85606ccdbf5c4ca37e5df4dbdf84b2325ed32a8c27e0ead179c9e4ab8e24aff9

General

Target

ValoCunt @Soud69.exe
Size

743KB
MD5

6c89d252bd7122c913eee198d611cdda
SHA1

72970926fcad69035a191cefdc6969fd870def25
SHA256

b976cd38f95018691191b5731c32194d716ba1e9c720672fbe8a38a56ee944fb
SHA512

4bf689a95d751634b000a9fde2919940f7df5e32acad1f6f6c43e96ff1e6424d592a32837610fd60ff125d8bb0b0b49fb5f3ab447e517c77609096b39c644095
SSDEEP

12288:6wCwgqEbxgA/mDBxKhWKsXXe0enh7r/7mwHIy2gu8Gvdb1GploVrtT0Ov3e9uJ4n:6wCwg7xgAONwhWKsXQdLiIKb1GnoVrNu

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
876	UserOOBE.exe
112	winsrvhost.exe

Loads dropped DLL 5 IoCs

pid	Process
1788	ValoCunt @Soud69.exe
1788	ValoCunt @Soud69.exe
1788	ValoCunt @Soud69.exe
1788	ValoCunt @Soud69.exe
2012	lib.dll

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1788 wrote to memory of 876	1788	ValoCunt @Soud69.exe	28
PID 1788 wrote to memory of 876	1788	ValoCunt @Soud69.exe	28
PID 1788 wrote to memory of 876	1788	ValoCunt @Soud69.exe	28
PID 1788 wrote to memory of 876	1788	ValoCunt @Soud69.exe	28
PID 1788 wrote to memory of 940	1788	ValoCunt @Soud69.exe	29
PID 1788 wrote to memory of 940	1788	ValoCunt @Soud69.exe	29
PID 1788 wrote to memory of 940	1788	ValoCunt @Soud69.exe	29
PID 1788 wrote to memory of 940	1788	ValoCunt @Soud69.exe	29
PID 1788 wrote to memory of 112	1788	ValoCunt @Soud69.exe	30
PID 1788 wrote to memory of 112	1788	ValoCunt @Soud69.exe	30
PID 1788 wrote to memory of 112	1788	ValoCunt @Soud69.exe	30
PID 1788 wrote to memory of 112	1788	ValoCunt @Soud69.exe	30
PID 940 wrote to memory of 2012	940	lib.dll	31
PID 940 wrote to memory of 2012	940	lib.dll	31
PID 940 wrote to memory of 2012	940	lib.dll	31

C:\Users\Admin\AppData\Local\Temp\ValoCunt @Soud69.exe
"C:\Users\Admin\AppData\Local\Temp\ValoCunt @Soud69.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1788
- C:\ProgramData\UserOOBE\UserOOBE.exe
  C:\ProgramData\\UserOOBE\\UserOOBE.exe ,.
  2⤵
  - Executes dropped EXE
  PID:876
- C:\Users\Admin\AppData\Local\Temp\lib.dll
  lib.dll
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:940
- - C:\Users\Admin\AppData\Local\Temp\lib.dll
    lib.dll
    3⤵
    - Loads dropped DLL
    PID:2012
- C:\ProgramData\winsrvhost\winsrvhost.exe
  C:\ProgramData\\winsrvhost\\winsrvhost.exe
  2⤵
  - Executes dropped EXE
  PID:112

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\UserOOBE\UserOOBE.exe

Filesize
251KB

MD5
bc6f4d046400dfdb6d778fb1926766b6

SHA1
ce51637b97296bc4427bffcbc30273532fc2a212

SHA256
29615fb0394b6ca88d8982d5c005292de3b96e2096b3b6994a55eaf1fdd5c847

SHA512
b15a0f2111a485b65a5490f874646dd12c2f62a19912a1cb2d95a9c40fb42cdd659ca2acaab80d3268d570ea09ae46225721aab28567f718860bed0a71258555

Download Submit
C:\ProgramData\winsrvhost\winsrvhost.exe

Filesize
284KB

MD5
a317a0cc1f48e6529d5e87f4212a518b

SHA1
a15b80d2427f47a3efc963630132534146734547

SHA256
30ecbcec13191cd883eb65634af367c4c69cb82ddc3d7a79d40b7786a9547b27

SHA512
d923e2e7624ba764052ce72d27d20aadbade84cfc39ce8ed2d20c9bf9045a70b533cb8a6d05db0ffff3f66595d40273c02d2bf9a36e6baf4cf52b4700905cc4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9402\python310.dll

Filesize
4.2MB

MD5
a1185bef38fdba5e3fe6a71f93a9d142

SHA1
e2b40f5e518ad000002b239a84c153fdc35df4eb

SHA256
8d0bec69554317ccf1796c505d749d5c9f3be74ccbfce1d9e4d5fe64a536ae9e

SHA512
cb9baea9b483b9153efe2f453d6ac0f0846b140e465d07244f651c946900bfcd768a6b4c0c335ecebb45810bf08b7324501ea22b40cc7061b2f2bb98ed7897f4

Download Submit
\ProgramData\UserOOBE\UserOOBE.exe

Filesize
251KB

MD5
bc6f4d046400dfdb6d778fb1926766b6

SHA1
ce51637b97296bc4427bffcbc30273532fc2a212

SHA256
29615fb0394b6ca88d8982d5c005292de3b96e2096b3b6994a55eaf1fdd5c847

SHA512
b15a0f2111a485b65a5490f874646dd12c2f62a19912a1cb2d95a9c40fb42cdd659ca2acaab80d3268d570ea09ae46225721aab28567f718860bed0a71258555

Download Submit
\ProgramData\UserOOBE\UserOOBE.exe

Filesize
251KB

MD5
bc6f4d046400dfdb6d778fb1926766b6

SHA1
ce51637b97296bc4427bffcbc30273532fc2a212

SHA256
29615fb0394b6ca88d8982d5c005292de3b96e2096b3b6994a55eaf1fdd5c847

SHA512
b15a0f2111a485b65a5490f874646dd12c2f62a19912a1cb2d95a9c40fb42cdd659ca2acaab80d3268d570ea09ae46225721aab28567f718860bed0a71258555

Download Submit
\ProgramData\winsrvhost\winsrvhost.exe

Filesize
284KB

MD5
a317a0cc1f48e6529d5e87f4212a518b

SHA1
a15b80d2427f47a3efc963630132534146734547

SHA256
30ecbcec13191cd883eb65634af367c4c69cb82ddc3d7a79d40b7786a9547b27

SHA512
d923e2e7624ba764052ce72d27d20aadbade84cfc39ce8ed2d20c9bf9045a70b533cb8a6d05db0ffff3f66595d40273c02d2bf9a36e6baf4cf52b4700905cc4f

Download Submit
\ProgramData\winsrvhost\winsrvhost.exe

Filesize
284KB

MD5
a317a0cc1f48e6529d5e87f4212a518b

SHA1
a15b80d2427f47a3efc963630132534146734547

SHA256
30ecbcec13191cd883eb65634af367c4c69cb82ddc3d7a79d40b7786a9547b27

SHA512
d923e2e7624ba764052ce72d27d20aadbade84cfc39ce8ed2d20c9bf9045a70b533cb8a6d05db0ffff3f66595d40273c02d2bf9a36e6baf4cf52b4700905cc4f

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI9402\python310.dll

Filesize
4.2MB

MD5
a1185bef38fdba5e3fe6a71f93a9d142

SHA1
e2b40f5e518ad000002b239a84c153fdc35df4eb

SHA256
8d0bec69554317ccf1796c505d749d5c9f3be74ccbfce1d9e4d5fe64a536ae9e

SHA512
cb9baea9b483b9153efe2f453d6ac0f0846b140e465d07244f651c946900bfcd768a6b4c0c335ecebb45810bf08b7324501ea22b40cc7061b2f2bb98ed7897f4

Download Submit
memory/1788-54-0x0000000076201000-0x0000000076203000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing