060c14947ec75ce9817f7be911534e3e15a797dc17680acc2f05d8afbffdc1c1

Analysis

max time kernel
31s
max time network
33s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
09-03-2023 23:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DOCS.exe
Size

2.4MB
MD5

072ae884ff0b7f872b2d096c6f56cd8f
SHA1

ed6fe1c2cf2ade73266d7110bcc24d9b26651aa0
SHA256

060c14947ec75ce9817f7be911534e3e15a797dc17680acc2f05d8afbffdc1c1
SHA512

d8949a16c6b2b305345d73652ccdbe125eb4eb0a14a2811b0618f91717436fd61bfa5475846c7e4af93dc638c309bfea3c5ef6ecbcfe08aeaef5d98da16133b5
SSDEEP

24576:F3HAfWxfLwk0u2QynLyw//0gLTi+hxAL0CD2iFGo1V8nJp5bN+Zr3GiK3CvbRNOU:VjwR0nLkiRYr+Zr2iK3CvbRNO/j

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Windows\CurrentVersion\Run\Holzupo = "\"C:\\Users\\Admin\\AppData\\Roaming\\Jipaxzr\\Holzupo.exe\""	DOCS.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
2032	powershell.exe
1288	DOCS.exe
1288	DOCS.exe
1288	DOCS.exe
1288	DOCS.exe
1288	DOCS.exe
1288	DOCS.exe
1288	DOCS.exe
1288	DOCS.exe
1288	DOCS.exe
1288	DOCS.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2032	powershell.exe
Token: SeDebugPrivilege	1288	DOCS.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 1288 wrote to memory of 2032	1288	DOCS.exe	28
PID 1288 wrote to memory of 2032	1288	DOCS.exe	28
PID 1288 wrote to memory of 2032	1288	DOCS.exe	28
PID 1288 wrote to memory of 2032	1288	DOCS.exe	28
PID 1288 wrote to memory of 680	1288	DOCS.exe	30
PID 1288 wrote to memory of 680	1288	DOCS.exe	30
PID 1288 wrote to memory of 680	1288	DOCS.exe	30
PID 1288 wrote to memory of 680	1288	DOCS.exe	30
PID 1288 wrote to memory of 968	1288	DOCS.exe	31
PID 1288 wrote to memory of 968	1288	DOCS.exe	31
PID 1288 wrote to memory of 968	1288	DOCS.exe	31
PID 1288 wrote to memory of 968	1288	DOCS.exe	31
PID 1288 wrote to memory of 880	1288	DOCS.exe	32
PID 1288 wrote to memory of 880	1288	DOCS.exe	32
PID 1288 wrote to memory of 880	1288	DOCS.exe	32
PID 1288 wrote to memory of 880	1288	DOCS.exe	32
PID 1288 wrote to memory of 1588	1288	DOCS.exe	33
PID 1288 wrote to memory of 1588	1288	DOCS.exe	33
PID 1288 wrote to memory of 1588	1288	DOCS.exe	33
PID 1288 wrote to memory of 1588	1288	DOCS.exe	33
PID 1288 wrote to memory of 1352	1288	DOCS.exe	34
PID 1288 wrote to memory of 1352	1288	DOCS.exe	34
PID 1288 wrote to memory of 1352	1288	DOCS.exe	34
PID 1288 wrote to memory of 1352	1288	DOCS.exe	34
PID 1288 wrote to memory of 616	1288	DOCS.exe	35
PID 1288 wrote to memory of 616	1288	DOCS.exe	35
PID 1288 wrote to memory of 616	1288	DOCS.exe	35
PID 1288 wrote to memory of 616	1288	DOCS.exe	35
PID 1288 wrote to memory of 1696	1288	DOCS.exe	36
PID 1288 wrote to memory of 1696	1288	DOCS.exe	36
PID 1288 wrote to memory of 1696	1288	DOCS.exe	36
PID 1288 wrote to memory of 1696	1288	DOCS.exe	36
PID 1288 wrote to memory of 1700	1288	DOCS.exe	37
PID 1288 wrote to memory of 1700	1288	DOCS.exe	37
PID 1288 wrote to memory of 1700	1288	DOCS.exe	37
PID 1288 wrote to memory of 1700	1288	DOCS.exe	37
PID 1288 wrote to memory of 1368	1288	DOCS.exe	38
PID 1288 wrote to memory of 1368	1288	DOCS.exe	38
PID 1288 wrote to memory of 1368	1288	DOCS.exe	38
PID 1288 wrote to memory of 1368	1288	DOCS.exe	38
PID 1288 wrote to memory of 1516	1288	DOCS.exe	39
PID 1288 wrote to memory of 1516	1288	DOCS.exe	39
PID 1288 wrote to memory of 1516	1288	DOCS.exe	39
PID 1288 wrote to memory of 1516	1288	DOCS.exe	39

C:\Users\Admin\AppData\Local\Temp\DOCS.exe
"C:\Users\Admin\AppData\Local\Temp\DOCS.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1288
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2032
- C:\Users\Admin\AppData\Local\Temp\DOCS.exe
  C:\Users\Admin\AppData\Local\Temp\DOCS.exe
  2⤵
  PID:680
- C:\Users\Admin\AppData\Local\Temp\DOCS.exe
  C:\Users\Admin\AppData\Local\Temp\DOCS.exe
  2⤵
  PID:968
- C:\Users\Admin\AppData\Local\Temp\DOCS.exe
  C:\Users\Admin\AppData\Local\Temp\DOCS.exe
  2⤵
  PID:880
- C:\Users\Admin\AppData\Local\Temp\DOCS.exe
  C:\Users\Admin\AppData\Local\Temp\DOCS.exe
  2⤵
  PID:1588
- C:\Users\Admin\AppData\Local\Temp\DOCS.exe
  C:\Users\Admin\AppData\Local\Temp\DOCS.exe
  2⤵
  PID:1352
- C:\Users\Admin\AppData\Local\Temp\DOCS.exe
  C:\Users\Admin\AppData\Local\Temp\DOCS.exe
  2⤵
  PID:616
- C:\Users\Admin\AppData\Local\Temp\DOCS.exe
  C:\Users\Admin\AppData\Local\Temp\DOCS.exe
  2⤵
  PID:1696
- C:\Users\Admin\AppData\Local\Temp\DOCS.exe
  C:\Users\Admin\AppData\Local\Temp\DOCS.exe
  2⤵
  PID:1700
- C:\Users\Admin\AppData\Local\Temp\DOCS.exe
  C:\Users\Admin\AppData\Local\Temp\DOCS.exe
  2⤵
  PID:1368
- C:\Users\Admin\AppData\Local\Temp\DOCS.exe
  C:\Users\Admin\AppData\Local\Temp\DOCS.exe
  2⤵
  PID:1516

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1288-54-0x0000000000210000-0x000000000047C000-memory.dmp

Filesize
2.4MB

Download
memory/1288-55-0x0000000004D90000-0x0000000004EE2000-memory.dmp

Filesize
1.3MB

Download
memory/1288-56-0x0000000004810000-0x00000000048A2000-memory.dmp

Filesize
584KB

Download
memory/1288-57-0x0000000004B60000-0x0000000004BA0000-memory.dmp

Filesize
256KB

Download
memory/1288-62-0x0000000004B60000-0x0000000004BA0000-memory.dmp

Filesize
256KB

Download
memory/2032-60-0x0000000002720000-0x0000000002760000-memory.dmp

Filesize
256KB

Download
memory/2032-61-0x0000000002720000-0x0000000002760000-memory.dmp

Filesize
256KB

Download
memory/2032-63-0x0000000002720000-0x0000000002760000-memory.dmp

Filesize
256KB

Download