Analysis
max time kernel: 150s
max time network: 153s
platform: windows7_x64
resource: win7-20220414-en
submitted: 21-05-2022 00:11
Static task: static1
Behavioral task: behavioral1
  Sample: 8dce9befaa51ee919dc115772ad0b02e21612a0ccd3170e1343d006ded547bd1.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 8dce9befaa51ee919dc115772ad0b02e21612a0ccd3170e1343d006ded547bd1.exe
  Resource: win10v2004-20220414-en
General
Target: 8dce9befaa51ee919dc115772ad0b02e21612a0ccd3170e1343d006ded547bd1.exe
Size: 554KB
MD5: 11e2eb31409121c02eefab8dbc1a7b46
SHA1: 0a58b8aa227aaec32d26ef2b6281108d95d4e255
SHA256: 8dce9befaa51ee919dc115772ad0b02e21612a0ccd3170e1343d006ded547bd1
SHA512: e6a5565b73d22cbe46547dc5cf79c4e6d46b43d1f5c687bd84236916c856d2173970da83b013bcabe830eb58aaac2d4821a785aea166933eba1ad1ab8a90d332
Malware Config
Signatures
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes: explorer.exe
  description        ioc                                                                                             process
  Key created        \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run                                 explorer.exe
  Set value (str)    \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ohumaren = "\"C:\\Windows\\ohuwozub.exe\""    explorer.exe
-
Checks whether UAC is enabled
Processes: 8dce9befaa51ee919dc115772ad0b02e21612a0ccd3170e1343d006ded547bd1.exe
  description          ioc                                                                                  process
  Key value queried    \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA    8dce9befaa51ee919dc115772ad0b02e21612a0ccd3170e1343d006ded547bd1.exe
-
Suspicious use of SetThreadContext 2 IoCs
Processes: 8dce9befaa51ee919dc115772ad0b02e21612a0ccd3170e1343d006ded547bd1.exe, 8dce9befaa51ee919dc115772ad0b02e21612a0ccd3170e1343d006ded547bd1.exe
  description                            pid     process                                                                    target process
  PID 824 set thread context of 1456     824     8dce9befaa51ee919dc115772ad0b02e21612a0ccd3170e1343d006ded547bd1.exe    8dce9befaa51ee919dc115772ad0b02e21612a0ccd3170e1343d006ded547bd1.exe
  PID 1456 set thread context of 1784    1456    8dce9befaa51ee919dc115772ad0b02e21612a0ccd3170e1343d006ded547bd1.exe    explorer.exe
-
Drops file in Windows directory 2 IoCs
Processes: explorer.exe
  description                     ioc                          process
  File opened for modification    C:\Windows\ohuwozub.exe      explorer.exe
  File created                    C:\Windows\ohuwozub.exe      explorer.exe
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes: vssadmin.exe
  pid    process
  468    vssadmin.exe
-
Modifies Internet Explorer Phishing Filter 1 TTPs 3 IoCs
Processes: explorer.exe
  description        ioc                                                                                                                         process
  Key created        \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\PhishingFilter                  explorer.exe
  Set value (int)    \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV8 = "0"    explorer.exe
  Set value (int)    \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV9 = "0"    explorer.exe
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes: 8dce9befaa51ee919dc115772ad0b02e21612a0ccd3170e1343d006ded547bd1.exe
  pid    process
  824    8dce9befaa51ee919dc115772ad0b02e21612a0ccd3170e1343d006ded547bd1.exe
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes: vssvc.exe
  description                    pid     process
  Token: SeBackupPrivilege       1724    vssvc.exe
  Token: SeRestorePrivilege      1724    vssvc.exe
  Token: SeAuditPrivilege        1724    vssvc.exe
-
Suspicious use of WriteProcessMemory 20 IoCs
Processes: 8dce9befaa51ee919dc115772ad0b02e21612a0ccd3170e1343d006ded547bd1.exe, 8dce9befaa51ee919dc115772ad0b02e21612a0ccd3170e1343d006ded547bd1.exe, explorer.exe
  description                         pid     process                                                                    target process                                                             entries
  PID 824 wrote to memory of 1456     824     8dce9befaa51ee919dc115772ad0b02e21612a0ccd3170e1343d006ded547bd1.exe    8dce9befaa51ee919dc115772ad0b02e21612a0ccd3170e1343d006ded547bd1.exe    11 identical
  PID 1456 wrote to memory of 1784    1456    8dce9befaa51ee919dc115772ad0b02e21612a0ccd3170e1343d006ded547bd1.exe    explorer.exe                                                               5 identical
  PID 1784 wrote to memory of 468     1784    explorer.exe                                                               vssadmin.exe                                                               4 identical
Processes
-
C:\Users\Admin\AppData\Local\Temp\8dce9befaa51ee919dc115772ad0b02e21612a0ccd3170e1343d006ded547bd1.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\8dce9befaa51ee919dc115772ad0b02e21612a0ccd3170e1343d006ded547bd1.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 824
  C:\Users\Admin\AppData\Local\Temp\8dce9befaa51ee919dc115772ad0b02e21612a0ccd3170e1343d006ded547bd1.exe (level 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\8dce9befaa51ee919dc115772ad0b02e21612a0ccd3170e1343d006ded547bd1.exe"
    - Checks whether UAC is enabled
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID: 1456
    C:\Windows\SysWOW64\explorer.exe (level 3)
      Command line: "C:\Windows\system32\explorer.exe"
      - Adds Run key to start application
      - Drops file in Windows directory
      - Modifies Internet Explorer Phishing Filter
      - Suspicious use of WriteProcessMemory
      PID: 1784
      C:\Windows\SysWOW64\vssadmin.exe (level 4)
        Command line: vssadmin.exe Delete Shadows /All /Quiet
        - Interacts with shadow copies
        PID: 468
-
C:\Windows\system32\vssvc.exe (level 1)
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
  PID: 1724
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\ProgramData\ywynugoxasijikec\01000000
  Filesize: 554KB
  MD5: 6fc8b82e0a6b3eb49c080e6405fbef18
  SHA1: f60e963a696bbe07c5c43c137ea31f381fe7b69c
  SHA256: b90181a96b587d485d1b4138c02c023508e9cda12f4823cdf90a9105aa36604a
  SHA512: 61773b4b32729001ac45fd1e0f93c032da45b91591bd3834ca2f2064fb9c30f5799c0aeedffd1f6bb02c599ff404c08afa50ee89040ab0589ea8c96dcbdaa29d
-
memory/468-79-0x0000000000000000-mapping.dmp
-
memory/824-54-0x0000000075741000-0x0000000075743000-memory.dmp
  Filesize: 8KB
-
memory/1456-66-0x0000000000400000-0x000000000043A000-memory.dmp
  Filesize: 232KB
-
memory/1456-76-0x0000000000400000-0x000000000043A000-memory.dmp
  Filesize: 232KB
-
memory/1456-58-0x0000000000400000-0x000000000043A000-memory.dmp
  Filesize: 232KB
-
memory/1456-55-0x0000000000400000-0x000000000043A000-memory.dmp
  Filesize: 232KB
-
memory/1456-65-0x000000000040A61E-mapping.dmp
-
memory/1456-61-0x0000000000400000-0x000000000043A000-memory.dmp
  Filesize: 232KB
-
memory/1456-68-0x0000000000400000-0x000000000043A000-memory.dmp
  Filesize: 232KB
-
memory/1456-60-0x0000000000400000-0x000000000043A000-memory.dmp
  Filesize: 232KB
-
memory/1456-64-0x0000000000400000-0x000000000043A000-memory.dmp
  Filesize: 232KB
-
memory/1456-62-0x0000000000400000-0x000000000043A000-memory.dmp
  Filesize: 232KB
-
memory/1784-69-0x00000000000C0000-0x00000000000FC000-memory.dmp
  Filesize: 240KB
-
memory/1784-75-0x00000000753F1000-0x00000000753F3000-memory.dmp
  Filesize: 8KB
-
memory/1784-73-0x00000000000DA160-mapping.dmp
-
memory/1784-78-0x00000000000C0000-0x00000000000FC000-memory.dmp
  Filesize: 240KB
-
memory/1784-71-0x00000000000C0000-0x00000000000FC000-memory.dmp
  Filesize: 240KB
-
memory/1784-80-0x0000000072EA1000-0x0000000072EA3000-memory.dmp
  Filesize: 8KB