5734a3be98a74e01e439d2eb7afde0cc0beb6e5432cad3f495e30cfcd9a5b769

General

Target

5734a3be98a74e01e439d2eb7afde0cc0beb6e5432cad3f495e30cfcd9a5b769.exe
Size

485KB
MD5

d61a6a3de2722219bc628ea207632e8b
SHA1

363e5c3f2bd92720587b6791eec211d8a6b85caa
SHA256

5734a3be98a74e01e439d2eb7afde0cc0beb6e5432cad3f495e30cfcd9a5b769
SHA512

3ed549d0fdd91cf2caa46a4b4e43e23e4895417798964cb660adf44e491f65ef4cbd12caa13261f27f7377e24a8df12b21c4ea868efe62d565966f1ba209f8b8

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

livet.exehukyz.exe

pid process

2020 livet.exe
1888 hukyz.exe

pid	process
2020	livet.exe
1888	hukyz.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\hukyz.exe	upx
\Users\Admin\AppData\Local\Temp\hukyz.exe	upx
C:\Users\Admin\AppData\Local\Temp\hukyz.exe	upx

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1264 cmd.exe
Loads dropped DLL 3 IoCs

Processes:

5734a3be98a74e01e439d2eb7afde0cc0beb6e5432cad3f495e30cfcd9a5b769.exelivet.exe

pid process

1676 5734a3be98a74e01e439d2eb7afde0cc0beb6e5432cad3f495e30cfcd9a5b769.exe
2020 livet.exe
2020 livet.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1264	cmd.exe

pid	process
1676	5734a3be98a74e01e439d2eb7afde0cc0beb6e5432cad3f495e30cfcd9a5b769.exe
2020	livet.exe
2020	livet.exe

Suspicious behavior: EnumeratesProcesses 49 IoCs

Processes:

hukyz.exe

pid	process
1888	hukyz.exe
1888	hukyz.exe
1888	hukyz.exe
1888	hukyz.exe
1888	hukyz.exe
1888	hukyz.exe
1888	hukyz.exe
1888	hukyz.exe
1888	hukyz.exe
1888	hukyz.exe
1888	hukyz.exe
1888	hukyz.exe
1888	hukyz.exe
1888	hukyz.exe
1888	hukyz.exe
1888	hukyz.exe
1888	hukyz.exe
1888	hukyz.exe
1888	hukyz.exe
1888	hukyz.exe
1888	hukyz.exe
1888	hukyz.exe
1888	hukyz.exe
1888	hukyz.exe
1888	hukyz.exe
1888	hukyz.exe
1888	hukyz.exe
1888	hukyz.exe
1888	hukyz.exe
1888	hukyz.exe
1888	hukyz.exe
1888	hukyz.exe
1888	hukyz.exe
1888	hukyz.exe
1888	hukyz.exe
1888	hukyz.exe
1888	hukyz.exe
1888	hukyz.exe
1888	hukyz.exe
1888	hukyz.exe
1888	hukyz.exe
1888	hukyz.exe
1888	hukyz.exe
1888	hukyz.exe
1888	hukyz.exe
1888	hukyz.exe
1888	hukyz.exe
1888	hukyz.exe
1888	hukyz.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

5734a3be98a74e01e439d2eb7afde0cc0beb6e5432cad3f495e30cfcd9a5b769.exelivet.exe

description	pid	process	target process
PID 1676 wrote to memory of 2020	1676	5734a3be98a74e01e439d2eb7afde0cc0beb6e5432cad3f495e30cfcd9a5b769.exe	livet.exe
PID 1676 wrote to memory of 2020	1676	5734a3be98a74e01e439d2eb7afde0cc0beb6e5432cad3f495e30cfcd9a5b769.exe	livet.exe
PID 1676 wrote to memory of 2020	1676	5734a3be98a74e01e439d2eb7afde0cc0beb6e5432cad3f495e30cfcd9a5b769.exe	livet.exe
PID 1676 wrote to memory of 2020	1676	5734a3be98a74e01e439d2eb7afde0cc0beb6e5432cad3f495e30cfcd9a5b769.exe	livet.exe
PID 1676 wrote to memory of 1264	1676	5734a3be98a74e01e439d2eb7afde0cc0beb6e5432cad3f495e30cfcd9a5b769.exe	cmd.exe
PID 1676 wrote to memory of 1264	1676	5734a3be98a74e01e439d2eb7afde0cc0beb6e5432cad3f495e30cfcd9a5b769.exe	cmd.exe
PID 1676 wrote to memory of 1264	1676	5734a3be98a74e01e439d2eb7afde0cc0beb6e5432cad3f495e30cfcd9a5b769.exe	cmd.exe
PID 1676 wrote to memory of 1264	1676	5734a3be98a74e01e439d2eb7afde0cc0beb6e5432cad3f495e30cfcd9a5b769.exe	cmd.exe
PID 2020 wrote to memory of 1888	2020	livet.exe	hukyz.exe
PID 2020 wrote to memory of 1888	2020	livet.exe	hukyz.exe
PID 2020 wrote to memory of 1888	2020	livet.exe	hukyz.exe
PID 2020 wrote to memory of 1888	2020	livet.exe	hukyz.exe

C:\Users\Admin\AppData\Local\Temp\5734a3be98a74e01e439d2eb7afde0cc0beb6e5432cad3f495e30cfcd9a5b769.exe
"C:\Users\Admin\AppData\Local\Temp\5734a3be98a74e01e439d2eb7afde0cc0beb6e5432cad3f495e30cfcd9a5b769.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1676

C:\Users\Admin\AppData\Local\Temp\livet.exe
"C:\Users\Admin\AppData\Local\Temp\livet.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2020

C:\Users\Admin\AppData\Local\Temp\hukyz.exe
"C:\Users\Admin\AppData\Local\Temp\hukyz.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1888

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
2⤵
- Deletes itself
PID:1264

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
MD5
21a911c5531a8589e1afe7f43fd50773

SHA1
90207e7572ad9d818d2b56220f21e8d82dddb601

SHA256
36f86938035f99e489e2e2ef2582a2c1abd8b24afa9814b9ee5362d1edf96628

SHA512
008e985a6c1aba31b4e5d8ffbcc2d61d575a8194df9b18f446aed885e947f88b065544c0bcfebc96f8ef3a5be6dfc08a99ede3645c65079bc2d9c0b5c88e6dfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
MD5
7a64c0f0962abd690015734bf5cc97e9

SHA1
226e84f40920d740f4ca9548dfeeea2787e9aa7d

SHA256
2c42017f8d7cdeeb3c4890b35e64192d54e2039af750ce72224d58c0ce763669

SHA512
e0031944c09d2dbd81534161ae8f792f5ed5d6835c0a6ce41c9deff5e4d6e875b8274633cf841c31e802552fdba4419d91852ad5bada0d135640437d1b2b7699

Download Submit
C:\Users\Admin\AppData\Local\Temp\hukyz.exe
MD5
6779329250a70957a7a0c66459f51ff6

SHA1
316508a07a061607b1e93aa54e9543d8bdb75ab4

SHA256
0c9f811b240f5c6fcfe98c12c3a1fa1c243402ed5f895bfe7d5d49dab750561f

SHA512
61c2f5fb07d14e3d51bf58bd5559818e408a3df7fe4a519438f40bd8b00d1300cb0384843a34d14d6b73d5ee9e66057ed179bce6ce0a40fd0378b5cfb7eaaa5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\livet.exe
MD5
bda42f2a4d18f05770ef3f0aa72d40bc

SHA1
d1da7bef7ef078a7b63e27a44651cb6c8ec9b176

SHA256
aba3e5c983ccf2e40c5664217fe458553a19930ea67d41b3c650640a53729438

SHA512
bb58178eaf502dc029e0dc267c0f3ce8ac1e1bc938eed5d92cb2fb344c5ca25d4ce979d063ff96ce99662c709a18357a94606ebc5c24d0cbbe5b31ae6defebc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\livet.exe
MD5
bda42f2a4d18f05770ef3f0aa72d40bc

SHA1
d1da7bef7ef078a7b63e27a44651cb6c8ec9b176

SHA256
aba3e5c983ccf2e40c5664217fe458553a19930ea67d41b3c650640a53729438

SHA512
bb58178eaf502dc029e0dc267c0f3ce8ac1e1bc938eed5d92cb2fb344c5ca25d4ce979d063ff96ce99662c709a18357a94606ebc5c24d0cbbe5b31ae6defebc2

Download Submit
\Users\Admin\AppData\Local\Temp\hukyz.exe
MD5
6779329250a70957a7a0c66459f51ff6

SHA1
316508a07a061607b1e93aa54e9543d8bdb75ab4

SHA256
0c9f811b240f5c6fcfe98c12c3a1fa1c243402ed5f895bfe7d5d49dab750561f

SHA512
61c2f5fb07d14e3d51bf58bd5559818e408a3df7fe4a519438f40bd8b00d1300cb0384843a34d14d6b73d5ee9e66057ed179bce6ce0a40fd0378b5cfb7eaaa5a

Download Submit
\Users\Admin\AppData\Local\Temp\hukyz.exe
MD5
6779329250a70957a7a0c66459f51ff6

SHA1
316508a07a061607b1e93aa54e9543d8bdb75ab4

SHA256
0c9f811b240f5c6fcfe98c12c3a1fa1c243402ed5f895bfe7d5d49dab750561f

SHA512
61c2f5fb07d14e3d51bf58bd5559818e408a3df7fe4a519438f40bd8b00d1300cb0384843a34d14d6b73d5ee9e66057ed179bce6ce0a40fd0378b5cfb7eaaa5a

Download Submit
\Users\Admin\AppData\Local\Temp\livet.exe
MD5
bda42f2a4d18f05770ef3f0aa72d40bc

SHA1
d1da7bef7ef078a7b63e27a44651cb6c8ec9b176

SHA256
aba3e5c983ccf2e40c5664217fe458553a19930ea67d41b3c650640a53729438

SHA512
bb58178eaf502dc029e0dc267c0f3ce8ac1e1bc938eed5d92cb2fb344c5ca25d4ce979d063ff96ce99662c709a18357a94606ebc5c24d0cbbe5b31ae6defebc2

Download Submit
memory/1264-67-0x0000000000000000-mapping.dmp

Download
memory/1676-61-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/1676-59-0x0000000075971000-0x0000000075973000-memory.dmp

Filesize
8KB

Download
memory/1676-60-0x00000000003F0000-0x000000000042B000-memory.dmp

Filesize
236KB

Download
memory/1888-74-0x0000000000000000-mapping.dmp

Download
memory/2020-66-0x00000000013B0000-0x00000000013EB000-memory.dmp

Filesize
236KB

Download
memory/2020-63-0x0000000000000000-mapping.dmp

Download
memory/2020-69-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads