293af94a2fd33dd815fb6e7ad72f1489338994c70364a489cd68e592eec86c35

Analysis

max time kernel
150s
max time network
70s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
29/10/2022, 20:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

293af94a2fd33dd815fb6e7ad72f1489338994c70364a489cd68e592eec86c35.exe
Size

629KB
MD5

5a30808ccc39d0b175aa926a68aa5150
SHA1

7ea82e73a32bbb478c235fe3a637daf941883a6c
SHA256

293af94a2fd33dd815fb6e7ad72f1489338994c70364a489cd68e592eec86c35
SHA512

0d51c2cadbf386a49f1cc6d66d49cd7056b51b741fcd553589119b7c75629323123d389ab7e2f469185fd1a3700119d8d94fe526eafaaad0ac60c670944a255c
SSDEEP

12288:VHjcoe9PH96vB/fAuBcm9TyOE/xG3muGx44MG4Yx:VDgINfAuBcgcZG2uG24MG4Y

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1964	xykutua.exe
1572	~DFA4D.tmp
692	kuwija.exe

Deletes itself 1 IoCs

pid	Process
1668	cmd.exe

Loads dropped DLL 3 IoCs

pid	Process
1644	293af94a2fd33dd815fb6e7ad72f1489338994c70364a489cd68e592eec86c35.exe
1964	xykutua.exe
1572	~DFA4D.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
692	kuwija.exe
692	kuwija.exe
692	kuwija.exe
692	kuwija.exe
692	kuwija.exe
692	kuwija.exe
692	kuwija.exe
692	kuwija.exe
692	kuwija.exe
692	kuwija.exe
692	kuwija.exe
692	kuwija.exe
692	kuwija.exe
692	kuwija.exe
692	kuwija.exe
692	kuwija.exe
692	kuwija.exe
692	kuwija.exe
692	kuwija.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1572	~DFA4D.tmp

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1644 wrote to memory of 1964	1644	293af94a2fd33dd815fb6e7ad72f1489338994c70364a489cd68e592eec86c35.exe	28
PID 1644 wrote to memory of 1964	1644	293af94a2fd33dd815fb6e7ad72f1489338994c70364a489cd68e592eec86c35.exe	28
PID 1644 wrote to memory of 1964	1644	293af94a2fd33dd815fb6e7ad72f1489338994c70364a489cd68e592eec86c35.exe	28
PID 1644 wrote to memory of 1964	1644	293af94a2fd33dd815fb6e7ad72f1489338994c70364a489cd68e592eec86c35.exe	28
PID 1644 wrote to memory of 1668	1644	293af94a2fd33dd815fb6e7ad72f1489338994c70364a489cd68e592eec86c35.exe	29
PID 1644 wrote to memory of 1668	1644	293af94a2fd33dd815fb6e7ad72f1489338994c70364a489cd68e592eec86c35.exe	29
PID 1644 wrote to memory of 1668	1644	293af94a2fd33dd815fb6e7ad72f1489338994c70364a489cd68e592eec86c35.exe	29
PID 1644 wrote to memory of 1668	1644	293af94a2fd33dd815fb6e7ad72f1489338994c70364a489cd68e592eec86c35.exe	29
PID 1964 wrote to memory of 1572	1964	xykutua.exe	31
PID 1964 wrote to memory of 1572	1964	xykutua.exe	31
PID 1964 wrote to memory of 1572	1964	xykutua.exe	31
PID 1964 wrote to memory of 1572	1964	xykutua.exe	31
PID 1572 wrote to memory of 692	1572	~DFA4D.tmp	32
PID 1572 wrote to memory of 692	1572	~DFA4D.tmp	32
PID 1572 wrote to memory of 692	1572	~DFA4D.tmp	32
PID 1572 wrote to memory of 692	1572	~DFA4D.tmp	32

C:\Users\Admin\AppData\Local\Temp\293af94a2fd33dd815fb6e7ad72f1489338994c70364a489cd68e592eec86c35.exe
"C:\Users\Admin\AppData\Local\Temp\293af94a2fd33dd815fb6e7ad72f1489338994c70364a489cd68e592eec86c35.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1644
- C:\Users\Admin\AppData\Local\Temp\xykutua.exe
  C:\Users\Admin\AppData\Local\Temp\xykutua.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1964
- - C:\Users\Admin\AppData\Local\Temp\~DFA4D.tmp
    C:\Users\Admin\AppData\Local\Temp\~DFA4D.tmp OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1572
  - - C:\Users\Admin\AppData\Local\Temp\kuwija.exe
      "C:\Users\Admin\AppData\Local\Temp\kuwija.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:692
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
  2⤵
  - Deletes itself
  PID:1668

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uninsep.bat

Filesize
341B

MD5
cb0415465b0696c0ea73c957e6388001

SHA1
50e15d3a56d1ed904c4cc003395ebf2b038b639f

SHA256
c0f5535107b1519a52e18ded33678c7fffa16e421c34385c794cb437afd3b530

SHA512
8b9db40d8eaaffbb90f1ca2e02e275041c43267268f095b30d0f9d0f5233ecf83a85a96ad4246dfcc68514f35e682e4810e3e80d0aa5e48e8d7e16a12e175582

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
86bb2dbeaef655893262f3c041f6afe2

SHA1
1b26ff1241c1353bd506c18bd0c11878076ba65d

SHA256
4a57643d2c59d1235bc0926f845583f39345839e3e9428ad619eb4b6baf96ad2

SHA512
58294cfaa5882a4c5625c03fe6f9e4882912b31f7169241f95626745d66c0a746083a9044365943d66ae7a420113d28c0ddd642c4ed697c683deb63796a13d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
480B

MD5
f69649cabd085e90cab56a82b51f259f

SHA1
7aaffc62e441c3b5ca3a09679a05c9abe76c6121

SHA256
51443f89a2bfe42372b66fd8c5d1428989f1a9e1812d3008cfe9d533be86e871

SHA512
d870f570b6cfdb6dab054b92247d868e64ebd67006eb9be13c6b8fea8ade2bb228c8fe84dd50070879e41ede64168c20c7623f0d90d19e9f2601057eec964de9

Download Submit
C:\Users\Admin\AppData\Local\Temp\kuwija.exe

Filesize
413KB

MD5
5409da4672e740bdef15d096093b7d14

SHA1
472c9af11c94b63c248c352c67883f0b98c34615

SHA256
89a567f05e6145de010501f26b4319fdcb743ee73fb6c76a25d6e9c5f09c43ab

SHA512
e6c19ad2486574a5d6ce4784a7172625f1af643123f0d553e5ac7bf75b39b4f2d498f3d3868e342477547c7d4835a604ee656bacc4fca4d26f82c7955f7fea8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\xykutua.exe

Filesize
636KB

MD5
99c1e90c65f38591d606f0756c08e3ec

SHA1
bf8b0d0eaa063a403e688ac443caaa1373a31fd9

SHA256
e4d0262e16fa88c05c7b630662a74adbea68abca3fe6e004fbae7a94901cacc0

SHA512
28b0da08554ae5848df35cdf789311a67f95652754c451e914b297183e594287f7b11a75c86ddc8d6ddccf5c04ca96febe547c921e34e8a24a2255f385f1b4be

Download Submit
C:\Users\Admin\AppData\Local\Temp\xykutua.exe

Filesize
636KB

MD5
99c1e90c65f38591d606f0756c08e3ec

SHA1
bf8b0d0eaa063a403e688ac443caaa1373a31fd9

SHA256
e4d0262e16fa88c05c7b630662a74adbea68abca3fe6e004fbae7a94901cacc0

SHA512
28b0da08554ae5848df35cdf789311a67f95652754c451e914b297183e594287f7b11a75c86ddc8d6ddccf5c04ca96febe547c921e34e8a24a2255f385f1b4be

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA4D.tmp

Filesize
644KB

MD5
0c08e97ca675d55b19bed409a7e56da7

SHA1
7287fa1c5a5319a3ccfd4401aaeca39c8c5c9947

SHA256
6fc89e8c16748b993f5605afd618a8dea96f116f62b4d407016c8397d5bc04e0

SHA512
e40dc28719fe1326d6994a4e723a66074e7e3a2f17ad978c85c21a0b1dbb1d8aa1165440727f7a76f47c4449eb22038bc1f3ec5f2014e1954fa5f5b724f6e66f

Download Submit
\Users\Admin\AppData\Local\Temp\kuwija.exe

Filesize
413KB

MD5
5409da4672e740bdef15d096093b7d14

SHA1
472c9af11c94b63c248c352c67883f0b98c34615

SHA256
89a567f05e6145de010501f26b4319fdcb743ee73fb6c76a25d6e9c5f09c43ab

SHA512
e6c19ad2486574a5d6ce4784a7172625f1af643123f0d553e5ac7bf75b39b4f2d498f3d3868e342477547c7d4835a604ee656bacc4fca4d26f82c7955f7fea8b

Download Submit
\Users\Admin\AppData\Local\Temp\xykutua.exe

Filesize
636KB

MD5
99c1e90c65f38591d606f0756c08e3ec

SHA1
bf8b0d0eaa063a403e688ac443caaa1373a31fd9

SHA256
e4d0262e16fa88c05c7b630662a74adbea68abca3fe6e004fbae7a94901cacc0

SHA512
28b0da08554ae5848df35cdf789311a67f95652754c451e914b297183e594287f7b11a75c86ddc8d6ddccf5c04ca96febe547c921e34e8a24a2255f385f1b4be

Download Submit
\Users\Admin\AppData\Local\Temp\~DFA4D.tmp

Filesize
644KB

MD5
0c08e97ca675d55b19bed409a7e56da7

SHA1
7287fa1c5a5319a3ccfd4401aaeca39c8c5c9947

SHA256
6fc89e8c16748b993f5605afd618a8dea96f116f62b4d407016c8397d5bc04e0

SHA512
e40dc28719fe1326d6994a4e723a66074e7e3a2f17ad978c85c21a0b1dbb1d8aa1165440727f7a76f47c4449eb22038bc1f3ec5f2014e1954fa5f5b724f6e66f

Download Submit
memory/692-79-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/1572-78-0x0000000003890000-0x00000000039CE000-memory.dmp

Filesize
1.2MB

Download
memory/1572-73-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1572-70-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1644-68-0x0000000001EB0000-0x0000000001F8E000-memory.dmp

Filesize
888KB

Download
memory/1644-54-0x0000000075A11000-0x0000000075A13000-memory.dmp

Filesize
8KB

Download
memory/1644-62-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1644-55-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1964-72-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1964-71-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download