90f257e78a19be18d0c9b3304d6aa574eb9e5a510845ee7a49804025d0f1f4c5

General

Target

90f257e78a19be18d0c9b3304d6aa574eb9e5a510845ee7a49804025d0f1f4c5.exe
Size

308KB
MD5

330f7d5d0d880f8129d593c53b20a190
SHA1

cb45631c7551a39c98ce085027a86761b1a5d73d
SHA256

90f257e78a19be18d0c9b3304d6aa574eb9e5a510845ee7a49804025d0f1f4c5
SHA512

4bb9b3eeb68f8d44e876b1c448d86052a3c698389c5f93c8a65b315da0e6b7a4d26e85794ec69822d6c237cd23fc66dda9d2df9e3210bde7828695763143a8b2
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+l:vHW138/iXWlK885rKlGSekcj66co

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1164	wekuq.exe
544	uwyko.exe

Deletes itself 1 IoCs

pid	Process
1768	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
692	90f257e78a19be18d0c9b3304d6aa574eb9e5a510845ee7a49804025d0f1f4c5.exe
1164	wekuq.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
544	uwyko.exe
544	uwyko.exe
544	uwyko.exe
544	uwyko.exe
544	uwyko.exe
544	uwyko.exe
544	uwyko.exe
544	uwyko.exe
544	uwyko.exe
544	uwyko.exe
544	uwyko.exe
544	uwyko.exe
544	uwyko.exe
544	uwyko.exe
544	uwyko.exe
544	uwyko.exe
544	uwyko.exe
544	uwyko.exe
544	uwyko.exe
544	uwyko.exe
544	uwyko.exe
544	uwyko.exe
544	uwyko.exe
544	uwyko.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 692 wrote to memory of 1164	692	90f257e78a19be18d0c9b3304d6aa574eb9e5a510845ee7a49804025d0f1f4c5.exe	28
PID 692 wrote to memory of 1164	692	90f257e78a19be18d0c9b3304d6aa574eb9e5a510845ee7a49804025d0f1f4c5.exe	28
PID 692 wrote to memory of 1164	692	90f257e78a19be18d0c9b3304d6aa574eb9e5a510845ee7a49804025d0f1f4c5.exe	28
PID 692 wrote to memory of 1164	692	90f257e78a19be18d0c9b3304d6aa574eb9e5a510845ee7a49804025d0f1f4c5.exe	28
PID 692 wrote to memory of 1768	692	90f257e78a19be18d0c9b3304d6aa574eb9e5a510845ee7a49804025d0f1f4c5.exe	29
PID 692 wrote to memory of 1768	692	90f257e78a19be18d0c9b3304d6aa574eb9e5a510845ee7a49804025d0f1f4c5.exe	29
PID 692 wrote to memory of 1768	692	90f257e78a19be18d0c9b3304d6aa574eb9e5a510845ee7a49804025d0f1f4c5.exe	29
PID 692 wrote to memory of 1768	692	90f257e78a19be18d0c9b3304d6aa574eb9e5a510845ee7a49804025d0f1f4c5.exe	29
PID 1164 wrote to memory of 544	1164	wekuq.exe	31
PID 1164 wrote to memory of 544	1164	wekuq.exe	31
PID 1164 wrote to memory of 544	1164	wekuq.exe	31
PID 1164 wrote to memory of 544	1164	wekuq.exe	31

C:\Users\Admin\AppData\Local\Temp\90f257e78a19be18d0c9b3304d6aa574eb9e5a510845ee7a49804025d0f1f4c5.exe
"C:\Users\Admin\AppData\Local\Temp\90f257e78a19be18d0c9b3304d6aa574eb9e5a510845ee7a49804025d0f1f4c5.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:692
- C:\Users\Admin\AppData\Local\Temp\wekuq.exe
  "C:\Users\Admin\AppData\Local\Temp\wekuq.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1164
- - C:\Users\Admin\AppData\Local\Temp\uwyko.exe
    "C:\Users\Admin\AppData\Local\Temp\uwyko.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:544
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  PID:1768

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
e4b49990814175df27b7077fec8cd2c3

SHA1
17482db81a04915a35de35ca0a8436b5cc0036e5

SHA256
eae51ae04c226f21f9dda2faf3598a02842a3da18bc6440406ed7f8992bb0198

SHA512
66f929a69e2ab739d7c4e3d59885a7671507020615728fee871411b33846f7cd7a30ab903c05352fe6f99fe14d58005fc466774c96eec8a8ab3b9adadbeb85d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
f28d6c30108c667376761f3a842fdae6

SHA1
525556b9883ee543c77cb3dcb2927177a6fd5a6b

SHA256
ce1fd7555119574c534952618e7d68be6fb4cdf04143970ad5be25507a7f9f33

SHA512
c781fb90a963b3fec90c2e2515c5638a007899c308818e92b02f0189caf08de23d012bb2c008647e391abe73ff813ea6279afd9e73e7dd1ba702fe37f744109c

Download Submit
C:\Users\Admin\AppData\Local\Temp\uwyko.exe

Filesize
172KB

MD5
c4ff30d4b787bb6f1bd7d0a4ceeb00ff

SHA1
773f7fcc06461bb535cc6a3d8854fb5e22ca7d34

SHA256
3b7a9a7dd7ac4199b4d7d21d5d9d6351878b60447477826f64111cc4409222a6

SHA512
223fc6425e96f9f63888ff38b41f3a09cdc5c4cd624fec536a8fc2200c87b3aaad9a843aa6cc0244b759635b2f00798679bb255c23ceffaba5cc00ea223751f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\wekuq.exe

Filesize
308KB

MD5
de77cd368e64c3517729c86958543012

SHA1
ad1d813315567ea445113987fdf3d509fab7d2a2

SHA256
c70e2d3f650579f86c0da6e34fa06cfce6c38da2f9830c99308ba63431973688

SHA512
740eab5cdfea7630d2f39bd45e57c8da4e158411f5d1924feeec34dce9f7ff0488fe5537b0e74e91f3d01a27fd69d34b4b8db3853ec2d1a3c74b6c314e780e9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\wekuq.exe

Filesize
308KB

MD5
de77cd368e64c3517729c86958543012

SHA1
ad1d813315567ea445113987fdf3d509fab7d2a2

SHA256
c70e2d3f650579f86c0da6e34fa06cfce6c38da2f9830c99308ba63431973688

SHA512
740eab5cdfea7630d2f39bd45e57c8da4e158411f5d1924feeec34dce9f7ff0488fe5537b0e74e91f3d01a27fd69d34b4b8db3853ec2d1a3c74b6c314e780e9b

Download Submit
\Users\Admin\AppData\Local\Temp\uwyko.exe

Filesize
172KB

MD5
c4ff30d4b787bb6f1bd7d0a4ceeb00ff

SHA1
773f7fcc06461bb535cc6a3d8854fb5e22ca7d34

SHA256
3b7a9a7dd7ac4199b4d7d21d5d9d6351878b60447477826f64111cc4409222a6

SHA512
223fc6425e96f9f63888ff38b41f3a09cdc5c4cd624fec536a8fc2200c87b3aaad9a843aa6cc0244b759635b2f00798679bb255c23ceffaba5cc00ea223751f1

Download Submit
\Users\Admin\AppData\Local\Temp\wekuq.exe

Filesize
308KB

MD5
de77cd368e64c3517729c86958543012

SHA1
ad1d813315567ea445113987fdf3d509fab7d2a2

SHA256
c70e2d3f650579f86c0da6e34fa06cfce6c38da2f9830c99308ba63431973688

SHA512
740eab5cdfea7630d2f39bd45e57c8da4e158411f5d1924feeec34dce9f7ff0488fe5537b0e74e91f3d01a27fd69d34b4b8db3853ec2d1a3c74b6c314e780e9b

Download Submit
memory/544-73-0x00000000008F0000-0x0000000000989000-memory.dmp

Filesize
612KB

Download
memory/544-70-0x00000000008F0000-0x0000000000989000-memory.dmp

Filesize
612KB

Download
memory/692-61-0x0000000000E50000-0x0000000000ED1000-memory.dmp

Filesize
516KB

Download
memory/692-54-0x0000000074E61000-0x0000000074E63000-memory.dmp

Filesize
8KB

Download
memory/692-55-0x0000000000E50000-0x0000000000ED1000-memory.dmp

Filesize
516KB

Download
memory/1164-63-0x0000000000DB0000-0x0000000000E31000-memory.dmp

Filesize
516KB

Download
memory/1164-68-0x0000000000DB0000-0x0000000000E31000-memory.dmp

Filesize
516KB

Download

Analysis

Sharing