1607268ef2fa78fbf22c9d504a0add52ffe84acbba6a10c0c53b90e70fc26451

Analysis

max time kernel
127s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
27/11/2022, 07:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1607268ef2fa78fbf22c9d504a0add52ffe84acbba6a10c0c53b90e70fc26451.exe
Size

506KB
MD5

9f2eb04e92a19b2dbb3a351f229f0795
SHA1

c2aeb031c54c7c5c889d2666778afe9971348315
SHA256

1607268ef2fa78fbf22c9d504a0add52ffe84acbba6a10c0c53b90e70fc26451
SHA512

3f2078057e8bd9220ad15877327ad89ebed2e6fcfbd6b3b39438bd0015d3ef768d89e7540491bcbff3fd54adb16393c24eb2194a3f51c092e8ab7c1c97cc5a1d
SSDEEP

12288:ZzYwKuEYUhoMO+xxmYrkwDDV69J/LGqnfBFun5C5fP7ZWToUvJF:1sZYUhoM/LmKo/fnfBFACiPL

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3672	udbu.exe
4864	udbu.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2472-132-0x0000000000400000-0x00000000004B3000-memory.dmp	upx
behavioral2/memory/2472-137-0x0000000000400000-0x00000000004B3000-memory.dmp	upx
behavioral2/files/0x0006000000022e69-141.dat	upx
behavioral2/files/0x0006000000022e69-142.dat	upx
behavioral2/files/0x0006000000022e69-146.dat	upx
behavioral2/memory/3672-149-0x0000000000400000-0x00000000004B3000-memory.dmp	upx

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/2472-137-0x0000000000400000-0x00000000004B3000-memory.dmp	autoit_exe
behavioral2/memory/3672-149-0x0000000000400000-0x00000000004B3000-memory.dmp	autoit_exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2472 set thread context of 4540	2472	1607268ef2fa78fbf22c9d504a0add52ffe84acbba6a10c0c53b90e70fc26451.exe	82
PID 3672 set thread context of 4864	3672	udbu.exe	84

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4864	udbu.exe
4864	udbu.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeSecurityPrivilege	4540	1607268ef2fa78fbf22c9d504a0add52ffe84acbba6a10c0c53b90e70fc26451.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 2472 wrote to memory of 4540	2472	1607268ef2fa78fbf22c9d504a0add52ffe84acbba6a10c0c53b90e70fc26451.exe	82
PID 2472 wrote to memory of 4540	2472	1607268ef2fa78fbf22c9d504a0add52ffe84acbba6a10c0c53b90e70fc26451.exe	82
PID 2472 wrote to memory of 4540	2472	1607268ef2fa78fbf22c9d504a0add52ffe84acbba6a10c0c53b90e70fc26451.exe	82
PID 2472 wrote to memory of 4540	2472	1607268ef2fa78fbf22c9d504a0add52ffe84acbba6a10c0c53b90e70fc26451.exe	82
PID 2472 wrote to memory of 4540	2472	1607268ef2fa78fbf22c9d504a0add52ffe84acbba6a10c0c53b90e70fc26451.exe	82
PID 2472 wrote to memory of 4540	2472	1607268ef2fa78fbf22c9d504a0add52ffe84acbba6a10c0c53b90e70fc26451.exe	82
PID 2472 wrote to memory of 4540	2472	1607268ef2fa78fbf22c9d504a0add52ffe84acbba6a10c0c53b90e70fc26451.exe	82
PID 2472 wrote to memory of 4540	2472	1607268ef2fa78fbf22c9d504a0add52ffe84acbba6a10c0c53b90e70fc26451.exe	82
PID 2472 wrote to memory of 4540	2472	1607268ef2fa78fbf22c9d504a0add52ffe84acbba6a10c0c53b90e70fc26451.exe	82
PID 4540 wrote to memory of 3672	4540	1607268ef2fa78fbf22c9d504a0add52ffe84acbba6a10c0c53b90e70fc26451.exe	83
PID 4540 wrote to memory of 3672	4540	1607268ef2fa78fbf22c9d504a0add52ffe84acbba6a10c0c53b90e70fc26451.exe	83
PID 4540 wrote to memory of 3672	4540	1607268ef2fa78fbf22c9d504a0add52ffe84acbba6a10c0c53b90e70fc26451.exe	83
PID 3672 wrote to memory of 4864	3672	udbu.exe	84
PID 3672 wrote to memory of 4864	3672	udbu.exe	84
PID 3672 wrote to memory of 4864	3672	udbu.exe	84
PID 3672 wrote to memory of 4864	3672	udbu.exe	84
PID 3672 wrote to memory of 4864	3672	udbu.exe	84
PID 3672 wrote to memory of 4864	3672	udbu.exe	84
PID 3672 wrote to memory of 4864	3672	udbu.exe	84
PID 3672 wrote to memory of 4864	3672	udbu.exe	84
PID 3672 wrote to memory of 4864	3672	udbu.exe	84
PID 4540 wrote to memory of 4832	4540	1607268ef2fa78fbf22c9d504a0add52ffe84acbba6a10c0c53b90e70fc26451.exe	85
PID 4540 wrote to memory of 4832	4540	1607268ef2fa78fbf22c9d504a0add52ffe84acbba6a10c0c53b90e70fc26451.exe	85
PID 4540 wrote to memory of 4832	4540	1607268ef2fa78fbf22c9d504a0add52ffe84acbba6a10c0c53b90e70fc26451.exe	85
PID 4864 wrote to memory of 5096	4864	udbu.exe	86
PID 4864 wrote to memory of 5096	4864	udbu.exe	86
PID 4864 wrote to memory of 5096	4864	udbu.exe	86
PID 4864 wrote to memory of 5096	4864	udbu.exe	86
PID 4864 wrote to memory of 5096	4864	udbu.exe	86
PID 4864 wrote to memory of 5096	4864	udbu.exe	86
PID 4864 wrote to memory of 5096	4864	udbu.exe	86
PID 4864 wrote to memory of 5096	4864	udbu.exe	86
PID 4864 wrote to memory of 5096	4864	udbu.exe	86

C:\Users\Admin\AppData\Local\Temp\1607268ef2fa78fbf22c9d504a0add52ffe84acbba6a10c0c53b90e70fc26451.exe
"C:\Users\Admin\AppData\Local\Temp\1607268ef2fa78fbf22c9d504a0add52ffe84acbba6a10c0c53b90e70fc26451.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2472
- C:\Users\Admin\AppData\Local\Temp\1607268ef2fa78fbf22c9d504a0add52ffe84acbba6a10c0c53b90e70fc26451.exe
  "C:\Users\Admin\AppData\Local\Temp\1607268ef2fa78fbf22c9d504a0add52ffe84acbba6a10c0c53b90e70fc26451.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4540
- - C:\Users\Admin\AppData\Roaming\Ruiky\udbu.exe
    "C:\Users\Admin\AppData\Roaming\Ruiky\udbu.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:3672
  - - C:\Users\Admin\AppData\Roaming\Ruiky\udbu.exe
      "C:\Users\Admin\AppData\Roaming\Ruiky\udbu.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:4864
    - - C:\Windows\SysWOW64\explorer.exe
        
        "C:\Windows\SysWOW64\explorer.exe"
        5⤵
        
        PID:5096
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp8670cb66.bat"
    3⤵
    PID:4832

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp8670cb66.bat

Filesize
307B

MD5
7e2093608b4a6bffb6f1a8653ead1480

SHA1
c4730338d99b10ac1e47ff2f4110fbd52a48335e

SHA256
a09aa4380cc81bf1d2b1effba952446f343756a57d4a34f5f6aa163a0da46873

SHA512
3774e90d785d805ab626e29fdc9134965cb2995cc26fd1e3f70b7ff5a370dfdfc9e002c04d54d7e7bc6d66fdd73567820bec95997bf6096006ae97d31aaef7ab

Download Submit
C:\Users\Admin\AppData\Roaming\Ruiky\udbu.exe

Filesize
506KB

MD5
cdb3ba7b707bb4ac9ed66d2ea1ca3198

SHA1
18e1b37cebf9566a0d0c3903b8bd2e3572e4c37c

SHA256
fd52772e70448e7a260eb1e59e1caa0a0db0a31951c987b8b6f1284e1cb9a211

SHA512
624f7ebd88e25d6ff3bd6932ddf9f325378719460436bd3b9a06273c5fb586c1696f8a1587582cd8f5df7e8fff41f17b39010a3644845ec31e8eb4c410c19ced

Download Submit
C:\Users\Admin\AppData\Roaming\Ruiky\udbu.exe

Filesize
506KB

MD5
cdb3ba7b707bb4ac9ed66d2ea1ca3198

SHA1
18e1b37cebf9566a0d0c3903b8bd2e3572e4c37c

SHA256
fd52772e70448e7a260eb1e59e1caa0a0db0a31951c987b8b6f1284e1cb9a211

SHA512
624f7ebd88e25d6ff3bd6932ddf9f325378719460436bd3b9a06273c5fb586c1696f8a1587582cd8f5df7e8fff41f17b39010a3644845ec31e8eb4c410c19ced

Download Submit
C:\Users\Admin\AppData\Roaming\Ruiky\udbu.exe

Filesize
506KB

MD5
cdb3ba7b707bb4ac9ed66d2ea1ca3198

SHA1
18e1b37cebf9566a0d0c3903b8bd2e3572e4c37c

SHA256
fd52772e70448e7a260eb1e59e1caa0a0db0a31951c987b8b6f1284e1cb9a211

SHA512
624f7ebd88e25d6ff3bd6932ddf9f325378719460436bd3b9a06273c5fb586c1696f8a1587582cd8f5df7e8fff41f17b39010a3644845ec31e8eb4c410c19ced

Download Submit
memory/2472-137-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2472-132-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/3672-149-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/4540-138-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4540-139-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4540-136-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4540-134-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4540-152-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4864-153-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4864-155-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/5096-156-0x0000000000920000-0x000000000094E000-memory.dmp

Filesize
184KB

Download