dc54f2c3c2e7ad848241125c272e202ce462e63338032fb3bf4c8868fb073a61

Analysis

max time kernel
260s
max time network
352s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
24-11-2022 10:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dc54f2c3c2e7ad848241125c272e202ce462e63338032fb3bf4c8868fb073a61.exe
Size

1.3MB
MD5

92aafe7bcf2ab2d498314abd5fb50aa6
SHA1

dc03663d65231fe80cac1d94025f2e2d577f1bd8
SHA256

dc54f2c3c2e7ad848241125c272e202ce462e63338032fb3bf4c8868fb073a61
SHA512

295d4d0c9e8b2e36cbbadb449fb25e1889870ac8855473645ebec67b40c21d7b9f630be93f454ac5adb88620bf1aa5d0d809448da29fdd8f15c195bcda3fed7b
SSDEEP

24576:cEIcw9lUgrG+6s7rWB+OmPomKGyg5k0UvVMHLV:TakgC+zrWB+VFjruw

Score

8^/10

vmprotect

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

2618.tmpWUU.exe

pid process

1860 2618.tmp
460
1812 WUU.exe

pid	process
1860	2618.tmp
460
1812	WUU.exe

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral1/memory/520-55-0x0000000000D20000-0x0000000000E76000-memory.dmp	vmprotect
behavioral1/memory/520-56-0x0000000000D20000-0x0000000000E76000-memory.dmp	vmprotect
behavioral1/memory/520-63-0x0000000000D20000-0x0000000000E76000-memory.dmp	vmprotect

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

284 cmd.exe

pid	process
284	cmd.exe

Loads dropped DLL 3 IoCs

Processes:

dc54f2c3c2e7ad848241125c272e202ce462e63338032fb3bf4c8868fb073a61.exe

pid	process
520	dc54f2c3c2e7ad848241125c272e202ce462e63338032fb3bf4c8868fb073a61.exe
520	dc54f2c3c2e7ad848241125c272e202ce462e63338032fb3bf4c8868fb073a61.exe
460

Drops file in System32 directory 2 IoCs

Processes:

2618.tmp

description ioc process

File created C:\Windows\system32\WUU.exe 2618.tmp
File opened for modification C:\Windows\system32\WUU.exe 2618.tmp
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

dc54f2c3c2e7ad848241125c272e202ce462e63338032fb3bf4c8868fb073a61.exe

pid process

520 dc54f2c3c2e7ad848241125c272e202ce462e63338032fb3bf4c8868fb073a61.exe

description	ioc	process
File created	C:\Windows\system32\WUU.exe	2618.tmp
File opened for modification	C:\Windows\system32\WUU.exe	2618.tmp

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

dc54f2c3c2e7ad848241125c272e202ce462e63338032fb3bf4c8868fb073a61.exe2618.tmp

description	pid	process	target process
PID 520 wrote to memory of 1860	520	dc54f2c3c2e7ad848241125c272e202ce462e63338032fb3bf4c8868fb073a61.exe	2618.tmp
PID 520 wrote to memory of 1860	520	dc54f2c3c2e7ad848241125c272e202ce462e63338032fb3bf4c8868fb073a61.exe	2618.tmp
PID 520 wrote to memory of 1860	520	dc54f2c3c2e7ad848241125c272e202ce462e63338032fb3bf4c8868fb073a61.exe	2618.tmp
PID 520 wrote to memory of 1860	520	dc54f2c3c2e7ad848241125c272e202ce462e63338032fb3bf4c8868fb073a61.exe	2618.tmp
PID 520 wrote to memory of 284	520	dc54f2c3c2e7ad848241125c272e202ce462e63338032fb3bf4c8868fb073a61.exe	cmd.exe
PID 520 wrote to memory of 284	520	dc54f2c3c2e7ad848241125c272e202ce462e63338032fb3bf4c8868fb073a61.exe	cmd.exe
PID 520 wrote to memory of 284	520	dc54f2c3c2e7ad848241125c272e202ce462e63338032fb3bf4c8868fb073a61.exe	cmd.exe
PID 520 wrote to memory of 284	520	dc54f2c3c2e7ad848241125c272e202ce462e63338032fb3bf4c8868fb073a61.exe	cmd.exe
PID 1860 wrote to memory of 884	1860	2618.tmp	cmd.exe
PID 1860 wrote to memory of 884	1860	2618.tmp	cmd.exe
PID 1860 wrote to memory of 884	1860	2618.tmp	cmd.exe

C:\Users\Admin\AppData\Local\Temp\dc54f2c3c2e7ad848241125c272e202ce462e63338032fb3bf4c8868fb073a61.exe
"C:\Users\Admin\AppData\Local\Temp\dc54f2c3c2e7ad848241125c272e202ce462e63338032fb3bf4c8868fb073a61.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:520

C:\Users\Admin\AppData\Local\Temp\2618.tmp
"C:\Users\Admin\AppData\Local\Temp\2618.tmp"
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1860

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\AA44.tmp.bat" "
3⤵
PID:884

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\30F2.tmp.bat" "
2⤵
- Deletes itself
PID:284

C:\Windows\system32\WUU.exe
C:\Windows\system32\WUU.exe
1⤵
- Executes dropped EXE
PID:1812

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2618.tmp
Filesize
309KB

MD5
16f61ad89ccddda5305b5d284f52c8df

SHA1
8422d633200bab084331077b0d231014bba9af72

SHA256
038d055816b329b399cb57048c1dd049bcab49e37ebd0069fa4533488a7da12f

SHA512
35b4dbe4985a31cd8fd7973ba0a2cd0e0c60049f0dbd61addbb2b4110e2acaa698cc62660940f2e78bb3e01f7e3acbafd06376453b4c5814127823d6061fff75

Download Submit
C:\Users\Admin\AppData\Local\Temp\2618.tmp
Filesize
309KB

MD5
16f61ad89ccddda5305b5d284f52c8df

SHA1
8422d633200bab084331077b0d231014bba9af72

SHA256
038d055816b329b399cb57048c1dd049bcab49e37ebd0069fa4533488a7da12f

SHA512
35b4dbe4985a31cd8fd7973ba0a2cd0e0c60049f0dbd61addbb2b4110e2acaa698cc62660940f2e78bb3e01f7e3acbafd06376453b4c5814127823d6061fff75

Download Submit
C:\Users\Admin\AppData\Local\Temp\30F2.tmp.bat
Filesize
306B

MD5
2737fbdbd0d953acd476d46370165e4b

SHA1
4f42f6964bff90309e0e00b624f89f949ad2cab1

SHA256
f6746891b791f70f2b995d590a5f8986c8c041cc717a9e797ec463996850638c

SHA512
680d886d85467d9b160e06f090f5b0385b522231a44036bd5a8041f085e4c57f0252717576f71c5a4e350994cbae8d79fc9fcebe030c9a2dfac60d250362d7cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\AA44.tmp.bat
Filesize
186B

MD5
fe41de37a41e31c0aaaa3782169cb26e

SHA1
58ace5da5beda3eed313253aa1a9d04d916133ba

SHA256
8b7b36a2e89e6c222f32ef35453bf862acaeb7c78f3bdf35cd54b7c2605a215a

SHA512
b93ca7955faed3ece74d83df5dfa2931605914e8fef032a2d79d0c8f357dea8d72198a8e86c3450e287c40874b75a45589b5d925945a652011c871d6506a2ecd

Download Submit
C:\Windows\System32\WUU.exe
Filesize
309KB

MD5
16f61ad89ccddda5305b5d284f52c8df

SHA1
8422d633200bab084331077b0d231014bba9af72

SHA256
038d055816b329b399cb57048c1dd049bcab49e37ebd0069fa4533488a7da12f

SHA512
35b4dbe4985a31cd8fd7973ba0a2cd0e0c60049f0dbd61addbb2b4110e2acaa698cc62660940f2e78bb3e01f7e3acbafd06376453b4c5814127823d6061fff75

Download Submit
\Users\Admin\AppData\Local\Temp\2618.tmp
Filesize
309KB

MD5
16f61ad89ccddda5305b5d284f52c8df

SHA1
8422d633200bab084331077b0d231014bba9af72

SHA256
038d055816b329b399cb57048c1dd049bcab49e37ebd0069fa4533488a7da12f

SHA512
35b4dbe4985a31cd8fd7973ba0a2cd0e0c60049f0dbd61addbb2b4110e2acaa698cc62660940f2e78bb3e01f7e3acbafd06376453b4c5814127823d6061fff75

Download Submit
\Users\Admin\AppData\Local\Temp\2618.tmp
Filesize
309KB

MD5
16f61ad89ccddda5305b5d284f52c8df

SHA1
8422d633200bab084331077b0d231014bba9af72

SHA256
038d055816b329b399cb57048c1dd049bcab49e37ebd0069fa4533488a7da12f

SHA512
35b4dbe4985a31cd8fd7973ba0a2cd0e0c60049f0dbd61addbb2b4110e2acaa698cc62660940f2e78bb3e01f7e3acbafd06376453b4c5814127823d6061fff75

Download Submit
\Windows\System32\WUU.exe
Filesize
309KB

MD5
16f61ad89ccddda5305b5d284f52c8df

SHA1
8422d633200bab084331077b0d231014bba9af72

SHA256
038d055816b329b399cb57048c1dd049bcab49e37ebd0069fa4533488a7da12f

SHA512
35b4dbe4985a31cd8fd7973ba0a2cd0e0c60049f0dbd61addbb2b4110e2acaa698cc62660940f2e78bb3e01f7e3acbafd06376453b4c5814127823d6061fff75

Download Submit
\Windows\System32\WUU.exe
Filesize
309KB

MD5
16f61ad89ccddda5305b5d284f52c8df

SHA1
8422d633200bab084331077b0d231014bba9af72

SHA256
038d055816b329b399cb57048c1dd049bcab49e37ebd0069fa4533488a7da12f

SHA512
35b4dbe4985a31cd8fd7973ba0a2cd0e0c60049f0dbd61addbb2b4110e2acaa698cc62660940f2e78bb3e01f7e3acbafd06376453b4c5814127823d6061fff75

Download Submit
memory/284-62-0x0000000000000000-mapping.dmp

Download
memory/520-63-0x0000000000D20000-0x0000000000E76000-memory.dmp

Filesize
1.3MB

Download
memory/520-54-0x00000000753F1000-0x00000000753F3000-memory.dmp

Filesize
8KB

Download
memory/520-56-0x0000000000D20000-0x0000000000E76000-memory.dmp

Filesize
1.3MB

Download
memory/520-55-0x0000000000D20000-0x0000000000E76000-memory.dmp

Filesize
1.3MB

Download
memory/884-69-0x0000000000000000-mapping.dmp

Download
memory/1860-59-0x0000000000000000-mapping.dmp

Download
memory/1860-68-0x000007FEFB651000-0x000007FEFB653000-memory.dmp

Filesize
8KB

Download