48c868c2ed1d7cfdade91e4c9ef4649b73037e0c18a8338eb97a3968041427ce

Analysis

max time kernel
54s
max time network
61s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
26/03/2023, 21:55

Target

RansomTuga.exe
Size

1.4MB
MD5

41ebbb3be84010c309a2886151ec075a
SHA1

60f943d1a8110e5988075694466093e66a8a0558
SHA256

48c868c2ed1d7cfdade91e4c9ef4649b73037e0c18a8338eb97a3968041427ce
SHA512

cb8b065ac6b2b24a215165b6502cf1ed53adffb176407929c11d804b411ddc5f9f61185a1150ffd0a3f7fcc0980b40855128cd650ba39e76618bd19ab5544696
SSDEEP

24576:mrRE4V2JohrE+YyUKnEA2MX1ymFh2baKLzo8zqXUyInFXJGiw:mrRj/hg+YrAnlyOhlkoBQsi

Score

5^/10

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\System32\temp.tmp	RansomTuga.exe
File opened for modification	C:\Windows\System32\temp.tmp	RansomTuga.exe
File created	C:\Windows\System32\temp.tmp.bmp	RansomTuga.exe
File opened for modification	C:\Windows\System32\temp.tmp.jpg	RansomTuga.exe
File created	C:\Windows\System32\ok.txt	RansomTuga.exe
File created	C:\Windows\System32\ok.txt.TUGA	RansomTuga.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings	OpenWith.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4820	OpenWith.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 4152 wrote to memory of 4144	4152	RansomTuga.exe	67
PID 4152 wrote to memory of 4144	4152	RansomTuga.exe	67
PID 4152 wrote to memory of 1728	4152	RansomTuga.exe	68
PID 4152 wrote to memory of 1728	4152	RansomTuga.exe	68
PID 1728 wrote to memory of 2636	1728	cmd.exe	69
PID 1728 wrote to memory of 2636	1728	cmd.exe	69
PID 4152 wrote to memory of 3344	4152	RansomTuga.exe	70
PID 4152 wrote to memory of 3344	4152	RansomTuga.exe	70
PID 4152 wrote to memory of 3556	4152	RansomTuga.exe	71
PID 4152 wrote to memory of 3556	4152	RansomTuga.exe	71

C:\Users\Admin\AppData\Local\Temp\RansomTuga.exe
"C:\Users\Admin\AppData\Local\Temp\RansomTuga.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4152
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /s /b /a-d .\
  2⤵
  PID:4144
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh wlan export profile folder="C:\Windows\System32\wifies\\" key=clear && cls
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1728
- - C:\Windows\system32\netsh.exe
    netsh wlan export profile folder="C:\Windows\System32\wifies\\" key=clear
    3⤵
    PID:2636
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /s /b /a-d C:\Windows\System32\wifies\
  2⤵
  PID:3344
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c pause
  2⤵
  PID:3556

C:\Windows\System32\temp.tmp

Filesize
722B

MD5
fb430b147f7c0d360b9636fe2a597b5f

SHA1
4b6ba9e806747e76a0bae59728f07b180b3206fc

SHA256
f36b152f0797845cd2f82992b44adc265ee84d7ed27bb1f8adffca57b5e9a0e1

SHA512
ec1ace3e6a227f5f962263ebee5f4a9d9d7dc7b5eacfb8d9cfb19a480644e7ecca6786196947deb8d05907583eed107c689e0efd4ffe157d8a955f9113ed9a46

Download Submit
C:\Windows\System32\temp.tmp.bmp

Filesize
3.5MB

MD5
3fc08394bc027273ea919f16142f781c

SHA1
7799ee56db8ee64ac119335cdbdef83ea4311873

SHA256
6b18da437916642795842a7e85822f23474fc30dea013d8230d973ad040f6916

SHA512
3b7b392bc8b006770fda591953add3862b626182b569e30545aa6fa850ed7f2227f60a462baa5e06061fde398eac9282bc71d8fd183557853cbe73f6ce3cada3

Download Submit
memory/4152-256-0x00007FF7EB520000-0x00007FF7EB69B000-memory.dmp

Filesize
1.5MB

Download
memory/4152-257-0x00007FF7EB520000-0x00007FF7EB69B000-memory.dmp

Filesize
1.5MB

Download