ec1989a30dfeb528f9c9835eed237cbba01d1b5f1dca23c9aea532c2bb93297d

Analysis

max time kernel
0s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
07/11/2022, 13:15

Sharing

Copy URL

Twitter E-mail

Reason

Reading agent response: read tcp 10.127.0.1:36042->10.127.0.30:8000: read: connection reset by peer

Report Analysis Logs

General

Target

Trojan-Ransom.Win32.Cidox.exe
Size

88KB
MD5

9ca9ab9961584999750d2589624cc6cc
SHA1

c914b20e9b88bb165270179cabf81da7eaad0771
SHA256

ec1989a30dfeb528f9c9835eed237cbba01d1b5f1dca23c9aea532c2bb93297d
SHA512

c0bc2c7a99593a1111576488f8ec940d194daea37a794f80a1df9dc114ed111aeae5079d6b46728de78caba4dd98be2e9f6c1c333445864887719bc512b850cd
SSDEEP

1536:jAK81LLuoYceJWCS+2HBQY5X4WuH8aC4pgumuJR/dKgQnv1ffA241K7o:kK81LL3AWCKHBQI/ucaCjQJR/djQv1Hc

Score

8^/10

persistence

Malware Config

Signatures

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\tqszfhi.dll	Trojan-Ransom.Win32.Cidox.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1600	Trojan-Ransom.Win32.Cidox.exe

C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Cidox.exe
"C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Cidox.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1600

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:872

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/872-57-0x000007FEFB781000-0x000007FEFB783000-memory.dmp

Filesize
8KB

Download
memory/1600-54-0x0000000001000000-0x0000000001017000-memory.dmp

Filesize
92KB

Download
memory/1600-55-0x00000000752B1000-0x00000000752B3000-memory.dmp

Filesize
8KB

Download
memory/1600-56-0x0000000001000000-0x0000000001017000-memory.dmp

Filesize
92KB

Download