b060f8e8f97c6829ae27a5f8eb1fbc18bde4d5e7fbaee62fd117d9e6336fc223

General

Target

8d2eb7a1b4f09cb215c091bb568c63af.exe
Size

521KB
MD5

8d2eb7a1b4f09cb215c091bb568c63af
SHA1

a7038bbdbf159a6fc163d43df3688a26fba52299
SHA256

b060f8e8f97c6829ae27a5f8eb1fbc18bde4d5e7fbaee62fd117d9e6336fc223
SHA512

86346d31a9cc8b3840296101a827b54063d093636f5b1ebaaee297f0c50fb8203e0c893c2824707393738991febc41f2d7b63f63d8506d00ef40a13d530c6ce1
SSDEEP

12288:2pR3MqWOKw7yWMJFLubMNfntcanU+SH7:iR84fmX8ItHnXI

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2708	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
2052	umtizi.exe
2736	~DFA19F.tmp
560	gicuvo.exe

Loads dropped DLL 3 IoCs

pid	Process
2116	8d2eb7a1b4f09cb215c091bb568c63af.exe
2052	umtizi.exe
2736	~DFA19F.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 21 IoCs

pid	Process
560	gicuvo.exe
560	gicuvo.exe
560	gicuvo.exe
560	gicuvo.exe
560	gicuvo.exe
560	gicuvo.exe
560	gicuvo.exe
560	gicuvo.exe
560	gicuvo.exe
560	gicuvo.exe
560	gicuvo.exe
560	gicuvo.exe
560	gicuvo.exe
560	gicuvo.exe
560	gicuvo.exe
560	gicuvo.exe
560	gicuvo.exe
560	gicuvo.exe
560	gicuvo.exe
560	gicuvo.exe
560	gicuvo.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2736	~DFA19F.tmp

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2116 wrote to memory of 2052	2116	8d2eb7a1b4f09cb215c091bb568c63af.exe	28
PID 2116 wrote to memory of 2052	2116	8d2eb7a1b4f09cb215c091bb568c63af.exe	28
PID 2116 wrote to memory of 2052	2116	8d2eb7a1b4f09cb215c091bb568c63af.exe	28
PID 2116 wrote to memory of 2052	2116	8d2eb7a1b4f09cb215c091bb568c63af.exe	28
PID 2052 wrote to memory of 2736	2052	umtizi.exe	29
PID 2052 wrote to memory of 2736	2052	umtizi.exe	29
PID 2052 wrote to memory of 2736	2052	umtizi.exe	29
PID 2052 wrote to memory of 2736	2052	umtizi.exe	29
PID 2116 wrote to memory of 2708	2116	8d2eb7a1b4f09cb215c091bb568c63af.exe	30
PID 2116 wrote to memory of 2708	2116	8d2eb7a1b4f09cb215c091bb568c63af.exe	30
PID 2116 wrote to memory of 2708	2116	8d2eb7a1b4f09cb215c091bb568c63af.exe	30
PID 2116 wrote to memory of 2708	2116	8d2eb7a1b4f09cb215c091bb568c63af.exe	30
PID 2736 wrote to memory of 560	2736	~DFA19F.tmp	34
PID 2736 wrote to memory of 560	2736	~DFA19F.tmp	34
PID 2736 wrote to memory of 560	2736	~DFA19F.tmp	34
PID 2736 wrote to memory of 560	2736	~DFA19F.tmp	34

C:\Users\Admin\AppData\Local\Temp\8d2eb7a1b4f09cb215c091bb568c63af.exe
"C:\Users\Admin\AppData\Local\Temp\8d2eb7a1b4f09cb215c091bb568c63af.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2116
- C:\Users\Admin\AppData\Local\Temp\umtizi.exe
  C:\Users\Admin\AppData\Local\Temp\umtizi.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2052
- - C:\Users\Admin\AppData\Local\Temp\~DFA19F.tmp
    C:\Users\Admin\AppData\Local\Temp\~DFA19F.tmp OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2736
  - - C:\Users\Admin\AppData\Local\Temp\gicuvo.exe
      "C:\Users\Admin\AppData\Local\Temp\gicuvo.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:560
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
  2⤵
  - Deletes itself
  PID:2708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uninsep.bat

Filesize
277B

MD5
dfcea2f532603b1e868b5b9f648e488a

SHA1
56917f6fe6300005cc419c98605e6df86b792062

SHA256
ceb3703eeba6f910391eb05925671da5c10bfcbd7076066a6a52b43c89c56a47

SHA512
f2dbcca0fdffc4c7feb5c999a7f927fa6e82e29930a653eac064a33ef1e04c0425029052ea510944cfb479d7fca5568c7d819a27b4ee0ab50d107378e39e331e

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
86bb2dbeaef655893262f3c041f6afe2

SHA1
1b26ff1241c1353bd506c18bd0c11878076ba65d

SHA256
4a57643d2c59d1235bc0926f845583f39345839e3e9428ad619eb4b6baf96ad2

SHA512
58294cfaa5882a4c5625c03fe6f9e4882912b31f7169241f95626745d66c0a746083a9044365943d66ae7a420113d28c0ddd642c4ed697c683deb63796a13d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
480B

MD5
11cb705a34569f049a4e19e67e98205c

SHA1
cc3bdee9e1783122e9b3694cbd0bcdc6b4e428e2

SHA256
f0c02696656cc2761da8c567009957e405b85b881ca1c9e7cbc7b30910dc969f

SHA512
3611c18231afd31399611072814758ace63cd9c8a6ad2335cb433c8d613d7304c1bbc2006fa8782db41861ccb0e3022d16f7239897fa0cffc289c0b64912f5cd

Download Submit
\Users\Admin\AppData\Local\Temp\gicuvo.exe

Filesize
383KB

MD5
3c4a7072072d65409eac5493e8b21419

SHA1
3e05e1657a021d239bb15bb564ecb751ef880027

SHA256
c1f1c9870f2c687e61416153f886c578fc19cd59dc1b76db6fdc2674a2b0808a

SHA512
6e821f702e7597e94ab69e52daa45d34dbaea0ebfc77271699d83fe6245924e2f8dc9c8dc6abe745e26e2d83bbbe0e3f2c8afdeda1b94b58227533a4610d956f

Download Submit
\Users\Admin\AppData\Local\Temp\umtizi.exe

Filesize
526KB

MD5
be740165dbcc6895357c3473e22ad8b3

SHA1
d8faa25d9f4dea74f696cd5303572567fa7a60cd

SHA256
7aff920e4af345ba32dc5466b6590d1dd21ada8ea184306133ddbd63177260a2

SHA512
6b3b8afa765829e8c639853048972f78da054b2a671314fcb8465741bce3be6d0794d32085a5960f9a865160be3da790a446c3b47ba4662dd8a0e8ccea2855de

Download Submit
\Users\Admin\AppData\Local\Temp\~DFA19F.tmp

Filesize
531KB

MD5
2845b96e139aed0bcae7a23573e7ae28

SHA1
46d44027eb966c408ceef1c6d64813980af0c1ab

SHA256
d6d3fd38df86ddcd3d6b1ce709a2c8c89d6d9536c221d35f0b8d48385f3fdde7

SHA512
3a532037ff9c2e1dd2c0212f40208fdc704cffeea4efcb1658e2bac574e68afec5895fd9d460957a26a2a0b500a4ee8a4b22fa00a60d44611695b669a77c9202

Download Submit
memory/560-41-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/560-40-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/560-42-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/560-45-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/560-47-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/560-49-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2052-27-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2052-10-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2116-25-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2116-0-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2736-28-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2736-39-0x0000000003770000-0x00000000038AE000-memory.dmp

Filesize
1.2MB

Download
memory/2736-44-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download

Analysis

Sharing