6ff142316a8382b7e2d947697607b74fbc1576f937178d96407b420ea15fa3f7

Analysis

max time kernel
170s
max time network
163s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
06-11-2022 05:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6ff142316a8382b7e2d947697607b74fbc1576f937178d96407b420ea15fa3f7.exe
Size

644KB
MD5

21081c422b42907b32628ec887d39450
SHA1

715560155610087b25dcb4707a5b52256dbe5b74
SHA256

6ff142316a8382b7e2d947697607b74fbc1576f937178d96407b420ea15fa3f7
SHA512

1d058539d71ae33fc32f7fa164457632e6ce24099dd42007824669308b810c1e39fd7201686f516071c9101a8e186f363bd42e83d54a6ea2b3fdb7ce2a95e3f2
SSDEEP

12288:OHjcoe9PH96vB/fAuBcm9TyOE/xG3muGx44MG4Yx:ODgINfAuBcgcZG2uG24MG4Y

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1744	futuqij.exe
1700	~DFAA3.tmp
1444	ufrukyj.exe

Deletes itself 1 IoCs

pid	Process
1348	cmd.exe

Loads dropped DLL 3 IoCs

pid	Process
1892	6ff142316a8382b7e2d947697607b74fbc1576f937178d96407b420ea15fa3f7.exe
1744	futuqij.exe
1700	~DFAA3.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
1444	ufrukyj.exe
1444	ufrukyj.exe
1444	ufrukyj.exe
1444	ufrukyj.exe
1444	ufrukyj.exe
1444	ufrukyj.exe
1444	ufrukyj.exe
1444	ufrukyj.exe
1444	ufrukyj.exe
1444	ufrukyj.exe
1444	ufrukyj.exe
1444	ufrukyj.exe
1444	ufrukyj.exe
1444	ufrukyj.exe
1444	ufrukyj.exe
1444	ufrukyj.exe
1444	ufrukyj.exe
1444	ufrukyj.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1700	~DFAA3.tmp

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1892 wrote to memory of 1744	1892	6ff142316a8382b7e2d947697607b74fbc1576f937178d96407b420ea15fa3f7.exe	28
PID 1892 wrote to memory of 1744	1892	6ff142316a8382b7e2d947697607b74fbc1576f937178d96407b420ea15fa3f7.exe	28
PID 1892 wrote to memory of 1744	1892	6ff142316a8382b7e2d947697607b74fbc1576f937178d96407b420ea15fa3f7.exe	28
PID 1892 wrote to memory of 1744	1892	6ff142316a8382b7e2d947697607b74fbc1576f937178d96407b420ea15fa3f7.exe	28
PID 1892 wrote to memory of 1348	1892	6ff142316a8382b7e2d947697607b74fbc1576f937178d96407b420ea15fa3f7.exe	31
PID 1892 wrote to memory of 1348	1892	6ff142316a8382b7e2d947697607b74fbc1576f937178d96407b420ea15fa3f7.exe	31
PID 1892 wrote to memory of 1348	1892	6ff142316a8382b7e2d947697607b74fbc1576f937178d96407b420ea15fa3f7.exe	31
PID 1892 wrote to memory of 1348	1892	6ff142316a8382b7e2d947697607b74fbc1576f937178d96407b420ea15fa3f7.exe	31
PID 1744 wrote to memory of 1700	1744	futuqij.exe	30
PID 1744 wrote to memory of 1700	1744	futuqij.exe	30
PID 1744 wrote to memory of 1700	1744	futuqij.exe	30
PID 1744 wrote to memory of 1700	1744	futuqij.exe	30
PID 1700 wrote to memory of 1444	1700	~DFAA3.tmp	32
PID 1700 wrote to memory of 1444	1700	~DFAA3.tmp	32
PID 1700 wrote to memory of 1444	1700	~DFAA3.tmp	32
PID 1700 wrote to memory of 1444	1700	~DFAA3.tmp	32

C:\Users\Admin\AppData\Local\Temp\6ff142316a8382b7e2d947697607b74fbc1576f937178d96407b420ea15fa3f7.exe
"C:\Users\Admin\AppData\Local\Temp\6ff142316a8382b7e2d947697607b74fbc1576f937178d96407b420ea15fa3f7.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1892
- C:\Users\Admin\AppData\Local\Temp\futuqij.exe
  C:\Users\Admin\AppData\Local\Temp\futuqij.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1744
- - C:\Users\Admin\AppData\Local\Temp\~DFAA3.tmp
    C:\Users\Admin\AppData\Local\Temp\~DFAA3.tmp OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1700
  - - C:\Users\Admin\AppData\Local\Temp\ufrukyj.exe
      "C:\Users\Admin\AppData\Local\Temp\ufrukyj.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:1444
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
  2⤵
  - Deletes itself
  PID:1348

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uninsep.bat

Filesize
341B

MD5
cbdad522025a2672dd581691b6b8ccce

SHA1
8f0e0e89d3de484d4ca791ba05f04b51c8332eb4

SHA256
7e1c6d7d51fd16a9bdfe9683a081f2adf8b903efc1d2ea7d2d2adf0352c91018

SHA512
19a564262f78e16214936d5cf63ebb99f9d4b17273ff8b2e568f7454b20ccb52b97da3f96bf7dc11bb57d430e876f7aaa1cf65c6ea5620cba513b884225543ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\futuqij.exe

Filesize
648KB

MD5
1db8d26f733ba47281a4ddbc3c4a6407

SHA1
a9f887fad2890b8d7c6382f5de00e82e67da4336

SHA256
3a66ca886ce2c47b19001253009321b4a81c1e55fe372ea6c9bd06a1b90c4877

SHA512
887e60165d3f7d8bd4fdbedc1e33f26e68d0c7cfaee129421df7dcb6b19e756d5376f9b63b5820fee4461bc081d3b0c2461041ad838721c04539fa7b559f78f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\futuqij.exe

Filesize
648KB

MD5
1db8d26f733ba47281a4ddbc3c4a6407

SHA1
a9f887fad2890b8d7c6382f5de00e82e67da4336

SHA256
3a66ca886ce2c47b19001253009321b4a81c1e55fe372ea6c9bd06a1b90c4877

SHA512
887e60165d3f7d8bd4fdbedc1e33f26e68d0c7cfaee129421df7dcb6b19e756d5376f9b63b5820fee4461bc081d3b0c2461041ad838721c04539fa7b559f78f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
86bb2dbeaef655893262f3c041f6afe2

SHA1
1b26ff1241c1353bd506c18bd0c11878076ba65d

SHA256
4a57643d2c59d1235bc0926f845583f39345839e3e9428ad619eb4b6baf96ad2

SHA512
58294cfaa5882a4c5625c03fe6f9e4882912b31f7169241f95626745d66c0a746083a9044365943d66ae7a420113d28c0ddd642c4ed697c683deb63796a13d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
480B

MD5
b6945871a0efd758b7ccddfe7ba84e2d

SHA1
6f45e776f536c99748e241e65dcb9a9649162460

SHA256
c9e81392a239f1308cd74d9c501499884a9e01a1e85a53cbdaede28a6935c515

SHA512
be12c46a7e7be888e2058faba39b40097f8944037aac08cf685f02eecc54b1a1014efa9165d102221058ed2da9355088567e86b01dec7feec12e4fb21a290639

Download Submit
C:\Users\Admin\AppData\Local\Temp\ufrukyj.exe

Filesize
401KB

MD5
84680941a03a9a259509eeea4548b31f

SHA1
bdbd24c592f86633f182f6e0e080f81f3b86e6f1

SHA256
3900c25be6e518060d2022645a8e041f45762efb37a4b4d1d25415c0c32c8380

SHA512
4e488dc3b818b76f6b25f35681fa2c055c96540648636a9919cb0a4115823625db0b42e86f08a62bcf3b036c4d773c4e3978902660545a48ede4d4df59769bc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFAA3.tmp

Filesize
651KB

MD5
5f5def6f007ffe866fd3929267f6d1d8

SHA1
2616c2bbda966d5beec138a2cfa6c1317fedddd2

SHA256
a3cbc900d71f90809cf9f58dfbac86986742e64ac0b55795a6967d43ab32ba06

SHA512
d04df911db3394065254dda43c7bfe79c4f36ede941925ec0eaeafbffd45764cf3064c131381627718fffeea3d2585ef5860eb20ced52a2317b4788d47c9eca2

Download Submit
\Users\Admin\AppData\Local\Temp\futuqij.exe

Filesize
648KB

MD5
1db8d26f733ba47281a4ddbc3c4a6407

SHA1
a9f887fad2890b8d7c6382f5de00e82e67da4336

SHA256
3a66ca886ce2c47b19001253009321b4a81c1e55fe372ea6c9bd06a1b90c4877

SHA512
887e60165d3f7d8bd4fdbedc1e33f26e68d0c7cfaee129421df7dcb6b19e756d5376f9b63b5820fee4461bc081d3b0c2461041ad838721c04539fa7b559f78f7

Download Submit
\Users\Admin\AppData\Local\Temp\ufrukyj.exe

Filesize
401KB

MD5
84680941a03a9a259509eeea4548b31f

SHA1
bdbd24c592f86633f182f6e0e080f81f3b86e6f1

SHA256
3900c25be6e518060d2022645a8e041f45762efb37a4b4d1d25415c0c32c8380

SHA512
4e488dc3b818b76f6b25f35681fa2c055c96540648636a9919cb0a4115823625db0b42e86f08a62bcf3b036c4d773c4e3978902660545a48ede4d4df59769bc5

Download Submit
\Users\Admin\AppData\Local\Temp\~DFAA3.tmp

Filesize
651KB

MD5
5f5def6f007ffe866fd3929267f6d1d8

SHA1
2616c2bbda966d5beec138a2cfa6c1317fedddd2

SHA256
a3cbc900d71f90809cf9f58dfbac86986742e64ac0b55795a6967d43ab32ba06

SHA512
d04df911db3394065254dda43c7bfe79c4f36ede941925ec0eaeafbffd45764cf3064c131381627718fffeea3d2585ef5860eb20ced52a2317b4788d47c9eca2

Download Submit
memory/1444-78-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/1700-70-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1700-73-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1700-77-0x00000000037E0000-0x000000000391E000-memory.dmp

Filesize
1.2MB

Download
memory/1744-72-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1744-71-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1892-54-0x0000000075811000-0x0000000075813000-memory.dmp

Filesize
8KB

Download
memory/1892-63-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1892-68-0x0000000001F10000-0x0000000001FEE000-memory.dmp

Filesize
888KB

Download
memory/1892-55-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download