95c0375181febe556a87cde056dd699ab234cd21b1792763bb78d916befd75b9

Analysis

max time kernel
151s
max time network
134s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
03/12/2022, 16:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

95c0375181febe556a87cde056dd699ab234cd21b1792763bb78d916befd75b9.exe
Size

460KB
MD5

0cf8b1340b29d1b10ed40eb30dee6aa0
SHA1

2d307968288d9ce0f0456d01746828d9c2e84397
SHA256

95c0375181febe556a87cde056dd699ab234cd21b1792763bb78d916befd75b9
SHA512

0f9a870fab10136f84db10719c032511a77120b3f1b81ffc99db11300657a611fc7b9797aca85b9e7af3cf1d8472c1c5ad04b05b789d515ee30f251cfe7d0d51
SSDEEP

6144:fLbDdc5g8Alv20zh5lHDx5caDYg6OEpVkk/SfMbDlefuWgv6zVjr7XapPU:DvZdv20/5cULPk/S+MgiRD

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1952	qireg.exe
524	wuveex.exe
992	voruk.exe

Deletes itself 1 IoCs

pid	Process
668	cmd.exe

Loads dropped DLL 5 IoCs

pid	Process
1668	95c0375181febe556a87cde056dd699ab234cd21b1792763bb78d916befd75b9.exe
1668	95c0375181febe556a87cde056dd699ab234cd21b1792763bb78d916befd75b9.exe
1952	qireg.exe
1952	qireg.exe
524	wuveex.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
992	voruk.exe
992	voruk.exe
992	voruk.exe
992	voruk.exe
992	voruk.exe
992	voruk.exe
992	voruk.exe
992	voruk.exe
992	voruk.exe
992	voruk.exe
992	voruk.exe
992	voruk.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1668 wrote to memory of 1952	1668	95c0375181febe556a87cde056dd699ab234cd21b1792763bb78d916befd75b9.exe	28
PID 1668 wrote to memory of 1952	1668	95c0375181febe556a87cde056dd699ab234cd21b1792763bb78d916befd75b9.exe	28
PID 1668 wrote to memory of 1952	1668	95c0375181febe556a87cde056dd699ab234cd21b1792763bb78d916befd75b9.exe	28
PID 1668 wrote to memory of 1952	1668	95c0375181febe556a87cde056dd699ab234cd21b1792763bb78d916befd75b9.exe	28
PID 1668 wrote to memory of 668	1668	95c0375181febe556a87cde056dd699ab234cd21b1792763bb78d916befd75b9.exe	30
PID 1668 wrote to memory of 668	1668	95c0375181febe556a87cde056dd699ab234cd21b1792763bb78d916befd75b9.exe	30
PID 1668 wrote to memory of 668	1668	95c0375181febe556a87cde056dd699ab234cd21b1792763bb78d916befd75b9.exe	30
PID 1668 wrote to memory of 668	1668	95c0375181febe556a87cde056dd699ab234cd21b1792763bb78d916befd75b9.exe	30
PID 1952 wrote to memory of 524	1952	qireg.exe	29
PID 1952 wrote to memory of 524	1952	qireg.exe	29
PID 1952 wrote to memory of 524	1952	qireg.exe	29
PID 1952 wrote to memory of 524	1952	qireg.exe	29
PID 524 wrote to memory of 992	524	wuveex.exe	32
PID 524 wrote to memory of 992	524	wuveex.exe	32
PID 524 wrote to memory of 992	524	wuveex.exe	32
PID 524 wrote to memory of 992	524	wuveex.exe	32
PID 524 wrote to memory of 1516	524	wuveex.exe	33
PID 524 wrote to memory of 1516	524	wuveex.exe	33
PID 524 wrote to memory of 1516	524	wuveex.exe	33
PID 524 wrote to memory of 1516	524	wuveex.exe	33

C:\Users\Admin\AppData\Local\Temp\95c0375181febe556a87cde056dd699ab234cd21b1792763bb78d916befd75b9.exe
"C:\Users\Admin\AppData\Local\Temp\95c0375181febe556a87cde056dd699ab234cd21b1792763bb78d916befd75b9.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1668
- C:\Users\Admin\AppData\Local\Temp\qireg.exe
  "C:\Users\Admin\AppData\Local\Temp\qireg.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1952
- - C:\Users\Admin\AppData\Local\Temp\wuveex.exe
    "C:\Users\Admin\AppData\Local\Temp\wuveex.exe" OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:524
  - - C:\Users\Admin\AppData\Local\Temp\voruk.exe
      "C:\Users\Admin\AppData\Local\Temp\voruk.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:992
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      PID:1516
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - Deletes itself
  PID:668

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
340B

MD5
17274b63b2445bf7fec15f3480408ede

SHA1
2322982cde8cd21634796e7c60d00a74a2bb9efc

SHA256
7c1c3db8b30e5075fc56acbacb189c863452dd24fcec801c1d7fb9210736e754

SHA512
02a83b5c5932328f16753c63ee89e16f12df5ccdd3e6ab36f2807da0fcd2a89f165a386358e379aae8370053f3d33293772162ffaedf6d5acf613780b8df1682

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
9f92ff6da0859bd976292b04b5780e86

SHA1
ce5b6b444c980e3b8bb2ec64369232fb49bbfeea

SHA256
9aec6e6d6ff3dce92d4f411b8b51b069288b18638e0d2108874d5e165ab0a5e9

SHA512
63afab1d4b9fd5e5bd0d090c733c0c212495a572f7209aa28c83ca11d504304eadbed94849b762a6c23bd2fdbf2b6e244d6fb394dab6f9bc8dc3a578f490c604

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
aaca006c32afdb0e23117658f59b44f9

SHA1
fee311960c261ac64e29055ecd2c4151630ca95d

SHA256
99f76dfbb342e22263f4c292ce7753a315ffcdfad13cdb8933ef7ca2d44d41ec

SHA512
fd6cf139603cc58f7d106fb40a0d44201ae4a4d04cea6a99619df4cf7312b72cc09cb9985e724d17b5bc6fba1d3bea8852c2a5499894342bf6e637ab608d8e78

Download Submit
C:\Users\Admin\AppData\Local\Temp\qireg.exe

Filesize
460KB

MD5
1e23cb6568e4882314e1d5362d325c65

SHA1
70fc2b340ff80d64408dc3ba6b4c7f1359d8f913

SHA256
daa8a8b81157d2ae3d2536275698caa165868207a626cb597a870e59faffcce3

SHA512
ca826fc5d3e3df0d584023538e10ed02f9b7afc1d1c7e851e746a3d4196bb392cc6844661337413fc35f7ecaf551e895cdc0ae7b6a2c6259876b75039c4d6e5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\qireg.exe

Filesize
460KB

MD5
1e23cb6568e4882314e1d5362d325c65

SHA1
70fc2b340ff80d64408dc3ba6b4c7f1359d8f913

SHA256
daa8a8b81157d2ae3d2536275698caa165868207a626cb597a870e59faffcce3

SHA512
ca826fc5d3e3df0d584023538e10ed02f9b7afc1d1c7e851e746a3d4196bb392cc6844661337413fc35f7ecaf551e895cdc0ae7b6a2c6259876b75039c4d6e5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\voruk.exe

Filesize
341KB

MD5
3be33bcd72d7d1ff69aa8a51bb463e12

SHA1
c53f973a61a980a0cc8f897e9dfb8741de00ac7e

SHA256
b4092b4daee0e0818b7b24dd6fe09677346141a3bfba5e09dd20c765e285787a

SHA512
ce42e6f0d0b22fb106f92958e8aa61749a903daa09aac8eb32cbd7796c1db8810971775019298de1f0d18b119bf64ab2a25927eaf97b4fe224e100b57c85d948

Download Submit
C:\Users\Admin\AppData\Local\Temp\wuveex.exe

Filesize
460KB

MD5
1e23cb6568e4882314e1d5362d325c65

SHA1
70fc2b340ff80d64408dc3ba6b4c7f1359d8f913

SHA256
daa8a8b81157d2ae3d2536275698caa165868207a626cb597a870e59faffcce3

SHA512
ca826fc5d3e3df0d584023538e10ed02f9b7afc1d1c7e851e746a3d4196bb392cc6844661337413fc35f7ecaf551e895cdc0ae7b6a2c6259876b75039c4d6e5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\wuveex.exe

Filesize
460KB

MD5
1e23cb6568e4882314e1d5362d325c65

SHA1
70fc2b340ff80d64408dc3ba6b4c7f1359d8f913

SHA256
daa8a8b81157d2ae3d2536275698caa165868207a626cb597a870e59faffcce3

SHA512
ca826fc5d3e3df0d584023538e10ed02f9b7afc1d1c7e851e746a3d4196bb392cc6844661337413fc35f7ecaf551e895cdc0ae7b6a2c6259876b75039c4d6e5c

Download Submit
\Users\Admin\AppData\Local\Temp\qireg.exe

Filesize
460KB

MD5
1e23cb6568e4882314e1d5362d325c65

SHA1
70fc2b340ff80d64408dc3ba6b4c7f1359d8f913

SHA256
daa8a8b81157d2ae3d2536275698caa165868207a626cb597a870e59faffcce3

SHA512
ca826fc5d3e3df0d584023538e10ed02f9b7afc1d1c7e851e746a3d4196bb392cc6844661337413fc35f7ecaf551e895cdc0ae7b6a2c6259876b75039c4d6e5c

Download Submit
\Users\Admin\AppData\Local\Temp\qireg.exe

Filesize
460KB

MD5
1e23cb6568e4882314e1d5362d325c65

SHA1
70fc2b340ff80d64408dc3ba6b4c7f1359d8f913

SHA256
daa8a8b81157d2ae3d2536275698caa165868207a626cb597a870e59faffcce3

SHA512
ca826fc5d3e3df0d584023538e10ed02f9b7afc1d1c7e851e746a3d4196bb392cc6844661337413fc35f7ecaf551e895cdc0ae7b6a2c6259876b75039c4d6e5c

Download Submit
\Users\Admin\AppData\Local\Temp\voruk.exe

Filesize
341KB

MD5
3be33bcd72d7d1ff69aa8a51bb463e12

SHA1
c53f973a61a980a0cc8f897e9dfb8741de00ac7e

SHA256
b4092b4daee0e0818b7b24dd6fe09677346141a3bfba5e09dd20c765e285787a

SHA512
ce42e6f0d0b22fb106f92958e8aa61749a903daa09aac8eb32cbd7796c1db8810971775019298de1f0d18b119bf64ab2a25927eaf97b4fe224e100b57c85d948

Download Submit
\Users\Admin\AppData\Local\Temp\wuveex.exe

Filesize
460KB

MD5
1e23cb6568e4882314e1d5362d325c65

SHA1
70fc2b340ff80d64408dc3ba6b4c7f1359d8f913

SHA256
daa8a8b81157d2ae3d2536275698caa165868207a626cb597a870e59faffcce3

SHA512
ca826fc5d3e3df0d584023538e10ed02f9b7afc1d1c7e851e746a3d4196bb392cc6844661337413fc35f7ecaf551e895cdc0ae7b6a2c6259876b75039c4d6e5c

Download Submit
\Users\Admin\AppData\Local\Temp\wuveex.exe

Filesize
460KB

MD5
1e23cb6568e4882314e1d5362d325c65

SHA1
70fc2b340ff80d64408dc3ba6b4c7f1359d8f913

SHA256
daa8a8b81157d2ae3d2536275698caa165868207a626cb597a870e59faffcce3

SHA512
ca826fc5d3e3df0d584023538e10ed02f9b7afc1d1c7e851e746a3d4196bb392cc6844661337413fc35f7ecaf551e895cdc0ae7b6a2c6259876b75039c4d6e5c

Download Submit
memory/524-76-0x0000000003450000-0x00000000034ED000-memory.dmp

Filesize
628KB

Download
memory/524-79-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/524-72-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/992-77-0x0000000001240000-0x00000000012DD000-memory.dmp

Filesize
628KB

Download
memory/1668-54-0x0000000076AE1000-0x0000000076AE3000-memory.dmp

Filesize
8KB

Download
memory/1668-55-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/1668-69-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/1952-68-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download