Analysis
- max time kernel: 159s
- max time network: 165s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 26-07-2021 13:00
Static task: static1
Behavioral task: behavioral1
  Sample: fbc55a603c1daf716b2b12c2074c694afb73979f8a266b763301e2e42230edfd.sample.exe
  Resource: win7v20210408
Behavioral task: behavioral2
  Sample: fbc55a603c1daf716b2b12c2074c694afb73979f8a266b763301e2e42230edfd.sample.exe
  Resource: win10v20210408
General
- Target: fbc55a603c1daf716b2b12c2074c694afb73979f8a266b763301e2e42230edfd.sample.exe
- Size: 446KB
- MD5: d781e9d11bd90edc0a29f379e56e39e1
- SHA1: d2fc29b258e8307a219ba33c3cbbbef4959055b3
- SHA256: fbc55a603c1daf716b2b12c2074c694afb73979f8a266b763301e2e42230edfd
- SHA512: 55c50e1ac3f77c36995d2753ee64c03dad21720e40bff1e460317cdb965a13c25780f3154d5d49e2e6aea5777a905f442e0e13b6b2489dad3f987064137d137e
Malware Config
Signatures
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: explorer.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ofelfwil = "C:\\Windows\\ykaxifyq.exe" | explorer.exe
- Checks whether UAC is enabled
  Processes: fbc55a603c1daf716b2b12c2074c694afb73979f8a266b763301e2e42230edfd.sample.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | fbc55a603c1daf716b2b12c2074c694afb73979f8a266b763301e2e42230edfd.sample.exe
- Suspicious use of SetThreadContext (2 IoCs)
  Processes: fbc55a603c1daf716b2b12c2074c694afb73979f8a266b763301e2e42230edfd.sample.exe, fbc55a603c1daf716b2b12c2074c694afb73979f8a266b763301e2e42230edfd.sample.exe
  description | pid | process | target process
  PID 1668 set thread context of 1748 | 1668 | fbc55a603c1daf716b2b12c2074c694afb73979f8a266b763301e2e42230edfd.sample.exe | fbc55a603c1daf716b2b12c2074c694afb73979f8a266b763301e2e42230edfd.sample.exe
  PID 1748 set thread context of 828 | 1748 | fbc55a603c1daf716b2b12c2074c694afb73979f8a266b763301e2e42230edfd.sample.exe | explorer.exe
- Drops file in Windows directory (2 IoCs)
  Processes: explorer.exe
  description | ioc | process
  File opened for modification | C:\Windows\ykaxifyq.exe | explorer.exe
  File created | C:\Windows\ykaxifyq.exe | explorer.exe
- Interacts with shadow copies (2 TTPs, 1 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes: vssadmin.exe
  pid | process
  1288 | vssadmin.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes: vssvc.exe
  description | pid | process
  Token: SeBackupPrivilege | 1708 | vssvc.exe
  Token: SeRestorePrivilege | 1708 | vssvc.exe
  Token: SeAuditPrivilege | 1708 | vssvc.exe
- Suspicious use of WriteProcessMemory (20 IoCs)
  Processes: fbc55a603c1daf716b2b12c2074c694afb73979f8a266b763301e2e42230edfd.sample.exe, fbc55a603c1daf716b2b12c2074c694afb73979f8a266b763301e2e42230edfd.sample.exe, explorer.exe
  description | pid | process | target process | entries
  PID 1668 wrote to memory of 1748 | 1668 | fbc55a603c1daf716b2b12c2074c694afb73979f8a266b763301e2e42230edfd.sample.exe | fbc55a603c1daf716b2b12c2074c694afb73979f8a266b763301e2e42230edfd.sample.exe | 11 identical entries
  PID 1748 wrote to memory of 828 | 1748 | fbc55a603c1daf716b2b12c2074c694afb73979f8a266b763301e2e42230edfd.sample.exe | explorer.exe | 5 identical entries
  PID 828 wrote to memory of 1288 | 828 | explorer.exe | vssadmin.exe | 4 identical entries
Processes
- C:\Users\Admin\AppData\Local\Temp\fbc55a603c1daf716b2b12c2074c694afb73979f8a266b763301e2e42230edfd.sample.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\fbc55a603c1daf716b2b12c2074c694afb73979f8a266b763301e2e42230edfd.sample.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\fbc55a603c1daf716b2b12c2074c694afb73979f8a266b763301e2e42230edfd.sample.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\fbc55a603c1daf716b2b12c2074c694afb73979f8a266b763301e2e42230edfd.sample.exe"
    - Checks whether UAC is enabled
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\explorer.exe (depth 3)
      Command line: "C:\Windows\system32\explorer.exe"
      - Adds Run key to start application
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\vssadmin.exe (depth 4)
        Command line: vssadmin.exe Delete Shadows /All /Quiet
        - Interacts with shadow copies
- C:\Windows\system32\vssvc.exe (depth 1)
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\ProgramData\uwiryzenebaxoxoc\01000000
  MD5: 887a9423bc33561f7a3fc4f3cf626800
  SHA1: 053285c812abcd42d424677de18f5976255632e6
  SHA256: 62f97a8743d0890f937a2354b1b009732a906ccaf10f4725685f16fd45b33c2e
  SHA512: d5432a743923f6b5e9aa1af4078d114e6ecd69bfb39e2ddd7aaeb309e2de61d588531db34eb721a37cf382400618d758280c926947b41e990b576adab8b37c06
- memory/828-65-0x0000000000080000-0x00000000000BD000-memory.dmp (Filesize: 244KB)
- memory/828-66-0x000000000009BB10-mapping.dmp
- memory/828-68-0x0000000075231000-0x0000000075233000-memory.dmp (Filesize: 8KB)
- memory/828-71-0x0000000072E81000-0x0000000072E83000-memory.dmp (Filesize: 8KB)
- memory/1288-70-0x0000000000000000-mapping.dmp
- memory/1668-60-0x0000000075B31000-0x0000000075B33000-memory.dmp (Filesize: 8KB)
- memory/1748-61-0x0000000000400000-0x000000000043C000-memory.dmp (Filesize: 240KB)
- memory/1748-62-0x000000000040B4D3-mapping.dmp
- memory/1748-64-0x0000000000400000-0x000000000043C000-memory.dmp (Filesize: 240KB)