58132104efb2638c9f274d19e0ed5f9960632da52f9827c5afdfd90229ff9423

Analysis

max time kernel
151s
max time network
74s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
02/12/2022, 23:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

58132104efb2638c9f274d19e0ed5f9960632da52f9827c5afdfd90229ff9423.exe
Size

685KB
MD5

95b51c28ce2f926b597bdf572250cd90
SHA1

18bece471bcd283e76c7e28c3c6a5eda59b20d8f
SHA256

58132104efb2638c9f274d19e0ed5f9960632da52f9827c5afdfd90229ff9423
SHA512

93008f0d344a71e5e9f357e8b90d5a0e7d925c596549f346df9e0b82d96a984e98bde0147bcb4a7b104bab620322336686ab97061c425183d91367c89b7415ec
SSDEEP

12288:VHjcoe9PH96vB/fAuBcm9TyOE/xG3muGx44MG4Yx:VDgINfAuBcgcZG2uG24MG4Y

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
820	hyymsyv.exe
1624	~DFA5D.tmp
624	izvycov.exe

Deletes itself 1 IoCs

pid	Process
660	cmd.exe

Loads dropped DLL 3 IoCs

pid	Process
1376	58132104efb2638c9f274d19e0ed5f9960632da52f9827c5afdfd90229ff9423.exe
820	hyymsyv.exe
1624	~DFA5D.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
624	izvycov.exe
624	izvycov.exe
624	izvycov.exe
624	izvycov.exe
624	izvycov.exe
624	izvycov.exe
624	izvycov.exe
624	izvycov.exe
624	izvycov.exe
624	izvycov.exe
624	izvycov.exe
624	izvycov.exe
624	izvycov.exe
624	izvycov.exe
624	izvycov.exe
624	izvycov.exe
624	izvycov.exe
624	izvycov.exe
624	izvycov.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1624	~DFA5D.tmp

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1376 wrote to memory of 820	1376	58132104efb2638c9f274d19e0ed5f9960632da52f9827c5afdfd90229ff9423.exe	26
PID 1376 wrote to memory of 820	1376	58132104efb2638c9f274d19e0ed5f9960632da52f9827c5afdfd90229ff9423.exe	26
PID 1376 wrote to memory of 820	1376	58132104efb2638c9f274d19e0ed5f9960632da52f9827c5afdfd90229ff9423.exe	26
PID 1376 wrote to memory of 820	1376	58132104efb2638c9f274d19e0ed5f9960632da52f9827c5afdfd90229ff9423.exe	26
PID 820 wrote to memory of 1624	820	hyymsyv.exe	27
PID 820 wrote to memory of 1624	820	hyymsyv.exe	27
PID 820 wrote to memory of 1624	820	hyymsyv.exe	27
PID 820 wrote to memory of 1624	820	hyymsyv.exe	27
PID 1376 wrote to memory of 660	1376	58132104efb2638c9f274d19e0ed5f9960632da52f9827c5afdfd90229ff9423.exe	28
PID 1376 wrote to memory of 660	1376	58132104efb2638c9f274d19e0ed5f9960632da52f9827c5afdfd90229ff9423.exe	28
PID 1376 wrote to memory of 660	1376	58132104efb2638c9f274d19e0ed5f9960632da52f9827c5afdfd90229ff9423.exe	28
PID 1376 wrote to memory of 660	1376	58132104efb2638c9f274d19e0ed5f9960632da52f9827c5afdfd90229ff9423.exe	28
PID 1624 wrote to memory of 624	1624	~DFA5D.tmp	30
PID 1624 wrote to memory of 624	1624	~DFA5D.tmp	30
PID 1624 wrote to memory of 624	1624	~DFA5D.tmp	30
PID 1624 wrote to memory of 624	1624	~DFA5D.tmp	30

C:\Users\Admin\AppData\Local\Temp\58132104efb2638c9f274d19e0ed5f9960632da52f9827c5afdfd90229ff9423.exe
"C:\Users\Admin\AppData\Local\Temp\58132104efb2638c9f274d19e0ed5f9960632da52f9827c5afdfd90229ff9423.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1376
- C:\Users\Admin\AppData\Local\Temp\hyymsyv.exe
  C:\Users\Admin\AppData\Local\Temp\hyymsyv.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:820
- - C:\Users\Admin\AppData\Local\Temp\~DFA5D.tmp
    C:\Users\Admin\AppData\Local\Temp\~DFA5D.tmp OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1624
  - - C:\Users\Admin\AppData\Local\Temp\izvycov.exe
      "C:\Users\Admin\AppData\Local\Temp\izvycov.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:624
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
  2⤵
  - Deletes itself
  PID:660

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uninsep.bat

Filesize
341B

MD5
12c73c2dd7c93f9ec2cf31e3cf281cad

SHA1
89d568ae53426e646438e65d7cb143198aaa2177

SHA256
b7844fc53a2e3a1b7d556a889350f817735ce24979dcfb3993cfa75f191509a4

SHA512
100084c08a23c5c4da2502ba745504747e2d32714c6eb50a90a78e4e6abccac5b97e10bac719784b66406cefd34584ba47b802c28be10f172230ea39d636a90e

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
86bb2dbeaef655893262f3c041f6afe2

SHA1
1b26ff1241c1353bd506c18bd0c11878076ba65d

SHA256
4a57643d2c59d1235bc0926f845583f39345839e3e9428ad619eb4b6baf96ad2

SHA512
58294cfaa5882a4c5625c03fe6f9e4882912b31f7169241f95626745d66c0a746083a9044365943d66ae7a420113d28c0ddd642c4ed697c683deb63796a13d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
480B

MD5
33e5ca8dc9340acb79c2ade8d03b7b6b

SHA1
b5f1aeef7001d1f35d91c1851058b9e0dc74d14a

SHA256
7bc0ec0b4e364040ceb14b0fda967eafd29bb2ee19ae37191462af30b2b050a6

SHA512
475269fb7c1a16045eaff21d265bf88ecf788ef205a31cb1753a3c1bdcaf5ef97cfbd0ec1823e3114d0ecdfaba161f938e5e305bfe41e1d4f071fc966cbaeee6

Download Submit
C:\Users\Admin\AppData\Local\Temp\hyymsyv.exe

Filesize
688KB

MD5
a9e7832317d3e111f4b5878014704621

SHA1
545fe50e2ab6395a2f42c15c1be01fb0862a142a

SHA256
8feb42d852bca3d400bf117614ee2fa3b2d9c7b3844ad9f624077f147a0b0f17

SHA512
8ad8bee9b5ee257a506fed1ac96a3551a151c8d860d10af8ac1d824f20a9b9f43b35eb11875013d2f00b8da156b0320e485e4527abdb76459e108fd13e0e650d

Download Submit
C:\Users\Admin\AppData\Local\Temp\hyymsyv.exe

Filesize
688KB

MD5
a9e7832317d3e111f4b5878014704621

SHA1
545fe50e2ab6395a2f42c15c1be01fb0862a142a

SHA256
8feb42d852bca3d400bf117614ee2fa3b2d9c7b3844ad9f624077f147a0b0f17

SHA512
8ad8bee9b5ee257a506fed1ac96a3551a151c8d860d10af8ac1d824f20a9b9f43b35eb11875013d2f00b8da156b0320e485e4527abdb76459e108fd13e0e650d

Download Submit
C:\Users\Admin\AppData\Local\Temp\izvycov.exe

Filesize
400KB

MD5
e1aa040092373cb372c12139e31223ce

SHA1
06adf65167a4cd0a639399340e0523ec4a86432b

SHA256
0040ec4fff2157424e978bce10e2fc72d0affead11ef3a1d748a7ea81de97426

SHA512
a4d776c43028ddbcb96b90f28113f6f97ac84d4f5aa3b753c5f2941d6f9cf87237a6d759b5e8a97817774f30f989eab82ac7c7cd154d5e43fc223973802f7e08

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA5D.tmp

Filesize
692KB

MD5
cb38afb7f146f89bc6b244864a73be39

SHA1
e73d1de3d083705206aceebd6ca23dd4ceec36cf

SHA256
1e24b0a95f6a473c21eab5504e849e796300c76fcea983a7df2260bc7fb0a30d

SHA512
72491e6b8b602aa50b651f433bbeaff512cb0d93424214e5c2b49a2e0453f66ac4f1359504b17ea43477af6f07e170df714438c2b1fbbdd48d53172c29ab2f89

Download Submit
\Users\Admin\AppData\Local\Temp\hyymsyv.exe

Filesize
688KB

MD5
a9e7832317d3e111f4b5878014704621

SHA1
545fe50e2ab6395a2f42c15c1be01fb0862a142a

SHA256
8feb42d852bca3d400bf117614ee2fa3b2d9c7b3844ad9f624077f147a0b0f17

SHA512
8ad8bee9b5ee257a506fed1ac96a3551a151c8d860d10af8ac1d824f20a9b9f43b35eb11875013d2f00b8da156b0320e485e4527abdb76459e108fd13e0e650d

Download Submit
\Users\Admin\AppData\Local\Temp\izvycov.exe

Filesize
400KB

MD5
e1aa040092373cb372c12139e31223ce

SHA1
06adf65167a4cd0a639399340e0523ec4a86432b

SHA256
0040ec4fff2157424e978bce10e2fc72d0affead11ef3a1d748a7ea81de97426

SHA512
a4d776c43028ddbcb96b90f28113f6f97ac84d4f5aa3b753c5f2941d6f9cf87237a6d759b5e8a97817774f30f989eab82ac7c7cd154d5e43fc223973802f7e08

Download Submit
\Users\Admin\AppData\Local\Temp\~DFA5D.tmp

Filesize
692KB

MD5
cb38afb7f146f89bc6b244864a73be39

SHA1
e73d1de3d083705206aceebd6ca23dd4ceec36cf

SHA256
1e24b0a95f6a473c21eab5504e849e796300c76fcea983a7df2260bc7fb0a30d

SHA512
72491e6b8b602aa50b651f433bbeaff512cb0d93424214e5c2b49a2e0453f66ac4f1359504b17ea43477af6f07e170df714438c2b1fbbdd48d53172c29ab2f89

Download Submit
memory/624-80-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/820-70-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/820-71-0x0000000002BE0000-0x0000000002CBE000-memory.dmp

Filesize
888KB

Download
memory/820-73-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1376-69-0x0000000001E40000-0x0000000001F1E000-memory.dmp

Filesize
888KB

Download
memory/1376-67-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1376-55-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1376-54-0x0000000075091000-0x0000000075093000-memory.dmp

Filesize
8KB

Download
memory/1624-72-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1624-74-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1624-79-0x0000000003890000-0x00000000039CE000-memory.dmp

Filesize
1.2MB

Download