66dfb70ef70159b6dca15976c2e43346cacdb36b8e1b2cb71ebcfa2f884fcd4c

General

Target

66dfb70ef70159b6dca15976c2e43346cacdb36b8e1b2cb71ebcfa2f884fcd4c.exe
Size

477KB
MD5

6987e9b81baccbb1dee2feff78dee9d0
SHA1

018411350364a911a5022355e0de7aa532ab249e
SHA256

66dfb70ef70159b6dca15976c2e43346cacdb36b8e1b2cb71ebcfa2f884fcd4c
SHA512

5657e7b25bf72a08bce0eaf875193c8f14e20841cb4cb054fe87b9c6ba5c489f62d8dcdd20f97ed9a7719cea0a9e31edcb2743bde7e7654a1a2726d2d8a01316
SSDEEP

12288:9PTveekpmU2GxQA5dZWkZK6nPqM+WcD4ellNrr/w:9I24QAhWhWMHD4MlNHw

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1812	jisyx.exe
652	dytoc.exe

Deletes itself 1 IoCs

pid	Process
1548	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
1192	66dfb70ef70159b6dca15976c2e43346cacdb36b8e1b2cb71ebcfa2f884fcd4c.exe
1812	jisyx.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 21 IoCs

pid	Process
652	dytoc.exe
652	dytoc.exe
652	dytoc.exe
652	dytoc.exe
652	dytoc.exe
652	dytoc.exe
652	dytoc.exe
652	dytoc.exe
652	dytoc.exe
652	dytoc.exe
652	dytoc.exe
652	dytoc.exe
652	dytoc.exe
652	dytoc.exe
652	dytoc.exe
652	dytoc.exe
652	dytoc.exe
652	dytoc.exe
652	dytoc.exe
652	dytoc.exe
652	dytoc.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1192 wrote to memory of 1812	1192	66dfb70ef70159b6dca15976c2e43346cacdb36b8e1b2cb71ebcfa2f884fcd4c.exe	27
PID 1192 wrote to memory of 1812	1192	66dfb70ef70159b6dca15976c2e43346cacdb36b8e1b2cb71ebcfa2f884fcd4c.exe	27
PID 1192 wrote to memory of 1812	1192	66dfb70ef70159b6dca15976c2e43346cacdb36b8e1b2cb71ebcfa2f884fcd4c.exe	27
PID 1192 wrote to memory of 1812	1192	66dfb70ef70159b6dca15976c2e43346cacdb36b8e1b2cb71ebcfa2f884fcd4c.exe	27
PID 1192 wrote to memory of 1548	1192	66dfb70ef70159b6dca15976c2e43346cacdb36b8e1b2cb71ebcfa2f884fcd4c.exe	28
PID 1192 wrote to memory of 1548	1192	66dfb70ef70159b6dca15976c2e43346cacdb36b8e1b2cb71ebcfa2f884fcd4c.exe	28
PID 1192 wrote to memory of 1548	1192	66dfb70ef70159b6dca15976c2e43346cacdb36b8e1b2cb71ebcfa2f884fcd4c.exe	28
PID 1192 wrote to memory of 1548	1192	66dfb70ef70159b6dca15976c2e43346cacdb36b8e1b2cb71ebcfa2f884fcd4c.exe	28
PID 1812 wrote to memory of 652	1812	jisyx.exe	30
PID 1812 wrote to memory of 652	1812	jisyx.exe	30
PID 1812 wrote to memory of 652	1812	jisyx.exe	30
PID 1812 wrote to memory of 652	1812	jisyx.exe	30

C:\Users\Admin\AppData\Local\Temp\66dfb70ef70159b6dca15976c2e43346cacdb36b8e1b2cb71ebcfa2f884fcd4c.exe
"C:\Users\Admin\AppData\Local\Temp\66dfb70ef70159b6dca15976c2e43346cacdb36b8e1b2cb71ebcfa2f884fcd4c.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1192
- C:\Users\Admin\AppData\Local\Temp\jisyx.exe
  "C:\Users\Admin\AppData\Local\Temp\jisyx.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1812
- - C:\Users\Admin\AppData\Local\Temp\dytoc.exe
    "C:\Users\Admin\AppData\Local\Temp\dytoc.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:652
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  PID:1548

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
c8dfed3e6f1f85f6187468df9a969ed5

SHA1
60f3e21aff4c99c4cd370b8605b8e0c0df475915

SHA256
6e02b80c26399e417a1823fe39edba9a86a4cd674f9f3f516a8b4a03a0b579b1

SHA512
f16453658c359b882b96c2a21f57ad2b09e731c1d5d2dbaed80b3ed2666b2007f591ece1eb28387abcd526b739f89b2b3cd821cf0cca5a313bb5860f4720c22e

Download Submit
C:\Users\Admin\AppData\Local\Temp\dytoc.exe

Filesize
236KB

MD5
cd106fdbcc7159cdfc6faa7daa82927f

SHA1
9f96de0c0c965b9dc0f7d5c4d8dbc7db7bcaf31b

SHA256
95d8c16dde12bf8f7d72c37fbd695f6d0b3a625f2c865d8f2506d62f5a569bf8

SHA512
93950682e9312079f37e51ba2445b467e005896f36fb0af74ef3ea71a207586c3d906cd039f8eae3313dfa101154b00918556830e5530d470898d24fb4f8d5a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
3af7a109c8639c37ab664c458e95935f

SHA1
6bd618ee348ae4d02b600a8e967da656cdbae75a

SHA256
bf8737d77efb8b8ad5dbbe8dcb31fb2ab03e3d5f07435ad2741b2c853f57e736

SHA512
6cbf916222ce80add8786c99801144db27fa57d3895bc43a46c81b8d68f9292a0bb357acd8798863f07e25812b886c976725edada6bc80deb1ce4029ffffb0d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\jisyx.exe

Filesize
477KB

MD5
fddba537600452d2c4372c82f6c7b748

SHA1
45eb02e4742d3abb9eeaf0ff7a3a14d89ba4c7f7

SHA256
4d9dd0d54ed6069a31db28a145f692434d2a5091512d2a522f72b45a343b3942

SHA512
ec2034e22d06c44a174671ccf66929a49367aab38f8ab93da514441ecc191a976e34fb5d01d93a29050dfcf54a11ea415fe6e7e9c8ed2117ba5437b866cda767

Download Submit
C:\Users\Admin\AppData\Local\Temp\jisyx.exe

Filesize
477KB

MD5
fddba537600452d2c4372c82f6c7b748

SHA1
45eb02e4742d3abb9eeaf0ff7a3a14d89ba4c7f7

SHA256
4d9dd0d54ed6069a31db28a145f692434d2a5091512d2a522f72b45a343b3942

SHA512
ec2034e22d06c44a174671ccf66929a49367aab38f8ab93da514441ecc191a976e34fb5d01d93a29050dfcf54a11ea415fe6e7e9c8ed2117ba5437b866cda767

Download Submit
\Users\Admin\AppData\Local\Temp\dytoc.exe

Filesize
236KB

MD5
cd106fdbcc7159cdfc6faa7daa82927f

SHA1
9f96de0c0c965b9dc0f7d5c4d8dbc7db7bcaf31b

SHA256
95d8c16dde12bf8f7d72c37fbd695f6d0b3a625f2c865d8f2506d62f5a569bf8

SHA512
93950682e9312079f37e51ba2445b467e005896f36fb0af74ef3ea71a207586c3d906cd039f8eae3313dfa101154b00918556830e5530d470898d24fb4f8d5a7

Download Submit
\Users\Admin\AppData\Local\Temp\jisyx.exe

Filesize
477KB

MD5
fddba537600452d2c4372c82f6c7b748

SHA1
45eb02e4742d3abb9eeaf0ff7a3a14d89ba4c7f7

SHA256
4d9dd0d54ed6069a31db28a145f692434d2a5091512d2a522f72b45a343b3942

SHA512
ec2034e22d06c44a174671ccf66929a49367aab38f8ab93da514441ecc191a976e34fb5d01d93a29050dfcf54a11ea415fe6e7e9c8ed2117ba5437b866cda767

Download Submit
memory/652-70-0x0000000001270000-0x0000000001313000-memory.dmp

Filesize
652KB

Download
memory/1192-61-0x0000000000C50000-0x0000000000CDC000-memory.dmp

Filesize
560KB

Download
memory/1192-55-0x0000000000C50000-0x0000000000CDC000-memory.dmp

Filesize
560KB

Download
memory/1192-54-0x0000000076701000-0x0000000076703000-memory.dmp

Filesize
8KB

Download
memory/1812-62-0x00000000009A0000-0x0000000000A2C000-memory.dmp

Filesize
560KB

Download
memory/1812-68-0x00000000009A0000-0x0000000000A2C000-memory.dmp

Filesize
560KB

Download

Analysis

Sharing