7f8214a5ab0d111f313f594fe57f41f330a8883e69d1f596b4089e2f3937e683

General

Target

7f8214a5ab0d111f313f594fe57f41f330a8883e69d1f596b4089e2f3937e683.exe
Size

823KB
MD5

937a1b4613a2109448103c318cb7ab10
SHA1

1ac5bc876ec8026d57ce67fde624fab848f7b8d1
SHA256

7f8214a5ab0d111f313f594fe57f41f330a8883e69d1f596b4089e2f3937e683
SHA512

28db39b653ab91429546198a838cf4dd361f85a71a435aa825d49fab74273886b5225388d92b884ac7b6ae50eaf467b644caf76ad753e5fe114187fb6b89e2ba
SSDEEP

24576:QZJ+3Rbxv7mctSdkeXofT/+brY2Qwz+Rq7ISoZ:Go5xv7mcseeXr0IsS+

Score

9^/10

evasion

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	7f8214a5ab0d111f313f594fe57f41f330a8883e69d1f596b4089e2f3937e683.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	lofuj.exe

Executes dropped EXE 2 IoCs

pid	Process
972	lofuj.exe
1368	qujoh.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	7f8214a5ab0d111f313f594fe57f41f330a8883e69d1f596b4089e2f3937e683.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	lofuj.exe

Deletes itself 1 IoCs

pid	Process
1760	cmd.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Wine	lofuj.exe
Key opened	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Wine	7f8214a5ab0d111f313f594fe57f41f330a8883e69d1f596b4089e2f3937e683.exe

Loads dropped DLL 2 IoCs

pid	Process
112	7f8214a5ab0d111f313f594fe57f41f330a8883e69d1f596b4089e2f3937e683.exe
972	lofuj.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 36 IoCs

pid	Process
1368	qujoh.exe
1368	qujoh.exe
1368	qujoh.exe
1368	qujoh.exe
1368	qujoh.exe
1368	qujoh.exe
1368	qujoh.exe
1368	qujoh.exe
1368	qujoh.exe
1368	qujoh.exe
1368	qujoh.exe
1368	qujoh.exe
1368	qujoh.exe
1368	qujoh.exe
1368	qujoh.exe
1368	qujoh.exe
1368	qujoh.exe
1368	qujoh.exe
1368	qujoh.exe
1368	qujoh.exe
1368	qujoh.exe
1368	qujoh.exe
1368	qujoh.exe
1368	qujoh.exe
1368	qujoh.exe
1368	qujoh.exe
1368	qujoh.exe
1368	qujoh.exe
1368	qujoh.exe
1368	qujoh.exe
1368	qujoh.exe
1368	qujoh.exe
1368	qujoh.exe
1368	qujoh.exe
1368	qujoh.exe
1368	qujoh.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 112 wrote to memory of 972	112	7f8214a5ab0d111f313f594fe57f41f330a8883e69d1f596b4089e2f3937e683.exe	27
PID 112 wrote to memory of 972	112	7f8214a5ab0d111f313f594fe57f41f330a8883e69d1f596b4089e2f3937e683.exe	27
PID 112 wrote to memory of 972	112	7f8214a5ab0d111f313f594fe57f41f330a8883e69d1f596b4089e2f3937e683.exe	27
PID 112 wrote to memory of 972	112	7f8214a5ab0d111f313f594fe57f41f330a8883e69d1f596b4089e2f3937e683.exe	27
PID 112 wrote to memory of 1760	112	7f8214a5ab0d111f313f594fe57f41f330a8883e69d1f596b4089e2f3937e683.exe	28
PID 112 wrote to memory of 1760	112	7f8214a5ab0d111f313f594fe57f41f330a8883e69d1f596b4089e2f3937e683.exe	28
PID 112 wrote to memory of 1760	112	7f8214a5ab0d111f313f594fe57f41f330a8883e69d1f596b4089e2f3937e683.exe	28
PID 112 wrote to memory of 1760	112	7f8214a5ab0d111f313f594fe57f41f330a8883e69d1f596b4089e2f3937e683.exe	28
PID 972 wrote to memory of 1368	972	lofuj.exe	30
PID 972 wrote to memory of 1368	972	lofuj.exe	30
PID 972 wrote to memory of 1368	972	lofuj.exe	30
PID 972 wrote to memory of 1368	972	lofuj.exe	30

C:\Users\Admin\AppData\Local\Temp\7f8214a5ab0d111f313f594fe57f41f330a8883e69d1f596b4089e2f3937e683.exe
"C:\Users\Admin\AppData\Local\Temp\7f8214a5ab0d111f313f594fe57f41f330a8883e69d1f596b4089e2f3937e683.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:112
- C:\Users\Admin\AppData\Local\Temp\lofuj.exe
  "C:\Users\Admin\AppData\Local\Temp\lofuj.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:972
- - C:\Users\Admin\AppData\Local\Temp\qujoh.exe
    "C:\Users\Admin\AppData\Local\Temp\qujoh.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1368
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_sannuy.bat" "
  2⤵
  - Deletes itself
  PID:1760

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

2

T1082

Virtualization/Sandbox Evasion

2

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_sannuy.bat

Filesize
340B

MD5
fbf7eff8943376401b4cb00e1ee483e2

SHA1
6185e4e93ed5fee5250131ad5b05cea909a7cd0a

SHA256
d724df52b33fc1270bd939cfbd8f2c593b0261ae0a57ce77577265eb1fd8cccd

SHA512
d706cc5a7d4bfd6c40b7c2486f15e7b3f5b675ecdbe62e4322e1c0ba413f6b372fcd430c98588551e50e2156bc5e3e29bc472507b78299dea504e6514fc606ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
c47b47c214ce4417c48fd255c3941e39

SHA1
5a13d7639d161c427aeb38eadeb32bb6409a712d

SHA256
b1cc4f2ef9b34cadda50e0d0c4d5de06b8406f5228a7cc1b552a388a130c3f62

SHA512
23b2d0248f5f6cb0b94cc0b88261b9aecf58c1218980061ffdb9720a54dc5a56ff3b3a82b7a352500bca3333ba6bf75350eb3da6f671a524c8eab0ff33c6f132

Download Submit
C:\Users\Admin\AppData\Local\Temp\lofuj.exe

Filesize
823KB

MD5
3d57b3935de1eb112a2ccb8edcee37dc

SHA1
017eb4205edfd78d451119d6ecb36d6df922c43a

SHA256
b60081485360988fa56d91ad7b7d98660ff3d90f422a9ddead3a6eb2c097ab4d

SHA512
9eda01885e91a62fdd1026f7f722420a0f8825b95997e277bbac6d6dea90bc6715e04b49c6f570eaea5576d3ad2f9c2175d4ef2b3fd813776745fc97f6e66635

Download Submit
C:\Users\Admin\AppData\Local\Temp\lofuj.exe

Filesize
823KB

MD5
3d57b3935de1eb112a2ccb8edcee37dc

SHA1
017eb4205edfd78d451119d6ecb36d6df922c43a

SHA256
b60081485360988fa56d91ad7b7d98660ff3d90f422a9ddead3a6eb2c097ab4d

SHA512
9eda01885e91a62fdd1026f7f722420a0f8825b95997e277bbac6d6dea90bc6715e04b49c6f570eaea5576d3ad2f9c2175d4ef2b3fd813776745fc97f6e66635

Download Submit
C:\Users\Admin\AppData\Local\Temp\qujoh.exe

Filesize
205KB

MD5
564ec2e19aae8c09f1adede34c1ef597

SHA1
c6ebca9cbcd7f6189962905434f64c6907bcde6a

SHA256
03b95ef4f99a4ad00a9afb6d853c93851768cec0894faecca05941e67632299d

SHA512
08a8fc4eb45f734b2175dfa41393d594f4b05a80f7f78aa49364910125a2704c1c94e95c628d8d5144c755557d2af0cd6565c583da47bbe17e3b7660968ed877

Download Submit
\Users\Admin\AppData\Local\Temp\lofuj.exe

Filesize
823KB

MD5
3d57b3935de1eb112a2ccb8edcee37dc

SHA1
017eb4205edfd78d451119d6ecb36d6df922c43a

SHA256
b60081485360988fa56d91ad7b7d98660ff3d90f422a9ddead3a6eb2c097ab4d

SHA512
9eda01885e91a62fdd1026f7f722420a0f8825b95997e277bbac6d6dea90bc6715e04b49c6f570eaea5576d3ad2f9c2175d4ef2b3fd813776745fc97f6e66635

Download Submit
\Users\Admin\AppData\Local\Temp\qujoh.exe

Filesize
205KB

MD5
564ec2e19aae8c09f1adede34c1ef597

SHA1
c6ebca9cbcd7f6189962905434f64c6907bcde6a

SHA256
03b95ef4f99a4ad00a9afb6d853c93851768cec0894faecca05941e67632299d

SHA512
08a8fc4eb45f734b2175dfa41393d594f4b05a80f7f78aa49364910125a2704c1c94e95c628d8d5144c755557d2af0cd6565c583da47bbe17e3b7660968ed877

Download Submit
memory/112-56-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/112-61-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/112-54-0x0000000074C11000-0x0000000074C13000-memory.dmp

Filesize
8KB

Download
memory/112-55-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/972-63-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/972-65-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/972-67-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/972-72-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/1368-73-0x00000000008C0000-0x000000000098C000-memory.dmp

Filesize
816KB

Download
memory/1368-75-0x00000000008C0000-0x000000000098C000-memory.dmp

Filesize
816KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads