7e474aa4807dac09934146459ef8ebd777b23124505f5de4db9ec22650ab0adf

Analysis

max time kernel
0s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
07/11/2022, 12:12

Sharing

Copy URL

Twitter E-mail

Reason

Reading agent response: read tcp 10.127.0.1:53254->10.127.0.33:8000: read: connection reset by peer

Report Analysis Logs

General

Target

Trojan-Ransom.Win32.Cidox.exe
Size

96KB
MD5

0888ece614f4b177b6375c1b0d97d8e8
SHA1

d1d7d9e22236228335f8badce3edc6984ef788ee
SHA256

7e474aa4807dac09934146459ef8ebd777b23124505f5de4db9ec22650ab0adf
SHA512

a1bc4e1338611d14f7513e164c62cf94c339eacf2adc970bb7897f6597714ad40a683ccc1d0d9c2e621ae0d0978a2362b15c4837d3d613796114af48b7dee676
SSDEEP

1536:9WPBQBlurUcbMXRrIQADQfOMEn03daQrA94jEMOC+y6nfULa8b1xo5:9WPqBUdMXVILQfIn03d/A94AMEnstJxS

Score

8^/10

persistence

Malware Config

Signatures

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ifhiike.dll	Trojan-Ransom.Win32.Cidox.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1600	Trojan-Ransom.Win32.Cidox.exe

C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Cidox.exe
"C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Cidox.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1600

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:896

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/896-56-0x000007FEFBB51000-0x000007FEFBB53000-memory.dmp

Filesize
8KB

Download
memory/1600-54-0x0000000001000000-0x0000000001019000-memory.dmp

Filesize
100KB

Download
memory/1600-55-0x0000000076461000-0x0000000076463000-memory.dmp

Filesize
8KB

Download
memory/1600-57-0x0000000001000000-0x0000000001019000-memory.dmp

Filesize
100KB

Download