f0f92cfcc4763448562d0afaf54e6a82fd14272613bafd5ed8137ed90fbf9f6b

Analysis

max time kernel
151s
max time network
86s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
12/10/2022, 18:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f0f92cfcc4763448562d0afaf54e6a82fd14272613bafd5ed8137ed90fbf9f6b.exe
Size

659KB
MD5

7a4b45520af8ee046f26ef982b7f9300
SHA1

80acf1fe8f5eedb4319d2bc2eb84649badbe1334
SHA256

f0f92cfcc4763448562d0afaf54e6a82fd14272613bafd5ed8137ed90fbf9f6b
SHA512

77c8a18a5a8ca27ce6bb5d66cce6254e5f1443699075aeaf5c5c8d97a96b8201aa7a018a2aeb98a9e6043fc250dbf06557d70f014d71f32643301faf00ccecda
SSDEEP

12288:VHjcoe9PH96vB/fAuBcm9TyOE/xG3muGx44MG4Yx:VDgINfAuBcgcZG2uG24MG4Y

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2036	uwhoza.exe
2032	~DFA5C.tmp
1496	mitiha.exe

Deletes itself 1 IoCs

pid	Process
1980	cmd.exe

Loads dropped DLL 3 IoCs

pid	Process
1536	f0f92cfcc4763448562d0afaf54e6a82fd14272613bafd5ed8137ed90fbf9f6b.exe
2036	uwhoza.exe
2032	~DFA5C.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
1496	mitiha.exe
1496	mitiha.exe
1496	mitiha.exe
1496	mitiha.exe
1496	mitiha.exe
1496	mitiha.exe
1496	mitiha.exe
1496	mitiha.exe
1496	mitiha.exe
1496	mitiha.exe
1496	mitiha.exe
1496	mitiha.exe
1496	mitiha.exe
1496	mitiha.exe
1496	mitiha.exe
1496	mitiha.exe
1496	mitiha.exe
1496	mitiha.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2032	~DFA5C.tmp

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1536 wrote to memory of 2036	1536	f0f92cfcc4763448562d0afaf54e6a82fd14272613bafd5ed8137ed90fbf9f6b.exe	27
PID 1536 wrote to memory of 2036	1536	f0f92cfcc4763448562d0afaf54e6a82fd14272613bafd5ed8137ed90fbf9f6b.exe	27
PID 1536 wrote to memory of 2036	1536	f0f92cfcc4763448562d0afaf54e6a82fd14272613bafd5ed8137ed90fbf9f6b.exe	27
PID 1536 wrote to memory of 2036	1536	f0f92cfcc4763448562d0afaf54e6a82fd14272613bafd5ed8137ed90fbf9f6b.exe	27
PID 2036 wrote to memory of 2032	2036	uwhoza.exe	28
PID 2036 wrote to memory of 2032	2036	uwhoza.exe	28
PID 2036 wrote to memory of 2032	2036	uwhoza.exe	28
PID 2036 wrote to memory of 2032	2036	uwhoza.exe	28
PID 1536 wrote to memory of 1980	1536	f0f92cfcc4763448562d0afaf54e6a82fd14272613bafd5ed8137ed90fbf9f6b.exe	29
PID 1536 wrote to memory of 1980	1536	f0f92cfcc4763448562d0afaf54e6a82fd14272613bafd5ed8137ed90fbf9f6b.exe	29
PID 1536 wrote to memory of 1980	1536	f0f92cfcc4763448562d0afaf54e6a82fd14272613bafd5ed8137ed90fbf9f6b.exe	29
PID 1536 wrote to memory of 1980	1536	f0f92cfcc4763448562d0afaf54e6a82fd14272613bafd5ed8137ed90fbf9f6b.exe	29
PID 2032 wrote to memory of 1496	2032	~DFA5C.tmp	31
PID 2032 wrote to memory of 1496	2032	~DFA5C.tmp	31
PID 2032 wrote to memory of 1496	2032	~DFA5C.tmp	31
PID 2032 wrote to memory of 1496	2032	~DFA5C.tmp	31

C:\Users\Admin\AppData\Local\Temp\f0f92cfcc4763448562d0afaf54e6a82fd14272613bafd5ed8137ed90fbf9f6b.exe
"C:\Users\Admin\AppData\Local\Temp\f0f92cfcc4763448562d0afaf54e6a82fd14272613bafd5ed8137ed90fbf9f6b.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1536
- C:\Users\Admin\AppData\Local\Temp\uwhoza.exe
  C:\Users\Admin\AppData\Local\Temp\uwhoza.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2036
- - C:\Users\Admin\AppData\Local\Temp\~DFA5C.tmp
    C:\Users\Admin\AppData\Local\Temp\~DFA5C.tmp OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2032
  - - C:\Users\Admin\AppData\Local\Temp\mitiha.exe
      "C:\Users\Admin\AppData\Local\Temp\mitiha.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:1496
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
  2⤵
  - Deletes itself
  PID:1980

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uninsep.bat

Filesize
341B

MD5
06bac5328782415e3e259173be5b5471

SHA1
fc932ad9be9c8e973d4f28d42ccad17f8ea95949

SHA256
00e51b79945a3df9b8d5c6852b5ae48ce89b3a12b0a462d0ae32c801587f8b7a

SHA512
a9947b5d1ddc223d30d880f3fc62939d6916fd89fda9a757c65a8d2fc0cc317d4904927194f1c4087236d6d16384415d6383559e2070b885b4080e024e07e77b

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
86bb2dbeaef655893262f3c041f6afe2

SHA1
1b26ff1241c1353bd506c18bd0c11878076ba65d

SHA256
4a57643d2c59d1235bc0926f845583f39345839e3e9428ad619eb4b6baf96ad2

SHA512
58294cfaa5882a4c5625c03fe6f9e4882912b31f7169241f95626745d66c0a746083a9044365943d66ae7a420113d28c0ddd642c4ed697c683deb63796a13d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
480B

MD5
6313677cb067feb5a6663e8a4e9940f5

SHA1
595d11991625021a87480db7d1f0c872c19ff80a

SHA256
05494e77a8863a86c162ff06691d5d461772233a3829ad30db16faba198d7f93

SHA512
9a33ec7937524dc3a96523cba03a281f61a495cd6a1e3c54e8e89cf51fb94af141a4d0b73fba95d83680cbfcd6fba78d759e6c71a571e2f065b3a07fb875b0a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\mitiha.exe

Filesize
377KB

MD5
7a4b5280dfb55e0be8162b8046c739cf

SHA1
e3d928f59f5a22edad6bb63c30f25ad60ab85556

SHA256
8b8f119785583112735bf7251c4db74d74b860464d1372ca4b01c8ebb00f4d1c

SHA512
40cc6e4629c253da2aee1178d3dbee2310a5fa224370428f7b82d792a1a017e10da8c4f49cde64c20153bfc9df717d24bd75f5697f4b578a804384dfab9153fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\uwhoza.exe

Filesize
661KB

MD5
5ce130477aeceaa34cbb9bae8fd62589

SHA1
4fbf27f9e4478f3dfc6bd3628c5c8947350dd69b

SHA256
c5c8200972eb3c02d62473a0c4c00c9a15d6c1b1117a7c3c0f8f7a3b02ed2361

SHA512
8a5ead872b968fd50a89f0763637da827a164405b17a8a2255704f5ac263015c09068b2de3f61c0b792fce44ee9de7ce6b5e1cd4cf50b2eb051a6c7a9b05360d

Download Submit
C:\Users\Admin\AppData\Local\Temp\uwhoza.exe

Filesize
661KB

MD5
5ce130477aeceaa34cbb9bae8fd62589

SHA1
4fbf27f9e4478f3dfc6bd3628c5c8947350dd69b

SHA256
c5c8200972eb3c02d62473a0c4c00c9a15d6c1b1117a7c3c0f8f7a3b02ed2361

SHA512
8a5ead872b968fd50a89f0763637da827a164405b17a8a2255704f5ac263015c09068b2de3f61c0b792fce44ee9de7ce6b5e1cd4cf50b2eb051a6c7a9b05360d

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA5C.tmp

Filesize
663KB

MD5
4709f1f334b29ef680d1ec101b30c859

SHA1
570102d503a8425cad9215c9bd5d958fb4836f31

SHA256
24168a47123b24e93a839897ccd0049ec22e66ddc564f6c44ed2a0ca366b80df

SHA512
d0fce60758963b7f1ed58bba0a6e6c58b827ad9db9065eba9ce75e9f699e5359e0895a28ac385844598fe83abacf3c88a89a371a789b2867450a27c92d9189a1

Download Submit
\Users\Admin\AppData\Local\Temp\mitiha.exe

Filesize
377KB

MD5
7a4b5280dfb55e0be8162b8046c739cf

SHA1
e3d928f59f5a22edad6bb63c30f25ad60ab85556

SHA256
8b8f119785583112735bf7251c4db74d74b860464d1372ca4b01c8ebb00f4d1c

SHA512
40cc6e4629c253da2aee1178d3dbee2310a5fa224370428f7b82d792a1a017e10da8c4f49cde64c20153bfc9df717d24bd75f5697f4b578a804384dfab9153fa

Download Submit
\Users\Admin\AppData\Local\Temp\uwhoza.exe

Filesize
661KB

MD5
5ce130477aeceaa34cbb9bae8fd62589

SHA1
4fbf27f9e4478f3dfc6bd3628c5c8947350dd69b

SHA256
c5c8200972eb3c02d62473a0c4c00c9a15d6c1b1117a7c3c0f8f7a3b02ed2361

SHA512
8a5ead872b968fd50a89f0763637da827a164405b17a8a2255704f5ac263015c09068b2de3f61c0b792fce44ee9de7ce6b5e1cd4cf50b2eb051a6c7a9b05360d

Download Submit
\Users\Admin\AppData\Local\Temp\~DFA5C.tmp

Filesize
663KB

MD5
4709f1f334b29ef680d1ec101b30c859

SHA1
570102d503a8425cad9215c9bd5d958fb4836f31

SHA256
24168a47123b24e93a839897ccd0049ec22e66ddc564f6c44ed2a0ca366b80df

SHA512
d0fce60758963b7f1ed58bba0a6e6c58b827ad9db9065eba9ce75e9f699e5359e0895a28ac385844598fe83abacf3c88a89a371a789b2867450a27c92d9189a1

Download Submit
memory/1496-78-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/1536-54-0x0000000076871000-0x0000000076873000-memory.dmp

Filesize
8KB

Download
memory/1536-55-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1536-62-0x0000000001E20000-0x0000000001EFE000-memory.dmp

Filesize
888KB

Download
memory/1536-69-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/2032-73-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/2032-72-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/2032-77-0x00000000035E0000-0x000000000371E000-memory.dmp

Filesize
1.2MB

Download
memory/2036-71-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/2036-63-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download