1d05865cde860a1f608fd49bb66177de78e910bb2dc231b57908a388dea5c0c2

Analysis

max time kernel
42s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
03-11-2022 08:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f30dc6dd8fe2e44bf9b8c45115e6f83c.exe
Size

226KB
MD5

f30dc6dd8fe2e44bf9b8c45115e6f83c
SHA1

cf0033fda00be69b914807455b696b37c24ad9cf
SHA256

1d05865cde860a1f608fd49bb66177de78e910bb2dc231b57908a388dea5c0c2
SHA512

7116d1742238ee2299f135a9f5d35ed0ff857710eb7c8ca2d99c32cab68ed9b39c906219c3933fc2bdd776319ca13ceebb345b25816898ac347a6eff6c818d72
SSDEEP

3072:qUJoFfWzzl+cSMgi/+Ddy9YOmX3ucUiO0avrbjIO127nn9ubNZnf1wAUYqqRKgsM:qweEp5l9rkuWzcEfn9ySIi+3MuOZW

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

yuyojlpdd.exeyuyojlpdd.exe

pid process

1712 yuyojlpdd.exe
960 yuyojlpdd.exe
Loads dropped DLL 5 IoCs

Processes:

f30dc6dd8fe2e44bf9b8c45115e6f83c.exeyuyojlpdd.exeWerFault.exe

pid process

1836 f30dc6dd8fe2e44bf9b8c45115e6f83c.exe
1712 yuyojlpdd.exe
1404 WerFault.exe
1404 WerFault.exe
1404 WerFault.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

yuyojlpdd.exe

description pid process target process

PID 1712 set thread context of 960 1712 yuyojlpdd.exe yuyojlpdd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1404 960 WerFault.exe yuyojlpdd.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

yuyojlpdd.exe

pid process

1712 yuyojlpdd.exe
1712 yuyojlpdd.exe

pid	process
1712	yuyojlpdd.exe
960	yuyojlpdd.exe

pid	process
1836	f30dc6dd8fe2e44bf9b8c45115e6f83c.exe
1712	yuyojlpdd.exe
1404	WerFault.exe
1404	WerFault.exe
1404	WerFault.exe

description	pid	process	target process
PID 1712 set thread context of 960	1712	yuyojlpdd.exe	yuyojlpdd.exe

pid	pid_target	process	target process
1404	960	WerFault.exe	yuyojlpdd.exe

pid	process
1712	yuyojlpdd.exe
1712	yuyojlpdd.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

f30dc6dd8fe2e44bf9b8c45115e6f83c.exeyuyojlpdd.exeyuyojlpdd.exe

description	pid	process	target process
PID 1836 wrote to memory of 1712	1836	f30dc6dd8fe2e44bf9b8c45115e6f83c.exe	yuyojlpdd.exe
PID 1836 wrote to memory of 1712	1836	f30dc6dd8fe2e44bf9b8c45115e6f83c.exe	yuyojlpdd.exe
PID 1836 wrote to memory of 1712	1836	f30dc6dd8fe2e44bf9b8c45115e6f83c.exe	yuyojlpdd.exe
PID 1836 wrote to memory of 1712	1836	f30dc6dd8fe2e44bf9b8c45115e6f83c.exe	yuyojlpdd.exe
PID 1712 wrote to memory of 960	1712	yuyojlpdd.exe	yuyojlpdd.exe
PID 1712 wrote to memory of 960	1712	yuyojlpdd.exe	yuyojlpdd.exe
PID 1712 wrote to memory of 960	1712	yuyojlpdd.exe	yuyojlpdd.exe
PID 1712 wrote to memory of 960	1712	yuyojlpdd.exe	yuyojlpdd.exe
PID 1712 wrote to memory of 960	1712	yuyojlpdd.exe	yuyojlpdd.exe
PID 960 wrote to memory of 1404	960	yuyojlpdd.exe	WerFault.exe
PID 960 wrote to memory of 1404	960	yuyojlpdd.exe	WerFault.exe
PID 960 wrote to memory of 1404	960	yuyojlpdd.exe	WerFault.exe
PID 960 wrote to memory of 1404	960	yuyojlpdd.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\f30dc6dd8fe2e44bf9b8c45115e6f83c.exe
"C:\Users\Admin\AppData\Local\Temp\f30dc6dd8fe2e44bf9b8c45115e6f83c.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1836

C:\Users\Admin\AppData\Local\Temp\yuyojlpdd.exe
"C:\Users\Admin\AppData\Local\Temp\yuyojlpdd.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1712

C:\Users\Admin\AppData\Local\Temp\yuyojlpdd.exe
"C:\Users\Admin\AppData\Local\Temp\yuyojlpdd.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 960 -s 36
4⤵
- Loads dropped DLL
- Program crash
PID:1404

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\uxihpr.zx
Filesize
5KB

MD5
d54e51cfe2eb61eecb8518184631a900

SHA1
a4c20513e75bf1785f4b5658328f7623635f6d53

SHA256
807d62f7c4ec7ff7804a8a88ce0d2f5be710e163d65e6c709ec9f6a675f73d10

SHA512
d0e8397bfaf380622d50aeeb85ae63c3f547a2237f4a5ce43b2f67f79464bbfe46c7f539f1ea42622e7f958aba42375d45d75838bb10403cb398ed61352597f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\wvvuxvn.cc
Filesize
185KB

MD5
91c02a03c98d9b9fcefdf2c006ad2e51

SHA1
00bc63213b18fe2a1e54560e93c74c83837bbdcb

SHA256
014d38ffaa628106fab91c0f5ca1682624b80891f681ddce51a12dd569ff4c89

SHA512
4fb0f6585fb93af610cdfd06eb06c7038fca1e75226fd440d43a7d948e5492621bf25a9bd69271f00029c27a44563bf4ee8f3bc12651407192497567cf120fad

Download Submit
C:\Users\Admin\AppData\Local\Temp\yuyojlpdd.exe
Filesize
8KB

MD5
b4d86ad7d19d5582a1cdd164f173d183

SHA1
62e9ea7e253105348dc04f87f49c5b83fd6abdc6

SHA256
8b034e2390d543fca81b71124c29304ee20a8d053170709fa11f061141ed11d2

SHA512
a512b5161249857d13640dfd1797c8dfd097e42a402ba546f6a4b8e272e3b050f3c2453faa86fe41cdda5a5216d2a50131c0c683ff0bfaf8887ef150a63a0180

Download Submit
C:\Users\Admin\AppData\Local\Temp\yuyojlpdd.exe
Filesize
8KB

MD5
b4d86ad7d19d5582a1cdd164f173d183

SHA1
62e9ea7e253105348dc04f87f49c5b83fd6abdc6

SHA256
8b034e2390d543fca81b71124c29304ee20a8d053170709fa11f061141ed11d2

SHA512
a512b5161249857d13640dfd1797c8dfd097e42a402ba546f6a4b8e272e3b050f3c2453faa86fe41cdda5a5216d2a50131c0c683ff0bfaf8887ef150a63a0180

Download Submit
C:\Users\Admin\AppData\Local\Temp\yuyojlpdd.exe
Filesize
8KB

MD5
b4d86ad7d19d5582a1cdd164f173d183

SHA1
62e9ea7e253105348dc04f87f49c5b83fd6abdc6

SHA256
8b034e2390d543fca81b71124c29304ee20a8d053170709fa11f061141ed11d2

SHA512
a512b5161249857d13640dfd1797c8dfd097e42a402ba546f6a4b8e272e3b050f3c2453faa86fe41cdda5a5216d2a50131c0c683ff0bfaf8887ef150a63a0180

Download Submit
\Users\Admin\AppData\Local\Temp\yuyojlpdd.exe
Filesize
8KB

MD5
b4d86ad7d19d5582a1cdd164f173d183

SHA1
62e9ea7e253105348dc04f87f49c5b83fd6abdc6

SHA256
8b034e2390d543fca81b71124c29304ee20a8d053170709fa11f061141ed11d2

SHA512
a512b5161249857d13640dfd1797c8dfd097e42a402ba546f6a4b8e272e3b050f3c2453faa86fe41cdda5a5216d2a50131c0c683ff0bfaf8887ef150a63a0180

Download Submit
\Users\Admin\AppData\Local\Temp\yuyojlpdd.exe
Filesize
8KB

MD5
b4d86ad7d19d5582a1cdd164f173d183

SHA1
62e9ea7e253105348dc04f87f49c5b83fd6abdc6

SHA256
8b034e2390d543fca81b71124c29304ee20a8d053170709fa11f061141ed11d2

SHA512
a512b5161249857d13640dfd1797c8dfd097e42a402ba546f6a4b8e272e3b050f3c2453faa86fe41cdda5a5216d2a50131c0c683ff0bfaf8887ef150a63a0180

Download Submit
\Users\Admin\AppData\Local\Temp\yuyojlpdd.exe
Filesize
8KB

MD5
b4d86ad7d19d5582a1cdd164f173d183

SHA1
62e9ea7e253105348dc04f87f49c5b83fd6abdc6

SHA256
8b034e2390d543fca81b71124c29304ee20a8d053170709fa11f061141ed11d2

SHA512
a512b5161249857d13640dfd1797c8dfd097e42a402ba546f6a4b8e272e3b050f3c2453faa86fe41cdda5a5216d2a50131c0c683ff0bfaf8887ef150a63a0180

Download Submit
\Users\Admin\AppData\Local\Temp\yuyojlpdd.exe
Filesize
8KB

MD5
b4d86ad7d19d5582a1cdd164f173d183

SHA1
62e9ea7e253105348dc04f87f49c5b83fd6abdc6

SHA256
8b034e2390d543fca81b71124c29304ee20a8d053170709fa11f061141ed11d2

SHA512
a512b5161249857d13640dfd1797c8dfd097e42a402ba546f6a4b8e272e3b050f3c2453faa86fe41cdda5a5216d2a50131c0c683ff0bfaf8887ef150a63a0180

Download Submit
\Users\Admin\AppData\Local\Temp\yuyojlpdd.exe
Filesize
8KB

MD5
b4d86ad7d19d5582a1cdd164f173d183

SHA1
62e9ea7e253105348dc04f87f49c5b83fd6abdc6

SHA256
8b034e2390d543fca81b71124c29304ee20a8d053170709fa11f061141ed11d2

SHA512
a512b5161249857d13640dfd1797c8dfd097e42a402ba546f6a4b8e272e3b050f3c2453faa86fe41cdda5a5216d2a50131c0c683ff0bfaf8887ef150a63a0180

Download Submit
memory/960-62-0x00000000000812B0-mapping.dmp

Download
memory/1404-64-0x0000000000000000-mapping.dmp

Download
memory/1712-56-0x0000000000000000-mapping.dmp

Download
memory/1836-54-0x0000000075771000-0x0000000075773000-memory.dmp

Filesize
8KB

Download