89b312d23ac3a08874718529e7fb0f32c523922cdc9614695c9c2cf114912222

Analysis

max time kernel
151s
max time network
75s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
30-10-2022 15:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

89b312d23ac3a08874718529e7fb0f32c523922cdc9614695c9c2cf114912222.exe
Size

660KB
MD5

82e8853db083da0b6eead7a7b79304d0
SHA1

121003898e223e68da72023fd3b5a3347b327c41
SHA256

89b312d23ac3a08874718529e7fb0f32c523922cdc9614695c9c2cf114912222
SHA512

d33e0ed016cff1de99d863166b2e22da2e88636dc7820bb59f5ec60ad5c85d8e8fda58efe31571efd6af8e81d9f9e74cfdc32fa746226c1027302f76a1860cf8
SSDEEP

12288:OHjcoe9PH96vB/fAuBcm9TyOE/xG3muGx44MG4Yx:ODgINfAuBcgcZG2uG24MG4Y

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1736	huhuyon.exe
1204	~DFA4E.tmp
1536	kuqevon.exe

Deletes itself 1 IoCs

pid	Process
1320	cmd.exe

Loads dropped DLL 3 IoCs

pid	Process
1812	89b312d23ac3a08874718529e7fb0f32c523922cdc9614695c9c2cf114912222.exe
1736	huhuyon.exe
1204	~DFA4E.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
1536	kuqevon.exe
1536	kuqevon.exe
1536	kuqevon.exe
1536	kuqevon.exe
1536	kuqevon.exe
1536	kuqevon.exe
1536	kuqevon.exe
1536	kuqevon.exe
1536	kuqevon.exe
1536	kuqevon.exe
1536	kuqevon.exe
1536	kuqevon.exe
1536	kuqevon.exe
1536	kuqevon.exe
1536	kuqevon.exe
1536	kuqevon.exe
1536	kuqevon.exe
1536	kuqevon.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1204	~DFA4E.tmp

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1812 wrote to memory of 1736	1812	89b312d23ac3a08874718529e7fb0f32c523922cdc9614695c9c2cf114912222.exe	28
PID 1812 wrote to memory of 1736	1812	89b312d23ac3a08874718529e7fb0f32c523922cdc9614695c9c2cf114912222.exe	28
PID 1812 wrote to memory of 1736	1812	89b312d23ac3a08874718529e7fb0f32c523922cdc9614695c9c2cf114912222.exe	28
PID 1812 wrote to memory of 1736	1812	89b312d23ac3a08874718529e7fb0f32c523922cdc9614695c9c2cf114912222.exe	28
PID 1812 wrote to memory of 1320	1812	89b312d23ac3a08874718529e7fb0f32c523922cdc9614695c9c2cf114912222.exe	30
PID 1812 wrote to memory of 1320	1812	89b312d23ac3a08874718529e7fb0f32c523922cdc9614695c9c2cf114912222.exe	30
PID 1812 wrote to memory of 1320	1812	89b312d23ac3a08874718529e7fb0f32c523922cdc9614695c9c2cf114912222.exe	30
PID 1812 wrote to memory of 1320	1812	89b312d23ac3a08874718529e7fb0f32c523922cdc9614695c9c2cf114912222.exe	30
PID 1736 wrote to memory of 1204	1736	huhuyon.exe	29
PID 1736 wrote to memory of 1204	1736	huhuyon.exe	29
PID 1736 wrote to memory of 1204	1736	huhuyon.exe	29
PID 1736 wrote to memory of 1204	1736	huhuyon.exe	29
PID 1204 wrote to memory of 1536	1204	~DFA4E.tmp	32
PID 1204 wrote to memory of 1536	1204	~DFA4E.tmp	32
PID 1204 wrote to memory of 1536	1204	~DFA4E.tmp	32
PID 1204 wrote to memory of 1536	1204	~DFA4E.tmp	32

C:\Users\Admin\AppData\Local\Temp\89b312d23ac3a08874718529e7fb0f32c523922cdc9614695c9c2cf114912222.exe
"C:\Users\Admin\AppData\Local\Temp\89b312d23ac3a08874718529e7fb0f32c523922cdc9614695c9c2cf114912222.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1812
- C:\Users\Admin\AppData\Local\Temp\huhuyon.exe
  C:\Users\Admin\AppData\Local\Temp\huhuyon.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1736
- - C:\Users\Admin\AppData\Local\Temp\~DFA4E.tmp
    C:\Users\Admin\AppData\Local\Temp\~DFA4E.tmp OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1204
  - - C:\Users\Admin\AppData\Local\Temp\kuqevon.exe
      "C:\Users\Admin\AppData\Local\Temp\kuqevon.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:1536
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
  2⤵
  - Deletes itself
  PID:1320

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uninsep.bat

Filesize
341B

MD5
2ef138429baa9a94867f3034a96e35da

SHA1
1a62d7bc5cbbb152f03e7c78fb3a8a48af571da0

SHA256
14a847644ece38b4af7145f1f788be0c9e70bbe9f7c5318717bcc5441e18e8e5

SHA512
5b028e64bc3bd4a2369e0e9e4703f5b4a2cd3191060a0be867ce92d270fd08626370d528ddd308d2baacd50edf5f6bc980fe1275a3c0118c08f71b6b00269b94

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
86bb2dbeaef655893262f3c041f6afe2

SHA1
1b26ff1241c1353bd506c18bd0c11878076ba65d

SHA256
4a57643d2c59d1235bc0926f845583f39345839e3e9428ad619eb4b6baf96ad2

SHA512
58294cfaa5882a4c5625c03fe6f9e4882912b31f7169241f95626745d66c0a746083a9044365943d66ae7a420113d28c0ddd642c4ed697c683deb63796a13d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
480B

MD5
a85b9976acea775e77da3cb8f1a36e90

SHA1
71f0b08a2384562a0f42c3c9525c64a740f3371e

SHA256
5de8d8c3f57c2ce858c5a1ef31a5b07d54e72894ae831e6dac4c3af7c2daeb09

SHA512
8b588fbb5e1b2f915db036fcd01fe13ba6a1430f929d074cf4cc5307248217c8f6793f6ae53093eda8d4a708d6c937830dab72bc8519cbc39393dae6992fb3cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\huhuyon.exe

Filesize
667KB

MD5
68d84697c84561ebfdf02a5907023040

SHA1
afa7df53fcd73e9d4ca3f6b175816da4b2b08d95

SHA256
0b28b57eb6ecd9620b2c0eaa4a377abb6143739f5c291a2b5184b5f88b49868e

SHA512
69b9590dc1e17be13ea51803583ece403b3a3de3366e320735db90b3cf30a1a06677fb260aabd98401c768019524ec8e7e7f8f4909284a6460e9048d9ffef009

Download Submit
C:\Users\Admin\AppData\Local\Temp\huhuyon.exe

Filesize
667KB

MD5
68d84697c84561ebfdf02a5907023040

SHA1
afa7df53fcd73e9d4ca3f6b175816da4b2b08d95

SHA256
0b28b57eb6ecd9620b2c0eaa4a377abb6143739f5c291a2b5184b5f88b49868e

SHA512
69b9590dc1e17be13ea51803583ece403b3a3de3366e320735db90b3cf30a1a06677fb260aabd98401c768019524ec8e7e7f8f4909284a6460e9048d9ffef009

Download Submit
C:\Users\Admin\AppData\Local\Temp\kuqevon.exe

Filesize
407KB

MD5
88b6f566994e768c18e3b3ceb94e1a42

SHA1
c49d769e590981b2fd61f889a31a043387cb0e66

SHA256
135f11cec34ebe7f7ef132d0c8249776d1dca129e9a9ac4eb3ba377490caf85d

SHA512
83e3d4910a43f93e8fad8e559663ec033065a6e020d98791a121f8208b89bd2c246cee85d16ae716f8d80456d01b69ae95dfb9a25d08c5a1939094c9a26af2fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA4E.tmp

Filesize
675KB

MD5
dd21f0ef13799147d64e3f41434c8161

SHA1
3f14b1ed4332ccb11382c2d7de52e9416dab1df4

SHA256
5fc2311d563a5db88dcc699f774208980b1d0b03ea867b9dad950b66973c2b71

SHA512
014d845301e19306b79ff07939a56e889512d7f6ae0653cdd71548df24a799de48fa797bc3c9d2d6364026f19f959e7367d997029f21643d63c38d19291b844e

Download Submit
\Users\Admin\AppData\Local\Temp\huhuyon.exe

Filesize
667KB

MD5
68d84697c84561ebfdf02a5907023040

SHA1
afa7df53fcd73e9d4ca3f6b175816da4b2b08d95

SHA256
0b28b57eb6ecd9620b2c0eaa4a377abb6143739f5c291a2b5184b5f88b49868e

SHA512
69b9590dc1e17be13ea51803583ece403b3a3de3366e320735db90b3cf30a1a06677fb260aabd98401c768019524ec8e7e7f8f4909284a6460e9048d9ffef009

Download Submit
\Users\Admin\AppData\Local\Temp\kuqevon.exe

Filesize
407KB

MD5
88b6f566994e768c18e3b3ceb94e1a42

SHA1
c49d769e590981b2fd61f889a31a043387cb0e66

SHA256
135f11cec34ebe7f7ef132d0c8249776d1dca129e9a9ac4eb3ba377490caf85d

SHA512
83e3d4910a43f93e8fad8e559663ec033065a6e020d98791a121f8208b89bd2c246cee85d16ae716f8d80456d01b69ae95dfb9a25d08c5a1939094c9a26af2fc

Download Submit
\Users\Admin\AppData\Local\Temp\~DFA4E.tmp

Filesize
675KB

MD5
dd21f0ef13799147d64e3f41434c8161

SHA1
3f14b1ed4332ccb11382c2d7de52e9416dab1df4

SHA256
5fc2311d563a5db88dcc699f774208980b1d0b03ea867b9dad950b66973c2b71

SHA512
014d845301e19306b79ff07939a56e889512d7f6ae0653cdd71548df24a799de48fa797bc3c9d2d6364026f19f959e7367d997029f21643d63c38d19291b844e

Download Submit
memory/1204-74-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1204-79-0x0000000003600000-0x000000000373E000-memory.dmp

Filesize
1.2MB

Download
memory/1204-73-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1536-80-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/1736-70-0x0000000002BF0000-0x0000000002CCE000-memory.dmp

Filesize
888KB

Download
memory/1736-72-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1736-69-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1812-68-0x0000000001E40000-0x0000000001F1E000-memory.dmp

Filesize
888KB

Download
memory/1812-54-0x0000000076411000-0x0000000076413000-memory.dmp

Filesize
8KB

Download
memory/1812-66-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1812-55-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download