0477311de7ee742bffdec5df1de31dc8f0d71ef9ce75877a1176034443005428

Analysis

max time kernel
151s
max time network
71s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
12-10-2022 18:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0477311de7ee742bffdec5df1de31dc8f0d71ef9ce75877a1176034443005428.exe
Size

642KB
MD5

627345d0248e58651803ad8a242eb390
SHA1

4a8600cd8c3edd61822e4c0ccbcc543356f496f2
SHA256

0477311de7ee742bffdec5df1de31dc8f0d71ef9ce75877a1176034443005428
SHA512

f26a255b58c87ed89cfb16ea60eca069b8e7a53dba68b347449646c148d2df3fb567fd12ab5e6ab6639d6fbd5e6faba2e53d601dfe7ac9edefa33e8a482e5905
SSDEEP

12288:OHjcoe9PH96vB/fAuBcm9TyOE/xG3muGx44MG4Yx:ODgINfAuBcgcZG2uG24MG4Y

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1004	dugekuy.exe
1772	~DFA4B.tmp
776	huocsyo.exe

Deletes itself 1 IoCs

pid	Process
2044	cmd.exe

Loads dropped DLL 3 IoCs

pid	Process
1884	0477311de7ee742bffdec5df1de31dc8f0d71ef9ce75877a1176034443005428.exe
1004	dugekuy.exe
1772	~DFA4B.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
776	huocsyo.exe
776	huocsyo.exe
776	huocsyo.exe
776	huocsyo.exe
776	huocsyo.exe
776	huocsyo.exe
776	huocsyo.exe
776	huocsyo.exe
776	huocsyo.exe
776	huocsyo.exe
776	huocsyo.exe
776	huocsyo.exe
776	huocsyo.exe
776	huocsyo.exe
776	huocsyo.exe
776	huocsyo.exe
776	huocsyo.exe
776	huocsyo.exe
776	huocsyo.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1772	~DFA4B.tmp

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1884 wrote to memory of 1004	1884	0477311de7ee742bffdec5df1de31dc8f0d71ef9ce75877a1176034443005428.exe	28
PID 1884 wrote to memory of 1004	1884	0477311de7ee742bffdec5df1de31dc8f0d71ef9ce75877a1176034443005428.exe	28
PID 1884 wrote to memory of 1004	1884	0477311de7ee742bffdec5df1de31dc8f0d71ef9ce75877a1176034443005428.exe	28
PID 1884 wrote to memory of 1004	1884	0477311de7ee742bffdec5df1de31dc8f0d71ef9ce75877a1176034443005428.exe	28
PID 1884 wrote to memory of 2044	1884	0477311de7ee742bffdec5df1de31dc8f0d71ef9ce75877a1176034443005428.exe	29
PID 1884 wrote to memory of 2044	1884	0477311de7ee742bffdec5df1de31dc8f0d71ef9ce75877a1176034443005428.exe	29
PID 1884 wrote to memory of 2044	1884	0477311de7ee742bffdec5df1de31dc8f0d71ef9ce75877a1176034443005428.exe	29
PID 1884 wrote to memory of 2044	1884	0477311de7ee742bffdec5df1de31dc8f0d71ef9ce75877a1176034443005428.exe	29
PID 1004 wrote to memory of 1772	1004	dugekuy.exe	31
PID 1004 wrote to memory of 1772	1004	dugekuy.exe	31
PID 1004 wrote to memory of 1772	1004	dugekuy.exe	31
PID 1004 wrote to memory of 1772	1004	dugekuy.exe	31
PID 1772 wrote to memory of 776	1772	~DFA4B.tmp	32
PID 1772 wrote to memory of 776	1772	~DFA4B.tmp	32
PID 1772 wrote to memory of 776	1772	~DFA4B.tmp	32
PID 1772 wrote to memory of 776	1772	~DFA4B.tmp	32

C:\Users\Admin\AppData\Local\Temp\0477311de7ee742bffdec5df1de31dc8f0d71ef9ce75877a1176034443005428.exe
"C:\Users\Admin\AppData\Local\Temp\0477311de7ee742bffdec5df1de31dc8f0d71ef9ce75877a1176034443005428.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1884
- C:\Users\Admin\AppData\Local\Temp\dugekuy.exe
  C:\Users\Admin\AppData\Local\Temp\dugekuy.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1004
- - C:\Users\Admin\AppData\Local\Temp\~DFA4B.tmp
    C:\Users\Admin\AppData\Local\Temp\~DFA4B.tmp OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1772
  - - C:\Users\Admin\AppData\Local\Temp\huocsyo.exe
      "C:\Users\Admin\AppData\Local\Temp\huocsyo.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:776
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
  2⤵
  - Deletes itself
  PID:2044

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uninsep.bat

Filesize
341B

MD5
44ad11dacbf2c796190ac63dc1f33329

SHA1
c1be7ada5fc583f04d6ff910e3e1fdfdb835d2b1

SHA256
1f3945403ca02cec2a5b90dee24b50167d1fd18bc61f245644e76f4def24a001

SHA512
ec42c28b0f5f75e892da7eae282091d46bd8c596223809f19637643338122226837e921352a10df5d140db2da9557863d78cac33a49d5608348224d71474a172

Download Submit
C:\Users\Admin\AppData\Local\Temp\dugekuy.exe

Filesize
647KB

MD5
6f8221625f88d719b0b0f80b153809b7

SHA1
75063ef0dca8c13ef6cdfa881d4db3cd3a54d3c7

SHA256
da3a97fd06b08783b303d27cec3b376ad24537bbdd9c5ca43668b27055b8845e

SHA512
b569348067dff55063157ae5d370a2cac27fab2bf4681a1f65f6bdb521c2311974717c602fd9b4cd67641ae1618b737b9a1db87f09c32717837c869b04cb4be7

Download Submit
C:\Users\Admin\AppData\Local\Temp\dugekuy.exe

Filesize
647KB

MD5
6f8221625f88d719b0b0f80b153809b7

SHA1
75063ef0dca8c13ef6cdfa881d4db3cd3a54d3c7

SHA256
da3a97fd06b08783b303d27cec3b376ad24537bbdd9c5ca43668b27055b8845e

SHA512
b569348067dff55063157ae5d370a2cac27fab2bf4681a1f65f6bdb521c2311974717c602fd9b4cd67641ae1618b737b9a1db87f09c32717837c869b04cb4be7

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
86bb2dbeaef655893262f3c041f6afe2

SHA1
1b26ff1241c1353bd506c18bd0c11878076ba65d

SHA256
4a57643d2c59d1235bc0926f845583f39345839e3e9428ad619eb4b6baf96ad2

SHA512
58294cfaa5882a4c5625c03fe6f9e4882912b31f7169241f95626745d66c0a746083a9044365943d66ae7a420113d28c0ddd642c4ed697c683deb63796a13d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
480B

MD5
90555b2e2e61b63dd873b1292bb4c0ef

SHA1
114279da35c4cf43660e0f8b699666640b51d30c

SHA256
f466936aad44f25abd57b7ab89f394b0cfbcce50621ff9ffc2c5f95ca3ba2b1f

SHA512
e9b8f665ee3848414ebea03ae527f88c737be802cf1e1e87f1e75dc3111c2d74e2d3edcb07041bffdc917f80a251bd1da19d3c2a6a7732b3b6f916d5272dcbec

Download Submit
C:\Users\Admin\AppData\Local\Temp\huocsyo.exe

Filesize
378KB

MD5
78ab7c67945ac5c3d670e165157e5be7

SHA1
f391665e67a67d0cb2a6043e076da3a7f4f10929

SHA256
7302bd7c82e609341ebe748a8cc16faf78bf6f8bd752303415151ef70273b7e4

SHA512
3ed45c33e15f9e8ca4f9c5d8a17de72a7c25bc0a3a41c082dc1aeaa644a8f2e76d1f0ea12f5d5e17404b1dd40497c17d8b8e4c66e2c6c4008107aa025fbda5ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA4B.tmp

Filesize
652KB

MD5
79e2a01577ec6d20457cb55e48cf3d7c

SHA1
85e35e325cbbcb916cc41be22418d9fea7c67c1c

SHA256
f28e9af626790ce3e48936336169a58f714144a41e9e6cb017863dc10fe8b0b0

SHA512
8254924d410598dc74d0040ab877d3f73e5a62384ca39cb476ab0d75663d435b2a75dee6f8c4ef341b9c81102d07e543deb615ee4c3ff927a924a740479265fc

Download Submit
\Users\Admin\AppData\Local\Temp\dugekuy.exe

Filesize
647KB

MD5
6f8221625f88d719b0b0f80b153809b7

SHA1
75063ef0dca8c13ef6cdfa881d4db3cd3a54d3c7

SHA256
da3a97fd06b08783b303d27cec3b376ad24537bbdd9c5ca43668b27055b8845e

SHA512
b569348067dff55063157ae5d370a2cac27fab2bf4681a1f65f6bdb521c2311974717c602fd9b4cd67641ae1618b737b9a1db87f09c32717837c869b04cb4be7

Download Submit
\Users\Admin\AppData\Local\Temp\huocsyo.exe

Filesize
378KB

MD5
78ab7c67945ac5c3d670e165157e5be7

SHA1
f391665e67a67d0cb2a6043e076da3a7f4f10929

SHA256
7302bd7c82e609341ebe748a8cc16faf78bf6f8bd752303415151ef70273b7e4

SHA512
3ed45c33e15f9e8ca4f9c5d8a17de72a7c25bc0a3a41c082dc1aeaa644a8f2e76d1f0ea12f5d5e17404b1dd40497c17d8b8e4c66e2c6c4008107aa025fbda5ba

Download Submit
\Users\Admin\AppData\Local\Temp\~DFA4B.tmp

Filesize
652KB

MD5
79e2a01577ec6d20457cb55e48cf3d7c

SHA1
85e35e325cbbcb916cc41be22418d9fea7c67c1c

SHA256
f28e9af626790ce3e48936336169a58f714144a41e9e6cb017863dc10fe8b0b0

SHA512
8254924d410598dc74d0040ab877d3f73e5a62384ca39cb476ab0d75663d435b2a75dee6f8c4ef341b9c81102d07e543deb615ee4c3ff927a924a740479265fc

Download Submit
memory/776-79-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/1004-69-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1004-72-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1772-68-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1772-78-0x00000000035F0000-0x000000000372E000-memory.dmp

Filesize
1.2MB

Download
memory/1772-73-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1884-64-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1884-54-0x0000000076321000-0x0000000076323000-memory.dmp

Filesize
8KB

Download
memory/1884-55-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1884-70-0x0000000001EB0000-0x0000000001F8E000-memory.dmp

Filesize
888KB

Download