Analysis
- max time kernel: 148s
- max time network: 189s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 26-07-2021 13:00
Static task: static1
Behavioral task: behavioral1
- Sample: 7e2a27c681b7c250728c380c6e10f93bb24ea32e520950c72c99e6e1a1e1e117.sample.exe
- Resource: win7v20210410
Behavioral task: behavioral2
- Sample: 7e2a27c681b7c250728c380c6e10f93bb24ea32e520950c72c99e6e1a1e1e117.sample.exe
- Resource: win10v20210408
General
- Target: 7e2a27c681b7c250728c380c6e10f93bb24ea32e520950c72c99e6e1a1e1e117.sample.exe
- Size: 188KB
- MD5: a82e96c0fa347c803e4a2e5d95f81340
- SHA1: 9917bf4ebd86a163d9b63e3761bab9264f8e1d89
- SHA256: 7e2a27c681b7c250728c380c6e10f93bb24ea32e520950c72c99e6e1a1e1e117
- SHA512: e5fcd6cd5876dc93786a6c0b5f855381194795ccb5a990649e3564c5a7b01477716ef1dd0348c81e0bcf361efbfee2d89098eaeb1eb0980f5cb8e7b2b4d5e347
Malware Config
Signatures
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: explorer.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\umytakis = "\"C:\\Windows\\apnjojij.exe\"" | explorer.exe
- Checks whether UAC is enabled
  Processes: 7e2a27c681b7c250728c380c6e10f93bb24ea32e520950c72c99e6e1a1e1e117.sample.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 7e2a27c681b7c250728c380c6e10f93bb24ea32e520950c72c99e6e1a1e1e117.sample.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: 7e2a27c681b7c250728c380c6e10f93bb24ea32e520950c72c99e6e1a1e1e117.sample.exe
  description | pid | process | target process
  PID 1212 set thread context of 1532 | 1212 | 7e2a27c681b7c250728c380c6e10f93bb24ea32e520950c72c99e6e1a1e1e117.sample.exe | explorer.exe
- Drops file in Windows directory (2 IoCs)
  Processes: explorer.exe
  description | ioc | process
  File opened for modification | C:\Windows\apnjojij.exe | explorer.exe
  File created | C:\Windows\apnjojij.exe | explorer.exe
- Interacts with shadow copies (2 TTPs, 1 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes: vssadmin.exe
  pid | process
  2000 | vssadmin.exe
- Modifies Internet Explorer Phishing Filter (1 TTPs, 3 IoCs)
  Processes: explorer.exe
  description | ioc | process
  Set value (int) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV9 = "0" | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\PhishingFilter | explorer.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV8 = "0" | explorer.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes: vssvc.exe
  description | pid | process
  Token: SeBackupPrivilege | 1540 | vssvc.exe
  Token: SeRestorePrivilege | 1540 | vssvc.exe
  Token: SeAuditPrivilege | 1540 | vssvc.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: 7e2a27c681b7c250728c380c6e10f93bb24ea32e520950c72c99e6e1a1e1e117.sample.exe, explorer.exe
  description | pid | process | target process
  PID 1212 wrote to memory of 1532 | 1212 | 7e2a27c681b7c250728c380c6e10f93bb24ea32e520950c72c99e6e1a1e1e117.sample.exe | explorer.exe
  PID 1212 wrote to memory of 1532 | 1212 | 7e2a27c681b7c250728c380c6e10f93bb24ea32e520950c72c99e6e1a1e1e117.sample.exe | explorer.exe
  PID 1212 wrote to memory of 1532 | 1212 | 7e2a27c681b7c250728c380c6e10f93bb24ea32e520950c72c99e6e1a1e1e117.sample.exe | explorer.exe
  PID 1212 wrote to memory of 1532 | 1212 | 7e2a27c681b7c250728c380c6e10f93bb24ea32e520950c72c99e6e1a1e1e117.sample.exe | explorer.exe
  PID 1212 wrote to memory of 1532 | 1212 | 7e2a27c681b7c250728c380c6e10f93bb24ea32e520950c72c99e6e1a1e1e117.sample.exe | explorer.exe
  PID 1532 wrote to memory of 2000 | 1532 | explorer.exe | vssadmin.exe
  PID 1532 wrote to memory of 2000 | 1532 | explorer.exe | vssadmin.exe
  PID 1532 wrote to memory of 2000 | 1532 | explorer.exe | vssadmin.exe
  PID 1532 wrote to memory of 2000 | 1532 | explorer.exe | vssadmin.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\7e2a27c681b7c250728c380c6e10f93bb24ea32e520950c72c99e6e1a1e1e117.sample.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\7e2a27c681b7c250728c380c6e10f93bb24ea32e520950c72c99e6e1a1e1e117.sample.exe"
  - Checks whether UAC is enabled
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\explorer.exe
    Command line: "C:\Windows\system32\explorer.exe"
    - Adds Run key to start application
    - Drops file in Windows directory
    - Modifies Internet Explorer Phishing Filter
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\vssadmin.exe
      Command line: vssadmin.exe Delete Shadows /All /Quiet
      - Interacts with shadow copies
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\ProgramData\avinecuryladypom\01000000
  MD5: 8a0a56cdd9398f9375d9d1f3f0767a99
  SHA1: c30e29a4751fada11d360b2485ad769afa60ee6d
  SHA256: 83dd9d0f98bb01d2552ace5da7a950b0d308fdf99dcb49a850ac7acd071e40db
  SHA512: 4ff24f45d996f478cef1d271a13e974927512f16d2d917c735e305834bc32195ed1bc5cf5dd198fc160f29cc4ce4e2b6204869479c6584c5623fac6c560d2a5a
- memory/1212-60-0x0000000076661000-0x0000000076663000-memory.dmp
  Filesize: 8KB
- memory/1532-61-0x0000000000110000-0x0000000000148000-memory.dmp
  Filesize: 224KB
- memory/1532-62-0x000000000012A620-mapping.dmp
- memory/1532-64-0x0000000074D11000-0x0000000074D13000-memory.dmp
  Filesize: 8KB
- memory/1532-67-0x0000000072A11000-0x0000000072A13000-memory.dmp
  Filesize: 8KB
- memory/2000-66-0x0000000000000000-mapping.dmp