f18d7525b66aae5dc40469ef12123e67cb8240d2d61c5d19c0e04bf503c5266e

Analysis

max time kernel
150s
max time network
91s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
02/10/2022, 10:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f18d7525b66aae5dc40469ef12123e67cb8240d2d61c5d19c0e04bf503c5266e.exe
Size

697KB
MD5

66465db7589d8b70c6b219fcdaf54410
SHA1

448c8fad294662a1c1e3e26f96c3eacebe8880d5
SHA256

f18d7525b66aae5dc40469ef12123e67cb8240d2d61c5d19c0e04bf503c5266e
SHA512

1fa2dff948c872ce66fb74f7cfd9c9db3edcbef70100300c7fb20c8ee2514314e71e324d0e363c6430be317f1b01611bf25e8c95fd98dc349bed925c1da5f26e
SSDEEP

12288:VHjcoe9PH96vB/fAuBcm9TyOE/xG3muGx44MG4Yx:VDgINfAuBcgcZG2uG24MG4Y

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
384	cihypo.exe
936	~DFA64.tmp
1752	uhwusa.exe

Deletes itself 1 IoCs

pid	Process
1916	cmd.exe

Loads dropped DLL 3 IoCs

pid	Process
1508	f18d7525b66aae5dc40469ef12123e67cb8240d2d61c5d19c0e04bf503c5266e.exe
384	cihypo.exe
936	~DFA64.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
1752	uhwusa.exe
1752	uhwusa.exe
1752	uhwusa.exe
1752	uhwusa.exe
1752	uhwusa.exe
1752	uhwusa.exe
1752	uhwusa.exe
1752	uhwusa.exe
1752	uhwusa.exe
1752	uhwusa.exe
1752	uhwusa.exe
1752	uhwusa.exe
1752	uhwusa.exe
1752	uhwusa.exe
1752	uhwusa.exe
1752	uhwusa.exe
1752	uhwusa.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	936	~DFA64.tmp

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1508 wrote to memory of 384	1508	f18d7525b66aae5dc40469ef12123e67cb8240d2d61c5d19c0e04bf503c5266e.exe	27
PID 1508 wrote to memory of 384	1508	f18d7525b66aae5dc40469ef12123e67cb8240d2d61c5d19c0e04bf503c5266e.exe	27
PID 1508 wrote to memory of 384	1508	f18d7525b66aae5dc40469ef12123e67cb8240d2d61c5d19c0e04bf503c5266e.exe	27
PID 1508 wrote to memory of 384	1508	f18d7525b66aae5dc40469ef12123e67cb8240d2d61c5d19c0e04bf503c5266e.exe	27
PID 384 wrote to memory of 936	384	cihypo.exe	28
PID 384 wrote to memory of 936	384	cihypo.exe	28
PID 384 wrote to memory of 936	384	cihypo.exe	28
PID 384 wrote to memory of 936	384	cihypo.exe	28
PID 1508 wrote to memory of 1916	1508	f18d7525b66aae5dc40469ef12123e67cb8240d2d61c5d19c0e04bf503c5266e.exe	30
PID 1508 wrote to memory of 1916	1508	f18d7525b66aae5dc40469ef12123e67cb8240d2d61c5d19c0e04bf503c5266e.exe	30
PID 1508 wrote to memory of 1916	1508	f18d7525b66aae5dc40469ef12123e67cb8240d2d61c5d19c0e04bf503c5266e.exe	30
PID 1508 wrote to memory of 1916	1508	f18d7525b66aae5dc40469ef12123e67cb8240d2d61c5d19c0e04bf503c5266e.exe	30
PID 936 wrote to memory of 1752	936	~DFA64.tmp	31
PID 936 wrote to memory of 1752	936	~DFA64.tmp	31
PID 936 wrote to memory of 1752	936	~DFA64.tmp	31
PID 936 wrote to memory of 1752	936	~DFA64.tmp	31

C:\Users\Admin\AppData\Local\Temp\f18d7525b66aae5dc40469ef12123e67cb8240d2d61c5d19c0e04bf503c5266e.exe
"C:\Users\Admin\AppData\Local\Temp\f18d7525b66aae5dc40469ef12123e67cb8240d2d61c5d19c0e04bf503c5266e.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1508
- C:\Users\Admin\AppData\Local\Temp\cihypo.exe
  C:\Users\Admin\AppData\Local\Temp\cihypo.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:384
- - C:\Users\Admin\AppData\Local\Temp\~DFA64.tmp
    C:\Users\Admin\AppData\Local\Temp\~DFA64.tmp OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:936
  - - C:\Users\Admin\AppData\Local\Temp\uhwusa.exe
      "C:\Users\Admin\AppData\Local\Temp\uhwusa.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:1752
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
  2⤵
  - Deletes itself
  PID:1916

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uninsep.bat

Filesize
341B

MD5
eae99c42a45dd55fa196474fe80e9b42

SHA1
1b9e0aec380cccb2be95c54039f3a2818dcf6e79

SHA256
5775203e9d11195bcc0300058c19aa002b70565ebc3709db2070beffb30f28f7

SHA512
9c101f06e911360a97d33658be82062743d7efc50d54c1718f4e97f1ba69453064d11ad96f57923ecf555547ba2ce22661aa5b9ab696cfb817f5597e92fab262

Download Submit
C:\Users\Admin\AppData\Local\Temp\cihypo.exe

Filesize
697KB

MD5
5b7beceede29f482fb83643fe7721c24

SHA1
a895f1d2e0f6932f39dd6897bbfef48747e70152

SHA256
5b9c66439281421171d0f707d0b8bf558bb0cb3971484f010a6f13feed5fda6a

SHA512
ac26a6576e33fc17ce8928a91bf73c6dd9fb81e8c71a32ecb66a7e0d83d492c775f8a84476e353497dba23368a8056cb26aa938590253188df11847c00e5db15

Download Submit
C:\Users\Admin\AppData\Local\Temp\cihypo.exe

Filesize
697KB

MD5
5b7beceede29f482fb83643fe7721c24

SHA1
a895f1d2e0f6932f39dd6897bbfef48747e70152

SHA256
5b9c66439281421171d0f707d0b8bf558bb0cb3971484f010a6f13feed5fda6a

SHA512
ac26a6576e33fc17ce8928a91bf73c6dd9fb81e8c71a32ecb66a7e0d83d492c775f8a84476e353497dba23368a8056cb26aa938590253188df11847c00e5db15

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
86bb2dbeaef655893262f3c041f6afe2

SHA1
1b26ff1241c1353bd506c18bd0c11878076ba65d

SHA256
4a57643d2c59d1235bc0926f845583f39345839e3e9428ad619eb4b6baf96ad2

SHA512
58294cfaa5882a4c5625c03fe6f9e4882912b31f7169241f95626745d66c0a746083a9044365943d66ae7a420113d28c0ddd642c4ed697c683deb63796a13d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
480B

MD5
4f5687c8f9da0aeef488f85963390771

SHA1
a91db4cbac8903631a51b09b5df72526b6a22c17

SHA256
47e3d5f9c75546737c44fab2287534930cc967f45a75220062cce41cb7c86286

SHA512
fdd763637a5e716ddf8315a20bfca65d8c84e223c5a5ede68864b4304f339246e8e691c20d86c5d9aab83aad4342a07518a0aba49ed03ecbcc5304e4cf86b1eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\uhwusa.exe

Filesize
405KB

MD5
fbe4ed5676b35770a7539d95d3f51c73

SHA1
7131edcb06957793e1995347e17ab535bbcb00e9

SHA256
ea368d636bb83972a5f90c24bce7e0cb006d5307f2aa425e25c45193839fc1d0

SHA512
1c52e962dbe428f0ad77449e53d2c54bdb17f9f84945c0b1f7c6327beb4370f243fedb8b0138beeb669ae6e3b4cb81f5d92b4f76081874687efe98a514e0877f

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA64.tmp

Filesize
697KB

MD5
72aa997d2d26c505fe30b669cbbf4165

SHA1
6ccd8ad8fd8c53e5890f9d0bcec83fa33e6fc156

SHA256
38bbcdf4b3f9a308c71d4f2482efda0f6c3716d48b10bcfdc796d24f5f02ef68

SHA512
ab52fa9fbed3c4b237829a587496616ac119db7b190edede0d079eceb9f20535e6b6e17336ebf1d52f8c3b50e495755a798b3bdd9d122fc54cdb7acae6db5a85

Download Submit
\Users\Admin\AppData\Local\Temp\cihypo.exe

Filesize
697KB

MD5
5b7beceede29f482fb83643fe7721c24

SHA1
a895f1d2e0f6932f39dd6897bbfef48747e70152

SHA256
5b9c66439281421171d0f707d0b8bf558bb0cb3971484f010a6f13feed5fda6a

SHA512
ac26a6576e33fc17ce8928a91bf73c6dd9fb81e8c71a32ecb66a7e0d83d492c775f8a84476e353497dba23368a8056cb26aa938590253188df11847c00e5db15

Download Submit
\Users\Admin\AppData\Local\Temp\uhwusa.exe

Filesize
405KB

MD5
fbe4ed5676b35770a7539d95d3f51c73

SHA1
7131edcb06957793e1995347e17ab535bbcb00e9

SHA256
ea368d636bb83972a5f90c24bce7e0cb006d5307f2aa425e25c45193839fc1d0

SHA512
1c52e962dbe428f0ad77449e53d2c54bdb17f9f84945c0b1f7c6327beb4370f243fedb8b0138beeb669ae6e3b4cb81f5d92b4f76081874687efe98a514e0877f

Download Submit
\Users\Admin\AppData\Local\Temp\~DFA64.tmp

Filesize
697KB

MD5
72aa997d2d26c505fe30b669cbbf4165

SHA1
6ccd8ad8fd8c53e5890f9d0bcec83fa33e6fc156

SHA256
38bbcdf4b3f9a308c71d4f2482efda0f6c3716d48b10bcfdc796d24f5f02ef68

SHA512
ab52fa9fbed3c4b237829a587496616ac119db7b190edede0d079eceb9f20535e6b6e17336ebf1d52f8c3b50e495755a798b3bdd9d122fc54cdb7acae6db5a85

Download Submit
memory/384-70-0x0000000002C00000-0x0000000002CDE000-memory.dmp

Filesize
888KB

Download
memory/384-73-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/384-69-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/936-74-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/936-71-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/936-78-0x00000000036F0000-0x000000000382E000-memory.dmp

Filesize
1.2MB

Download
memory/1508-68-0x00000000006F0000-0x00000000007CE000-memory.dmp

Filesize
888KB

Download
memory/1508-67-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1508-54-0x0000000074C91000-0x0000000074C93000-memory.dmp

Filesize
8KB

Download
memory/1508-55-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1752-79-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download