836c6fbb9069d39a255c7639ce5f330b7f773662f24235bbf2327f8c1db3ea88

Analysis

max time kernel
152s
max time network
75s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
02/12/2022, 23:54

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

836c6fbb9069d39a255c7639ce5f330b7f773662f24235bbf2327f8c1db3ea88.exe
Size

724KB
MD5

d55dd31e356cff69373d1de97d7e4570
SHA1

3cf0a8ac48281905044cb452a97a56bf7289c605
SHA256

836c6fbb9069d39a255c7639ce5f330b7f773662f24235bbf2327f8c1db3ea88
SHA512

2a1bb53c67d8b062e5d023e06886cd7ef403f312049ae75b2fdd1eb78537ac6fe165bb82b1c7f27773e8e608ff4b49b679ddfa098445280666f73d948ee1bc03
SSDEEP

12288:VHjcoe9PH96vB/fAuBcm9TyOE/xG3muGx44MG4Yx:VDgINfAuBcgcZG2uG24MG4Y

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1968	gidisyc.exe
564	~DFA4F.tmp
1524	leraruz.exe

Deletes itself 1 IoCs

pid	Process
548	cmd.exe

Loads dropped DLL 3 IoCs

pid	Process
960	836c6fbb9069d39a255c7639ce5f330b7f773662f24235bbf2327f8c1db3ea88.exe
1968	gidisyc.exe
564	~DFA4F.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
1524	leraruz.exe
1524	leraruz.exe
1524	leraruz.exe
1524	leraruz.exe
1524	leraruz.exe
1524	leraruz.exe
1524	leraruz.exe
1524	leraruz.exe
1524	leraruz.exe
1524	leraruz.exe
1524	leraruz.exe
1524	leraruz.exe
1524	leraruz.exe
1524	leraruz.exe
1524	leraruz.exe
1524	leraruz.exe
1524	leraruz.exe
1524	leraruz.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	564	~DFA4F.tmp

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 960 wrote to memory of 1968	960	836c6fbb9069d39a255c7639ce5f330b7f773662f24235bbf2327f8c1db3ea88.exe	27
PID 960 wrote to memory of 1968	960	836c6fbb9069d39a255c7639ce5f330b7f773662f24235bbf2327f8c1db3ea88.exe	27
PID 960 wrote to memory of 1968	960	836c6fbb9069d39a255c7639ce5f330b7f773662f24235bbf2327f8c1db3ea88.exe	27
PID 960 wrote to memory of 1968	960	836c6fbb9069d39a255c7639ce5f330b7f773662f24235bbf2327f8c1db3ea88.exe	27
PID 960 wrote to memory of 548	960	836c6fbb9069d39a255c7639ce5f330b7f773662f24235bbf2327f8c1db3ea88.exe	28
PID 960 wrote to memory of 548	960	836c6fbb9069d39a255c7639ce5f330b7f773662f24235bbf2327f8c1db3ea88.exe	28
PID 960 wrote to memory of 548	960	836c6fbb9069d39a255c7639ce5f330b7f773662f24235bbf2327f8c1db3ea88.exe	28
PID 960 wrote to memory of 548	960	836c6fbb9069d39a255c7639ce5f330b7f773662f24235bbf2327f8c1db3ea88.exe	28
PID 1968 wrote to memory of 564	1968	gidisyc.exe	29
PID 1968 wrote to memory of 564	1968	gidisyc.exe	29
PID 1968 wrote to memory of 564	1968	gidisyc.exe	29
PID 1968 wrote to memory of 564	1968	gidisyc.exe	29
PID 564 wrote to memory of 1524	564	~DFA4F.tmp	31
PID 564 wrote to memory of 1524	564	~DFA4F.tmp	31
PID 564 wrote to memory of 1524	564	~DFA4F.tmp	31
PID 564 wrote to memory of 1524	564	~DFA4F.tmp	31

C:\Users\Admin\AppData\Local\Temp\836c6fbb9069d39a255c7639ce5f330b7f773662f24235bbf2327f8c1db3ea88.exe
"C:\Users\Admin\AppData\Local\Temp\836c6fbb9069d39a255c7639ce5f330b7f773662f24235bbf2327f8c1db3ea88.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:960
- C:\Users\Admin\AppData\Local\Temp\gidisyc.exe
  C:\Users\Admin\AppData\Local\Temp\gidisyc.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1968
- - C:\Users\Admin\AppData\Local\Temp\~DFA4F.tmp
    C:\Users\Admin\AppData\Local\Temp\~DFA4F.tmp OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:564
  - - C:\Users\Admin\AppData\Local\Temp\leraruz.exe
      "C:\Users\Admin\AppData\Local\Temp\leraruz.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:1524
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
  2⤵
  - Deletes itself
  PID:548

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uninsep.bat

Filesize
341B

MD5
63d75ba0d8870a4886fff6a83f23f54c

SHA1
fad26ce744c0c4e8f03d8e34bf8700b2788d23de

SHA256
65523e73cd92d22a3bf5337e86600a57da6e53039c3d98ff878962a64c6ddf7a

SHA512
22b35678ade32d60e3db81bc12d1e2d5ec47282a48415c60e878cfb33903cf7f7c336800d90c33626613ffd4d7ed4e479524409554f4a9f4b5660ba50334f211

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
86bb2dbeaef655893262f3c041f6afe2

SHA1
1b26ff1241c1353bd506c18bd0c11878076ba65d

SHA256
4a57643d2c59d1235bc0926f845583f39345839e3e9428ad619eb4b6baf96ad2

SHA512
58294cfaa5882a4c5625c03fe6f9e4882912b31f7169241f95626745d66c0a746083a9044365943d66ae7a420113d28c0ddd642c4ed697c683deb63796a13d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\gidisyc.exe

Filesize
733KB

MD5
d528670126273793a103a139977cf898

SHA1
b4fbc19176a8ab5a56bdbe113c4ab134d2e51cf4

SHA256
e07681babac305291c403cf7794c069fb6fa25f7f7fe1904258b631deb122856

SHA512
5f7a4550e432db540004ff848eb20ea70f984fc4cbf3fb06936e57b7fe1eba3b7e5c5e3abdbb4ab121c3303dd8b8648e5471e735a48e8eac38ca68f8cd0fa54e

Download Submit
C:\Users\Admin\AppData\Local\Temp\gidisyc.exe

Filesize
733KB

MD5
d528670126273793a103a139977cf898

SHA1
b4fbc19176a8ab5a56bdbe113c4ab134d2e51cf4

SHA256
e07681babac305291c403cf7794c069fb6fa25f7f7fe1904258b631deb122856

SHA512
5f7a4550e432db540004ff848eb20ea70f984fc4cbf3fb06936e57b7fe1eba3b7e5c5e3abdbb4ab121c3303dd8b8648e5471e735a48e8eac38ca68f8cd0fa54e

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
480B

MD5
e2d168bf85dd4dc6fb59d32cb1494c41

SHA1
b0542c7b27bdd3677d848a7e9ba7311fa0a5425a

SHA256
2f9382b631bdd69a37f408787ce73c0d3c10c2ed88fb873293f47436179513fb

SHA512
a22f2ddc02debcd21aa27d7d52d35a150f044934fb4aab9f697a8c88bd417d99f11ebb9f967ca28c060c25b4572bda1c6821ee9be94fb024267339b12113cf40

Download Submit
C:\Users\Admin\AppData\Local\Temp\leraruz.exe

Filesize
405KB

MD5
0e0d90b2f95ab5a1a981573ff045d96a

SHA1
f71bcc89e1b48e90554605f6291c89cace6f0212

SHA256
33bba2a36db84e6edc8f322bcf4d074343f97e582a3b20bb7fc5d5abdd892717

SHA512
4a9318ea431d55d6e714352850a3f3e8dc2e6832bfec1559be8a5416cd70dbd64eda3a71b31a5d5da6844cd6ab65e2372c02590f4abee4eac898fc9b901e5a93

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA4F.tmp

Filesize
742KB

MD5
554f56c9fbdbba70c36ffa4f4431725f

SHA1
44344187ea0178acce5af648093ca6f7f2fdcf90

SHA256
776e065a7df6e44532cd383050a94dd180375e8fd5c822903b845f9e55eef03e

SHA512
7ba9cfb600d6e505a404cd3c7ff8d68d8942d8428b8cde9f4639d1044f5ed2cab1303c363eb64a9b53395375bbba683ca249e207e35d21c36d74dffdce9d845e

Download Submit
\Users\Admin\AppData\Local\Temp\gidisyc.exe

Filesize
733KB

MD5
d528670126273793a103a139977cf898

SHA1
b4fbc19176a8ab5a56bdbe113c4ab134d2e51cf4

SHA256
e07681babac305291c403cf7794c069fb6fa25f7f7fe1904258b631deb122856

SHA512
5f7a4550e432db540004ff848eb20ea70f984fc4cbf3fb06936e57b7fe1eba3b7e5c5e3abdbb4ab121c3303dd8b8648e5471e735a48e8eac38ca68f8cd0fa54e

Download Submit
\Users\Admin\AppData\Local\Temp\leraruz.exe

Filesize
405KB

MD5
0e0d90b2f95ab5a1a981573ff045d96a

SHA1
f71bcc89e1b48e90554605f6291c89cace6f0212

SHA256
33bba2a36db84e6edc8f322bcf4d074343f97e582a3b20bb7fc5d5abdd892717

SHA512
4a9318ea431d55d6e714352850a3f3e8dc2e6832bfec1559be8a5416cd70dbd64eda3a71b31a5d5da6844cd6ab65e2372c02590f4abee4eac898fc9b901e5a93

Download Submit
\Users\Admin\AppData\Local\Temp\~DFA4F.tmp

Filesize
742KB

MD5
554f56c9fbdbba70c36ffa4f4431725f

SHA1
44344187ea0178acce5af648093ca6f7f2fdcf90

SHA256
776e065a7df6e44532cd383050a94dd180375e8fd5c822903b845f9e55eef03e

SHA512
7ba9cfb600d6e505a404cd3c7ff8d68d8942d8428b8cde9f4639d1044f5ed2cab1303c363eb64a9b53395375bbba683ca249e207e35d21c36d74dffdce9d845e

Download Submit
memory/564-71-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/564-72-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/564-77-0x0000000003520000-0x000000000365E000-memory.dmp

Filesize
1.2MB

Download
memory/960-67-0x0000000001F60000-0x000000000203E000-memory.dmp

Filesize
888KB

Download
memory/960-68-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/960-54-0x00000000757A1000-0x00000000757A3000-memory.dmp

Filesize
8KB

Download
memory/960-55-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1524-78-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/1968-70-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download