Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 20-05-2022 22:52
Static task: static1
Behavioral task: behavioral1
  Sample: ada5bc7937720a985b47a2e1ec53034b0f6d37ea0d5c01d551d871980804bce5.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: ada5bc7937720a985b47a2e1ec53034b0f6d37ea0d5c01d551d871980804bce5.exe
  Resource: win10v2004-20220414-en
General
- Target: ada5bc7937720a985b47a2e1ec53034b0f6d37ea0d5c01d551d871980804bce5.exe
- Size: 554KB
- MD5: 5d5a21b34a60312dd1b185c7c3ccc8ac
- SHA1: bf9d372b7dc50807b9dddc69aa1c3d4c36d91ed3
- SHA256: ada5bc7937720a985b47a2e1ec53034b0f6d37ea0d5c01d551d871980804bce5
- SHA512: d423e47189df4c837b4e28315bed2a7ece63b985f995db829dd0fff8e3ea76ecda5d08265b1aa1f91c6566905ad632f461a2076c92db2affb7be1204af57e83b
Malware Config
Signatures
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Process: explorer.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aqahisum = "\"C:\\Windows\\advsuryf.exe\"" | explorer.exe
- Checks whether UAC is enabled (1 IoCs)
  Process: ada5bc7937720a985b47a2e1ec53034b0f6d37ea0d5c01d551d871980804bce5.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | ada5bc7937720a985b47a2e1ec53034b0f6d37ea0d5c01d551d871980804bce5.exe
- Suspicious use of SetThreadContext (2 IoCs)
  Processes: ada5bc7937720a985b47a2e1ec53034b0f6d37ea0d5c01d551d871980804bce5.exe, ada5bc7937720a985b47a2e1ec53034b0f6d37ea0d5c01d551d871980804bce5.exe
  description | pid | process | target process
  PID 1516 set thread context of 288 | 1516 | ada5bc7937720a985b47a2e1ec53034b0f6d37ea0d5c01d551d871980804bce5.exe | ada5bc7937720a985b47a2e1ec53034b0f6d37ea0d5c01d551d871980804bce5.exe
  PID 288 set thread context of 968 | 288 | ada5bc7937720a985b47a2e1ec53034b0f6d37ea0d5c01d551d871980804bce5.exe | explorer.exe
- Drops file in Windows directory (2 IoCs)
  Process: explorer.exe
  description | ioc | process
  File opened for modification | C:\Windows\advsuryf.exe | explorer.exe
  File created | C:\Windows\advsuryf.exe | explorer.exe
- Interacts with shadow copies (2 TTPs, 1 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  pid | process
  1956 | vssadmin.exe
- Modifies Internet Explorer Phishing Filter (1 TTPs, 3 IoCs)
  Process: explorer.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\PhishingFilter | explorer.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV8 = "0" | explorer.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV9 = "0" | explorer.exe
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  pid | process
  1516 | ada5bc7937720a985b47a2e1ec53034b0f6d37ea0d5c01d551d871980804bce5.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Process: vssvc.exe
  description | pid | process
  Token: SeBackupPrivilege | 580 | vssvc.exe
  Token: SeRestorePrivilege | 580 | vssvc.exe
  Token: SeAuditPrivilege | 580 | vssvc.exe
- Suspicious use of WriteProcessMemory (20 IoCs)
  Processes: ada5bc7937720a985b47a2e1ec53034b0f6d37ea0d5c01d551d871980804bce5.exe, ada5bc7937720a985b47a2e1ec53034b0f6d37ea0d5c01d551d871980804bce5.exe, explorer.exe
  description | pid | process | target process | count
  PID 1516 wrote to memory of 288 | 1516 | ada5bc7937720a985b47a2e1ec53034b0f6d37ea0d5c01d551d871980804bce5.exe | ada5bc7937720a985b47a2e1ec53034b0f6d37ea0d5c01d551d871980804bce5.exe | 11
  PID 288 wrote to memory of 968 | 288 | ada5bc7937720a985b47a2e1ec53034b0f6d37ea0d5c01d551d871980804bce5.exe | explorer.exe | 5
  PID 968 wrote to memory of 1956 | 968 | explorer.exe | vssadmin.exe | 4
Processes
- C:\Users\Admin\AppData\Local\Temp\ada5bc7937720a985b47a2e1ec53034b0f6d37ea0d5c01d551d871980804bce5.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ada5bc7937720a985b47a2e1ec53034b0f6d37ea0d5c01d551d871980804bce5.exe"
  PID: 1516
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\ada5bc7937720a985b47a2e1ec53034b0f6d37ea0d5c01d551d871980804bce5.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\ada5bc7937720a985b47a2e1ec53034b0f6d37ea0d5c01d551d871980804bce5.exe"
    PID: 288
    - Checks whether UAC is enabled
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\explorer.exe
      Command line: "C:\Windows\system32\explorer.exe"
      PID: 968
      - Adds Run key to start application
      - Drops file in Windows directory
      - Modifies Internet Explorer Phishing Filter
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\vssadmin.exe
        Command line: vssadmin.exe Delete Shadows /All /Quiet
        PID: 1956
        - Interacts with shadow copies
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 580
  - Suspicious use of AdjustPrivilegeToken
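The process tree above is the detection-relevant part of this report: the sample respawns itself (1516 -> 288, with SetThreadContext and repeated WriteProcessMemory into the child), the child then starts explorer.exe and writes into it, and that explorer.exe instance drops C:\Windows\advsuryf.exe, registers it under HKLM\...\Run, disables the IE phishing filter and runs vssadmin.exe Delete Shadows /All /Quiet. Note that the injected shell is C:\Windows\SysWOW64\explorer.exe even though the command line says system32: the sample is a 32-bit process, so WoW64 file-system redirection resolved the path, and the 32-bit shell is itself a useful anomaly on a 64-bit host. The script below is an added example (not part of the sandbox report or its tooling) that turns those observations into correlation rules over a small constructed event stream. The flat event schema (kind, pid, ppid, image, cmdline, target, data) is a hypothetical simplification of Sysmon process-create, file-create and registry-set events, and every event in it is constructed from the tree and IoCs printed above.

```python
"""Behaviour triage over constructed process, registry and file events.

Added example for this report, not sandbox code. The flat Event schema is a
hypothetical simplification of Sysmon event IDs 1 (process create), 11 (file
create) and 13 (registry value set); EVENTS is constructed from the report.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Event:
    kind: str                  # "process", "file" or "registry"
    pid: int
    image: str                 # full path of the acting process
    ppid: Optional[int] = None
    cmdline: str = ""
    target: str = ""           # registry value path or file path acted on
    data: str = ""             # registry value data


SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\ada5bc7937720a985b47a2e1ec53034b0f6d37ea0d5c01d551d871980804bce5.exe")
EXPLORER32 = r"C:\Windows\SysWOW64\explorer.exe"
USER_SID = "S-1-5-21-1083475884-596052423-1669053738-1000"

# Constructed events mirroring the report's process tree and signature IoCs.
EVENTS = [
    Event("process", 1516, SAMPLE, cmdline=f'"{SAMPLE}"'),
    Event("process", 288, SAMPLE, ppid=1516, cmdline=f'"{SAMPLE}"'),
    Event("process", 968, EXPLORER32, ppid=288, cmdline=r'"C:\Windows\system32\explorer.exe"'),
    Event("process", 1956, r"C:\Windows\SysWOW64\vssadmin.exe", ppid=968,
          cmdline="vssadmin.exe Delete Shadows /All /Quiet"),
    Event("file", 968, EXPLORER32, target=r"C:\Windows\advsuryf.exe"),
    Event("registry", 968, EXPLORER32,
          target=r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aqahisum",
          data=r'"C:\Windows\advsuryf.exe"'),
    Event("registry", 968, EXPLORER32,
          target=rf"\REGISTRY\USER\{USER_SID}\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV8",
          data="0"),
    Event("registry", 968, EXPLORER32,
          target=rf"\REGISTRY\USER\{USER_SID}\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV9",
          data="0"),
    # Benign noise: the real 64-bit shell, started by a parent we hold no record of.
    Event("process", 4000, r"C:\Windows\explorer.exe", ppid=900, cmdline="explorer.exe"),
]

USER_WRITABLE = re.compile(r"^C:\\(Users|ProgramData)\\", re.IGNORECASE)
SHADOW_DELETE = re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.IGNORECASE)
RUN_KEY = "hklm\\software\\microsoft\\windows\\currentversion\\run\\"


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def hive_path(native: str) -> str:
    """Map the kernel-native \\REGISTRY\\... form used in the report to hive notation."""
    p = native.lower()
    return p.replace(r"\registry\machine", "hklm", 1).replace(r"\registry\user", "hku", 1)


def ancestry(pid: int, procs: Dict[int, Event]) -> List[str]:
    """Image basenames from pid up to the root we know about (loop-safe)."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(basename(procs[pid].image))
        pid = procs[pid].ppid
    return chain


def triage(events: List[Event]) -> Dict[str, list]:
    """Return {rule_name: [hits]} for the behaviours this report documents."""
    procs = {e.pid: e for e in events if e.kind == "process"}
    found = defaultdict(list)
    for e in events:
        if e.kind == "process":
            parent = procs.get(e.ppid)
            if SHADOW_DELETE.search(e.cmdline):
                found["shadow_copy_deletion"].append((e.pid, ancestry(e.pid, procs)))
            if parent and parent.image.lower() == e.image.lower():
                found["self_respawn"].append((parent.pid, e.pid))   # staging for injection
            if basename(e.image) == "explorer.exe":
                if parent and USER_WRITABLE.match(parent.image):
                    found["explorer_from_user_path"].append((parent.pid, e.pid))
                if "\\syswow64\\" in e.image.lower():
                    found["wow64_explorer"].append(e.pid)  # 32-bit shell via redirection
        elif e.kind == "registry":
            key = hive_path(e.target)
            if key.startswith(RUN_KEY):
                found["run_key"].append((e.pid, key.rsplit("\\", 1)[-1], e.data))
            if "\\phishingfilter\\enabledv" in key and e.data.strip() == "0":
                found["ie_phishing_filter_disabled"].append((e.pid, key.rsplit("\\", 1)[-1]))
    # Correlate: a Run value pointing at a file the same process created on disk.
    created = {(e.pid, e.target.lower()) for e in events if e.kind == "file"}
    for pid, name, data in found["run_key"]:
        path = data.strip().strip('"').lower()
        if (pid, path) in created:
            found["persistence_to_dropped_file"].append((pid, name, path))
    return dict(found)


if __name__ == "__main__":
    for rule, hits in triage(EVENTS).items():
        print(f"{rule}: {hits}")
```

The rules are deliberately structural rather than hash-based: the dropped file name (advsuryf.exe), the Run value name (aqahisum) and the ProgramData directory name in the Downloads section are all random-looking and will differ per infection, whereas "explorer.exe whose parent lives under C:\Users", "SysWOW64\explorer.exe on a 64-bit host" and "a Run value whose target was just written by the same process" survive those changes. The shadow-copy rule reports the full ancestry so an analyst can see that vssadmin was launched by the injected shell, not by an administrator.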
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\ProgramData\ywynugoxasijikec\01000000
  Filesize: 554KB
  MD5: f84960df38ee56c00c78e2a17c1852de
  SHA1: 76ed4eea76bfc1f98520832065aa14cdffc60cb7
  SHA256: 2ad86f451e6ac3cce46536a987238e5888fb0243e868ee78e65708185547e69a
  SHA512: 049f4a7c3b00963148a79d4c6b06ebf2d39b6d29e77c7e4f5b6671cc224da4a78be98c7e0bc70c30545822e944f07cd2a2de2701304dc966bbe356a1953660fb
- Memory dumps (file | filesize)
  memory/1516-54-0x00000000755A1000-0x00000000755A3000-memory.dmp | 8KB
  memory/288-55-0x0000000000400000-0x000000000043A000-memory.dmp | 232KB
  memory/288-58-0x0000000000400000-0x000000000043A000-memory.dmp | 232KB
  memory/288-60-0x0000000000400000-0x000000000043A000-memory.dmp | 232KB
  memory/288-61-0x0000000000400000-0x000000000043A000-memory.dmp | 232KB
  memory/288-62-0x0000000000400000-0x000000000043A000-memory.dmp | 232KB
  memory/288-64-0x0000000000400000-0x000000000043A000-memory.dmp | 232KB
  memory/288-65-0x000000000040A61E-mapping.dmp
  memory/288-66-0x0000000000400000-0x000000000043A000-memory.dmp | 232KB
  memory/288-68-0x0000000000400000-0x000000000043A000-memory.dmp | 232KB
  memory/288-77-0x0000000000400000-0x000000000043A000-memory.dmp | 232KB
  memory/968-69-0x0000000000080000-0x00000000000BC000-memory.dmp | 240KB
  memory/968-71-0x0000000000080000-0x00000000000BC000-memory.dmp | 240KB
  memory/968-73-0x000000000009A160-mapping.dmp
  memory/968-75-0x00000000746F1000-0x00000000746F3000-memory.dmp | 8KB
  memory/968-78-0x0000000000080000-0x00000000000BC000-memory.dmp | 240KB
  memory/968-80-0x00000000722A1000-0x00000000722A3000-memory.dmp | 8KB
  memory/1956-79-0x0000000000000000-mapping.dmp