8a22fe3de1ae4d2c8d63c507a852587a125bb7701e34b4521c13f7fe5286357b

Analysis

max time kernel
152s
max time network
119s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 21:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8a22fe3de1ae4d2c8d63c507a852587a125bb7701e34b4521c13f7fe5286357b.exe
Size

605KB
MD5

4e092b60bf147e5797f95530adaf3c00
SHA1

b9d4f9163289b332be721cfba461b58dab58f79e
SHA256

8a22fe3de1ae4d2c8d63c507a852587a125bb7701e34b4521c13f7fe5286357b
SHA512

265706f46e1a09504b3e059d5a38815bf1dc25f4be31b8dab7d8415c6f2db25dd087b09d4f0ce2754d957ab400b5fb555128c2b951f84c3fac42829c87fc10b9
SSDEEP

12288:OHjcoe9PH96vB/fAuBcm9TyOE/xG3muGx44MG4Yx:ODgINfAuBcgcZG2uG24MG4Y

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

toxuxu.exe~DFA7A.tmpvurura.exe

pid process

1400 toxuxu.exe
1172 ~DFA7A.tmp
920 vurura.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1628 cmd.exe
Loads dropped DLL 3 IoCs

Processes:

8a22fe3de1ae4d2c8d63c507a852587a125bb7701e34b4521c13f7fe5286357b.exetoxuxu.exe~DFA7A.tmp

pid process

1336 8a22fe3de1ae4d2c8d63c507a852587a125bb7701e34b4521c13f7fe5286357b.exe
1400 toxuxu.exe
1172 ~DFA7A.tmp
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1400	toxuxu.exe
1172	~DFA7A.tmp
920	vurura.exe

pid	process
1628	cmd.exe

pid	process
1336	8a22fe3de1ae4d2c8d63c507a852587a125bb7701e34b4521c13f7fe5286357b.exe
1400	toxuxu.exe
1172	~DFA7A.tmp

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

vurura.exe

pid	process
920	vurura.exe
920	vurura.exe
920	vurura.exe
920	vurura.exe
920	vurura.exe
920	vurura.exe
920	vurura.exe
920	vurura.exe
920	vurura.exe
920	vurura.exe
920	vurura.exe
920	vurura.exe
920	vurura.exe
920	vurura.exe
920	vurura.exe
920	vurura.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

~DFA7A.tmp

description pid process

Token: SeDebugPrivilege 1172 ~DFA7A.tmp

description	pid	process
Token: SeDebugPrivilege	1172	~DFA7A.tmp

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

8a22fe3de1ae4d2c8d63c507a852587a125bb7701e34b4521c13f7fe5286357b.exetoxuxu.exe~DFA7A.tmp

description	pid	process	target process
PID 1336 wrote to memory of 1400	1336	8a22fe3de1ae4d2c8d63c507a852587a125bb7701e34b4521c13f7fe5286357b.exe	toxuxu.exe
PID 1336 wrote to memory of 1400	1336	8a22fe3de1ae4d2c8d63c507a852587a125bb7701e34b4521c13f7fe5286357b.exe	toxuxu.exe
PID 1336 wrote to memory of 1400	1336	8a22fe3de1ae4d2c8d63c507a852587a125bb7701e34b4521c13f7fe5286357b.exe	toxuxu.exe
PID 1336 wrote to memory of 1400	1336	8a22fe3de1ae4d2c8d63c507a852587a125bb7701e34b4521c13f7fe5286357b.exe	toxuxu.exe
PID 1336 wrote to memory of 1628	1336	8a22fe3de1ae4d2c8d63c507a852587a125bb7701e34b4521c13f7fe5286357b.exe	cmd.exe
PID 1336 wrote to memory of 1628	1336	8a22fe3de1ae4d2c8d63c507a852587a125bb7701e34b4521c13f7fe5286357b.exe	cmd.exe
PID 1336 wrote to memory of 1628	1336	8a22fe3de1ae4d2c8d63c507a852587a125bb7701e34b4521c13f7fe5286357b.exe	cmd.exe
PID 1336 wrote to memory of 1628	1336	8a22fe3de1ae4d2c8d63c507a852587a125bb7701e34b4521c13f7fe5286357b.exe	cmd.exe
PID 1400 wrote to memory of 1172	1400	toxuxu.exe	~DFA7A.tmp
PID 1400 wrote to memory of 1172	1400	toxuxu.exe	~DFA7A.tmp
PID 1400 wrote to memory of 1172	1400	toxuxu.exe	~DFA7A.tmp
PID 1400 wrote to memory of 1172	1400	toxuxu.exe	~DFA7A.tmp
PID 1172 wrote to memory of 920	1172	~DFA7A.tmp	vurura.exe
PID 1172 wrote to memory of 920	1172	~DFA7A.tmp	vurura.exe
PID 1172 wrote to memory of 920	1172	~DFA7A.tmp	vurura.exe
PID 1172 wrote to memory of 920	1172	~DFA7A.tmp	vurura.exe

C:\Users\Admin\AppData\Local\Temp\8a22fe3de1ae4d2c8d63c507a852587a125bb7701e34b4521c13f7fe5286357b.exe
"C:\Users\Admin\AppData\Local\Temp\8a22fe3de1ae4d2c8d63c507a852587a125bb7701e34b4521c13f7fe5286357b.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1336
- C:\Users\Admin\AppData\Local\Temp\toxuxu.exe
  C:\Users\Admin\AppData\Local\Temp\toxuxu.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1400
- - C:\Users\Admin\AppData\Local\Temp\~DFA7A.tmp
    C:\Users\Admin\AppData\Local\Temp\~DFA7A.tmp OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1172
  - - C:\Users\Admin\AppData\Local\Temp\vurura.exe
      "C:\Users\Admin\AppData\Local\Temp\vurura.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:920
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
  2⤵
  - Deletes itself
  PID:1628

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uninsep.bat

Filesize
341B

MD5
0d0df8b189d0d9c35f65980380181ef1

SHA1
05d03aacce20e291aeb4570791477c9eb65da05a

SHA256
4bc081936f645d71bcbc997ed3d718f87fd58be1a36aec11cdf7027e58902e10

SHA512
6692000963ec8dbb2162a769dfb148e59c549d6a904981798a93c06b3b58ef5a6999a3161c24a372a0d8ad8a7c00e122c592347ae2d857e6b1b433227a68e1dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
86bb2dbeaef655893262f3c041f6afe2

SHA1
1b26ff1241c1353bd506c18bd0c11878076ba65d

SHA256
4a57643d2c59d1235bc0926f845583f39345839e3e9428ad619eb4b6baf96ad2

SHA512
58294cfaa5882a4c5625c03fe6f9e4882912b31f7169241f95626745d66c0a746083a9044365943d66ae7a420113d28c0ddd642c4ed697c683deb63796a13d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
480B

MD5
aff0a527568b3a74a635df5bdb8f9ff5

SHA1
08de34b93e452535d0f8a5ae5684d1cff6df02d7

SHA256
88546e1be0e8d8cb673b114f82de8bfb7e3ce76bfba5fd76e9f4c61cd181a187

SHA512
5d2395829fc7f0c5065fc469d34afdda9f30b351af132d56e25ca6d982232ad6ae3a3ba38642f4ce4921589a46cd071b61e32ab985ec8cf15d30300fd9aea827

Download Submit
C:\Users\Admin\AppData\Local\Temp\toxuxu.exe

Filesize
606KB

MD5
8ac33332cb9871e9b1090838c9e681da

SHA1
e77a85811fcc418f1798137ecda4462ad2f3bde1

SHA256
302e6ca1ad69df05138cb2813ee2fe41ec11366006ea50d189a4dd6b4601cb47

SHA512
20f8e5c65d21a2dd08b1bc4cf878444f2654e5b43aedb29bee913f171ec269090b39093b55337608e7bb5418acb0ed4ee3461bb181ebb1e7b2d1755caa0e97cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\toxuxu.exe

Filesize
606KB

MD5
8ac33332cb9871e9b1090838c9e681da

SHA1
e77a85811fcc418f1798137ecda4462ad2f3bde1

SHA256
302e6ca1ad69df05138cb2813ee2fe41ec11366006ea50d189a4dd6b4601cb47

SHA512
20f8e5c65d21a2dd08b1bc4cf878444f2654e5b43aedb29bee913f171ec269090b39093b55337608e7bb5418acb0ed4ee3461bb181ebb1e7b2d1755caa0e97cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\vurura.exe

Filesize
374KB

MD5
85e63a93b94cecdd39c9e3443115a679

SHA1
da3c515f10f5ccd60906a3bc352922f8bc0cd328

SHA256
770abfaf29090caf0524c0d2b496371ff4e980b580dea1eac27f5a7880a2e2d4

SHA512
837ec36234e3fe56156b74c72b37810296c74408e32524f05160b7d2bb5ac7c4a77c35507cd5c51e18dee94c0fdd4a002157af02ca7f276e8454046b8dcaf521

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA7A.tmp

Filesize
609KB

MD5
03cb31fc4f46689788a9c5363c897f8c

SHA1
64134597161ac632aa766b08a201f4d1a78773a9

SHA256
3949281f23f5ccffd83def6e0b9ed48b077d2e8ccbc8946e6df0ad3344ff1ef6

SHA512
b4c0ad0f4917a2c9c79bb5992709d69e0d7c0a6ca082c39cda45ee2bdfd50ae2ff2f388027bb09d2b985ada412b898c7a3dd3afb2b74749d5db1eafa3292448c

Download Submit
\Users\Admin\AppData\Local\Temp\toxuxu.exe

Filesize
606KB

MD5
8ac33332cb9871e9b1090838c9e681da

SHA1
e77a85811fcc418f1798137ecda4462ad2f3bde1

SHA256
302e6ca1ad69df05138cb2813ee2fe41ec11366006ea50d189a4dd6b4601cb47

SHA512
20f8e5c65d21a2dd08b1bc4cf878444f2654e5b43aedb29bee913f171ec269090b39093b55337608e7bb5418acb0ed4ee3461bb181ebb1e7b2d1755caa0e97cf

Download Submit
\Users\Admin\AppData\Local\Temp\vurura.exe

Filesize
374KB

MD5
85e63a93b94cecdd39c9e3443115a679

SHA1
da3c515f10f5ccd60906a3bc352922f8bc0cd328

SHA256
770abfaf29090caf0524c0d2b496371ff4e980b580dea1eac27f5a7880a2e2d4

SHA512
837ec36234e3fe56156b74c72b37810296c74408e32524f05160b7d2bb5ac7c4a77c35507cd5c51e18dee94c0fdd4a002157af02ca7f276e8454046b8dcaf521

Download Submit
\Users\Admin\AppData\Local\Temp\~DFA7A.tmp

Filesize
609KB

MD5
03cb31fc4f46689788a9c5363c897f8c

SHA1
64134597161ac632aa766b08a201f4d1a78773a9

SHA256
3949281f23f5ccffd83def6e0b9ed48b077d2e8ccbc8946e6df0ad3344ff1ef6

SHA512
b4c0ad0f4917a2c9c79bb5992709d69e0d7c0a6ca082c39cda45ee2bdfd50ae2ff2f388027bb09d2b985ada412b898c7a3dd3afb2b74749d5db1eafa3292448c

Download Submit
memory/920-78-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/920-75-0x0000000000000000-mapping.dmp

Download
memory/1172-77-0x00000000034D0000-0x000000000360E000-memory.dmp

Filesize
1.2MB

Download
memory/1172-73-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1172-65-0x0000000000000000-mapping.dmp

Download
memory/1172-70-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1336-69-0x0000000001E70000-0x0000000001F4E000-memory.dmp

Filesize
888KB

Download
memory/1336-54-0x0000000075F01000-0x0000000075F03000-memory.dmp

Filesize
8KB

Download
memory/1336-62-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1336-55-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1400-72-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1400-71-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1400-57-0x0000000000000000-mapping.dmp

Download
memory/1628-61-0x0000000000000000-mapping.dmp

Download