Analysis
max time kernel
102s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags
arch:x64 arch:x86 image:win10v2004-20220812-en locale:en-us os:windows10-2004-x64 system
submitted
10-10-2022 13:38
Static task
static1
General
Target
takcrowneu2.1.exe
Size
884KB
MD5
1d21b93f7f98b71f70cf052f70c8bda0
SHA1
3a3bea376a76d68311e0046fef8792c52e6025c1
SHA256
b78bcdb4ddc36aa5b190fe6fa1e867a1be3c70ba84a9d6caf6117973a3ca5a2f
SHA512
edd77182bf7f823d0de28ba5dcd0d20ae6e92818de717385670d253650497cbf35bd85a9c252f1433c2350b1a6d941ffbfe455f99f1db1cd0f717f5f176de613
SSDEEP
24576:kNbB3QTZkNiNdjaSEM7j5Kjil50RuBv7/QcSOlj:09ATZkNiNdjaSEM7j5Kji4MhjQcSOlj
Malware Config
Signatures

Executes dropped EXE 1 IoCs
Processes: yuhlz.exe
pid process
5080 yuhlz.exe

Loads dropped DLL 1 IoCs
Processes: yuhlz.exe
pid process
1892 yuhlz.exe

Adds Run key to start application 2 TTPs 1 IoCs
Processes: yuhlz.exe
description ioc process
Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lnylvotlea = "C:\\Users\\Admin\\AppData\\Roaming\\wfqru\\rlfiugvdke.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\yuhlz.exe\"" yuhlz.exe

Checks whether UAC is enabled 1 IoCs
Processes: yuhlz.exe
description ioc process
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA yuhlz.exe

Suspicious use of SetThreadContext 1 IoCs
Processes: yuhlz.exe
description pid process target process
PID 5080 set thread context of 1892 5080 yuhlz.exe yuhlz.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash 1 IoCs
Processes: WerFault.exe
pid pid_target process target process
1488 5080 WerFault.exe yuhlz.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes: yuhlz.exe
pid process
1892 yuhlz.exe
1892 yuhlz.exe
1892 yuhlz.exe
1892 yuhlz.exe
1892 yuhlz.exe
1892 yuhlz.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: yuhlz.exe
pid process
1892 yuhlz.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes: yuhlz.exe
description pid process
Token: SeDebugPrivilege 1892 yuhlz.exe

Suspicious use of WriteProcessMemory 7 IoCs
Processes: takcrowneu2.1.exe, yuhlz.exe
description pid process target process
PID 5008 wrote to memory of 5080 5008 takcrowneu2.1.exe yuhlz.exe
PID 5008 wrote to memory of 5080 5008 takcrowneu2.1.exe yuhlz.exe
PID 5008 wrote to memory of 5080 5008 takcrowneu2.1.exe yuhlz.exe
PID 5080 wrote to memory of 1892 5080 yuhlz.exe yuhlz.exe
PID 5080 wrote to memory of 1892 5080 yuhlz.exe yuhlz.exe
PID 5080 wrote to memory of 1892 5080 yuhlz.exe yuhlz.exe
PID 5080 wrote to memory of 1892 5080 yuhlz.exe yuhlz.exe
Processes

C:\Users\Admin\AppData\Local\Temp\takcrowneu2.1.exe
"C:\Users\Admin\AppData\Local\Temp\takcrowneu2.1.exe"
- Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\yuhlz.exe
    "C:\Users\Admin\AppData\Local\Temp\yuhlz.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\yuhlz.exe
        "C:\Users\Admin\AppData\Local\Temp\yuhlz.exe"
        - Loads dropped DLL
        - Checks whether UAC is enabled
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of AdjustPrivilegeToken

        C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 5080 -s 564
        - Program crash

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 5080 -ip 5080
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\dclcgtroxoc.sd
Filesize 280KB
MD5 fd2caf04742669d5011034a902b46f1b
SHA1 b3e66b8bdb3cb7a7bc2a4c713d3e0dc6395853ab
SHA256 cb4a7a233c6ba428b533bdba4d7e8bc1cb034d336224e477bb5995b42803108d
SHA512 319877b7432e7eb2febb318e47aad9809688357e39352f5e2ffb27761acffee2f2275ca6dc89055dcc122fb97d9f75856562a9cbbfa3878da758dfcca7e70261

C:\Users\Admin\AppData\Local\Temp\yuhlz.exe
Filesize 123KB
MD5 4ac8ce3af17e0db03c02abd01f9f33f8
SHA1 3ca64bd42cc6a62c8bd8909ae6b8e3e6e7e1895b
SHA256 07dbcb2e97f0b244f07536acf856bfa122f1a88e36cd660f9ae813c6b8585eb7
SHA512 655d804404242aaf58245aaba688da6ded23d3c1b9d658489d0444e71a355419f8873547fc6094a3b11d6f7c66064118402d827ef0690150dcf5445b3ae39889

C:\Users\Admin\AppData\Local\Temp\yvmcykf.e
Filesize 6KB
MD5 213d69cc16a62973d466ca2221b03375
SHA1 66fe1c42904c396bb13059f790b2fe8f93be009f
SHA256 66d7cbb7ae6a2214efca3ae2e0f697d99cd37d0d78ae3c8c35971ad315e40aea
SHA512 54def173682c1926d4d6defb602aedec460398be572294ebf6180eca3081b2a8b5cd0a36904af1457681a667af63aa55ed1f4e2fc02170d19d4404276be4a5e3

memory/1892-137-0x0000000000000000-mapping.dmp

memory/1892-139-0x00000000059A0000-0x0000000005F44000-memory.dmp
Filesize 5.6MB

memory/1892-140-0x0000000005490000-0x0000000005522000-memory.dmp
Filesize 584KB

memory/1892-141-0x0000000005530000-0x00000000055CC000-memory.dmp
Filesize 624KB

memory/1892-142-0x0000000005470000-0x000000000547A000-memory.dmp
Filesize 40KB

memory/1892-143-0x0000000006EB0000-0x0000000006F16000-memory.dmp
Filesize 408KB

memory/5080-132-0x0000000000000000-mapping.dmp