57f42d730f182b74384124340889635619b7cdabad50f4d825c5985838d03a6d

Resubmissions

02-02-2023 11:29

230202-nlpe8shh6x 8

Analysis

max time kernel
1s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
02-02-2023 11:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2014.exe
Size

263KB
MD5

a18ac16e0862cf64a8c119bf9cb1e620
SHA1

2b8a58e121158d56880c8036915744a32c76df79
SHA256

57f42d730f182b74384124340889635619b7cdabad50f4d825c5985838d03a6d
SHA512

376309c0eb4ca5e6f77ad0df38b7ac33e20e5a3516d2801c28aabfd360526c18bba8a00362ac2757d6e128a2cc502db1fc1e75c5070d91e4f3af1fd6571b9d79
SSDEEP

6144:uz+92mhAMJ/cPl3i5PGvYipQ2tieQmdkv9rAjVu75OlYr+NgKd:uK2mhAMJ/cPlWuvrph3QmdkvqJO5OlAa

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1000	usha.exe
2044	usha.exe

Loads dropped DLL 6 IoCs

pid	Process
1792	2014.exe
1792	2014.exe
1792	2014.exe
1792	2014.exe
1000	usha.exe
2044	usha.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1000	usha.exe
Token: SeTcbPrivilege	1000	usha.exe
Token: SeDebugPrivilege	2044	usha.exe
Token: SeTcbPrivilege	2044	usha.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 1792 wrote to memory of 1000	1792	2014.exe	28
PID 1792 wrote to memory of 1000	1792	2014.exe	28
PID 1792 wrote to memory of 1000	1792	2014.exe	28
PID 1792 wrote to memory of 1000	1792	2014.exe	28
PID 1792 wrote to memory of 1000	1792	2014.exe	28
PID 1792 wrote to memory of 1000	1792	2014.exe	28
PID 1792 wrote to memory of 1000	1792	2014.exe	28
PID 2044 wrote to memory of 952	2044	usha.exe	30
PID 2044 wrote to memory of 952	2044	usha.exe	30
PID 2044 wrote to memory of 952	2044	usha.exe	30
PID 2044 wrote to memory of 952	2044	usha.exe	30
PID 2044 wrote to memory of 952	2044	usha.exe	30
PID 2044 wrote to memory of 952	2044	usha.exe	30

C:\Users\Admin\AppData\Local\Temp\2014.exe
"C:\Users\Admin\AppData\Local\Temp\2014.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1792
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\usha.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\usha.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID:1000

C:\ProgramData\usta\usha.exe
C:\ProgramData\usta\usha.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2044
- C:\Windows\explorer.exe
  C:\Windows\explorer.exe
  2⤵
  PID:952

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\usta\usha.exe

Filesize
209KB

MD5
e26d04cecd6c7c71cfbb3f335875bc31

SHA1
4c07150c4bdf3b49b54be7b0ea7caab193db784e

SHA256
902d771612edecc03757b289a6fe94cd18f2c88c0fc64f93f8ac449502e4ec52

SHA512
06d4485f252f6ea86d56e1fc684df0f7334b818bc55ad317f27d8ab32cdb08e02f08d612b4050739f04bc8ab3d60ce58758fa8c9c5e4e14f7235bf753251482c

Download Submit
C:\ProgramData\usta\ushata.dll

Filesize
3KB

MD5
b948c6616215ba79bc152e7eccc21044

SHA1
973ea910ea3734e45fde304f20ab6cf067456551

SHA256
baf81d98dcdd218ee1dd89610ec44cbfcc75667b11efb52987011b4f15202fb0

SHA512
e26d69e07eeb977bbcb69a8e617a56f5a55113639bb1aa26a7783ed773d162a0ca734a6b65d58a5b237245ea3ee2e27010418b1a8b06b26762bd4dbc4517e309

Download Submit
C:\ProgramData\usta\ushata.dll.avp

Filesize
116KB

MD5
0d61aaf05eb4e12f5b17abd343345be4

SHA1
d2b96dcbfc2ac15eb266f7de42a3984d99fbb331

SHA256
fbc6605404b9d9b95beab5b625400ed39ad11d61f4cbd6a6dc4cb1e1758cf702

SHA512
e677b540e44f5262cb9380cd84ad4816d99acce740fcec42ab16f317ac5f6f6dca59b2edfecdf6b80e8fc8abf23bad95292ed5f612f2e763018105d590eca5f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\usha.exe

Filesize
209KB

MD5
e26d04cecd6c7c71cfbb3f335875bc31

SHA1
4c07150c4bdf3b49b54be7b0ea7caab193db784e

SHA256
902d771612edecc03757b289a6fe94cd18f2c88c0fc64f93f8ac449502e4ec52

SHA512
06d4485f252f6ea86d56e1fc684df0f7334b818bc55ad317f27d8ab32cdb08e02f08d612b4050739f04bc8ab3d60ce58758fa8c9c5e4e14f7235bf753251482c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\usha.exe

Filesize
209KB

MD5
e26d04cecd6c7c71cfbb3f335875bc31

SHA1
4c07150c4bdf3b49b54be7b0ea7caab193db784e

SHA256
902d771612edecc03757b289a6fe94cd18f2c88c0fc64f93f8ac449502e4ec52

SHA512
06d4485f252f6ea86d56e1fc684df0f7334b818bc55ad317f27d8ab32cdb08e02f08d612b4050739f04bc8ab3d60ce58758fa8c9c5e4e14f7235bf753251482c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\ushata.dll

Filesize
3KB

MD5
b948c6616215ba79bc152e7eccc21044

SHA1
973ea910ea3734e45fde304f20ab6cf067456551

SHA256
baf81d98dcdd218ee1dd89610ec44cbfcc75667b11efb52987011b4f15202fb0

SHA512
e26d69e07eeb977bbcb69a8e617a56f5a55113639bb1aa26a7783ed773d162a0ca734a6b65d58a5b237245ea3ee2e27010418b1a8b06b26762bd4dbc4517e309

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\ushata.dll.avp

Filesize
116KB

MD5
0d61aaf05eb4e12f5b17abd343345be4

SHA1
d2b96dcbfc2ac15eb266f7de42a3984d99fbb331

SHA256
fbc6605404b9d9b95beab5b625400ed39ad11d61f4cbd6a6dc4cb1e1758cf702

SHA512
e677b540e44f5262cb9380cd84ad4816d99acce740fcec42ab16f317ac5f6f6dca59b2edfecdf6b80e8fc8abf23bad95292ed5f612f2e763018105d590eca5f5

Download Submit
\ProgramData\usta\ushata.dll

Filesize
3KB

MD5
b948c6616215ba79bc152e7eccc21044

SHA1
973ea910ea3734e45fde304f20ab6cf067456551

SHA256
baf81d98dcdd218ee1dd89610ec44cbfcc75667b11efb52987011b4f15202fb0

SHA512
e26d69e07eeb977bbcb69a8e617a56f5a55113639bb1aa26a7783ed773d162a0ca734a6b65d58a5b237245ea3ee2e27010418b1a8b06b26762bd4dbc4517e309

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\usha.exe

Filesize
209KB

MD5
e26d04cecd6c7c71cfbb3f335875bc31

SHA1
4c07150c4bdf3b49b54be7b0ea7caab193db784e

SHA256
902d771612edecc03757b289a6fe94cd18f2c88c0fc64f93f8ac449502e4ec52

SHA512
06d4485f252f6ea86d56e1fc684df0f7334b818bc55ad317f27d8ab32cdb08e02f08d612b4050739f04bc8ab3d60ce58758fa8c9c5e4e14f7235bf753251482c

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\usha.exe

Filesize
209KB

MD5
e26d04cecd6c7c71cfbb3f335875bc31

SHA1
4c07150c4bdf3b49b54be7b0ea7caab193db784e

SHA256
902d771612edecc03757b289a6fe94cd18f2c88c0fc64f93f8ac449502e4ec52

SHA512
06d4485f252f6ea86d56e1fc684df0f7334b818bc55ad317f27d8ab32cdb08e02f08d612b4050739f04bc8ab3d60ce58758fa8c9c5e4e14f7235bf753251482c

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\usha.exe

Filesize
209KB

MD5
e26d04cecd6c7c71cfbb3f335875bc31

SHA1
4c07150c4bdf3b49b54be7b0ea7caab193db784e

SHA256
902d771612edecc03757b289a6fe94cd18f2c88c0fc64f93f8ac449502e4ec52

SHA512
06d4485f252f6ea86d56e1fc684df0f7334b818bc55ad317f27d8ab32cdb08e02f08d612b4050739f04bc8ab3d60ce58758fa8c9c5e4e14f7235bf753251482c

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\usha.exe

Filesize
209KB

MD5
e26d04cecd6c7c71cfbb3f335875bc31

SHA1
4c07150c4bdf3b49b54be7b0ea7caab193db784e

SHA256
902d771612edecc03757b289a6fe94cd18f2c88c0fc64f93f8ac449502e4ec52

SHA512
06d4485f252f6ea86d56e1fc684df0f7334b818bc55ad317f27d8ab32cdb08e02f08d612b4050739f04bc8ab3d60ce58758fa8c9c5e4e14f7235bf753251482c

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\ushata.dll

Filesize
3KB

MD5
b948c6616215ba79bc152e7eccc21044

SHA1
973ea910ea3734e45fde304f20ab6cf067456551

SHA256
baf81d98dcdd218ee1dd89610ec44cbfcc75667b11efb52987011b4f15202fb0

SHA512
e26d69e07eeb977bbcb69a8e617a56f5a55113639bb1aa26a7783ed773d162a0ca734a6b65d58a5b237245ea3ee2e27010418b1a8b06b26762bd4dbc4517e309

Download Submit
memory/952-72-0x00000000000F0000-0x000000000010E000-memory.dmp

Filesize
120KB

Download
memory/1000-65-0x0000000000470000-0x0000000000571000-memory.dmp

Filesize
1.0MB

Download
memory/1000-59-0x0000000000000000-mapping.dmp

Download
memory/1792-54-0x0000000076321000-0x0000000076323000-memory.dmp

Filesize
8KB

Download
memory/2044-71-0x0000000000790000-0x0000000000891000-memory.dmp

Filesize
1.0MB

Download