0b05e66003ecc33867ab0066a2de3469edf9af02779edc0893b6ef718a54c8ab

Analysis

max time kernel
153s
max time network
89s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 21:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0b05e66003ecc33867ab0066a2de3469edf9af02779edc0893b6ef718a54c8ab.exe
Size

562KB
MD5

53431fd2a17ea9cde5708cbf31c426f0
SHA1

dcf7a1b93972139da4b3843a53d9ea24ec9a73b9
SHA256

0b05e66003ecc33867ab0066a2de3469edf9af02779edc0893b6ef718a54c8ab
SHA512

ee2c84fd8a2ae04ee7601ee9c9ec3e5725764ee0f482244f5b8ee685626884276501b0f4da535e2b18c45f0ce1ce04ff06dd9209c13d8ea69aade641e35c3ad3
SSDEEP

12288:OHjcoe9PH96vB/fAuBcm9TyOE/xG3muGx44MG4Yx:ODgINfAuBcgcZG2uG24MG4Y

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

xafysi.exe~DFA78.tmpemlar.exe

pid process

1812 xafysi.exe
984 ~DFA78.tmp
1720 emlar.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2036 cmd.exe
Loads dropped DLL 3 IoCs

Processes:

0b05e66003ecc33867ab0066a2de3469edf9af02779edc0893b6ef718a54c8ab.exexafysi.exe~DFA78.tmp

pid process

1612 0b05e66003ecc33867ab0066a2de3469edf9af02779edc0893b6ef718a54c8ab.exe
1812 xafysi.exe
984 ~DFA78.tmp
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1812	xafysi.exe
984	~DFA78.tmp
1720	emlar.exe

pid	process
2036	cmd.exe

pid	process
1612	0b05e66003ecc33867ab0066a2de3469edf9af02779edc0893b6ef718a54c8ab.exe
1812	xafysi.exe
984	~DFA78.tmp

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

emlar.exe

pid	process
1720	emlar.exe
1720	emlar.exe
1720	emlar.exe
1720	emlar.exe
1720	emlar.exe
1720	emlar.exe
1720	emlar.exe
1720	emlar.exe
1720	emlar.exe
1720	emlar.exe
1720	emlar.exe
1720	emlar.exe
1720	emlar.exe
1720	emlar.exe
1720	emlar.exe
1720	emlar.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

~DFA78.tmp

description pid process

Token: SeDebugPrivilege 984 ~DFA78.tmp

description	pid	process
Token: SeDebugPrivilege	984	~DFA78.tmp

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

0b05e66003ecc33867ab0066a2de3469edf9af02779edc0893b6ef718a54c8ab.exexafysi.exe~DFA78.tmp

description	pid	process	target process
PID 1612 wrote to memory of 1812	1612	0b05e66003ecc33867ab0066a2de3469edf9af02779edc0893b6ef718a54c8ab.exe	xafysi.exe
PID 1612 wrote to memory of 1812	1612	0b05e66003ecc33867ab0066a2de3469edf9af02779edc0893b6ef718a54c8ab.exe	xafysi.exe
PID 1612 wrote to memory of 1812	1612	0b05e66003ecc33867ab0066a2de3469edf9af02779edc0893b6ef718a54c8ab.exe	xafysi.exe
PID 1612 wrote to memory of 1812	1612	0b05e66003ecc33867ab0066a2de3469edf9af02779edc0893b6ef718a54c8ab.exe	xafysi.exe
PID 1812 wrote to memory of 984	1812	xafysi.exe	~DFA78.tmp
PID 1812 wrote to memory of 984	1812	xafysi.exe	~DFA78.tmp
PID 1812 wrote to memory of 984	1812	xafysi.exe	~DFA78.tmp
PID 1812 wrote to memory of 984	1812	xafysi.exe	~DFA78.tmp
PID 1612 wrote to memory of 2036	1612	0b05e66003ecc33867ab0066a2de3469edf9af02779edc0893b6ef718a54c8ab.exe	cmd.exe
PID 1612 wrote to memory of 2036	1612	0b05e66003ecc33867ab0066a2de3469edf9af02779edc0893b6ef718a54c8ab.exe	cmd.exe
PID 1612 wrote to memory of 2036	1612	0b05e66003ecc33867ab0066a2de3469edf9af02779edc0893b6ef718a54c8ab.exe	cmd.exe
PID 1612 wrote to memory of 2036	1612	0b05e66003ecc33867ab0066a2de3469edf9af02779edc0893b6ef718a54c8ab.exe	cmd.exe
PID 984 wrote to memory of 1720	984	~DFA78.tmp	emlar.exe
PID 984 wrote to memory of 1720	984	~DFA78.tmp	emlar.exe
PID 984 wrote to memory of 1720	984	~DFA78.tmp	emlar.exe
PID 984 wrote to memory of 1720	984	~DFA78.tmp	emlar.exe

C:\Users\Admin\AppData\Local\Temp\0b05e66003ecc33867ab0066a2de3469edf9af02779edc0893b6ef718a54c8ab.exe
"C:\Users\Admin\AppData\Local\Temp\0b05e66003ecc33867ab0066a2de3469edf9af02779edc0893b6ef718a54c8ab.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1612
- C:\Users\Admin\AppData\Local\Temp\xafysi.exe
  C:\Users\Admin\AppData\Local\Temp\xafysi.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1812
- - C:\Users\Admin\AppData\Local\Temp\~DFA78.tmp
    C:\Users\Admin\AppData\Local\Temp\~DFA78.tmp OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:984
  - - C:\Users\Admin\AppData\Local\Temp\emlar.exe
      "C:\Users\Admin\AppData\Local\Temp\emlar.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:1720
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
  2⤵
  - Deletes itself
  PID:2036

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uninsep.bat

Filesize
341B

MD5
4282e8486c98b4bd27ac3657d8c57693

SHA1
950491db376bd9dd043e24c19d3dde951077df24

SHA256
72b6b6549cf55131108874c480675a74e59e9cd716c87a188a17f589ad07e538

SHA512
a7fa7ca9d79103e3906bbc89c3fe8f91c48137fd5412d11c54ac528b0adade59b7129e392b66e5d8e388e364b74d6d89e73518127d5d0a8dc1f40e3d1dc366d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\emlar.exe

Filesize
396KB

MD5
6e50750d27790b81626b53ff8aa0a654

SHA1
14e35df44e7248a795c83f093d3fa5a6c4da06f3

SHA256
3720201096fb5f35dd9ea923b6f091d92dc42c975381caec6ad6b8bb1c365718

SHA512
a61eb8336fd722169ff7b8cfc7f16c3d64d98a8f8b9e3bd6e4ca722a4f08ff8828ebca982c88c0d3cd96d3c0c1111834fea553ae2eaa9f110c9b654582b4d320

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
86bb2dbeaef655893262f3c041f6afe2

SHA1
1b26ff1241c1353bd506c18bd0c11878076ba65d

SHA256
4a57643d2c59d1235bc0926f845583f39345839e3e9428ad619eb4b6baf96ad2

SHA512
58294cfaa5882a4c5625c03fe6f9e4882912b31f7169241f95626745d66c0a746083a9044365943d66ae7a420113d28c0ddd642c4ed697c683deb63796a13d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
480B

MD5
5047afa7917465b4349a960c085b351c

SHA1
f23cb7715c13b49822bf8be49f8be5e22063c069

SHA256
0f28909ec92593fdc6406bd3153e0ba6ef90d13d1001269b13895a8271772008

SHA512
bc764a098904e2f91b78d5bdeaa8dfe9d552e18c1204d8616cd55c082d05fb13b84e6ff35d6c20fd2d666c704a89fa10fa9a659750ff5b186435b3a92b301753

Download Submit
C:\Users\Admin\AppData\Local\Temp\xafysi.exe

Filesize
569KB

MD5
d4bcf1607b45e896be2596312ac3a23d

SHA1
a645f888059532e3d75509889b269dadddc70786

SHA256
6132bb6f7d47631ee9e37e313736174a2b7f09aa48f5b33dd7fdc6541fe3888c

SHA512
3ede0a92e5ca51b6e18ab63132bf31087a06f782b98d7b93c03f83a12641ce61839fbe1da03ddc29c237bc89de35c66128b8242497a536a5a4f7f4cf1e23e1c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\xafysi.exe

Filesize
569KB

MD5
d4bcf1607b45e896be2596312ac3a23d

SHA1
a645f888059532e3d75509889b269dadddc70786

SHA256
6132bb6f7d47631ee9e37e313736174a2b7f09aa48f5b33dd7fdc6541fe3888c

SHA512
3ede0a92e5ca51b6e18ab63132bf31087a06f782b98d7b93c03f83a12641ce61839fbe1da03ddc29c237bc89de35c66128b8242497a536a5a4f7f4cf1e23e1c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA78.tmp

Filesize
569KB

MD5
0b9771d1912ed21b119d2a1ec43bbac6

SHA1
5ce51da1d9b0c300015d7102375877822de9d440

SHA256
6b3563e3f6f5d0b5b7ba858c5fc08a4a5d2d57e0b64c920fe55277e0aa21576e

SHA512
86efaf2b580b3bd182cac03e64d2cf58a0f32b0be26c6a24fa6fef66e9e1092e540fca3a3433f5426d5d811c6420eac2862f1862d2c1518d82ad5e9e36acafbc

Download Submit
\Users\Admin\AppData\Local\Temp\emlar.exe

Filesize
396KB

MD5
6e50750d27790b81626b53ff8aa0a654

SHA1
14e35df44e7248a795c83f093d3fa5a6c4da06f3

SHA256
3720201096fb5f35dd9ea923b6f091d92dc42c975381caec6ad6b8bb1c365718

SHA512
a61eb8336fd722169ff7b8cfc7f16c3d64d98a8f8b9e3bd6e4ca722a4f08ff8828ebca982c88c0d3cd96d3c0c1111834fea553ae2eaa9f110c9b654582b4d320

Download Submit
\Users\Admin\AppData\Local\Temp\xafysi.exe

Filesize
569KB

MD5
d4bcf1607b45e896be2596312ac3a23d

SHA1
a645f888059532e3d75509889b269dadddc70786

SHA256
6132bb6f7d47631ee9e37e313736174a2b7f09aa48f5b33dd7fdc6541fe3888c

SHA512
3ede0a92e5ca51b6e18ab63132bf31087a06f782b98d7b93c03f83a12641ce61839fbe1da03ddc29c237bc89de35c66128b8242497a536a5a4f7f4cf1e23e1c9

Download Submit
\Users\Admin\AppData\Local\Temp\~DFA78.tmp

Filesize
569KB

MD5
0b9771d1912ed21b119d2a1ec43bbac6

SHA1
5ce51da1d9b0c300015d7102375877822de9d440

SHA256
6b3563e3f6f5d0b5b7ba858c5fc08a4a5d2d57e0b64c920fe55277e0aa21576e

SHA512
86efaf2b580b3bd182cac03e64d2cf58a0f32b0be26c6a24fa6fef66e9e1092e540fca3a3433f5426d5d811c6420eac2862f1862d2c1518d82ad5e9e36acafbc

Download Submit
memory/984-68-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/984-65-0x0000000000000000-mapping.dmp

Download
memory/984-77-0x00000000034C0000-0x00000000035FE000-memory.dmp

Filesize
1.2MB

Download
memory/984-73-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1612-54-0x0000000076681000-0x0000000076683000-memory.dmp

Filesize
8KB

Download
memory/1612-55-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1612-71-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1612-61-0x0000000001E70000-0x0000000001F4E000-memory.dmp

Filesize
888KB

Download
memory/1720-78-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/1720-75-0x0000000000000000-mapping.dmp

Download
memory/1812-57-0x0000000000000000-mapping.dmp

Download
memory/1812-62-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1812-69-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/2036-70-0x0000000000000000-mapping.dmp

Download