b141ccc49cb9ed7861d29c66

SHA256
0e10a2c423e6aff990d174a7c565264172d26f650aca5228f2a2f8e6ccb9df75

SHA512
dde4c77804dabfbf0ef933e0d296c60a5d1399a681963a6f7951bb381a4a5dd780b9751d05154e4c691a8746360dcc655bb7c75d5e6321f82ab110b257528421

Download Submit
\Users\Admin\AppData\Local\Temp\romyenw.exe
Filesize
661KB

MD5
5eab53a6052b1d622719a642856a450b

SHA1
54910dfc0604f49031814edecc50b761d821f839

SHA256
ccba1fd29bf902e8c273b724e32577061cd6567e51198a7c0e24f4ff7ef5a1a8

SHA512
8ea1cbedc311e1e28d64535fe628d6cd4aba6fb1b1a0a1cb27de5d90c55e90843a692b56776a22d7ce79ddaebe72a55a515dcf11c7209aacc83efdfae7ab072d

Download Submit
\Users\Admin\AppData\Local\Temp\uzyqotw.exe
Filesize
414KB

MD5
a34eda965f43aca760b3ca596d6a872d

SHA1
3a9c06cb1fcf2626ed27966d5d67346a53cb2417

SHA256
24ff24d2044ac8c01e33d20d1717ba76828ebfeb29936061162c0322908f1825

SHA512
aee785d5649b3b2f2065c404e2a73be58637b25e284088f0883514a5f7fb1737de6d7110eb25961bc6ae439053a06b4e372b9430d8634485121314da7b67b23c

Download Submit
\Users\Admin\AppData\Local\Temp\~DFA61.tmp
Filesize
669KB

MD5
4464dfda4cd6896bc2aab577787a626d

SHA1
6a2be1148051ca74b141ccc49cb9ed7861d29c66

SHA256
0e10a2c423e6aff990d174a7c565264172d26f650aca5228f2a2f8e6ccb9df75

SHA512
dde4c77804dabfbf0ef933e0d296c60a5d1399a681963a6f7951bb381a4a5dd780b9751d05154e4c691a8746360dcc655bb7c75d5e6321f82ab110b257528421

Download Submit
memory/864-60-0x00000000004E0000-0x00000000005BE000-memory.dmp

Filesize
888KB

Download
memory/864-54-0x0000000075FB1000-0x0000000075FB3000-memory.dmp

Filesize
8KB

Download
memory/864-55-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/864-69-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1432-57-0x0000000000000000-mapping.dmp

Download
memory/1432-71-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1432-62-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1956-75-0x0000000000000000-mapping.dmp

Download
memory/1956-79-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/2020-72-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/2020-73-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/2020-65-0x0000000000000000-mapping.dmp

Download
memory/2020-78-0x0000000003640000-0x000000000377E000-memory.dmp

Filesize
1.2MB

Download
memory/2044-67-0x0000000000000000-mapping.dmp

Download