Analysis
-
max time kernel
162s -
max time network
169s -
platform
windows7_x64 -
resource
win7v20210408 -
submitted
26-07-2021 13:00
Static task
static1
Behavioral task
behavioral1
Sample
af48e55bb79caba8acccaa8a9498874db7cbf46d3ed696e7b0ce32ad157abbc2.sample.exe
Resource
win7v20210408
Behavioral task
behavioral2
Sample
af48e55bb79caba8acccaa8a9498874db7cbf46d3ed696e7b0ce32ad157abbc2.sample.exe
Resource
win10v20210408
General
-
Target
af48e55bb79caba8acccaa8a9498874db7cbf46d3ed696e7b0ce32ad157abbc2.sample.exe
-
Size
200KB
-
MD5
f5ae9882f079c34f21eb9649b6f79724
-
SHA1
78f92938f0f9e5f5e1470eeaea9841e8e53c3fda
-
SHA256
af48e55bb79caba8acccaa8a9498874db7cbf46d3ed696e7b0ce32ad157abbc2
-
SHA512
ca92229a2ad7234276cdb8aa8df1d1349560af47607660089bdeffcf53e06be52d2657887e85cbfc70ecf12d4782699eaa009f2b6c86f0c09af80a97481ee13c
Malware Config
Signatures
-
suricata: ET MALWARE TorrentLocker DNS Lookup
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
explorer.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upygubah = "C:\\Windows\\uqimasar.exe" explorer.exe -
Processes:
af48e55bb79caba8acccaa8a9498874db7cbf46d3ed696e7b0ce32ad157abbc2.sample.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA af48e55bb79caba8acccaa8a9498874db7cbf46d3ed696e7b0ce32ad157abbc2.sample.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
af48e55bb79caba8acccaa8a9498874db7cbf46d3ed696e7b0ce32ad157abbc2.sample.exedescription pid process target process PID 1848 set thread context of 1252 1848 af48e55bb79caba8acccaa8a9498874db7cbf46d3ed696e7b0ce32ad157abbc2.sample.exe explorer.exe -
Drops file in Windows directory 2 IoCs
Processes:
explorer.exedescription ioc process File opened for modification C:\Windows\uqimasar.exe explorer.exe File created C:\Windows\uqimasar.exe explorer.exe -
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exepid process 564 vssadmin.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
vssvc.exedescription pid process Token: SeBackupPrivilege 1372 vssvc.exe Token: SeRestorePrivilege 1372 vssvc.exe Token: SeAuditPrivilege 1372 vssvc.exe -
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
af48e55bb79caba8acccaa8a9498874db7cbf46d3ed696e7b0ce32ad157abbc2.sample.exeexplorer.exedescription pid process target process PID 1848 wrote to memory of 1252 1848 af48e55bb79caba8acccaa8a9498874db7cbf46d3ed696e7b0ce32ad157abbc2.sample.exe explorer.exe PID 1848 wrote to memory of 1252 1848 af48e55bb79caba8acccaa8a9498874db7cbf46d3ed696e7b0ce32ad157abbc2.sample.exe explorer.exe PID 1848 wrote to memory of 1252 1848 af48e55bb79caba8acccaa8a9498874db7cbf46d3ed696e7b0ce32ad157abbc2.sample.exe explorer.exe PID 1848 wrote to memory of 1252 1848 af48e55bb79caba8acccaa8a9498874db7cbf46d3ed696e7b0ce32ad157abbc2.sample.exe explorer.exe PID 1848 wrote to memory of 1252 1848 af48e55bb79caba8acccaa8a9498874db7cbf46d3ed696e7b0ce32ad157abbc2.sample.exe explorer.exe PID 1252 wrote to memory of 564 1252 explorer.exe vssadmin.exe PID 1252 wrote to memory of 564 1252 explorer.exe vssadmin.exe PID 1252 wrote to memory of 564 1252 explorer.exe vssadmin.exe PID 1252 wrote to memory of 564 1252 explorer.exe vssadmin.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\af48e55bb79caba8acccaa8a9498874db7cbf46d3ed696e7b0ce32ad157abbc2.sample.exe"C:\Users\Admin\AppData\Local\Temp\af48e55bb79caba8acccaa8a9498874db7cbf46d3ed696e7b0ce32ad157abbc2.sample.exe"1⤵
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\system32\explorer.exe"2⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe Delete Shadows /All /Quiet3⤵
- Interacts with shadow copies
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\uxejaxegugacufud\01000000MD5
f5ae9882f079c34f21eb9649b6f79724
SHA178f92938f0f9e5f5e1470eeaea9841e8e53c3fda
SHA256af48e55bb79caba8acccaa8a9498874db7cbf46d3ed696e7b0ce32ad157abbc2
SHA512ca92229a2ad7234276cdb8aa8df1d1349560af47607660089bdeffcf53e06be52d2657887e85cbfc70ecf12d4782699eaa009f2b6c86f0c09af80a97481ee13c
-
memory/564-66-0x0000000000000000-mapping.dmp
-
memory/1252-62-0x000000000009A3B0-mapping.dmp
-
memory/1252-61-0x0000000000080000-0x00000000000BC000-memory.dmpFilesize
240KB
-
memory/1252-64-0x0000000074EE1000-0x0000000074EE3000-memory.dmpFilesize
8KB
-
memory/1252-67-0x0000000072B51000-0x0000000072B53000-memory.dmpFilesize
8KB
-
memory/1848-60-0x00000000757C1000-0x00000000757C3000-memory.dmpFilesize
8KB