Overview

overview

9

Static

static

8dce9befaa...d1.exe

windows7_x64

9

8dce9befaa...d1.exe

windows10-2004_x64

3

Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    21-05-2022 00:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8dce9befaa51ee919dc115772ad0b02e21612a0ccd3170e1343d006ded547bd1.exe

  • Size

    554KB

  • MD5

    11e2eb31409121c02eefab8dbc1a7b46

  • SHA1

    0a58b8aa227aaec32d26ef2b6281108d95d4e255

  • SHA256

    8dce9befaa51ee919dc115772ad0b02e21612a0ccd3170e1343d006ded547bd1

  • SHA512

    e6a5565b73d22cbe46547dc5cf79c4e6d46b43d1f5c687bd84236916c856d2173970da83b013bcabe830eb58aaac2d4821a785aea166933eba1ad1ab8a90d332

Score
9/10
evasionpersistenceransomwaretrojan

Malware Config

Signatures

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies Internet Explorer Phishing Filter 1 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8dce9befaa51ee919dc115772ad0b02e21612a0ccd3170e1343d006ded547bd1.exe
    "C:\Users\Admin\AppData\Local\Temp\8dce9befaa51ee919dc115772ad0b02e21612a0ccd3170e1343d006ded547bd1.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:824
    • C:\Users\Admin\AppData\Local\Temp\8dce9befaa51ee919dc115772ad0b02e21612a0ccd3170e1343d006ded547bd1.exe
      "C:\Users\Admin\AppData\Local\Temp\8dce9befaa51ee919dc115772ad0b02e21612a0ccd3170e1343d006ded547bd1.exe"
      2⤵
      • Checks whether UAC is enabled
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:1456
      • C:\Windows\SysWOW64\explorer.exe
        "C:\Windows\system32\explorer.exe"
        3⤵
        • Adds Run key to start application
        • Drops file in Windows directory
        • Modifies Internet Explorer Phishing Filter
        • Suspicious use of WriteProcessMemory
        PID:1784
        • C:\Windows\SysWOW64\vssadmin.exe
          vssadmin.exe Delete Shadows /All /Quiet
          4⤵
          • Interacts with shadow copies
          PID:468
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1724

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\ywynugoxasijikec\01000000
    Filesize

    554KB

    MD5

    6fc8b82e0a6b3eb49c080e6405fbef18

    SHA1

    f60e963a696bbe07c5c43c137ea31f381fe7b69c

    SHA256

    b90181a96b587d485d1b4138c02c023508e9cda12f4823cdf90a9105aa36604a

    SHA512

    61773b4b32729001ac45fd1e0f93c032da45b91591bd3834ca2f2064fb9c30f5799c0aeedffd1f6bb02c599ff404c08afa50ee89040ab0589ea8c96dcbdaa29d

    Download Submit
  • memory/468-79-0x0000000000000000-mapping.dmp
    Download
  • memory/824-54-0x0000000075741000-0x0000000075743000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1456-66-0x0000000000400000-0x000000000043A000-memory.dmp
    Filesize

    232KB

    Download
  • memory/1456-76-0x0000000000400000-0x000000000043A000-memory.dmp
    Filesize

    232KB

    Download
  • memory/1456-58-0x0000000000400000-0x000000000043A000-memory.dmp
    Filesize

    232KB

    Download
  • memory/1456-55-0x0000000000400000-0x000000000043A000-memory.dmp
    Filesize

    232KB

    Download
  • memory/1456-65-0x000000000040A61E-mapping.dmp
    Download
  • memory/1456-61-0x0000000000400000-0x000000000043A000-memory.dmp
    Filesize

    232KB

    Download
  • memory/1456-68-0x0000000000400000-0x000000000043A000-memory.dmp
    Filesize

    232KB

    Download
  • memory/1456-60-0x0000000000400000-0x000000000043A000-memory.dmp
    Filesize

    232KB

    Download
  • memory/1456-64-0x0000000000400000-0x000000000043A000-memory.dmp
    Filesize

    232KB

    Download
  • memory/1456-62-0x0000000000400000-0x000000000043A000-memory.dmp
    Filesize

    232KB

    Download
  • memory/1784-69-0x00000000000C0000-0x00000000000FC000-memory.dmp
    Filesize

    240KB

    Download
  • memory/1784-75-0x00000000753F1000-0x00000000753F3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1784-73-0x00000000000DA160-mapping.dmp
    Download
  • memory/1784-78-0x00000000000C0000-0x00000000000FC000-memory.dmp
    Filesize

    240KB

    Download
  • memory/1784-71-0x00000000000C0000-0x00000000000FC000-memory.dmp
    Filesize

    240KB

    Download
  • memory/1784-80-0x0000000072EA1000-0x0000000072EA3000-memory.dmp
    Filesize

    8KB

    Download