9993e413840360a3184a2862756680d9842ca80db17af162b35fe9c4f8952b82

Analysis

max time kernel
31s
max time network
47s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
03-12-2022 19:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9993e413840360a3184a2862756680d9842ca80db17af162b35fe9c4f8952b82.exe
Size

1.1MB
MD5

72ebd575241617908d09582975506f7f
SHA1

b48203daa899f033ecff59aa608e869562a02aef
SHA256

9993e413840360a3184a2862756680d9842ca80db17af162b35fe9c4f8952b82
SHA512

fab83ddceffe0925612a875c29248057f808cecca26e4eb57320fb8a3b59692a462bfd1493181a46effcedce655981bbe9305a487f1326e82350318455838e39
SSDEEP

24576:85QIzHyuhiDyrPRVu+7nV2IQYQyK2XL43q:85p6iPRVudDyrX86

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
980	xyq.exe
1480	ÃÎ»Ã.exe

Loads dropped DLL 7 IoCs

pid	Process
1940	9993e413840360a3184a2862756680d9842ca80db17af162b35fe9c4f8952b82.exe
1940	9993e413840360a3184a2862756680d9842ca80db17af162b35fe9c4f8952b82.exe
1940	9993e413840360a3184a2862756680d9842ca80db17af162b35fe9c4f8952b82.exe
980	xyq.exe
1940	9993e413840360a3184a2862756680d9842ca80db17af162b35fe9c4f8952b82.exe
1480	ÃÎ»Ã.exe
980	xyq.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\gdmhi32.cfg	ÃÎ»Ã.exe
File opened for modification	C:\Windows\SysWOW64\gdmhi32.dll	ÃÎ»Ã.exe
File created	C:\Windows\SysWOW64\gdmhi32.dll	ÃÎ»Ã.exe
File created	C:\Windows\SysWOW64\HookHelp.sys	ÃÎ»Ã.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1480	ÃÎ»Ã.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
464	Process not Found

Suspicious use of SetWindowsHookEx 31 IoCs

pid	Process
980	xyq.exe
980	xyq.exe
980	xyq.exe
980	xyq.exe
980	xyq.exe
980	xyq.exe
980	xyq.exe
980	xyq.exe
980	xyq.exe
980	xyq.exe
980	xyq.exe
980	xyq.exe
980	xyq.exe
980	xyq.exe
980	xyq.exe
980	xyq.exe
980	xyq.exe
980	xyq.exe
980	xyq.exe
980	xyq.exe
980	xyq.exe
980	xyq.exe
980	xyq.exe
980	xyq.exe
980	xyq.exe
980	xyq.exe
980	xyq.exe
980	xyq.exe
980	xyq.exe
980	xyq.exe
980	xyq.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1940 wrote to memory of 980	1940	9993e413840360a3184a2862756680d9842ca80db17af162b35fe9c4f8952b82.exe	27
PID 1940 wrote to memory of 980	1940	9993e413840360a3184a2862756680d9842ca80db17af162b35fe9c4f8952b82.exe	27
PID 1940 wrote to memory of 980	1940	9993e413840360a3184a2862756680d9842ca80db17af162b35fe9c4f8952b82.exe	27
PID 1940 wrote to memory of 980	1940	9993e413840360a3184a2862756680d9842ca80db17af162b35fe9c4f8952b82.exe	27
PID 1940 wrote to memory of 1480	1940	9993e413840360a3184a2862756680d9842ca80db17af162b35fe9c4f8952b82.exe	28
PID 1940 wrote to memory of 1480	1940	9993e413840360a3184a2862756680d9842ca80db17af162b35fe9c4f8952b82.exe	28
PID 1940 wrote to memory of 1480	1940	9993e413840360a3184a2862756680d9842ca80db17af162b35fe9c4f8952b82.exe	28
PID 1940 wrote to memory of 1480	1940	9993e413840360a3184a2862756680d9842ca80db17af162b35fe9c4f8952b82.exe	28
PID 1480 wrote to memory of 1976	1480	ÃÎ»Ã.exe	29
PID 1480 wrote to memory of 1976	1480	ÃÎ»Ã.exe	29
PID 1480 wrote to memory of 1976	1480	ÃÎ»Ã.exe	29
PID 1480 wrote to memory of 1976	1480	ÃÎ»Ã.exe	29

C:\Users\Admin\AppData\Local\Temp\9993e413840360a3184a2862756680d9842ca80db17af162b35fe9c4f8952b82.exe
"C:\Users\Admin\AppData\Local\Temp\9993e413840360a3184a2862756680d9842ca80db17af162b35fe9c4f8952b82.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1940
- C:\Users\Admin\AppData\Local\Temp\xyq.exe
  "C:\Users\Admin\AppData\Local\Temp\xyq.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:980
- C:\Users\Admin\AppData\Local\Temp\ÃÎ»Ã.exe
  "C:\Users\Admin\AppData\Local\Temp\ÃÎ»Ã.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1480
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\ÃÎ»Ã.exe"
    3⤵
    PID:1976

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\xyq.exe

Filesize
536KB

MD5
c951ce4ba0f17a748b17805b51d7b5d2

SHA1
8a5ed65e7a94206b8e0c7d1b781ff02a784cbad5

SHA256
f29ba8fc76ffcb44f92fa9c73275937aad4c51717db27a1700e09ecf20b4898b

SHA512
d2a1905ab0debc361a9b48645645b33ea3553525e8691e72002ecc01ea491df22e9bb5159ebc412a4a83a56401aa7a0cbdbc8da99fdd6a913b670d00542dd043

Download Submit
C:\Users\Admin\AppData\Local\Temp\xyq.exe

Filesize
536KB

MD5
c951ce4ba0f17a748b17805b51d7b5d2

SHA1
8a5ed65e7a94206b8e0c7d1b781ff02a784cbad5

SHA256
f29ba8fc76ffcb44f92fa9c73275937aad4c51717db27a1700e09ecf20b4898b

SHA512
d2a1905ab0debc361a9b48645645b33ea3553525e8691e72002ecc01ea491df22e9bb5159ebc412a4a83a56401aa7a0cbdbc8da99fdd6a913b670d00542dd043

Download Submit
C:\Users\Admin\AppData\Local\Temp\ÃÎ»Ã.exe

Filesize
20KB

MD5
d0f8909c0a8e19fac9fe26cc6f3e5d76

SHA1
b18ba4d22eb89e1aa4c6bf3fb615def9110e1436

SHA256
3d5c0084464e502bef035357a954575a52f74bda400934d8dd93b9eadb4ba1d6

SHA512
ac1bdb3782a25567ccce770fdef7ec6b0d1bbf326551674238d94d0859f554061cd2f955e67b6ec92e2e3709e180ae0e0380b45e5d6cf40cac04c3e2d867af69

Download Submit
C:\Users\Admin\AppData\Local\Temp\ÃÎ»Ã.exe

Filesize
20KB

MD5
d0f8909c0a8e19fac9fe26cc6f3e5d76

SHA1
b18ba4d22eb89e1aa4c6bf3fb615def9110e1436

SHA256
3d5c0084464e502bef035357a954575a52f74bda400934d8dd93b9eadb4ba1d6

SHA512
ac1bdb3782a25567ccce770fdef7ec6b0d1bbf326551674238d94d0859f554061cd2f955e67b6ec92e2e3709e180ae0e0380b45e5d6cf40cac04c3e2d867af69

Download Submit
\Users\Admin\AppData\Local\Temp\E_60003\krnln.fnr

Filesize
996KB

MD5
ddaf7a94619cbeaac4e0c04dbf9bce99

SHA1
ff142c73c0237ce29ff594cb6c287e5d210370b5

SHA256
fb6522d23bdb2eb2a48b5ee6d3cdfba2d1dda848922ad99dc939d718a3ab383c

SHA512
730268e14454f0a778db85056ae383416ea337b962aac812c6761dbe3ca0e20176c2fc1c02585bd3843cff3779b8160a92e66c773b6febd6f5165c400f89cbce

Download Submit
\Users\Admin\AppData\Local\Temp\E_60003\xplib.fne

Filesize
40KB

MD5
1f9c82ece3c8f3bb23fe73538ffc57ef

SHA1
8b709ed09aeb296f1aa21d8a58c5086301e5853e

SHA256
02e71c2980dff2c5e6f737cca330d5abaf564f4a4f20ae48c03230eeb6ca8ec2

SHA512
9d682940ecc60aaacaac93d2f0333dc15c718014c2797821a6a6ce3090554fc6cb63aa56698c03f0850a71f139c68a3e42929bc5048a432ff5c11d24bd1f902d

Download Submit
\Users\Admin\AppData\Local\Temp\xyq.exe

Filesize
536KB

MD5
c951ce4ba0f17a748b17805b51d7b5d2

SHA1
8a5ed65e7a94206b8e0c7d1b781ff02a784cbad5

SHA256
f29ba8fc76ffcb44f92fa9c73275937aad4c51717db27a1700e09ecf20b4898b

SHA512
d2a1905ab0debc361a9b48645645b33ea3553525e8691e72002ecc01ea491df22e9bb5159ebc412a4a83a56401aa7a0cbdbc8da99fdd6a913b670d00542dd043

Download Submit
\Users\Admin\AppData\Local\Temp\xyq.exe

Filesize
536KB

MD5
c951ce4ba0f17a748b17805b51d7b5d2

SHA1
8a5ed65e7a94206b8e0c7d1b781ff02a784cbad5

SHA256
f29ba8fc76ffcb44f92fa9c73275937aad4c51717db27a1700e09ecf20b4898b

SHA512
d2a1905ab0debc361a9b48645645b33ea3553525e8691e72002ecc01ea491df22e9bb5159ebc412a4a83a56401aa7a0cbdbc8da99fdd6a913b670d00542dd043

Download Submit
\Users\Admin\AppData\Local\Temp\ÃÎ»Ã.exe

Filesize
20KB

MD5
d0f8909c0a8e19fac9fe26cc6f3e5d76

SHA1
b18ba4d22eb89e1aa4c6bf3fb615def9110e1436

SHA256
3d5c0084464e502bef035357a954575a52f74bda400934d8dd93b9eadb4ba1d6

SHA512
ac1bdb3782a25567ccce770fdef7ec6b0d1bbf326551674238d94d0859f554061cd2f955e67b6ec92e2e3709e180ae0e0380b45e5d6cf40cac04c3e2d867af69

Download Submit
\Users\Admin\AppData\Local\Temp\ÃÎ»Ã.exe

Filesize
20KB

MD5
d0f8909c0a8e19fac9fe26cc6f3e5d76

SHA1
b18ba4d22eb89e1aa4c6bf3fb615def9110e1436

SHA256
3d5c0084464e502bef035357a954575a52f74bda400934d8dd93b9eadb4ba1d6

SHA512
ac1bdb3782a25567ccce770fdef7ec6b0d1bbf326551674238d94d0859f554061cd2f955e67b6ec92e2e3709e180ae0e0380b45e5d6cf40cac04c3e2d867af69

Download Submit
\Windows\SysWOW64\gdmhi32.dll

Filesize
17KB

MD5
32ed7e20012ca3d8cf49db73c7933270

SHA1
93ba59e87a7747ddca96b78225cb185f55827883

SHA256
aef7f0e3b0c53c49e56ce0320c5644a3500edeaa121d42516bcd775337836f8a

SHA512
2ffddfd867f0f980d01aad29f405ce06d73c2ab7135904085b397be5bb618b67256625eb569bc5668e647333323fa092aa92259be2b670cfc3c7c6052c8c286c

Download Submit
memory/980-69-0x0000000000220000-0x000000000022B000-memory.dmp

Filesize
44KB

Download
memory/980-57-0x0000000000000000-mapping.dmp

Download
memory/980-71-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1480-64-0x0000000000000000-mapping.dmp

Download
memory/1480-70-0x0000000025000000-0x000000002501D000-memory.dmp

Filesize
116KB

Download
memory/1480-73-0x0000000025000000-0x000000002501D000-memory.dmp

Filesize
116KB

Download
memory/1940-54-0x0000000075B41000-0x0000000075B43000-memory.dmp

Filesize
8KB

Download
memory/1976-72-0x0000000000000000-mapping.dmp

Download