a308f7caa78428ebcc7daa1c3c6d1b8c0c1ea364dc1e385683faf56d144244ed

Analysis

max time kernel
152s
max time network
82s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
06/11/2022, 05:09

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a308f7caa78428ebcc7daa1c3c6d1b8c0c1ea364dc1e385683faf56d144244ed.exe
Size

613KB
MD5

3b82b316d22ec46e3fb7f49d4a15ad50
SHA1

a00c60dcf0b096682c7489add9a3fb5c01ed9cab
SHA256

a308f7caa78428ebcc7daa1c3c6d1b8c0c1ea364dc1e385683faf56d144244ed
SHA512

7562472de4f5fec1fb72cc4036e32b4cb297ad7210e80ad50c3939180e5d32256245c890b333e5ed619ac3b0fb99b4d570721c2b84e8c3c4bb4c48189c4fb288
SSDEEP

12288:VHjcoe9PH96vB/fAuBcm9TyOE/xG3muGx44MG4Yx:VDgINfAuBcgcZG2uG24MG4Y

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1964	uxynauv.exe
1396	~DFA66.tmp
560	misuzuv.exe

Deletes itself 1 IoCs

pid	Process
1448	cmd.exe

Loads dropped DLL 3 IoCs

pid	Process
604	a308f7caa78428ebcc7daa1c3c6d1b8c0c1ea364dc1e385683faf56d144244ed.exe
1964	uxynauv.exe
1396	~DFA66.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
560	misuzuv.exe
560	misuzuv.exe
560	misuzuv.exe
560	misuzuv.exe
560	misuzuv.exe
560	misuzuv.exe
560	misuzuv.exe
560	misuzuv.exe
560	misuzuv.exe
560	misuzuv.exe
560	misuzuv.exe
560	misuzuv.exe
560	misuzuv.exe
560	misuzuv.exe
560	misuzuv.exe
560	misuzuv.exe
560	misuzuv.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1396	~DFA66.tmp

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 604 wrote to memory of 1964	604	a308f7caa78428ebcc7daa1c3c6d1b8c0c1ea364dc1e385683faf56d144244ed.exe	26
PID 604 wrote to memory of 1964	604	a308f7caa78428ebcc7daa1c3c6d1b8c0c1ea364dc1e385683faf56d144244ed.exe	26
PID 604 wrote to memory of 1964	604	a308f7caa78428ebcc7daa1c3c6d1b8c0c1ea364dc1e385683faf56d144244ed.exe	26
PID 604 wrote to memory of 1964	604	a308f7caa78428ebcc7daa1c3c6d1b8c0c1ea364dc1e385683faf56d144244ed.exe	26
PID 1964 wrote to memory of 1396	1964	uxynauv.exe	27
PID 1964 wrote to memory of 1396	1964	uxynauv.exe	27
PID 1964 wrote to memory of 1396	1964	uxynauv.exe	27
PID 1964 wrote to memory of 1396	1964	uxynauv.exe	27
PID 604 wrote to memory of 1448	604	a308f7caa78428ebcc7daa1c3c6d1b8c0c1ea364dc1e385683faf56d144244ed.exe	28
PID 604 wrote to memory of 1448	604	a308f7caa78428ebcc7daa1c3c6d1b8c0c1ea364dc1e385683faf56d144244ed.exe	28
PID 604 wrote to memory of 1448	604	a308f7caa78428ebcc7daa1c3c6d1b8c0c1ea364dc1e385683faf56d144244ed.exe	28
PID 604 wrote to memory of 1448	604	a308f7caa78428ebcc7daa1c3c6d1b8c0c1ea364dc1e385683faf56d144244ed.exe	28
PID 1396 wrote to memory of 560	1396	~DFA66.tmp	30
PID 1396 wrote to memory of 560	1396	~DFA66.tmp	30
PID 1396 wrote to memory of 560	1396	~DFA66.tmp	30
PID 1396 wrote to memory of 560	1396	~DFA66.tmp	30

C:\Users\Admin\AppData\Local\Temp\a308f7caa78428ebcc7daa1c3c6d1b8c0c1ea364dc1e385683faf56d144244ed.exe
"C:\Users\Admin\AppData\Local\Temp\a308f7caa78428ebcc7daa1c3c6d1b8c0c1ea364dc1e385683faf56d144244ed.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:604
- C:\Users\Admin\AppData\Local\Temp\uxynauv.exe
  C:\Users\Admin\AppData\Local\Temp\uxynauv.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1964
- - C:\Users\Admin\AppData\Local\Temp\~DFA66.tmp
    C:\Users\Admin\AppData\Local\Temp\~DFA66.tmp OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1396
  - - C:\Users\Admin\AppData\Local\Temp\misuzuv.exe
      "C:\Users\Admin\AppData\Local\Temp\misuzuv.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:560
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
  2⤵
  - Deletes itself
  PID:1448

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uninsep.bat

Filesize
341B

MD5
48716aa00cc6e044201bb296945448d8

SHA1
24a482064454066e2f3a3d603be3e13164fafd78

SHA256
57fc22cbed1760b31fc512893100d51b7cf6039bc449873c664bc7368d148cc3

SHA512
0b581103bd2ab89c88c52a94e53f37334cf07eb3caca75a90c39e820b4440efb27d947297eff775478e0a8fb3ee024225ce3de90db5864ef6d38a38f425f504c

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
86bb2dbeaef655893262f3c041f6afe2

SHA1
1b26ff1241c1353bd506c18bd0c11878076ba65d

SHA256
4a57643d2c59d1235bc0926f845583f39345839e3e9428ad619eb4b6baf96ad2

SHA512
58294cfaa5882a4c5625c03fe6f9e4882912b31f7169241f95626745d66c0a746083a9044365943d66ae7a420113d28c0ddd642c4ed697c683deb63796a13d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
480B

MD5
a8b92e2c5ed2cc40d25c1972d2e6bcaa

SHA1
ac832fdfbf0b1399778b8acaf8c77618dd089ae0

SHA256
d332f4521310316cb01d52d6695a077366be1af590b1dceb32424c25a117ed7b

SHA512
264c50628f900cd77a51bd969b818c6f77b83046af72687094de63463b704bcf9cd8c9311b720164071d4ccf415af92d03189f51db0e0199b0a6c9a36b714f44

Download Submit
C:\Users\Admin\AppData\Local\Temp\misuzuv.exe

Filesize
413KB

MD5
0d4176584c5c3735020af54335db7dec

SHA1
049ecde939e91b1ccd8b8a9ef80dab1bd3c1698b

SHA256
461c17db38f7eb9756f61233f0260ddb453aaaf96cd1b451580424f62a1a5ace

SHA512
635dc3b57706e5316af11183722b06cc71dc923c834d33290f36bb3f344bfa7110107f84573b809f9dd9147ee6f84f5afd4706555d0381fc68ff40bfbb47e499

Download Submit
C:\Users\Admin\AppData\Local\Temp\uxynauv.exe

Filesize
622KB

MD5
ea93b57332a796446785c1b1ad16483d

SHA1
016405ffa58f2f13705728005dd3f6c6cd1a856a

SHA256
f87b2b40d5f52968a92beae60915a66247f99d8066314f079f120bc7ef379781

SHA512
68d2e1313caa8c2f818140d192aadea508367d057f121836fcbd1635a28cae7478d766a770c7d925b613ac46b2aa1d719886b3ff3c3b976e9e9e5b6208311350

Download Submit
C:\Users\Admin\AppData\Local\Temp\uxynauv.exe

Filesize
622KB

MD5
ea93b57332a796446785c1b1ad16483d

SHA1
016405ffa58f2f13705728005dd3f6c6cd1a856a

SHA256
f87b2b40d5f52968a92beae60915a66247f99d8066314f079f120bc7ef379781

SHA512
68d2e1313caa8c2f818140d192aadea508367d057f121836fcbd1635a28cae7478d766a770c7d925b613ac46b2aa1d719886b3ff3c3b976e9e9e5b6208311350

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA66.tmp

Filesize
624KB

MD5
6656743bcd3de71c26b60f49647659f1

SHA1
5118e47ad26c73489aed12a5a1e33e7818f46dcf

SHA256
a0291135f4581a375f0685f8fc7d33e99cdaf2c1522a0e4cfb63dbe52fb435c2

SHA512
1356a24037a08acfa5f4a4163df838dac715d3a4138b4cccd691a0ade2168526ede10d46e2387ccb6dd4e93cd1e31bbd189ce8e6f6bcde9d9c044f2cbcfe9a22

Download Submit
\Users\Admin\AppData\Local\Temp\misuzuv.exe

Filesize
413KB

MD5
0d4176584c5c3735020af54335db7dec

SHA1
049ecde939e91b1ccd8b8a9ef80dab1bd3c1698b

SHA256
461c17db38f7eb9756f61233f0260ddb453aaaf96cd1b451580424f62a1a5ace

SHA512
635dc3b57706e5316af11183722b06cc71dc923c834d33290f36bb3f344bfa7110107f84573b809f9dd9147ee6f84f5afd4706555d0381fc68ff40bfbb47e499

Download Submit
\Users\Admin\AppData\Local\Temp\uxynauv.exe

Filesize
622KB

MD5
ea93b57332a796446785c1b1ad16483d

SHA1
016405ffa58f2f13705728005dd3f6c6cd1a856a

SHA256
f87b2b40d5f52968a92beae60915a66247f99d8066314f079f120bc7ef379781

SHA512
68d2e1313caa8c2f818140d192aadea508367d057f121836fcbd1635a28cae7478d766a770c7d925b613ac46b2aa1d719886b3ff3c3b976e9e9e5b6208311350

Download Submit
\Users\Admin\AppData\Local\Temp\~DFA66.tmp

Filesize
624KB

MD5
6656743bcd3de71c26b60f49647659f1

SHA1
5118e47ad26c73489aed12a5a1e33e7818f46dcf

SHA256
a0291135f4581a375f0685f8fc7d33e99cdaf2c1522a0e4cfb63dbe52fb435c2

SHA512
1356a24037a08acfa5f4a4163df838dac715d3a4138b4cccd691a0ade2168526ede10d46e2387ccb6dd4e93cd1e31bbd189ce8e6f6bcde9d9c044f2cbcfe9a22

Download Submit
memory/560-78-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/604-61-0x0000000001E00000-0x0000000001EDE000-memory.dmp

Filesize
888KB

Download
memory/604-71-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/604-54-0x0000000075F81000-0x0000000075F83000-memory.dmp

Filesize
8KB

Download
memory/604-55-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1396-69-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1396-73-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1396-77-0x00000000037D0000-0x000000000390E000-memory.dmp

Filesize
1.2MB

Download
memory/1964-68-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1964-62-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download