3b3f2716705df84738551d92feacc82c90afedff0bd823053e4e46848d2a3b7f

Analysis

max time kernel
143s
max time network
110s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
09-12-2022 16:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1.exe
Size

867KB
MD5

a451c909421cad8d940d100f2bfc4651
SHA1

97df30202fa0ae5a2366d0bef6ed415bdad3f2a2
SHA256

3b3f2716705df84738551d92feacc82c90afedff0bd823053e4e46848d2a3b7f
SHA512

5a2b8225eb7107fc77f6f6dd350b455de620ee7c4e3eecc65b1fe183bbf8a3d825510f18abca1d5c3a0c1f5d6f7ec8b2cff1e42f8944142c5a6cc70be47d1c0f
SSDEEP

12288:rrF5UskuwSU/FbrrOLyvs6DvFY7y2lmFjtTshX4WeQ0aFUA2UK7gW:rrjxwhGLKsUFUbWOiG5xK79

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

i23d35242786qkb2ep80w2.exe8X0UCQ73MG0Z07JW7056GPOG3.exe

pid process

1188 i23d35242786qkb2ep80w2.exe
324 8X0UCQ73MG0Z07JW7056GPOG3.exe
Loads dropped DLL 3 IoCs

Processes:

i23d35242786qkb2ep80w2.exe8X0UCQ73MG0Z07JW7056GPOG3.exe

pid process

1188 i23d35242786qkb2ep80w2.exe
1188 i23d35242786qkb2ep80w2.exe
324 8X0UCQ73MG0Z07JW7056GPOG3.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

i23d35242786qkb2ep80w2.exe8X0UCQ73MG0Z07JW7056GPOG3.exe

pid process

1188 i23d35242786qkb2ep80w2.exe
1188 i23d35242786qkb2ep80w2.exe
324 8X0UCQ73MG0Z07JW7056GPOG3.exe
324 8X0UCQ73MG0Z07JW7056GPOG3.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

i23d35242786qkb2ep80w2.exe8X0UCQ73MG0Z07JW7056GPOG3.exe

description pid process

Token: SeDebugPrivilege 1188 i23d35242786qkb2ep80w2.exe
Token: SeDebugPrivilege 324 8X0UCQ73MG0Z07JW7056GPOG3.exe

description	pid	process
Token: SeDebugPrivilege	1188	i23d35242786qkb2ep80w2.exe
Token: SeDebugPrivilege	324	8X0UCQ73MG0Z07JW7056GPOG3.exe

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

i23d35242786qkb2ep80w2.exe8X0UCQ73MG0Z07JW7056GPOG3.exe

pid	process
1188	i23d35242786qkb2ep80w2.exe
1188	i23d35242786qkb2ep80w2.exe
1188	i23d35242786qkb2ep80w2.exe
1188	i23d35242786qkb2ep80w2.exe
324	8X0UCQ73MG0Z07JW7056GPOG3.exe
324	8X0UCQ73MG0Z07JW7056GPOG3.exe
324	8X0UCQ73MG0Z07JW7056GPOG3.exe
324	8X0UCQ73MG0Z07JW7056GPOG3.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

1.exei23d35242786qkb2ep80w2.exe

description	pid	process	target process
PID 1416 wrote to memory of 1188	1416	1.exe	i23d35242786qkb2ep80w2.exe
PID 1416 wrote to memory of 1188	1416	1.exe	i23d35242786qkb2ep80w2.exe
PID 1416 wrote to memory of 1188	1416	1.exe	i23d35242786qkb2ep80w2.exe
PID 1416 wrote to memory of 1188	1416	1.exe	i23d35242786qkb2ep80w2.exe
PID 1416 wrote to memory of 1188	1416	1.exe	i23d35242786qkb2ep80w2.exe
PID 1416 wrote to memory of 1188	1416	1.exe	i23d35242786qkb2ep80w2.exe
PID 1416 wrote to memory of 1188	1416	1.exe	i23d35242786qkb2ep80w2.exe
PID 1188 wrote to memory of 324	1188	i23d35242786qkb2ep80w2.exe	8X0UCQ73MG0Z07JW7056GPOG3.exe
PID 1188 wrote to memory of 324	1188	i23d35242786qkb2ep80w2.exe	8X0UCQ73MG0Z07JW7056GPOG3.exe
PID 1188 wrote to memory of 324	1188	i23d35242786qkb2ep80w2.exe	8X0UCQ73MG0Z07JW7056GPOG3.exe
PID 1188 wrote to memory of 324	1188	i23d35242786qkb2ep80w2.exe	8X0UCQ73MG0Z07JW7056GPOG3.exe
PID 1188 wrote to memory of 324	1188	i23d35242786qkb2ep80w2.exe	8X0UCQ73MG0Z07JW7056GPOG3.exe
PID 1188 wrote to memory of 324	1188	i23d35242786qkb2ep80w2.exe	8X0UCQ73MG0Z07JW7056GPOG3.exe
PID 1188 wrote to memory of 324	1188	i23d35242786qkb2ep80w2.exe	8X0UCQ73MG0Z07JW7056GPOG3.exe

C:\Users\Admin\AppData\Local\Temp\1.exe
"C:\Users\Admin\AppData\Local\Temp\1.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1416

C:\Users\Admin\AppData\Roaming\di5behct718a10ic4kyr779jtpuz\i23d35242786qkb2ep80w2.exe
C:\Users\Admin\AppData\Roaming\di5behct718a10ic4kyr779jtpuz\i23d35242786qkb2ep80w2.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1188

C:\Users\Admin\AppData\Local\Temp\QQGRU2NEDAI6X3B1SRYZN4H7R\8X0UCQ73MG0Z07JW7056GPOG3.exe
433A5C55736572735C41646D696E5C417070446174615C526F616D696E675C64693562656863743731386131306963346B79723737396A7470757A5C693233643335323432373836716B62326570383077322E657865
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:324

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\078BFBFF000306D2

Filesize
116B

MD5
8e5fa015a50101fee54885bcd67a5609

SHA1
2beb699b15befd0aa4d144c295b7d99d183b1197

SHA256
797bc12013c264c3b2d3c24682d24453d079c92e6107a2720a77a6569ba2436f

SHA512
cb3e764b9fce88578bb8b07005dd43a84e562d2941115da7367845ccb1cb5a2fcdb991c887f5748d7798906410335a0c337aefc0a7765e32e4d7fa55b9eca195

Download Submit
C:\Users\Admin\AppData\Local\Temp\QQGRU2NEDAI6X3B1SRYZN4H7R\8X0UCQ73MG0Z07JW7056GPOG3.data

Filesize
158B

MD5
a791cbda0cfb5b7f7245c029fd6dd016

SHA1
e8bdbfd44bddcdd9c5c3b7962c730a317b773a03

SHA256
e073944e92c08d51c618fe4ea1c899ddfaa99e01414edaca89468463bc50eb60

SHA512
2101ac673b5b27b103ebec03edc0ac9c1e1abba719c53ab2132a6ae7d5c992b6d8ed76ba476046b06f47e39d7317a0be0e566423e403ab97d33196a7fbd0aaf1

Download Submit
C:\Users\Admin\AppData\Local\Temp\QQGRU2NEDAI6X3B1SRYZN4H7R\8X0UCQ73MG0Z07JW7056GPOG3.exe

Filesize
167KB

MD5
54a010c60be10b65eee5506720fccabb

SHA1
18cfa274db7d6567441db036eb2b25b720d58884

SHA256
9a4b728a0b652056cbd312dd917adc08c72c89b6f666472f4e3d59a1b8039d89

SHA512
afb51acc8b684db72d5ee9ad7c340d852322af0862a80976c6830330c9e094bc77e760a5806ba883b437c0d10139aa783c21cd87acd405c453df98422d6b99ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\QQGRU2NEDAI6X3B1SRYZN4H7R\8X0UCQ73MG0Z07JW7056GPOG3.exe

Filesize
167KB

MD5
54a010c60be10b65eee5506720fccabb

SHA1
18cfa274db7d6567441db036eb2b25b720d58884

SHA256
9a4b728a0b652056cbd312dd917adc08c72c89b6f666472f4e3d59a1b8039d89

SHA512
afb51acc8b684db72d5ee9ad7c340d852322af0862a80976c6830330c9e094bc77e760a5806ba883b437c0d10139aa783c21cd87acd405c453df98422d6b99ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\QQGRU2NEDAI6X3B1SRYZN4H7R\goopdate.dll

Filesize
424KB

MD5
7ac15af25453a3af866795745ab69cd4

SHA1
305bd8a0be224ffb2fbaf321fc26ef04de09b5c7

SHA256
1d0162cf04cd2181874ff9f016b0b6bfca4f4c6557f75a91298b2a761763a99d

SHA512
e79091c0d0a83f08f0eefb093ef3caacf03c8473275fc36ff927cd78b07dbf3402fc7e6ffc7f050d7a2a13c670971507687cb03a274add0d9ed10fd448b2afdb

Download Submit
C:\Users\Admin\AppData\Roaming\di5behct718a10ic4kyr779jtpuz\goopdate.dll

Filesize
424KB

MD5
7ac15af25453a3af866795745ab69cd4

SHA1
305bd8a0be224ffb2fbaf321fc26ef04de09b5c7

SHA256
1d0162cf04cd2181874ff9f016b0b6bfca4f4c6557f75a91298b2a761763a99d

SHA512
e79091c0d0a83f08f0eefb093ef3caacf03c8473275fc36ff927cd78b07dbf3402fc7e6ffc7f050d7a2a13c670971507687cb03a274add0d9ed10fd448b2afdb

Download Submit
C:\Users\Admin\AppData\Roaming\di5behct718a10ic4kyr779jtpuz\i23d35242786qkb2ep80w2.data

Filesize
158B

MD5
a791cbda0cfb5b7f7245c029fd6dd016

SHA1
e8bdbfd44bddcdd9c5c3b7962c730a317b773a03

SHA256
e073944e92c08d51c618fe4ea1c899ddfaa99e01414edaca89468463bc50eb60

SHA512
2101ac673b5b27b103ebec03edc0ac9c1e1abba719c53ab2132a6ae7d5c992b6d8ed76ba476046b06f47e39d7317a0be0e566423e403ab97d33196a7fbd0aaf1

Download Submit
C:\Users\Admin\AppData\Roaming\di5behct718a10ic4kyr779jtpuz\i23d35242786qkb2ep80w2.data

Filesize
246B

MD5
c348c90fdcdfe21a026c00cfc8f767b9

SHA1
8199378d6009b4129fe8ff9be44ac047fb4b3c77

SHA256
9afce31b544a3f525563873f6fb3ee9664774b6dc9d0116d7719b25e1d0e4920

SHA512
84db7b91f2cb169967a25b65d2aec3a634114996faee7adf0425b29d31e4136d7e1217390d750b849d26fb58b35e2e3c235dd334550c24811a644bd48da8a43b

Download Submit
C:\Users\Admin\AppData\Roaming\di5behct718a10ic4kyr779jtpuz\i23d35242786qkb2ep80w2.exe

Filesize
167KB

MD5
54a010c60be10b65eee5506720fccabb

SHA1
18cfa274db7d6567441db036eb2b25b720d58884

SHA256
9a4b728a0b652056cbd312dd917adc08c72c89b6f666472f4e3d59a1b8039d89

SHA512
afb51acc8b684db72d5ee9ad7c340d852322af0862a80976c6830330c9e094bc77e760a5806ba883b437c0d10139aa783c21cd87acd405c453df98422d6b99ae

Download Submit
C:\Users\Admin\AppData\Roaming\di5behct718a10ic4kyr779jtpuz\i23d35242786qkb2ep80w2.exe

Filesize
167KB

MD5
54a010c60be10b65eee5506720fccabb

SHA1
18cfa274db7d6567441db036eb2b25b720d58884

SHA256
9a4b728a0b652056cbd312dd917adc08c72c89b6f666472f4e3d59a1b8039d89

SHA512
afb51acc8b684db72d5ee9ad7c340d852322af0862a80976c6830330c9e094bc77e760a5806ba883b437c0d10139aa783c21cd87acd405c453df98422d6b99ae

Download Submit
\Users\Admin\AppData\Local\Temp\QQGRU2NEDAI6X3B1SRYZN4H7R\8X0UCQ73MG0Z07JW7056GPOG3.exe

Filesize
167KB

MD5
54a010c60be10b65eee5506720fccabb

SHA1
18cfa274db7d6567441db036eb2b25b720d58884

SHA256
9a4b728a0b652056cbd312dd917adc08c72c89b6f666472f4e3d59a1b8039d89

SHA512
afb51acc8b684db72d5ee9ad7c340d852322af0862a80976c6830330c9e094bc77e760a5806ba883b437c0d10139aa783c21cd87acd405c453df98422d6b99ae

Download Submit
\Users\Admin\AppData\Local\Temp\QQGRU2NEDAI6X3B1SRYZN4H7R\goopdate.dll

Filesize
424KB

MD5
7ac15af25453a3af866795745ab69cd4

SHA1
305bd8a0be224ffb2fbaf321fc26ef04de09b5c7

SHA256
1d0162cf04cd2181874ff9f016b0b6bfca4f4c6557f75a91298b2a761763a99d

SHA512
e79091c0d0a83f08f0eefb093ef3caacf03c8473275fc36ff927cd78b07dbf3402fc7e6ffc7f050d7a2a13c670971507687cb03a274add0d9ed10fd448b2afdb

Download Submit
\Users\Admin\AppData\Roaming\di5behct718a10ic4kyr779jtpuz\goopdate.dll

Filesize
424KB

MD5
7ac15af25453a3af866795745ab69cd4

SHA1
305bd8a0be224ffb2fbaf321fc26ef04de09b5c7

SHA256
1d0162cf04cd2181874ff9f016b0b6bfca4f4c6557f75a91298b2a761763a99d

SHA512
e79091c0d0a83f08f0eefb093ef3caacf03c8473275fc36ff927cd78b07dbf3402fc7e6ffc7f050d7a2a13c670971507687cb03a274add0d9ed10fd448b2afdb

Download Submit
memory/324-93-0x0000000003AD0000-0x0000000003BC4000-memory.dmp

Filesize
976KB

Download
memory/324-87-0x0000000002000000-0x00000000020EC000-memory.dmp

Filesize
944KB

Download
memory/324-96-0x0000000004460000-0x00000000045CB000-memory.dmp

Filesize
1.4MB

Download
memory/324-91-0x00000000035E0000-0x00000000038C3000-memory.dmp

Filesize
2.9MB

Download
memory/324-90-0x00000000035E0000-0x00000000038C3000-memory.dmp

Filesize
2.9MB

Download
memory/324-97-0x0000000003AD0000-0x0000000003BC4000-memory.dmp

Filesize
976KB

Download
memory/324-88-0x00000000035E0000-0x00000000038C3000-memory.dmp

Filesize
2.9MB

Download
memory/324-95-0x0000000000440000-0x00000000004A4000-memory.dmp

Filesize
400KB

Download
memory/324-100-0x0000000004460000-0x00000000045CB000-memory.dmp

Filesize
1.4MB

Download
memory/324-85-0x0000000002000000-0x00000000020EC000-memory.dmp

Filesize
944KB

Download
memory/324-99-0x0000000004240000-0x000000000432A000-memory.dmp

Filesize
936KB

Download
memory/324-78-0x0000000000000000-mapping.dmp

Download
memory/324-101-0x00000000025D0000-0x0000000002622000-memory.dmp

Filesize
328KB

Download
memory/324-98-0x0000000004110000-0x000000000422B000-memory.dmp

Filesize
1.1MB

Download
memory/1188-65-0x00000000034F0000-0x00000000037D3000-memory.dmp

Filesize
2.9MB

Download
memory/1188-70-0x0000000000C30000-0x0000000000CD0000-memory.dmp

Filesize
640KB

Download
memory/1188-84-0x0000000000C30000-0x0000000000C93000-memory.dmp

Filesize
396KB

Download
memory/1188-76-0x0000000000C30000-0x0000000000CD0000-memory.dmp

Filesize
640KB

Download
memory/1188-72-0x00000000040F0000-0x000000000420B000-memory.dmp

Filesize
1.1MB

Download
memory/1188-75-0x0000000001220000-0x0000000001272000-memory.dmp

Filesize
328KB

Download
memory/1188-73-0x0000000004210000-0x00000000042FA000-memory.dmp

Filesize
936KB

Download
memory/1188-74-0x0000000004420000-0x000000000458B000-memory.dmp

Filesize
1.4MB

Download
memory/1188-71-0x0000000003EC0000-0x0000000003FB4000-memory.dmp

Filesize
976KB

Download
memory/1188-83-0x00000000034F0000-0x00000000037D3000-memory.dmp

Filesize
2.9MB

Download
memory/1188-69-0x0000000004420000-0x000000000458B000-memory.dmp

Filesize
1.4MB

Download
memory/1188-68-0x0000000003EC0000-0x0000000003FB4000-memory.dmp

Filesize
976KB

Download
memory/1188-66-0x00000000034F0000-0x00000000037D3000-memory.dmp

Filesize
2.9MB

Download
memory/1188-55-0x0000000000000000-mapping.dmp

Download
memory/1188-64-0x0000000000720000-0x000000000080C000-memory.dmp

Filesize
944KB

Download
memory/1188-63-0x00000000034F0000-0x00000000037D3000-memory.dmp

Filesize
2.9MB

Download
memory/1188-61-0x0000000000720000-0x000000000080C000-memory.dmp

Filesize
944KB

Download
memory/1188-60-0x0000000000720000-0x000000000080C000-memory.dmp

Filesize
944KB

Download
memory/1188-57-0x0000000074DC1000-0x0000000074DC3000-memory.dmp

Filesize
8KB

Download
memory/1416-54-0x000007FEFB9E1000-0x000007FEFB9E3000-memory.dmp

Filesize
8KB

Download