19d4d4594cffde3006ddc68727e6a1e9798e7c1d7f5fedb5f4b63c3e00e4a720

Analysis

max time kernel
151s
max time network
70s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
11/10/2022, 16:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

19d4d4594cffde3006ddc68727e6a1e9798e7c1d7f5fedb5f4b63c3e00e4a720.exe
Size

697KB
MD5

7c322be974e8deb64b30fc7bc7c92cb8
SHA1

66d61d7b978fecfd28808b2c0632a0a3ad365600
SHA256

19d4d4594cffde3006ddc68727e6a1e9798e7c1d7f5fedb5f4b63c3e00e4a720
SHA512

b5859ae72285bc7d8c55026d5f340b713dc40e74d3754a7a16ae6863f49aa524d728c1551fcc1e8cf39a463b83b8f2f22466eacd52d69138c21109eecdaba868
SSDEEP

12288:VHjcoe9PH96vB/fAuBcm9TyOE/xG3muGx44MG4Yx:VDgINfAuBcgcZG2uG24MG4Y

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
956	curocuv.exe
1624	~DFA5E.tmp
452	vohuyzz.exe

Deletes itself 1 IoCs

pid	Process
1456	cmd.exe

Loads dropped DLL 3 IoCs

pid	Process
836	19d4d4594cffde3006ddc68727e6a1e9798e7c1d7f5fedb5f4b63c3e00e4a720.exe
956	curocuv.exe
1624	~DFA5E.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
452	vohuyzz.exe
452	vohuyzz.exe
452	vohuyzz.exe
452	vohuyzz.exe
452	vohuyzz.exe
452	vohuyzz.exe
452	vohuyzz.exe
452	vohuyzz.exe
452	vohuyzz.exe
452	vohuyzz.exe
452	vohuyzz.exe
452	vohuyzz.exe
452	vohuyzz.exe
452	vohuyzz.exe
452	vohuyzz.exe
452	vohuyzz.exe
452	vohuyzz.exe
452	vohuyzz.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1624	~DFA5E.tmp

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 836 wrote to memory of 956	836	19d4d4594cffde3006ddc68727e6a1e9798e7c1d7f5fedb5f4b63c3e00e4a720.exe	27
PID 836 wrote to memory of 956	836	19d4d4594cffde3006ddc68727e6a1e9798e7c1d7f5fedb5f4b63c3e00e4a720.exe	27
PID 836 wrote to memory of 956	836	19d4d4594cffde3006ddc68727e6a1e9798e7c1d7f5fedb5f4b63c3e00e4a720.exe	27
PID 836 wrote to memory of 956	836	19d4d4594cffde3006ddc68727e6a1e9798e7c1d7f5fedb5f4b63c3e00e4a720.exe	27
PID 956 wrote to memory of 1624	956	curocuv.exe	28
PID 956 wrote to memory of 1624	956	curocuv.exe	28
PID 956 wrote to memory of 1624	956	curocuv.exe	28
PID 956 wrote to memory of 1624	956	curocuv.exe	28
PID 836 wrote to memory of 1456	836	19d4d4594cffde3006ddc68727e6a1e9798e7c1d7f5fedb5f4b63c3e00e4a720.exe	29
PID 836 wrote to memory of 1456	836	19d4d4594cffde3006ddc68727e6a1e9798e7c1d7f5fedb5f4b63c3e00e4a720.exe	29
PID 836 wrote to memory of 1456	836	19d4d4594cffde3006ddc68727e6a1e9798e7c1d7f5fedb5f4b63c3e00e4a720.exe	29
PID 836 wrote to memory of 1456	836	19d4d4594cffde3006ddc68727e6a1e9798e7c1d7f5fedb5f4b63c3e00e4a720.exe	29
PID 1624 wrote to memory of 452	1624	~DFA5E.tmp	31
PID 1624 wrote to memory of 452	1624	~DFA5E.tmp	31
PID 1624 wrote to memory of 452	1624	~DFA5E.tmp	31
PID 1624 wrote to memory of 452	1624	~DFA5E.tmp	31

C:\Users\Admin\AppData\Local\Temp\19d4d4594cffde3006ddc68727e6a1e9798e7c1d7f5fedb5f4b63c3e00e4a720.exe
"C:\Users\Admin\AppData\Local\Temp\19d4d4594cffde3006ddc68727e6a1e9798e7c1d7f5fedb5f4b63c3e00e4a720.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:836
- C:\Users\Admin\AppData\Local\Temp\curocuv.exe
  C:\Users\Admin\AppData\Local\Temp\curocuv.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:956
- - C:\Users\Admin\AppData\Local\Temp\~DFA5E.tmp
    C:\Users\Admin\AppData\Local\Temp\~DFA5E.tmp OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1624
  - - C:\Users\Admin\AppData\Local\Temp\vohuyzz.exe
      "C:\Users\Admin\AppData\Local\Temp\vohuyzz.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:452
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
  2⤵
  - Deletes itself
  PID:1456

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uninsep.bat

Filesize
341B

MD5
40d89701cd9b30db06bc65ae857adc81

SHA1
e29e4a7d27d039b1c637ccc1cc7755fe6c9983d5

SHA256
19d5c0bbf595e06e01b0fbf6f80d4bbd41fa969623bd1396b8ce6eb1c534ea82

SHA512
c23e7049743094fc300fccbb9abc3ffbb8ae593fd817e38fe77f27696dd055582e8d2e503617994bee1cf394fdc05b302fa86dab89bbfe223afc71256e6d8787

Download Submit
C:\Users\Admin\AppData\Local\Temp\curocuv.exe

Filesize
701KB

MD5
bb1a65c66f71acefeb791ecbdad34ec7

SHA1
e120a237ba7dfd4d13f74508c0c44d5bdc08925a

SHA256
63feb92d73db7e4e7229004ac29df0af91fdc4584fe70d9d8af8a54f1c488b68

SHA512
4125c0d58313dd42d0912fef3441527c1a7dad7573a285ee3d3427a600c68ab23d492db173168c55c46378633f4033be6272b654de393f40e77b2f524dcf9319

Download Submit
C:\Users\Admin\AppData\Local\Temp\curocuv.exe

Filesize
701KB

MD5
bb1a65c66f71acefeb791ecbdad34ec7

SHA1
e120a237ba7dfd4d13f74508c0c44d5bdc08925a

SHA256
63feb92d73db7e4e7229004ac29df0af91fdc4584fe70d9d8af8a54f1c488b68

SHA512
4125c0d58313dd42d0912fef3441527c1a7dad7573a285ee3d3427a600c68ab23d492db173168c55c46378633f4033be6272b654de393f40e77b2f524dcf9319

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
86bb2dbeaef655893262f3c041f6afe2

SHA1
1b26ff1241c1353bd506c18bd0c11878076ba65d

SHA256
4a57643d2c59d1235bc0926f845583f39345839e3e9428ad619eb4b6baf96ad2

SHA512
58294cfaa5882a4c5625c03fe6f9e4882912b31f7169241f95626745d66c0a746083a9044365943d66ae7a420113d28c0ddd642c4ed697c683deb63796a13d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
480B

MD5
071d91566fb6bddf609f86a29b0de557

SHA1
b12dbfbad50d236395d558ddca362816d3da9758

SHA256
2da6d9a27b21ea312788188eb70b5993e11dd33f81043020e8f76a80e9b9d554

SHA512
aa9dda8a494f2594a9508dbf1297be214ce96a2c06902cbd64c613a2e9a9ec7645ab9d13665a1fbeea48b917dd38c4bfe20dce90bb9da4bfce0ea1e34f5325bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\vohuyzz.exe

Filesize
376KB

MD5
916d1188962ac7ab02f98dffe7d6b974

SHA1
1f50e1bdcaf8cfac21f5d22446ab652bfc74e8f3

SHA256
1d05cdd86bc1f95a978484ebede8aecb8e151fe6a1e9c8b313f586f45e8aef8c

SHA512
21f2fe69fa8fbf0998953485b46defdf4ce2a736be0c58c5b251216d3555cd252df11ef79eb68350dfafe9e3dadf67d7637c1cb5522046320531f1be77849f36

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA5E.tmp

Filesize
705KB

MD5
81973ddbaa1f661acc6b2932d557261a

SHA1
855c90da8e4fcd6c37d60f89b5f80ca4d7daed75

SHA256
0475d4567dab94bc83a0c4b8e0a68e58a7a9649c8a45f8237acbc64d15c05cae

SHA512
d65b8d3b56d332a34a39b204e3ea83fdb2777a050726ae7fb8302ffd3b18f6f9f254d1ddc2c4397cfad78a9df6a6779eb2272251026581ad1988c603eb9c24e0

Download Submit
\Users\Admin\AppData\Local\Temp\curocuv.exe

Filesize
701KB

MD5
bb1a65c66f71acefeb791ecbdad34ec7

SHA1
e120a237ba7dfd4d13f74508c0c44d5bdc08925a

SHA256
63feb92d73db7e4e7229004ac29df0af91fdc4584fe70d9d8af8a54f1c488b68

SHA512
4125c0d58313dd42d0912fef3441527c1a7dad7573a285ee3d3427a600c68ab23d492db173168c55c46378633f4033be6272b654de393f40e77b2f524dcf9319

Download Submit
\Users\Admin\AppData\Local\Temp\vohuyzz.exe

Filesize
376KB

MD5
916d1188962ac7ab02f98dffe7d6b974

SHA1
1f50e1bdcaf8cfac21f5d22446ab652bfc74e8f3

SHA256
1d05cdd86bc1f95a978484ebede8aecb8e151fe6a1e9c8b313f586f45e8aef8c

SHA512
21f2fe69fa8fbf0998953485b46defdf4ce2a736be0c58c5b251216d3555cd252df11ef79eb68350dfafe9e3dadf67d7637c1cb5522046320531f1be77849f36

Download Submit
\Users\Admin\AppData\Local\Temp\~DFA5E.tmp

Filesize
705KB

MD5
81973ddbaa1f661acc6b2932d557261a

SHA1
855c90da8e4fcd6c37d60f89b5f80ca4d7daed75

SHA256
0475d4567dab94bc83a0c4b8e0a68e58a7a9649c8a45f8237acbc64d15c05cae

SHA512
d65b8d3b56d332a34a39b204e3ea83fdb2777a050726ae7fb8302ffd3b18f6f9f254d1ddc2c4397cfad78a9df6a6779eb2272251026581ad1988c603eb9c24e0

Download Submit
memory/452-79-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/836-54-0x0000000075AD1000-0x0000000075AD3000-memory.dmp

Filesize
8KB

Download
memory/836-70-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/836-55-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/836-66-0x0000000001F70000-0x000000000204E000-memory.dmp

Filesize
888KB

Download
memory/956-72-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/956-67-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1624-68-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1624-73-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1624-78-0x00000000036B0000-0x00000000037EE000-memory.dmp

Filesize
1.2MB

Download