2aa2b861c5fad54e2a32fa2cc376871cd2d80a1485412073f5b5f461a7723e29

General

Target

file.exe
Size

299KB
MD5

d9145fe0ca078e3e8ed799105e393108
SHA1

3dab0d6ac85b82314add7e0773ad05635e5dbc1f
SHA256

2aa2b861c5fad54e2a32fa2cc376871cd2d80a1485412073f5b5f461a7723e29
SHA512

8cccc42d5bf3fe345ff3dc119408de574ac3da756e9b0f2e76160b225b21dba7bfbbc61cd40bccaef3c104fb566f3bd53a4ca1c17f55867bcccfbe37fbdc1229
SSDEEP

6144:ibE/HUk01969hJRIA767oUL5J3RvZrLZcCEyBoh/uwmZZ+:ibw01969PR9xU/1EyBWmw6Z+

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1520	duzcazams.exe

Loads dropped DLL 3 IoCs

pid	Process
1976	file.exe
1520	duzcazams.exe
1316	duzcazams.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1520 set thread context of 1316	1520	duzcazams.exe	29
PID 1316 set thread context of 1288	1316	duzcazams.exe	13
PID 1316 set thread context of 1288	1316	duzcazams.exe	13

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1316	duzcazams.exe
1316	duzcazams.exe
1316	duzcazams.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
1316	duzcazams.exe
1316	duzcazams.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1316	duzcazams.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1976 wrote to memory of 1520	1976	file.exe	27
PID 1976 wrote to memory of 1520	1976	file.exe	27
PID 1976 wrote to memory of 1520	1976	file.exe	27
PID 1976 wrote to memory of 1520	1976	file.exe	27
PID 1520 wrote to memory of 1316	1520	duzcazams.exe	29
PID 1520 wrote to memory of 1316	1520	duzcazams.exe	29
PID 1520 wrote to memory of 1316	1520	duzcazams.exe	29
PID 1520 wrote to memory of 1316	1520	duzcazams.exe	29
PID 1520 wrote to memory of 1316	1520	duzcazams.exe	29

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1288
- C:\Users\Admin\AppData\Local\Temp\file.exe
  "C:\Users\Admin\AppData\Local\Temp\file.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1976
- - C:\Users\Admin\AppData\Local\Temp\duzcazams.exe
    "C:\Users\Admin\AppData\Local\Temp\duzcazams.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1520
  - - C:\Users\Admin\AppData\Local\Temp\duzcazams.exe
      "C:\Users\Admin\AppData\Local\Temp\duzcazams.exe"
      4⤵
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:1316

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\duzcazams.exe

Filesize
133KB

MD5
9cc4b3dcc8a712968339507dfbefa5bc

SHA1
5909f209cf93e4365180ac050d663a2076e81af8

SHA256
3017920f6f2c95870bf938c2aab1c64e77c9b65e7f8ad7e3d81cdaeb58bacff3

SHA512
c5f5955302883578f4899f9250984bcedc375a7f2c1b3e1dd3912a1e334c8f247df757cb94a4ac8ed94918659b22f0070172dfbe0dc9fe567fece22a7b34364e

Download Submit
C:\Users\Admin\AppData\Local\Temp\duzcazams.exe

Filesize
133KB

MD5
9cc4b3dcc8a712968339507dfbefa5bc

SHA1
5909f209cf93e4365180ac050d663a2076e81af8

SHA256
3017920f6f2c95870bf938c2aab1c64e77c9b65e7f8ad7e3d81cdaeb58bacff3

SHA512
c5f5955302883578f4899f9250984bcedc375a7f2c1b3e1dd3912a1e334c8f247df757cb94a4ac8ed94918659b22f0070172dfbe0dc9fe567fece22a7b34364e

Download Submit
C:\Users\Admin\AppData\Local\Temp\duzcazams.exe

Filesize
133KB

MD5
9cc4b3dcc8a712968339507dfbefa5bc

SHA1
5909f209cf93e4365180ac050d663a2076e81af8

SHA256
3017920f6f2c95870bf938c2aab1c64e77c9b65e7f8ad7e3d81cdaeb58bacff3

SHA512
c5f5955302883578f4899f9250984bcedc375a7f2c1b3e1dd3912a1e334c8f247df757cb94a4ac8ed94918659b22f0070172dfbe0dc9fe567fece22a7b34364e

Download Submit
C:\Users\Admin\AppData\Local\Temp\eecmykwj.xuq

Filesize
185KB

MD5
eb786ca8456fb02e6299292f7464fa75

SHA1
4b6939380e970bcf1cc92b3ad3fa21916ea1ddab

SHA256
3e00383dd3ada755bb6cb3394d3b8b2d3e43dce6051600f4273f82d9963521c9

SHA512
9b1f6717f845975871fd45d5d6518a20b3ec223959acdbfd23fc2693f5f15d4a72f4f16a8220ac2bada3ffccba25068196b6c5afbc0d67ce3edbc9b3964e0979

Download Submit
C:\Users\Admin\AppData\Local\Temp\vgiybpcm.x

Filesize
4KB

MD5
f16bf3d9ad3ecf461f26e9a75e9bdc8b

SHA1
d5342aa6db4efa8e58ca7a7e379a66797c78203b

SHA256
d6f00878293204cc85c2a112f4f8160aeaa7601afcf4a64f78735a8eea11559b

SHA512
5156bcfa507faf5788bb92648a48c1cb56901798d351cdf6deff7861bd80962b52715c5e034146da07066acf434f85e7b660643dcb9d51b082067fc3dd9bcdaa

Download Submit
\Users\Admin\AppData\Local\Temp\duzcazams.exe

Filesize
133KB

MD5
9cc4b3dcc8a712968339507dfbefa5bc

SHA1
5909f209cf93e4365180ac050d663a2076e81af8

SHA256
3017920f6f2c95870bf938c2aab1c64e77c9b65e7f8ad7e3d81cdaeb58bacff3

SHA512
c5f5955302883578f4899f9250984bcedc375a7f2c1b3e1dd3912a1e334c8f247df757cb94a4ac8ed94918659b22f0070172dfbe0dc9fe567fece22a7b34364e

Download Submit
\Users\Admin\AppData\Local\Temp\duzcazams.exe

Filesize
133KB

MD5
9cc4b3dcc8a712968339507dfbefa5bc

SHA1
5909f209cf93e4365180ac050d663a2076e81af8

SHA256
3017920f6f2c95870bf938c2aab1c64e77c9b65e7f8ad7e3d81cdaeb58bacff3

SHA512
c5f5955302883578f4899f9250984bcedc375a7f2c1b3e1dd3912a1e334c8f247df757cb94a4ac8ed94918659b22f0070172dfbe0dc9fe567fece22a7b34364e

Download Submit
memory/1288-69-0x0000000006E80000-0x0000000007018000-memory.dmp

Filesize
1.6MB

Download
memory/1288-67-0x00000000064D0000-0x00000000065F4000-memory.dmp

Filesize
1.1MB

Download
memory/1316-65-0x0000000000990000-0x0000000000C93000-memory.dmp

Filesize
3.0MB

Download
memory/1316-66-0x0000000000290000-0x00000000002A4000-memory.dmp

Filesize
80KB

Download
memory/1316-68-0x00000000002E0000-0x00000000002F4000-memory.dmp

Filesize
80KB

Download
memory/1976-54-0x0000000075CF1000-0x0000000075CF3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing