d8e6c7ee68b71897d2175b778d25072b0ab08db7e050bee20eda9a5111098af2

Analysis

max time kernel
152s
max time network
73s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 21:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d8e6c7ee68b71897d2175b778d25072b0ab08db7e050bee20eda9a5111098af2.exe
Size

640KB
MD5

47946e214bd828a73ddb6afc5c9e9940
SHA1

c8a5a877d2de530a683d87ace820b55c3f7f0042
SHA256

d8e6c7ee68b71897d2175b778d25072b0ab08db7e050bee20eda9a5111098af2
SHA512

7f1f22238fda010f963a3ad371c125d2d5f72b8224a85dfe295ad1a61ab73696185e4bea9b5b8d04162eaa8e9f8a060780dc0cdeeac761f9b534d267f05b9c88
SSDEEP

12288:VHjcoe9PH96vB/fAuBcm9TyOE/xG3muGx44MG4Yx:VDgINfAuBcgcZG2uG24MG4Y

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

uqtemu.exe~DFA58.tmpkuxeho.exe

pid process

584 uqtemu.exe
1696 ~DFA58.tmp
1104 kuxeho.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1928 cmd.exe
Loads dropped DLL 3 IoCs

Processes:

d8e6c7ee68b71897d2175b778d25072b0ab08db7e050bee20eda9a5111098af2.exeuqtemu.exe~DFA58.tmp

pid process

2032 d8e6c7ee68b71897d2175b778d25072b0ab08db7e050bee20eda9a5111098af2.exe
584 uqtemu.exe
1696 ~DFA58.tmp
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
584	uqtemu.exe
1696	~DFA58.tmp
1104	kuxeho.exe

pid	process
1928	cmd.exe

pid	process
2032	d8e6c7ee68b71897d2175b778d25072b0ab08db7e050bee20eda9a5111098af2.exe
584	uqtemu.exe
1696	~DFA58.tmp

Suspicious behavior: EnumeratesProcesses 19 IoCs

Processes:

kuxeho.exe

pid	process
1104	kuxeho.exe
1104	kuxeho.exe
1104	kuxeho.exe
1104	kuxeho.exe
1104	kuxeho.exe
1104	kuxeho.exe
1104	kuxeho.exe
1104	kuxeho.exe
1104	kuxeho.exe
1104	kuxeho.exe
1104	kuxeho.exe
1104	kuxeho.exe
1104	kuxeho.exe
1104	kuxeho.exe
1104	kuxeho.exe
1104	kuxeho.exe
1104	kuxeho.exe
1104	kuxeho.exe
1104	kuxeho.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

~DFA58.tmp

description pid process

Token: SeDebugPrivilege 1696 ~DFA58.tmp

description	pid	process
Token: SeDebugPrivilege	1696	~DFA58.tmp

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

d8e6c7ee68b71897d2175b778d25072b0ab08db7e050bee20eda9a5111098af2.exeuqtemu.exe~DFA58.tmp

description	pid	process	target process
PID 2032 wrote to memory of 584	2032	d8e6c7ee68b71897d2175b778d25072b0ab08db7e050bee20eda9a5111098af2.exe	uqtemu.exe
PID 2032 wrote to memory of 584	2032	d8e6c7ee68b71897d2175b778d25072b0ab08db7e050bee20eda9a5111098af2.exe	uqtemu.exe
PID 2032 wrote to memory of 584	2032	d8e6c7ee68b71897d2175b778d25072b0ab08db7e050bee20eda9a5111098af2.exe	uqtemu.exe
PID 2032 wrote to memory of 584	2032	d8e6c7ee68b71897d2175b778d25072b0ab08db7e050bee20eda9a5111098af2.exe	uqtemu.exe
PID 2032 wrote to memory of 1928	2032	d8e6c7ee68b71897d2175b778d25072b0ab08db7e050bee20eda9a5111098af2.exe	cmd.exe
PID 2032 wrote to memory of 1928	2032	d8e6c7ee68b71897d2175b778d25072b0ab08db7e050bee20eda9a5111098af2.exe	cmd.exe
PID 2032 wrote to memory of 1928	2032	d8e6c7ee68b71897d2175b778d25072b0ab08db7e050bee20eda9a5111098af2.exe	cmd.exe
PID 2032 wrote to memory of 1928	2032	d8e6c7ee68b71897d2175b778d25072b0ab08db7e050bee20eda9a5111098af2.exe	cmd.exe
PID 584 wrote to memory of 1696	584	uqtemu.exe	~DFA58.tmp
PID 584 wrote to memory of 1696	584	uqtemu.exe	~DFA58.tmp
PID 584 wrote to memory of 1696	584	uqtemu.exe	~DFA58.tmp
PID 584 wrote to memory of 1696	584	uqtemu.exe	~DFA58.tmp
PID 1696 wrote to memory of 1104	1696	~DFA58.tmp	kuxeho.exe
PID 1696 wrote to memory of 1104	1696	~DFA58.tmp	kuxeho.exe
PID 1696 wrote to memory of 1104	1696	~DFA58.tmp	kuxeho.exe
PID 1696 wrote to memory of 1104	1696	~DFA58.tmp	kuxeho.exe

C:\Users\Admin\AppData\Local\Temp\d8e6c7ee68b71897d2175b778d25072b0ab08db7e050bee20eda9a5111098af2.exe
"C:\Users\Admin\AppData\Local\Temp\d8e6c7ee68b71897d2175b778d25072b0ab08db7e050bee20eda9a5111098af2.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2032

C:\Users\Admin\AppData\Local\Temp\uqtemu.exe
C:\Users\Admin\AppData\Local\Temp\uqtemu.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:584

C:\Users\Admin\AppData\Local\Temp\~DFA58.tmp
C:\Users\Admin\AppData\Local\Temp\~DFA58.tmp OK
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1696

C:\Users\Admin\AppData\Local\Temp\kuxeho.exe
"C:\Users\Admin\AppData\Local\Temp\kuxeho.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1104

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
2⤵
- Deletes itself
PID:1928

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uninsep.bat

Filesize
341B

MD5
0ceb8ea893f511509ad9cd0d5133d0d3

SHA1
ad682cfa42b8b670a863cb51536da0c525cb1070

SHA256
3cb324c4ec7cb0da2743d8ea61f87646f5e9bd2f1bc023d1306472df1eb3aad6

SHA512
5acf349ef193457464bef1123a62c25d650a9ab5b42f1952401bec179c0cbb037f393c70f16575ebd82a01687c481fdb7f916aac62069c12952d47a8209c2537

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
86bb2dbeaef655893262f3c041f6afe2

SHA1
1b26ff1241c1353bd506c18bd0c11878076ba65d

SHA256
4a57643d2c59d1235bc0926f845583f39345839e3e9428ad619eb4b6baf96ad2

SHA512
58294cfaa5882a4c5625c03fe6f9e4882912b31f7169241f95626745d66c0a746083a9044365943d66ae7a420113d28c0ddd642c4ed697c683deb63796a13d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
480B

MD5
fdfd8540aa0f154dc0950621d48ff022

SHA1
92b5349a2ef85d12cd13bb17a2d62460ab7ec470

SHA256
00820fa9ca8c72a1c211300d5340f340ffc3722bd0cabecc610752e02aefc61d

SHA512
52ca265a7dbd86be976395a9c2bdebe82e0204ab79eecb135fb30491071f96fe2e259c8014f83a25fe4d4e7676f22b514fea94f8916583c4f3b868ed8d40c6b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\kuxeho.exe

Filesize
417KB

MD5
2c179b6904e2317fe0c7f9c628dbda3a

SHA1
dfc7748bf980a1a37ff39998b6faa678ac5d4471

SHA256
d9569902c1660c39f4cee183f40a57d2f19993d549c9cef3f8f316eff87268cc

SHA512
56b995cc495ce4c43585fb5120cdb928c967c8fc541406e5bd5e8d2b219b7884c2c675cc76c5b23152a32a9bec7860b8d830c9980dcd0ff088f31909031c5ee9

Download Submit
C:\Users\Admin\AppData\Local\Temp\uqtemu.exe

Filesize
648KB

MD5
0dbad30113e08418cb0e85c3fe2a08fb

SHA1
5d713cb556de11ad93828b7bec8e5ee8ba9a86df

SHA256
e73ed0bbd96a3f950bb8ca26593ae4b2d9f34316f67a21a899c4679408c168c7

SHA512
1b8e1335ccea80513d5ab1e594180ca0e4d043abad4d4a70d107dbedb25e1de6801c0769146de6d27dfe018d3915125ffeda3390156e1d4dcb8cdcb59eeaba7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\uqtemu.exe

Filesize
648KB

MD5
0dbad30113e08418cb0e85c3fe2a08fb

SHA1
5d713cb556de11ad93828b7bec8e5ee8ba9a86df

SHA256
e73ed0bbd96a3f950bb8ca26593ae4b2d9f34316f67a21a899c4679408c168c7

SHA512
1b8e1335ccea80513d5ab1e594180ca0e4d043abad4d4a70d107dbedb25e1de6801c0769146de6d27dfe018d3915125ffeda3390156e1d4dcb8cdcb59eeaba7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA58.tmp

Filesize
656KB

MD5
d7415941ecb58a40cf915c2a0984c513

SHA1
93d6d4b72c497c52249c116f43505099fc960e87

SHA256
0bbc5fad476453a68830972c83105be1ebe0d99d083f4caf86a88f47b13a3348

SHA512
27453cb9085eb2f3a89bcf347f8e8d06cdc922cd01b7ec1fe8f5c39ddfdee26a8b92d2f12fe4069a09e66cfa183cf38e83ffd7ed8fc64fc033f47f9d39150493

Download Submit
\Users\Admin\AppData\Local\Temp\kuxeho.exe

Filesize
417KB

MD5
2c179b6904e2317fe0c7f9c628dbda3a

SHA1
dfc7748bf980a1a37ff39998b6faa678ac5d4471

SHA256
d9569902c1660c39f4cee183f40a57d2f19993d549c9cef3f8f316eff87268cc

SHA512
56b995cc495ce4c43585fb5120cdb928c967c8fc541406e5bd5e8d2b219b7884c2c675cc76c5b23152a32a9bec7860b8d830c9980dcd0ff088f31909031c5ee9

Download Submit
\Users\Admin\AppData\Local\Temp\uqtemu.exe

Filesize
648KB

MD5
0dbad30113e08418cb0e85c3fe2a08fb

SHA1
5d713cb556de11ad93828b7bec8e5ee8ba9a86df

SHA256
e73ed0bbd96a3f950bb8ca26593ae4b2d9f34316f67a21a899c4679408c168c7

SHA512
1b8e1335ccea80513d5ab1e594180ca0e4d043abad4d4a70d107dbedb25e1de6801c0769146de6d27dfe018d3915125ffeda3390156e1d4dcb8cdcb59eeaba7e

Download Submit
\Users\Admin\AppData\Local\Temp\~DFA58.tmp

Filesize
656KB

MD5
d7415941ecb58a40cf915c2a0984c513

SHA1
93d6d4b72c497c52249c116f43505099fc960e87

SHA256
0bbc5fad476453a68830972c83105be1ebe0d99d083f4caf86a88f47b13a3348

SHA512
27453cb9085eb2f3a89bcf347f8e8d06cdc922cd01b7ec1fe8f5c39ddfdee26a8b92d2f12fe4069a09e66cfa183cf38e83ffd7ed8fc64fc033f47f9d39150493

Download Submit
memory/584-71-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/584-57-0x0000000000000000-mapping.dmp

Download
memory/584-66-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1104-78-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/1104-75-0x0000000000000000-mapping.dmp

Download
memory/1696-72-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1696-73-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1696-77-0x00000000036A0000-0x00000000037DE000-memory.dmp

Filesize
1.2MB

Download
memory/1696-65-0x0000000000000000-mapping.dmp

Download
memory/1928-61-0x0000000000000000-mapping.dmp

Download
memory/2032-70-0x0000000001F10000-0x0000000001FEE000-memory.dmp

Filesize
888KB

Download
memory/2032-54-0x0000000076B51000-0x0000000076B53000-memory.dmp

Filesize
8KB

Download
memory/2032-64-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/2032-55-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download