Overview

overview

9

Static

static

aa8b46427e...a4.exe

windows7-x64

aa8b46427e...a4.exe

windows10-2004-x64

3

Analysis

  • max time kernel
    76s
  • max time network
    81s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    08-11-2022 02:00

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    aa8b46427e37969fcca8db8667c0c7f63276467a70dc739d1c5391fd2c3bc3a4.exe

  • Size

    471KB

  • MD5

    86d1807600b289f064bae30005145b5d

  • SHA1

    265e5ac12e7348a804f72857393a5b13e5843173

  • SHA256

    aa8b46427e37969fcca8db8667c0c7f63276467a70dc739d1c5391fd2c3bc3a4

  • SHA512

    c740c534a84c90489b6de2178ccdbe06adc957c2d6759e20de10ad7b00b795aefdbd3321e162c6b6cbff8064911101f3b9fe65665256290a1360660b27f65fe2

  • SSDEEP

    12288:zTloC1bARFKPLDt0/Fon3Tst8B6rOSKED:zTJAnWXt0/G3TstG6r9V

Score
9/10
evasionpersistenceransomware

Malware Config

Signatures

  • Modifies boot configuration data using bcdedit 1 TTPs 10 IoCs
    ransomwareevasion
  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Deletes itself 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1200
      • C:\Users\Admin\AppData\Local\Temp\aa8b46427e37969fcca8db8667c0c7f63276467a70dc739d1c5391fd2c3bc3a4.exe
        "C:\Users\Admin\AppData\Local\Temp\aa8b46427e37969fcca8db8667c0c7f63276467a70dc739d1c5391fd2c3bc3a4.exe"
        2⤵
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1044
        • C:\Users\Admin\AppData\Local\Temp\Ywohpa\kuedu.exe
          "C:\Users\Admin\AppData\Local\Temp\Ywohpa\kuedu.exe"
          3⤵
          • Drops file in Drivers directory
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1528
          • C:\Windows\system32\bcdedit.exe
            bcdedit.exe -set TESTSIGNING ON
            4⤵
            • Modifies boot configuration data using bcdedit
            PID:1988
          • C:\Windows\system32\bcdedit.exe
            bcdedit.exe -set TESTSIGNING ON
            4⤵
            • Modifies boot configuration data using bcdedit
            PID:2000
          • C:\Windows\system32\bcdedit.exe
            bcdedit.exe -set TESTSIGNING ON
            4⤵
            • Modifies boot configuration data using bcdedit
            PID:1944
          • C:\Windows\system32\bcdedit.exe
            bcdedit.exe -set TESTSIGNING ON
            4⤵
            • Modifies boot configuration data using bcdedit
            PID:1692
          • C:\Windows\system32\bcdedit.exe
            bcdedit.exe -set TESTSIGNING ON
            4⤵
            • Modifies boot configuration data using bcdedit
            PID:1440
          • C:\Windows\system32\bcdedit.exe
            bcdedit.exe -set TESTSIGNING ON
            4⤵
            • Modifies boot configuration data using bcdedit
            PID:1468
          • C:\Windows\system32\bcdedit.exe
            bcdedit.exe -set TESTSIGNING ON
            4⤵
            • Modifies boot configuration data using bcdedit
            PID:1404
          • C:\Windows\system32\bcdedit.exe
            bcdedit.exe -set TESTSIGNING ON
            4⤵
            • Modifies boot configuration data using bcdedit
            PID:1668
          • C:\Windows\system32\bcdedit.exe
            bcdedit.exe -set TESTSIGNING ON
            4⤵
            • Modifies boot configuration data using bcdedit
            PID:1252
          • C:\Windows\system32\bcdedit.exe
            bcdedit.exe -set TESTSIGNING ON
            4⤵
            • Modifies boot configuration data using bcdedit
            PID:2044
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TGV44EB.bat"
          3⤵
          • Deletes itself
          PID:2040
    • C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      1⤵
        PID:1172
      • C:\Windows\system32\taskhost.exe
        "taskhost.exe"
        1⤵
          PID:1100
        • C:\Windows\system32\LogonUI.exe
          "LogonUI.exe" /flags:0x0
          1⤵
            PID:856
          • C:\Windows\system32\LogonUI.exe
            "LogonUI.exe" /flags:0x1
            1⤵
              PID:1524

            Network

            MITRE ATT&CK Enterprise v6

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\TGV44EB.bat
              Filesize

              278B

              MD5

              e87b9a9daf93c54ca32305a5f1ef2959

              SHA1

              a4f0455f648e1c645c76ae99f5b3dbb7a2e65237

              SHA256

              bfc5089a2fbfd828d8996b9c3e7189df41001c80e3d25ccb90d099116f2a7722

              SHA512

              de3fbfc3e6a099a3dceeae8fa20f8da2ccb456a3fc15557eb83094fcdd6a6584629e7ba8593597cc3cedc32379c5d1bf5faf2f29fe32657b180b1bf567007caf

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\Ywohpa\kuedu.exe
              Filesize

              471KB

              MD5

              05b58568b9b5ad7ab652492c7b1714f1

              SHA1

              b32411d16d9e3843817cf725f21ffa0042773199

              SHA256

              2482bc4b2e73e1b03c09f05872e567473706f9c854c74c07595043679eed0e19

              SHA512

              1d03efea4bd71ee2f9b09f51619cf617d19a4a3a181564968e67b935490a32c351a3ea3a150ab4daeb4d5797398d28ab31f4b400a82143f529c3c25218999daf

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\Ywohpa\kuedu.exe
              Filesize

              471KB

              MD5

              05b58568b9b5ad7ab652492c7b1714f1

              SHA1

              b32411d16d9e3843817cf725f21ffa0042773199

              SHA256

              2482bc4b2e73e1b03c09f05872e567473706f9c854c74c07595043679eed0e19

              SHA512

              1d03efea4bd71ee2f9b09f51619cf617d19a4a3a181564968e67b935490a32c351a3ea3a150ab4daeb4d5797398d28ab31f4b400a82143f529c3c25218999daf

              Download Submit

            • \Users\Admin\AppData\Local\Temp\Ywohpa\kuedu.exe
              Filesize

              471KB

              MD5

              05b58568b9b5ad7ab652492c7b1714f1

              SHA1

              b32411d16d9e3843817cf725f21ffa0042773199

              SHA256

              2482bc4b2e73e1b03c09f05872e567473706f9c854c74c07595043679eed0e19

              SHA512

              1d03efea4bd71ee2f9b09f51619cf617d19a4a3a181564968e67b935490a32c351a3ea3a150ab4daeb4d5797398d28ab31f4b400a82143f529c3c25218999daf

              Download Submit

            • \Users\Admin\AppData\Local\Temp\Ywohpa\kuedu.exe
              Filesize

              471KB

              MD5

              05b58568b9b5ad7ab652492c7b1714f1

              SHA1

              b32411d16d9e3843817cf725f21ffa0042773199

              SHA256

              2482bc4b2e73e1b03c09f05872e567473706f9c854c74c07595043679eed0e19

              SHA512

              1d03efea4bd71ee2f9b09f51619cf617d19a4a3a181564968e67b935490a32c351a3ea3a150ab4daeb4d5797398d28ab31f4b400a82143f529c3c25218999daf

              Download Submit

            • memory/856-127-0x000007FEFC181000-0x000007FEFC183000-memory.dmp

              Filesize

              8KB

              Download

            • memory/1044-104-0x000000006FFF0000-0x0000000070000000-memory.dmp

              Filesize

              64KB

              Download

            • memory/1044-102-0x000000006FFF0000-0x0000000070000000-memory.dmp

              Filesize

              64KB

              Download

            • memory/1044-61-0x0000000000240000-0x0000000000284000-memory.dmp

              Filesize

              272KB

              Download

            • memory/1044-115-0x0000000002350000-0x00000000023BE000-memory.dmp

              Filesize

              440KB

              Download

            • memory/1044-114-0x0000000000400000-0x0000000000478000-memory.dmp

              Filesize

              480KB

              Download

            • memory/1044-112-0x0000000002350000-0x00000000023C8000-memory.dmp

              Filesize

              480KB

              Download

            • memory/1044-100-0x000000006FFF0000-0x0000000070000000-memory.dmp

              Filesize

              64KB

              Download

            • memory/1044-99-0x000000006FFF0000-0x0000000070000000-memory.dmp

              Filesize

              64KB

              Download

            • memory/1044-54-0x00000000756A1000-0x00000000756A3000-memory.dmp

              Filesize

              8KB

              Download

            • memory/1044-103-0x000000006FFF0000-0x0000000070000000-memory.dmp

              Filesize

              64KB

              Download

            • memory/1044-98-0x0000000002350000-0x00000000023BE000-memory.dmp

              Filesize

              440KB

              Download

            • memory/1044-62-0x0000000000400000-0x0000000000478000-memory.dmp

              Filesize

              480KB

              Download

            • memory/1044-97-0x0000000002350000-0x00000000023BE000-memory.dmp

              Filesize

              440KB

              Download

            • memory/1044-101-0x000000006FFF0000-0x0000000070000000-memory.dmp

              Filesize

              64KB

              Download

            • memory/1044-95-0x0000000002350000-0x00000000023BE000-memory.dmp

              Filesize

              440KB

              Download

            • memory/1044-96-0x0000000002350000-0x00000000023BE000-memory.dmp

              Filesize

              440KB

              Download

            • memory/1100-78-0x0000000001FA0000-0x000000000200E000-memory.dmp

              Filesize

              440KB

              Download

            • memory/1100-79-0x0000000001FA0000-0x000000000200E000-memory.dmp

              Filesize

              440KB

              Download

            • memory/1100-80-0x0000000001FA0000-0x000000000200E000-memory.dmp

              Filesize

              440KB

              Download

            • memory/1100-77-0x0000000001FA0000-0x000000000200E000-memory.dmp

              Filesize

              440KB

              Download

            • memory/1100-75-0x0000000001FA0000-0x000000000200E000-memory.dmp

              Filesize

              440KB

              Download

            • memory/1172-85-0x0000000001DE0000-0x0000000001E4E000-memory.dmp

              Filesize

              440KB

              Download

            • memory/1172-86-0x0000000001DE0000-0x0000000001E4E000-memory.dmp

              Filesize

              440KB

              Download

            • memory/1172-84-0x0000000001DE0000-0x0000000001E4E000-memory.dmp

              Filesize

              440KB

              Download

            • memory/1172-83-0x0000000001DE0000-0x0000000001E4E000-memory.dmp

              Filesize

              440KB

              Download

            • memory/1200-89-0x0000000002960000-0x00000000029CE000-memory.dmp

              Filesize

              440KB

              Download

            • memory/1200-90-0x0000000002960000-0x00000000029CE000-memory.dmp

              Filesize

              440KB

              Download

            • memory/1200-91-0x0000000002960000-0x00000000029CE000-memory.dmp

              Filesize

              440KB

              Download

            • memory/1200-92-0x0000000002960000-0x00000000029CE000-memory.dmp

              Filesize

              440KB

              Download

            • memory/1528-128-0x0000000000400000-0x0000000000478000-memory.dmp

              Filesize

              480KB

              Download

            • memory/1528-126-0x0000000000400000-0x0000000000478000-memory.dmp

              Filesize

              480KB

              Download

            • memory/1528-63-0x0000000000400000-0x0000000000478000-memory.dmp

              Filesize

              480KB

              Download

            • memory/1528-74-0x0000000000350000-0x0000000000356000-memory.dmp

              Filesize

              24KB

              Download

            • memory/2040-117-0x000000006FFF0000-0x0000000070000000-memory.dmp

              Filesize

              64KB

              Download

            • memory/2040-122-0x000000006FFF0000-0x0000000070000000-memory.dmp

              Filesize

              64KB

              Download

            • memory/2040-111-0x0000000000050000-0x00000000000BE000-memory.dmp

              Filesize

              440KB

              Download

            • memory/2040-118-0x000000006FFF0000-0x0000000070000000-memory.dmp

              Filesize

              64KB

              Download

            • memory/2040-119-0x000000006FFF0000-0x0000000070000000-memory.dmp

              Filesize

              64KB

              Download

            • memory/2040-120-0x000000006FFF0000-0x0000000070000000-memory.dmp

              Filesize

              64KB

              Download

            • memory/2040-121-0x000000006FFF0000-0x0000000070000000-memory.dmp

              Filesize

              64KB

              Download

            • memory/2040-123-0x000000006FFF0000-0x0000000070000000-memory.dmp

              Filesize

              64KB

              Download

            • memory/2040-110-0x0000000000050000-0x00000000000BE000-memory.dmp

              Filesize

              440KB

              Download

            • memory/2040-125-0x0000000000050000-0x00000000000BE000-memory.dmp

              Filesize

              440KB

              Download

            • memory/2040-109-0x0000000000050000-0x00000000000BE000-memory.dmp

              Filesize

              440KB

              Download

            • memory/2040-107-0x0000000000050000-0x00000000000BE000-memory.dmp

              Filesize

              440KB

              Download