Analysis
- max time kernel: 150s
- max time network: 154s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 20-05-2022 22:18
Static task: static1
Behavioral task: behavioral1
- Sample: 78b55ce394011b701be630417507f517df542361758ca2ab4c135023e2566c51.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: 78b55ce394011b701be630417507f517df542361758ca2ab4c135023e2566c51.exe
- Resource: win10v2004-20220414-en
General
- Target: 78b55ce394011b701be630417507f517df542361758ca2ab4c135023e2566c51.exe
- Size: 554KB
- MD5: 9038c0bfcb41767a7b8d1a46652d53e2
- SHA1: 372dea083bcbbe7f494992f92b5559cf2dab11c7
- SHA256: 78b55ce394011b701be630417507f517df542361758ca2ab4c135023e2566c51
- SHA512: 66c153d4e7de01de62775eb57f839f72bb185cb76e82cc12ff875287232fb8d9798bef909d94f10e43f766c0317988a98aa03ff7444b1ba97a5aeebe0858aa3d
Malware Config
Signatures
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: explorer.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ygewamik = "\"C:\\Windows\\yzewewux.exe\"" | explorer.exe
- Checks whether UAC is enabled
  Processes: 78b55ce394011b701be630417507f517df542361758ca2ab4c135023e2566c51.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 78b55ce394011b701be630417507f517df542361758ca2ab4c135023e2566c51.exe
- Suspicious use of SetThreadContext (2 IoCs)
  Processes: 78b55ce394011b701be630417507f517df542361758ca2ab4c135023e2566c51.exe
  description | pid | process | target process
  PID 1040 set thread context of 1464 | 1040 | 78b55ce394011b701be630417507f517df542361758ca2ab4c135023e2566c51.exe | 78b55ce394011b701be630417507f517df542361758ca2ab4c135023e2566c51.exe
  PID 1464 set thread context of 2020 | 1464 | 78b55ce394011b701be630417507f517df542361758ca2ab4c135023e2566c51.exe | explorer.exe
- Drops file in Windows directory (2 IoCs)
  Processes: explorer.exe
  description | ioc | process
  File opened for modification | C:\Windows\yzewewux.exe | explorer.exe
  File created | C:\Windows\yzewewux.exe | explorer.exe
- Interacts with shadow copies (2 TTPs, 1 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes: vssadmin.exe
  pid | process
  1688 | vssadmin.exe
- Modifies Internet Explorer Phishing Filter (1 TTPs, 3 IoCs)
  Processes: explorer.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\PhishingFilter | explorer.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV8 = "0" | explorer.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV9 = "0" | explorer.exe
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes: 78b55ce394011b701be630417507f517df542361758ca2ab4c135023e2566c51.exe
  pid | process
  1040 | 78b55ce394011b701be630417507f517df542361758ca2ab4c135023e2566c51.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes: vssvc.exe
  description | pid | process
  Token: SeBackupPrivilege | 1768 | vssvc.exe
  Token: SeRestorePrivilege | 1768 | vssvc.exe
  Token: SeAuditPrivilege | 1768 | vssvc.exe
- Suspicious use of WriteProcessMemory (20 IoCs; identical rows collapsed, count in last column)
  Processes: 78b55ce394011b701be630417507f517df542361758ca2ab4c135023e2566c51.exe, explorer.exe
  description | pid | process | target process | occurrences
  PID 1040 wrote to memory of 1464 | 1040 | 78b55ce394011b701be630417507f517df542361758ca2ab4c135023e2566c51.exe | 78b55ce394011b701be630417507f517df542361758ca2ab4c135023e2566c51.exe | 11
  PID 1464 wrote to memory of 2020 | 1464 | 78b55ce394011b701be630417507f517df542361758ca2ab4c135023e2566c51.exe | explorer.exe | 5
  PID 2020 wrote to memory of 1688 | 2020 | explorer.exe | vssadmin.exe | 4
Processes
- Image: C:\Users\Admin\AppData\Local\Temp\78b55ce394011b701be630417507f517df542361758ca2ab4c135023e2566c51.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\78b55ce394011b701be630417507f517df542361758ca2ab4c135023e2566c51.exe"
  Signatures: Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
  - Image: C:\Users\Admin\AppData\Local\Temp\78b55ce394011b701be630417507f517df542361758ca2ab4c135023e2566c51.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\78b55ce394011b701be630417507f517df542361758ca2ab4c135023e2566c51.exe"
    Signatures: Checks whether UAC is enabled; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
    - Image: C:\Windows\SysWOW64\explorer.exe
      Command line: "C:\Windows\system32\explorer.exe"
      Signatures: Adds Run key to start application; Drops file in Windows directory; Modifies Internet Explorer Phishing Filter; Suspicious use of WriteProcessMemory
      - Image: C:\Windows\SysWOW64\vssadmin.exe
        Command line: vssadmin.exe Delete Shadows /All /Quiet
        Signatures: Interacts with shadow copies
- Image: C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  Signatures: Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\ProgramData\ywynugoxasijikec\01000000
  Filesize: 554KB
  MD5: 2bf0069d0713d3c61f771c09b5c74c20
  SHA1: 100a14819b6411d4ccad864ce0b075e1dd62d5b8
  SHA256: 816793614ab897abdc53cf699a8d90696dd215c334526f845ff817ddf029c2a9
  SHA512: 33e6de30a49bb34d9cb087db00cf9f2ced2e5323aefc42f4681e935389cd2cd9ecde478cf64a9f012076709238019a0738f3cce97a0c2dab8e3b3db7bba1ef7d
- Memory dumps (file | filesize):
  memory/1040-54-0x0000000076811000-0x0000000076813000-memory.dmp | 8KB
  memory/1464-66-0x0000000000400000-0x000000000043A000-memory.dmp | 232KB
  memory/1464-55-0x0000000000400000-0x000000000043A000-memory.dmp | 232KB
  memory/1464-61-0x0000000000400000-0x000000000043A000-memory.dmp | 232KB
  memory/1464-62-0x0000000000400000-0x000000000043A000-memory.dmp | 232KB
  memory/1464-64-0x0000000000400000-0x000000000043A000-memory.dmp | 232KB
  memory/1464-65-0x000000000040A61E-mapping.dmp | -
  memory/1464-58-0x0000000000400000-0x000000000043A000-memory.dmp | 232KB
  memory/1464-68-0x0000000000400000-0x000000000043A000-memory.dmp | 232KB
  memory/1464-60-0x0000000000400000-0x000000000043A000-memory.dmp | 232KB
  memory/1464-75-0x0000000000400000-0x000000000043A000-memory.dmp | 232KB
  memory/1688-78-0x0000000000000000-mapping.dmp | -
  memory/2020-73-0x000000000009A160-mapping.dmp | -
  memory/2020-71-0x0000000000080000-0x00000000000BC000-memory.dmp | 240KB
  memory/2020-76-0x0000000074FE1000-0x0000000074FE3000-memory.dmp | 8KB
  memory/2020-69-0x0000000000080000-0x00000000000BC000-memory.dmp | 240KB
  memory/2020-79-0x0000000000080000-0x00000000000BC000-memory.dmp | 240KB
  memory/2020-80-0x00000000728F1000-0x00000000728F3000-memory.dmp | 8KB