Analysis
- max time kernel: 150s
- max time network: 160s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 20-05-2022 22:22
Static task: static1
Behavioral task: behavioral1
- Sample: 4f8a51b563e832c4660a2e674580d91dc46294447f6971b9916285dab28bd4b2.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: 4f8a51b563e832c4660a2e674580d91dc46294447f6971b9916285dab28bd4b2.exe
- Resource: win10v2004-20220414-en
General
- Target: 4f8a51b563e832c4660a2e674580d91dc46294447f6971b9916285dab28bd4b2.exe
- Size: 554KB
- MD5: 599b93918efa98ba6cea5e14cc47fa80
- SHA1: 94c7c7c89be2e3c866b81fb352586a70f91414c3
- SHA256: 4f8a51b563e832c4660a2e674580d91dc46294447f6971b9916285dab28bd4b2
- SHA512: d98fbee1d19c46aa8297065b2f7b4690033534d07deb156962f0d42b9d7ad20aca44a1fca1666fd624c2e5f3320e4ab891c519a6d1e057c89b4cd5afecd5279c
Malware Config
Signatures
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (process: explorer.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ynivawov = "\"C:\\Windows\\wcyhalir.exe\"" (process: explorer.exe)
- Checks whether UAC is enabled
  Processes:
  - Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (process: 4f8a51b563e832c4660a2e674580d91dc46294447f6971b9916285dab28bd4b2.exe)
- Suspicious use of SetThreadContext (2 IoCs)
  Processes:
  - PID 1016 set thread context of 1364: 4f8a51b563e832c4660a2e674580d91dc46294447f6971b9916285dab28bd4b2.exe (PID 1016) -> target process 4f8a51b563e832c4660a2e674580d91dc46294447f6971b9916285dab28bd4b2.exe
  - PID 1364 set thread context of 1084: 4f8a51b563e832c4660a2e674580d91dc46294447f6971b9916285dab28bd4b2.exe (PID 1364) -> target process explorer.exe
- Drops file in Windows directory (2 IoCs)
  Processes:
  - File created: C:\Windows\wcyhalir.exe (process: explorer.exe)
  - File opened for modification: C:\Windows\wcyhalir.exe (process: explorer.exe)
- Interacts with shadow copies (2 TTPs, 1 IoC)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes:
  - PID 888: vssadmin.exe
- Modifies Internet Explorer Phishing Filter (1 TTP, 3 IoCs)
  Processes:
  - Key created: \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\PhishingFilter (process: explorer.exe)
  - Set value (int): \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV8 = "0" (process: explorer.exe)
  - Set value (int): \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV9 = "0" (process: explorer.exe)
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes:
  - PID 1016: 4f8a51b563e832c4660a2e674580d91dc46294447f6971b9916285dab28bd4b2.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
  - Token: SeBackupPrivilege (PID 1316, vssvc.exe)
  - Token: SeRestorePrivilege (PID 1316, vssvc.exe)
  - Token: SeAuditPrivilege (PID 1316, vssvc.exe)
- Suspicious use of WriteProcessMemory (20 IoCs)
  Processes:
  - PID 1016 wrote to memory of 1364: 4f8a51b563e832c4660a2e674580d91dc46294447f6971b9916285dab28bd4b2.exe (PID 1016) -> target process 4f8a51b563e832c4660a2e674580d91dc46294447f6971b9916285dab28bd4b2.exe (11 occurrences)
  - PID 1364 wrote to memory of 1084: 4f8a51b563e832c4660a2e674580d91dc46294447f6971b9916285dab28bd4b2.exe (PID 1364) -> target process explorer.exe (5 occurrences)
  - PID 1084 wrote to memory of 888: explorer.exe (PID 1084) -> target process vssadmin.exe (4 occurrences)
Processes
- C:\Users\Admin\AppData\Local\Temp\4f8a51b563e832c4660a2e674580d91dc46294447f6971b9916285dab28bd4b2.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\4f8a51b563e832c4660a2e674580d91dc46294447f6971b9916285dab28bd4b2.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\4f8a51b563e832c4660a2e674580d91dc46294447f6971b9916285dab28bd4b2.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\4f8a51b563e832c4660a2e674580d91dc46294447f6971b9916285dab28bd4b2.exe"
    - Checks whether UAC is enabled
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\explorer.exe
      Command line: "C:\Windows\system32\explorer.exe"
      - Adds Run key to start application
      - Drops file in Windows directory
      - Modifies Internet Explorer Phishing Filter
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\vssadmin.exe
        Command line: vssadmin.exe Delete Shadows /All /Quiet
        - Interacts with shadow copies
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\ProgramData\ywynugoxasijikec\01000000
  - Filesize: 554KB
  - MD5: 84f95ae4f57406b842d22518aaf5186a
  - SHA1: ad888ec5dfc94e07914dd31de150bffc64af3ee3
  - SHA256: fd375853a25a1173838b91c665ab8f8650e9695f6ea6549e60e1be26b61410e8
  - SHA512: 52648345db13fc987ba39042e449405d0944cd3608eae708dd26b66f433d58f01576ad97f6875f7c28fd091666ebacad674c93cac6ebaae57ca74154a65d21f2
- memory/888-79-0x0000000000000000-mapping.dmp
- memory/1016-54-0x0000000075501000-0x0000000075503000-memory.dmp (Filesize: 8KB)
- memory/1084-69-0x0000000000080000-0x00000000000BC000-memory.dmp (Filesize: 240KB)
- memory/1084-80-0x00000000721A1000-0x00000000721A3000-memory.dmp (Filesize: 8KB)
- memory/1084-78-0x0000000000080000-0x00000000000BC000-memory.dmp (Filesize: 240KB)
- memory/1084-75-0x0000000074781000-0x0000000074783000-memory.dmp (Filesize: 8KB)
- memory/1084-73-0x000000000009A160-mapping.dmp
- memory/1084-71-0x0000000000080000-0x00000000000BC000-memory.dmp (Filesize: 240KB)
- memory/1364-61-0x0000000000400000-0x000000000043A000-memory.dmp (Filesize: 232KB)
- memory/1364-68-0x0000000000400000-0x000000000043A000-memory.dmp (Filesize: 232KB)
- memory/1364-66-0x0000000000400000-0x000000000043A000-memory.dmp (Filesize: 232KB)
- memory/1364-64-0x0000000000400000-0x000000000043A000-memory.dmp (Filesize: 232KB)
- memory/1364-65-0x000000000040A61E-mapping.dmp
- memory/1364-77-0x0000000000400000-0x000000000043A000-memory.dmp (Filesize: 232KB)
- memory/1364-62-0x0000000000400000-0x000000000043A000-memory.dmp (Filesize: 232KB)
- memory/1364-60-0x0000000000400000-0x000000000043A000-memory.dmp (Filesize: 232KB)
- memory/1364-58-0x0000000000400000-0x000000000043A000-memory.dmp (Filesize: 232KB)
- memory/1364-55-0x0000000000400000-0x000000000043A000-memory.dmp (Filesize: 232KB)