20fdf7447d55afd9c277cb130d1b2b2e2f3b29cd7ce1ff71e22195300c58c7a2

Analysis

max time kernel
219s
max time network
238s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 21:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

20fdf7447d55afd9c277cb130d1b2b2e2f3b29cd7ce1ff71e22195300c58c7a2.exe
Size

679KB
MD5

42fd316c685fd6af4108ea0e93f44b50
SHA1

c7a0bb9607dcca3f0707ce551cb24df187f5989c
SHA256

20fdf7447d55afd9c277cb130d1b2b2e2f3b29cd7ce1ff71e22195300c58c7a2
SHA512

b5293145f4a352ae65ed00907fd7c4864d8624fd8315d9ce2c7af969f6fa0741ef7c797abbe0b989714088dbd3c9b765b3f5598d425601192a6fa0e52c3aa187
SSDEEP

12288:VHjcoe9PH96vB/fAuBcm9TyOE/xG3muGx44MG4Yx:VDgINfAuBcgcZG2uG24MG4Y

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

rodyfyb.exe~DFAF1.tmpypsomub.exe

pid process

1904 rodyfyb.exe
1844 ~DFAF1.tmp
1476 ypsomub.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1032 cmd.exe
Loads dropped DLL 3 IoCs

Processes:

20fdf7447d55afd9c277cb130d1b2b2e2f3b29cd7ce1ff71e22195300c58c7a2.exerodyfyb.exe~DFAF1.tmp

pid process

668 20fdf7447d55afd9c277cb130d1b2b2e2f3b29cd7ce1ff71e22195300c58c7a2.exe
1904 rodyfyb.exe
1844 ~DFAF1.tmp
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1904	rodyfyb.exe
1844	~DFAF1.tmp
1476	ypsomub.exe

pid	process
1032	cmd.exe

pid	process
668	20fdf7447d55afd9c277cb130d1b2b2e2f3b29cd7ce1ff71e22195300c58c7a2.exe
1904	rodyfyb.exe
1844	~DFAF1.tmp

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

ypsomub.exe

pid	process
1476	ypsomub.exe
1476	ypsomub.exe
1476	ypsomub.exe
1476	ypsomub.exe
1476	ypsomub.exe
1476	ypsomub.exe
1476	ypsomub.exe
1476	ypsomub.exe
1476	ypsomub.exe
1476	ypsomub.exe
1476	ypsomub.exe
1476	ypsomub.exe
1476	ypsomub.exe
1476	ypsomub.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

~DFAF1.tmp

description pid process

Token: SeDebugPrivilege 1844 ~DFAF1.tmp

description	pid	process
Token: SeDebugPrivilege	1844	~DFAF1.tmp

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

20fdf7447d55afd9c277cb130d1b2b2e2f3b29cd7ce1ff71e22195300c58c7a2.exerodyfyb.exe~DFAF1.tmp

description	pid	process	target process
PID 668 wrote to memory of 1904	668	20fdf7447d55afd9c277cb130d1b2b2e2f3b29cd7ce1ff71e22195300c58c7a2.exe	rodyfyb.exe
PID 668 wrote to memory of 1904	668	20fdf7447d55afd9c277cb130d1b2b2e2f3b29cd7ce1ff71e22195300c58c7a2.exe	rodyfyb.exe
PID 668 wrote to memory of 1904	668	20fdf7447d55afd9c277cb130d1b2b2e2f3b29cd7ce1ff71e22195300c58c7a2.exe	rodyfyb.exe
PID 668 wrote to memory of 1904	668	20fdf7447d55afd9c277cb130d1b2b2e2f3b29cd7ce1ff71e22195300c58c7a2.exe	rodyfyb.exe
PID 1904 wrote to memory of 1844	1904	rodyfyb.exe	~DFAF1.tmp
PID 1904 wrote to memory of 1844	1904	rodyfyb.exe	~DFAF1.tmp
PID 1904 wrote to memory of 1844	1904	rodyfyb.exe	~DFAF1.tmp
PID 1904 wrote to memory of 1844	1904	rodyfyb.exe	~DFAF1.tmp
PID 668 wrote to memory of 1032	668	20fdf7447d55afd9c277cb130d1b2b2e2f3b29cd7ce1ff71e22195300c58c7a2.exe	cmd.exe
PID 668 wrote to memory of 1032	668	20fdf7447d55afd9c277cb130d1b2b2e2f3b29cd7ce1ff71e22195300c58c7a2.exe	cmd.exe
PID 668 wrote to memory of 1032	668	20fdf7447d55afd9c277cb130d1b2b2e2f3b29cd7ce1ff71e22195300c58c7a2.exe	cmd.exe
PID 668 wrote to memory of 1032	668	20fdf7447d55afd9c277cb130d1b2b2e2f3b29cd7ce1ff71e22195300c58c7a2.exe	cmd.exe
PID 1844 wrote to memory of 1476	1844	~DFAF1.tmp	ypsomub.exe
PID 1844 wrote to memory of 1476	1844	~DFAF1.tmp	ypsomub.exe
PID 1844 wrote to memory of 1476	1844	~DFAF1.tmp	ypsomub.exe
PID 1844 wrote to memory of 1476	1844	~DFAF1.tmp	ypsomub.exe

C:\Users\Admin\AppData\Local\Temp\20fdf7447d55afd9c277cb130d1b2b2e2f3b29cd7ce1ff71e22195300c58c7a2.exe
"C:\Users\Admin\AppData\Local\Temp\20fdf7447d55afd9c277cb130d1b2b2e2f3b29cd7ce1ff71e22195300c58c7a2.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:668

C:\Users\Admin\AppData\Local\Temp\rodyfyb.exe
C:\Users\Admin\AppData\Local\Temp\rodyfyb.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1904

C:\Users\Admin\AppData\Local\Temp\~DFAF1.tmp
C:\Users\Admin\AppData\Local\Temp\~DFAF1.tmp OK
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1844

C:\Users\Admin\AppData\Local\Temp\ypsomub.exe
"C:\Users\Admin\AppData\Local\Temp\ypsomub.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1476

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
2⤵
- Deletes itself
PID:1032

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uninsep.bat

Filesize
341B

MD5
86d200d1708ff1de414aaec5fbf799b3

SHA1
2e262e2fce91dc3efee2f4fb6fb4048f203f45af

SHA256
e59d365160d71293b3473d6baac4a951ed90072201f409e9c781d8949383f88c

SHA512
eee8055e87ff4c852dc47f60514da8c40859069dfb36edd62728542c1907189c8702323cfaecbff14c6ed6e40b86ce31d63d9b39eade243f4c2fcecfec0e1c7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
86bb2dbeaef655893262f3c041f6afe2

SHA1
1b26ff1241c1353bd506c18bd0c11878076ba65d

SHA256
4a57643d2c59d1235bc0926f845583f39345839e3e9428ad619eb4b6baf96ad2

SHA512
58294cfaa5882a4c5625c03fe6f9e4882912b31f7169241f95626745d66c0a746083a9044365943d66ae7a420113d28c0ddd642c4ed697c683deb63796a13d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
480B

MD5
c54f659ac8336c4433f23a8b395f0288

SHA1
996aaad936a27e866f545be9793d840e8cd958ab

SHA256
49b57148468a840257168fc4e92d7db0c9cbeb98f60680f58055292d60484861

SHA512
85f471cbc0ecfe76bff9603c8bb58636fe2b91b014d93aeee7efcfc5bf1143e1a5a0e70661b2e30fc79abebe8627d56d1a1bd32e5cf73cd79aadf3a53c1506ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\rodyfyb.exe

Filesize
681KB

MD5
963b8cb06cd8fc98b62895e891c7f024

SHA1
9a9ec1d925b2e754ffbf6849436c0a246ff1aff9

SHA256
987e9f0ddb50c8940c2dc56f243501bf743f06e2bdf8f533bfbdecff30739959

SHA512
a701221fa2585b883a5ee3ee3a657927ad6f17083ce47eb847a8ce65964e489b7f1cab013e35ebfc154c6499bada47ddaf8d4d9515887d878e70798ece5b5da9

Download Submit
C:\Users\Admin\AppData\Local\Temp\rodyfyb.exe

Filesize
681KB

MD5
963b8cb06cd8fc98b62895e891c7f024

SHA1
9a9ec1d925b2e754ffbf6849436c0a246ff1aff9

SHA256
987e9f0ddb50c8940c2dc56f243501bf743f06e2bdf8f533bfbdecff30739959

SHA512
a701221fa2585b883a5ee3ee3a657927ad6f17083ce47eb847a8ce65964e489b7f1cab013e35ebfc154c6499bada47ddaf8d4d9515887d878e70798ece5b5da9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ypsomub.exe

Filesize
419KB

MD5
a8b385f4141a3473a76b64750f32a698

SHA1
a465c714e7f14e4af17c2569348de9ad08341d60

SHA256
f0bf1f4d339cbd5df42c73a9850f5113b01786fe798084961fb70c3353a80d38

SHA512
a64de127a90ddd4dfc4377621179cbb8aec3bf4d3d87fee444026e4f05bc9b016c5333431ea236fc86aab54d87bd00c0c980044607f5fc16e6f7965c943caf93

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFAF1.tmp

Filesize
683KB

MD5
0d10987cc1efcf67f22bae3ad55c2391

SHA1
3636f81bd9f9039e24339f2dd43c32d9db17324a

SHA256
b57e06b608014b4064723c1042ffa1eae27b7cb2ba9dcb6c88891e0a89b11000

SHA512
385a2cd30d4f57fe6f36d3aef5113dcc8f229eab5368baefc23fcfe9d8dbfe135f6e967b183bf59c9cfe903f8c2f8b233d70435c3375ec7e002d7b5bea3af190

Download Submit
\Users\Admin\AppData\Local\Temp\rodyfyb.exe

Filesize
681KB

MD5
963b8cb06cd8fc98b62895e891c7f024

SHA1
9a9ec1d925b2e754ffbf6849436c0a246ff1aff9

SHA256
987e9f0ddb50c8940c2dc56f243501bf743f06e2bdf8f533bfbdecff30739959

SHA512
a701221fa2585b883a5ee3ee3a657927ad6f17083ce47eb847a8ce65964e489b7f1cab013e35ebfc154c6499bada47ddaf8d4d9515887d878e70798ece5b5da9

Download Submit
\Users\Admin\AppData\Local\Temp\ypsomub.exe

Filesize
419KB

MD5
a8b385f4141a3473a76b64750f32a698

SHA1
a465c714e7f14e4af17c2569348de9ad08341d60

SHA256
f0bf1f4d339cbd5df42c73a9850f5113b01786fe798084961fb70c3353a80d38

SHA512
a64de127a90ddd4dfc4377621179cbb8aec3bf4d3d87fee444026e4f05bc9b016c5333431ea236fc86aab54d87bd00c0c980044607f5fc16e6f7965c943caf93

Download Submit
\Users\Admin\AppData\Local\Temp\~DFAF1.tmp

Filesize
683KB

MD5
0d10987cc1efcf67f22bae3ad55c2391

SHA1
3636f81bd9f9039e24339f2dd43c32d9db17324a

SHA256
b57e06b608014b4064723c1042ffa1eae27b7cb2ba9dcb6c88891e0a89b11000

SHA512
385a2cd30d4f57fe6f36d3aef5113dcc8f229eab5368baefc23fcfe9d8dbfe135f6e967b183bf59c9cfe903f8c2f8b233d70435c3375ec7e002d7b5bea3af190

Download Submit
memory/668-54-0x0000000075831000-0x0000000075833000-memory.dmp

Filesize
8KB

Download
memory/668-68-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/668-69-0x0000000001E60000-0x0000000001F3E000-memory.dmp

Filesize
888KB

Download
memory/668-55-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/668-56-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1032-67-0x0000000000000000-mapping.dmp

Download
memory/1476-75-0x0000000000000000-mapping.dmp

Download
memory/1476-79-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/1844-73-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1844-64-0x0000000000000000-mapping.dmp

Download
memory/1844-72-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1844-78-0x0000000003820000-0x000000000395E000-memory.dmp

Filesize
1.2MB

Download
memory/1904-71-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1904-58-0x0000000000000000-mapping.dmp

Download