Analysis

- max time kernel: 155s
- max time network: 160s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 26-07-2021 13:00

Static task: static1

Behavioral task: behavioral1
  Sample: 7e2a27c681b7c250728c380c6e10f93bb24ea32e520950c72c99e6e1a1e1e117.sample.exe
  Resource: win7v20210410

Behavioral task: behavioral2
  Sample: 7e2a27c681b7c250728c380c6e10f93bb24ea32e520950c72c99e6e1a1e1e117.sample.exe
  Resource: win10v20210408
General

- Target: 7e2a27c681b7c250728c380c6e10f93bb24ea32e520950c72c99e6e1a1e1e117.sample.exe
- Size: 188KB
- MD5: a82e96c0fa347c803e4a2e5d95f81340
- SHA1: 9917bf4ebd86a163d9b63e3761bab9264f8e1d89
- SHA256: 7e2a27c681b7c250728c380c6e10f93bb24ea32e520950c72c99e6e1a1e1e117
- SHA512: e5fcd6cd5876dc93786a6c0b5f855381194795ccb5a990649e3564c5a7b01477716ef1dd0348c81e0bcf361efbfee2d89098eaeb1eb0980f5cb8e7b2b4d5e347
Malware Config
Signatures
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.

- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: explorer.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ynoskvtj = "\"C:\\Windows\\yfaditan.exe\"" | explorer.exe

- Checks whether UAC is enabled
  Processes: 7e2a27c681b7c250728c380c6e10f93bb24ea32e520950c72c99e6e1a1e1e117.sample.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 7e2a27c681b7c250728c380c6e10f93bb24ea32e520950c72c99e6e1a1e1e117.sample.exe

- Suspicious use of SetThreadContext (1 IoC)
  Processes: 7e2a27c681b7c250728c380c6e10f93bb24ea32e520950c72c99e6e1a1e1e117.sample.exe
  description | pid | process | target process
  PID 740 set thread context of 3264 | 740 | 7e2a27c681b7c250728c380c6e10f93bb24ea32e520950c72c99e6e1a1e1e117.sample.exe | explorer.exe

- Drops file in Windows directory (2 IoCs)
  Processes: explorer.exe
  description | ioc | process
  File opened for modification | C:\Windows\yfaditan.exe | explorer.exe
  File created | C:\Windows\yfaditan.exe | explorer.exe

- Interacts with shadow copies (2 TTPs, 1 IoC)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes: vssadmin.exe
  pid | process
  2964 | vssadmin.exe

- Modifies Internet Explorer Phishing Filter (1 TTP, 3 IoCs)
  Processes: explorer.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\PhishingFilter | explorer.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV8 = "0" | explorer.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV9 = "0" | explorer.exe

- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes: vssvc.exe
  description | pid | process
  Token: SeBackupPrivilege | 156 | vssvc.exe
  Token: SeRestorePrivilege | 156 | vssvc.exe
  Token: SeAuditPrivilege | 156 | vssvc.exe

- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes: 7e2a27c681b7c250728c380c6e10f93bb24ea32e520950c72c99e6e1a1e1e117.sample.exe, explorer.exe
  description | pid | process | target process
  PID 740 wrote to memory of 3264 | 740 | 7e2a27c681b7c250728c380c6e10f93bb24ea32e520950c72c99e6e1a1e1e117.sample.exe | explorer.exe
  PID 740 wrote to memory of 3264 | 740 | 7e2a27c681b7c250728c380c6e10f93bb24ea32e520950c72c99e6e1a1e1e117.sample.exe | explorer.exe
  PID 740 wrote to memory of 3264 | 740 | 7e2a27c681b7c250728c380c6e10f93bb24ea32e520950c72c99e6e1a1e1e117.sample.exe | explorer.exe
  PID 740 wrote to memory of 3264 | 740 | 7e2a27c681b7c250728c380c6e10f93bb24ea32e520950c72c99e6e1a1e1e117.sample.exe | explorer.exe
  PID 3264 wrote to memory of 2964 | 3264 | explorer.exe | vssadmin.exe
  PID 3264 wrote to memory of 2964 | 3264 | explorer.exe | vssadmin.exe
  PID 3264 wrote to memory of 2964 | 3264 | explorer.exe | vssadmin.exe
Processes

- C:\Users\Admin\AppData\Local\Temp\7e2a27c681b7c250728c380c6e10f93bb24ea32e520950c72c99e6e1a1e1e117.sample.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\7e2a27c681b7c250728c380c6e10f93bb24ea32e520950c72c99e6e1a1e1e117.sample.exe"
  - Checks whether UAC is enabled
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

  - C:\Windows\SysWOW64\explorer.exe
    Command line: "C:\Windows\system32\explorer.exe"
    - Adds Run key to start application
    - Drops file in Windows directory
    - Modifies Internet Explorer Phishing Filter
    - Suspicious use of WriteProcessMemory

    - C:\Windows\SysWOW64\vssadmin.exe
      Command line: vssadmin.exe Delete Shadows /All /Quiet
      - Interacts with shadow copies

- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

- C:\ProgramData\avinecuryladypom\01000000
  MD5: 8a0a56cdd9398f9375d9d1f3f0767a99
  SHA1: c30e29a4751fada11d360b2485ad769afa60ee6d
  SHA256: 83dd9d0f98bb01d2552ace5da7a950b0d308fdf99dcb49a850ac7acd071e40db
  SHA512: 4ff24f45d996f478cef1d271a13e974927512f16d2d917c735e305834bc32195ed1bc5cf5dd198fc160f29cc4ce4e2b6204869479c6584c5623fac6c560d2a5a

- memory/2964-117-0x0000000000000000-mapping.dmp

- memory/3264-114-0x0000000000560000-0x0000000000598000-memory.dmp
  Filesize: 224KB

- memory/3264-115-0x000000000057A620-mapping.dmp