44b9b42d6649bdc17ffb05a3e16a7d835e46e410e64a63a50f6a39d9ffe84715

Analysis

max time kernel
151s
max time network
112s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 21:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

44b9b42d6649bdc17ffb05a3e16a7d835e46e410e64a63a50f6a39d9ffe84715.exe
Size

617KB
MD5

527556803a71d286959a37560aaef3e0
SHA1

379e8b4c4eb5c77117d9fee4562b59e91643a999
SHA256

44b9b42d6649bdc17ffb05a3e16a7d835e46e410e64a63a50f6a39d9ffe84715
SHA512

697712e6aeffcd77deabea161f6741d2d96d37b8a3aead4cc64b1d22ee2010a45654d3376158eb2654c802519abb627c1de90d3acd06ef07382a8b061b764825
SSDEEP

12288:VHjcoe9PH96vB/fAuBcm9TyOE/xG3muGx44MG4Yx:VDgINfAuBcgcZG2uG24MG4Y

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

edkekl.exe~DFA5A.tmpojmoyl.exe

pid process

1696 edkekl.exe
1440 ~DFA5A.tmp
904 ojmoyl.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1344 cmd.exe
Loads dropped DLL 3 IoCs

Processes:

44b9b42d6649bdc17ffb05a3e16a7d835e46e410e64a63a50f6a39d9ffe84715.exeedkekl.exe~DFA5A.tmp

pid process

1988 44b9b42d6649bdc17ffb05a3e16a7d835e46e410e64a63a50f6a39d9ffe84715.exe
1696 edkekl.exe
1440 ~DFA5A.tmp
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1696	edkekl.exe
1440	~DFA5A.tmp
904	ojmoyl.exe

pid	process
1344	cmd.exe

pid	process
1988	44b9b42d6649bdc17ffb05a3e16a7d835e46e410e64a63a50f6a39d9ffe84715.exe
1696	edkekl.exe
1440	~DFA5A.tmp

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

ojmoyl.exe

pid	process
904	ojmoyl.exe
904	ojmoyl.exe
904	ojmoyl.exe
904	ojmoyl.exe
904	ojmoyl.exe
904	ojmoyl.exe
904	ojmoyl.exe
904	ojmoyl.exe
904	ojmoyl.exe
904	ojmoyl.exe
904	ojmoyl.exe
904	ojmoyl.exe
904	ojmoyl.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

~DFA5A.tmp

description pid process

Token: SeDebugPrivilege 1440 ~DFA5A.tmp

description	pid	process
Token: SeDebugPrivilege	1440	~DFA5A.tmp

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

44b9b42d6649bdc17ffb05a3e16a7d835e46e410e64a63a50f6a39d9ffe84715.exeedkekl.exe~DFA5A.tmp

description	pid	process	target process
PID 1988 wrote to memory of 1696	1988	44b9b42d6649bdc17ffb05a3e16a7d835e46e410e64a63a50f6a39d9ffe84715.exe	edkekl.exe
PID 1988 wrote to memory of 1696	1988	44b9b42d6649bdc17ffb05a3e16a7d835e46e410e64a63a50f6a39d9ffe84715.exe	edkekl.exe
PID 1988 wrote to memory of 1696	1988	44b9b42d6649bdc17ffb05a3e16a7d835e46e410e64a63a50f6a39d9ffe84715.exe	edkekl.exe
PID 1988 wrote to memory of 1696	1988	44b9b42d6649bdc17ffb05a3e16a7d835e46e410e64a63a50f6a39d9ffe84715.exe	edkekl.exe
PID 1696 wrote to memory of 1440	1696	edkekl.exe	~DFA5A.tmp
PID 1696 wrote to memory of 1440	1696	edkekl.exe	~DFA5A.tmp
PID 1696 wrote to memory of 1440	1696	edkekl.exe	~DFA5A.tmp
PID 1696 wrote to memory of 1440	1696	edkekl.exe	~DFA5A.tmp
PID 1988 wrote to memory of 1344	1988	44b9b42d6649bdc17ffb05a3e16a7d835e46e410e64a63a50f6a39d9ffe84715.exe	cmd.exe
PID 1988 wrote to memory of 1344	1988	44b9b42d6649bdc17ffb05a3e16a7d835e46e410e64a63a50f6a39d9ffe84715.exe	cmd.exe
PID 1988 wrote to memory of 1344	1988	44b9b42d6649bdc17ffb05a3e16a7d835e46e410e64a63a50f6a39d9ffe84715.exe	cmd.exe
PID 1988 wrote to memory of 1344	1988	44b9b42d6649bdc17ffb05a3e16a7d835e46e410e64a63a50f6a39d9ffe84715.exe	cmd.exe
PID 1440 wrote to memory of 904	1440	~DFA5A.tmp	ojmoyl.exe
PID 1440 wrote to memory of 904	1440	~DFA5A.tmp	ojmoyl.exe
PID 1440 wrote to memory of 904	1440	~DFA5A.tmp	ojmoyl.exe
PID 1440 wrote to memory of 904	1440	~DFA5A.tmp	ojmoyl.exe

C:\Users\Admin\AppData\Local\Temp\44b9b42d6649bdc17ffb05a3e16a7d835e46e410e64a63a50f6a39d9ffe84715.exe
"C:\Users\Admin\AppData\Local\Temp\44b9b42d6649bdc17ffb05a3e16a7d835e46e410e64a63a50f6a39d9ffe84715.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1988
- C:\Users\Admin\AppData\Local\Temp\edkekl.exe
  C:\Users\Admin\AppData\Local\Temp\edkekl.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1696
- - C:\Users\Admin\AppData\Local\Temp\~DFA5A.tmp
    C:\Users\Admin\AppData\Local\Temp\~DFA5A.tmp OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1440
  - - C:\Users\Admin\AppData\Local\Temp\ojmoyl.exe
      "C:\Users\Admin\AppData\Local\Temp\ojmoyl.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:904
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
  2⤵
  - Deletes itself
  PID:1344

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uninsep.bat

Filesize
341B

MD5
58381db800d1f8a2a2a41ef7ca6149eb

SHA1
72c504334d4226eb9cc2856eb52bc1ce9e1bd37a

SHA256
92cc5380e1ef6b2f2112d3d8540ad4a65d484442606932cd2846f8215c738473

SHA512
535174c49c31a5b9f8bfe87dab5811c33177fd5d257eb8821306b2d81dd14b28eb007e843fd8a48bc1181f55bb274ac496bde4fbe85cdd9b63084de3e31266da

Download Submit
C:\Users\Admin\AppData\Local\Temp\edkekl.exe

Filesize
626KB

MD5
17f982d9bb6790ebcf4710272998f1d0

SHA1
5770afecb5e4cd0b8061ae276ec64fc34d1f384f

SHA256
a1b43c40669da62dfcebf3128f1dcc0e18fb665fe283fc1dca50046d6d303c79

SHA512
5bc285a59924c9c46b7d8a772f69a498cac981497450844ab2a598acba7e29c6c88e16c3b50b1b9855bb2d62c328da5aae29bd88e47010b371bbee1d728b6d10

Download Submit
C:\Users\Admin\AppData\Local\Temp\edkekl.exe

Filesize
626KB

MD5
17f982d9bb6790ebcf4710272998f1d0

SHA1
5770afecb5e4cd0b8061ae276ec64fc34d1f384f

SHA256
a1b43c40669da62dfcebf3128f1dcc0e18fb665fe283fc1dca50046d6d303c79

SHA512
5bc285a59924c9c46b7d8a772f69a498cac981497450844ab2a598acba7e29c6c88e16c3b50b1b9855bb2d62c328da5aae29bd88e47010b371bbee1d728b6d10

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
86bb2dbeaef655893262f3c041f6afe2

SHA1
1b26ff1241c1353bd506c18bd0c11878076ba65d

SHA256
4a57643d2c59d1235bc0926f845583f39345839e3e9428ad619eb4b6baf96ad2

SHA512
58294cfaa5882a4c5625c03fe6f9e4882912b31f7169241f95626745d66c0a746083a9044365943d66ae7a420113d28c0ddd642c4ed697c683deb63796a13d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
480B

MD5
19f3e7150fe9dfd567638e9871baf39c

SHA1
6e02769ea44c88c7edaff40eccf27cfe38850003

SHA256
6a7b669f68c22832bbb9dbe0429d5a11f8761ff4903f907e788ffa8bd10c9e16

SHA512
3365c716cf315d4ab88a87776ad2d109b3f1abbec92e7ca11c612603b2c804e68ba6c93d87e9a7ba43493eacd02edbc947a92c556e0f2d6917bbb1713b15c2f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ojmoyl.exe

Filesize
381KB

MD5
3790e08fdbfe4a7ed24bfabb08deba2c

SHA1
1beb8cb7d9f3fcd4fe33a5c9cec2d2d15c100dd6

SHA256
f53210ebfc2b6d47be470d7623135b403026aedd7d2293cbcc351af22cd20111

SHA512
ff39ed8531e84c32a3160e4f4d9ed861a15ff59c79ef0d0b1e4cb0e29abac217f8e3fc2079d882cd31e73361c388848795e9f696b7043b09cb05fa4222256a87

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA5A.tmp

Filesize
627KB

MD5
35ef86b5a01b9fde078dc068753c9c48

SHA1
d7225655d7f28da136377cffd8ad22a4cd4131ea

SHA256
f18654eaeb64e5dd782aad8152fcb30e2ef7401278564bb7028bc0e54e45d7f0

SHA512
b2c99161bdaa907da964f18281b5b7242e0eef2b16aff7ec2c1ea816cc913e0d82680ca95973ed14592b34f1bfdb6fca08d9b2046012a9268d5ccaa627c4bd4a

Download Submit
\Users\Admin\AppData\Local\Temp\edkekl.exe

Filesize
626KB

MD5
17f982d9bb6790ebcf4710272998f1d0

SHA1
5770afecb5e4cd0b8061ae276ec64fc34d1f384f

SHA256
a1b43c40669da62dfcebf3128f1dcc0e18fb665fe283fc1dca50046d6d303c79

SHA512
5bc285a59924c9c46b7d8a772f69a498cac981497450844ab2a598acba7e29c6c88e16c3b50b1b9855bb2d62c328da5aae29bd88e47010b371bbee1d728b6d10

Download Submit
\Users\Admin\AppData\Local\Temp\ojmoyl.exe

Filesize
381KB

MD5
3790e08fdbfe4a7ed24bfabb08deba2c

SHA1
1beb8cb7d9f3fcd4fe33a5c9cec2d2d15c100dd6

SHA256
f53210ebfc2b6d47be470d7623135b403026aedd7d2293cbcc351af22cd20111

SHA512
ff39ed8531e84c32a3160e4f4d9ed861a15ff59c79ef0d0b1e4cb0e29abac217f8e3fc2079d882cd31e73361c388848795e9f696b7043b09cb05fa4222256a87

Download Submit
\Users\Admin\AppData\Local\Temp\~DFA5A.tmp

Filesize
627KB

MD5
35ef86b5a01b9fde078dc068753c9c48

SHA1
d7225655d7f28da136377cffd8ad22a4cd4131ea

SHA256
f18654eaeb64e5dd782aad8152fcb30e2ef7401278564bb7028bc0e54e45d7f0

SHA512
b2c99161bdaa907da964f18281b5b7242e0eef2b16aff7ec2c1ea816cc913e0d82680ca95973ed14592b34f1bfdb6fca08d9b2046012a9268d5ccaa627c4bd4a

Download Submit
memory/904-79-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/904-75-0x0000000000000000-mapping.dmp

Download
memory/1344-66-0x0000000000000000-mapping.dmp

Download
memory/1440-63-0x0000000000000000-mapping.dmp

Download
memory/1440-72-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1440-78-0x0000000003660000-0x000000000379E000-memory.dmp

Filesize
1.2MB

Download
memory/1696-57-0x0000000000000000-mapping.dmp

Download
memory/1696-70-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1696-71-0x0000000002C70000-0x0000000002D4E000-memory.dmp

Filesize
888KB

Download
memory/1696-73-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1988-68-0x0000000001F70000-0x000000000204E000-memory.dmp

Filesize
888KB

Download
memory/1988-55-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1988-54-0x0000000076171000-0x0000000076173000-memory.dmp

Filesize
8KB

Download
memory/1988-67-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download