Overview

overview

9

Static

static

8875763198...f2.exe

windows7-x64

8875763198...f2.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    145s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    23-11-2022 13:45

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    88757631988c9544b36f0212cf7cdf6c621d5005b99b64c238f4f7c487eb89f2.exe

  • Size

    706KB

  • MD5

    d5ae8a95a74e4e6c37e21ba2a4eefb09

  • SHA1

    c41fbff4e3639b2563eeb97f9a90d357a26d665c

  • SHA256

    88757631988c9544b36f0212cf7cdf6c621d5005b99b64c238f4f7c487eb89f2

  • SHA512

    a1c080195281c3b7cc6cd34cd07c1471c7abf9980b0f6b51f181bbea9055d1209c52cd46c201a365079a191c2ad9bc64907509bdcd1cc06201c6910fbadd1d71

  • SSDEEP

    12288:vdNxMB4UKc/WL6Ls5K0NGi5n6hft0TxssvHMpssp:LxDs/ZSG/feGsvHCr

Score
9/10
evasionpersistenceransomware

Malware Config

Signatures

  • Modifies boot configuration data using bcdedit 1 TTPs 10 IoCs
    ransomwareevasion
  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Deletes itself 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\88757631988c9544b36f0212cf7cdf6c621d5005b99b64c238f4f7c487eb89f2.exe
    "C:\Users\Admin\AppData\Local\Temp\88757631988c9544b36f0212cf7cdf6c621d5005b99b64c238f4f7c487eb89f2.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1280
    • C:\Users\Admin\AppData\Local\Temp\Sajy\idug.exe
      "C:\Users\Admin\AppData\Local\Temp\Sajy\idug.exe"
      2⤵
      • Drops file in Drivers directory
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2040
      • C:\Windows\system32\bcdedit.exe
        bcdedit.exe -set TESTSIGNING ON
        3⤵
        • Modifies boot configuration data using bcdedit
        PID:1724
      • C:\Windows\system32\bcdedit.exe
        bcdedit.exe -set TESTSIGNING ON
        3⤵
        • Modifies boot configuration data using bcdedit
        PID:1748
      • C:\Windows\system32\bcdedit.exe
        bcdedit.exe -set TESTSIGNING ON
        3⤵
        • Modifies boot configuration data using bcdedit
        PID:1736
      • C:\Windows\system32\bcdedit.exe
        bcdedit.exe -set TESTSIGNING ON
        3⤵
        • Modifies boot configuration data using bcdedit
        PID:892
      • C:\Windows\system32\bcdedit.exe
        bcdedit.exe -set TESTSIGNING ON
        3⤵
        • Modifies boot configuration data using bcdedit
        PID:1828
      • C:\Windows\system32\bcdedit.exe
        bcdedit.exe -set TESTSIGNING ON
        3⤵
        • Modifies boot configuration data using bcdedit
        PID:780
      • C:\Windows\system32\bcdedit.exe
        bcdedit.exe -set TESTSIGNING ON
        3⤵
        • Modifies boot configuration data using bcdedit
        PID:1976
      • C:\Windows\system32\bcdedit.exe
        bcdedit.exe -set TESTSIGNING ON
        3⤵
        • Modifies boot configuration data using bcdedit
        PID:1888
      • C:\Windows\system32\bcdedit.exe
        bcdedit.exe -set TESTSIGNING ON
        3⤵
        • Modifies boot configuration data using bcdedit
        PID:1072
      • C:\Windows\system32\bcdedit.exe
        bcdedit.exe -set TESTSIGNING ON
        3⤵
        • Modifies boot configuration data using bcdedit
        PID:1092
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MTP85E7.bat"
      2⤵
      • Deletes itself
      PID:1980
  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1252
    • C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      1⤵
        PID:1180
      • C:\Windows\system32\taskhost.exe
        "taskhost.exe"
        1⤵
          PID:1120
        • C:\Windows\system32\conhost.exe
          \??\C:\Windows\system32\conhost.exe "1337266008-137890683116212770901229295055834978131899851223-1336191529-856981535"
          1⤵
            PID:2012
          • C:\Windows\system32\LogonUI.exe
            "LogonUI.exe" /flags:0x0
            1⤵
              PID:872
            • C:\Windows\system32\LogonUI.exe
              "LogonUI.exe" /flags:0x1
              1⤵
                PID:1524

              Network

              MITRE ATT&CK Enterprise v6

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\MTP85E7.bat
                Filesize

                278B

                MD5

                29a2d840ad4335cc326095bb2bf0cb87

                SHA1

                a745875729ce3e5f10fa09806821be6cdcfa181d

                SHA256

                29997356cfe76b3a068f4a3861369afe022b4776eb99103c453b51a1da5c559a

                SHA512

                2ac244839ec6484987799129badc18660f47e54a76dcd604de08db03f962468a236dc8bba6271e23ab9fd123dc2f44c7634975da6eb7fb23a9bb4c11763889a5

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\Sajy\idug.exe
                Filesize

                706KB

                MD5

                6b1ffc7b412b4bd5ad0e9f96cc4dd187

                SHA1

                04fd1ab619223e054dcaa3f1ae0d2e6bf43da575

                SHA256

                492e0a85b3159d3b8c05c8726ae542fb079d710dd303606f2d6111c108e6b81e

                SHA512

                75717088bf90f1a03619ff7ce1dc6ddb412c8c54ad97a0d128f714620a4965101530e01e095dbc791df0f6c0ce79307790dee39abf90c4be44fd17ebda9cca3e

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\Sajy\idug.exe
                Filesize

                706KB

                MD5

                6b1ffc7b412b4bd5ad0e9f96cc4dd187

                SHA1

                04fd1ab619223e054dcaa3f1ae0d2e6bf43da575

                SHA256

                492e0a85b3159d3b8c05c8726ae542fb079d710dd303606f2d6111c108e6b81e

                SHA512

                75717088bf90f1a03619ff7ce1dc6ddb412c8c54ad97a0d128f714620a4965101530e01e095dbc791df0f6c0ce79307790dee39abf90c4be44fd17ebda9cca3e

                Download Submit

              • \Users\Admin\AppData\Local\Temp\Sajy\idug.exe
                Filesize

                706KB

                MD5

                6b1ffc7b412b4bd5ad0e9f96cc4dd187

                SHA1

                04fd1ab619223e054dcaa3f1ae0d2e6bf43da575

                SHA256

                492e0a85b3159d3b8c05c8726ae542fb079d710dd303606f2d6111c108e6b81e

                SHA512

                75717088bf90f1a03619ff7ce1dc6ddb412c8c54ad97a0d128f714620a4965101530e01e095dbc791df0f6c0ce79307790dee39abf90c4be44fd17ebda9cca3e

                Download Submit

              • memory/780-71-0x0000000000000000-mapping.dmp

                Download

              • memory/872-131-0x000007FEFB861000-0x000007FEFB863000-memory.dmp

                Filesize

                8KB

                Download

              • memory/892-68-0x0000000000000000-mapping.dmp

                Download

              • memory/1072-73-0x0000000000000000-mapping.dmp

                Download

              • memory/1092-72-0x0000000000000000-mapping.dmp

                Download

              • memory/1120-77-0x0000000001E90000-0x0000000001EF9000-memory.dmp

                Filesize

                420KB

                Download

              • memory/1120-75-0x0000000001E90000-0x0000000001EF9000-memory.dmp

                Filesize

                420KB

                Download

              • memory/1120-80-0x0000000001E90000-0x0000000001EF9000-memory.dmp

                Filesize

                420KB

                Download

              • memory/1120-79-0x0000000001E90000-0x0000000001EF9000-memory.dmp

                Filesize

                420KB

                Download

              • memory/1120-78-0x0000000001E90000-0x0000000001EF9000-memory.dmp

                Filesize

                420KB

                Download

              • memory/1180-86-0x00000000001A0000-0x0000000000209000-memory.dmp

                Filesize

                420KB

                Download

              • memory/1180-83-0x00000000001A0000-0x0000000000209000-memory.dmp

                Filesize

                420KB

                Download

              • memory/1180-84-0x00000000001A0000-0x0000000000209000-memory.dmp

                Filesize

                420KB

                Download

              • memory/1180-85-0x00000000001A0000-0x0000000000209000-memory.dmp

                Filesize

                420KB

                Download

              • memory/1252-91-0x0000000003E10000-0x0000000003E79000-memory.dmp

                Filesize

                420KB

                Download

              • memory/1252-89-0x0000000003E10000-0x0000000003E79000-memory.dmp

                Filesize

                420KB

                Download

              • memory/1252-92-0x0000000003E10000-0x0000000003E79000-memory.dmp

                Filesize

                420KB

                Download

              • memory/1252-90-0x0000000003E10000-0x0000000003E79000-memory.dmp

                Filesize

                420KB

                Download

              • memory/1280-104-0x000000006FFF0000-0x0000000070000000-memory.dmp

                Filesize

                64KB

                Download

              • memory/1280-103-0x000000006FFF0000-0x0000000070000000-memory.dmp

                Filesize

                64KB

                Download

              • memory/1280-101-0x000000006FFF0000-0x0000000070000000-memory.dmp

                Filesize

                64KB

                Download

              • memory/1280-105-0x00000000002B0000-0x0000000000319000-memory.dmp

                Filesize

                420KB

                Download

              • memory/1280-55-0x0000000074C41000-0x0000000074C43000-memory.dmp

                Filesize

                8KB

                Download

              • memory/1280-56-0x00000000004C0000-0x0000000000578000-memory.dmp

                Filesize

                736KB

                Download

              • memory/1280-100-0x000000006FFF0000-0x0000000070000000-memory.dmp

                Filesize

                64KB

                Download

              • memory/1280-99-0x000000006FFF0000-0x0000000070000000-memory.dmp

                Filesize

                64KB

                Download

              • memory/1280-54-0x00000000004C0000-0x0000000000578000-memory.dmp

                Filesize

                736KB

                Download

              • memory/1280-102-0x000000006FFF0000-0x0000000070000000-memory.dmp

                Filesize

                64KB

                Download

              • memory/1280-95-0x00000000002B0000-0x0000000000319000-memory.dmp

                Filesize

                420KB

                Download

              • memory/1280-96-0x00000000002B0000-0x0000000000319000-memory.dmp

                Filesize

                420KB

                Download

              • memory/1280-97-0x00000000002B0000-0x0000000000319000-memory.dmp

                Filesize

                420KB

                Download

              • memory/1280-98-0x00000000002B0000-0x0000000000319000-memory.dmp

                Filesize

                420KB

                Download

              • memory/1724-65-0x0000000000000000-mapping.dmp

                Download

              • memory/1736-67-0x0000000000000000-mapping.dmp

                Download

              • memory/1748-66-0x0000000000000000-mapping.dmp

                Download

              • memory/1828-69-0x0000000000000000-mapping.dmp

                Download

              • memory/1888-74-0x0000000000000000-mapping.dmp

                Download

              • memory/1976-70-0x0000000000000000-mapping.dmp

                Download

              • memory/1980-117-0x000000006FFF0000-0x0000000070000000-memory.dmp

                Filesize

                64KB

                Download

              • memory/1980-120-0x000000006FFF0000-0x0000000070000000-memory.dmp

                Filesize

                64KB

                Download

              • memory/1980-111-0x0000000000050000-0x00000000000B9000-memory.dmp

                Filesize

                420KB

                Download

              • memory/1980-110-0x0000000000050000-0x00000000000B9000-memory.dmp

                Filesize

                420KB

                Download

              • memory/1980-112-0x0000000000050000-0x00000000000B9000-memory.dmp

                Filesize

                420KB

                Download

              • memory/1980-123-0x0000000000050000-0x00000000000B9000-memory.dmp

                Filesize

                420KB

                Download

              • memory/1980-114-0x000000000008387C-mapping.dmp

                Download

              • memory/1980-116-0x000000006FFF0000-0x0000000070000000-memory.dmp

                Filesize

                64KB

                Download

              • memory/1980-122-0x000000006FFF0000-0x0000000070000000-memory.dmp

                Filesize

                64KB

                Download

              • memory/1980-118-0x000000006FFF0000-0x0000000070000000-memory.dmp

                Filesize

                64KB

                Download

              • memory/1980-119-0x000000006FFF0000-0x0000000070000000-memory.dmp

                Filesize

                64KB

                Download

              • memory/1980-108-0x0000000000050000-0x00000000000B9000-memory.dmp

                Filesize

                420KB

                Download

              • memory/1980-121-0x000000006FFF0000-0x0000000070000000-memory.dmp

                Filesize

                64KB

                Download

              • memory/2012-126-0x00000000001D0000-0x0000000000239000-memory.dmp

                Filesize

                420KB

                Download

              • memory/2012-127-0x00000000001D0000-0x0000000000239000-memory.dmp

                Filesize

                420KB

                Download

              • memory/2012-128-0x00000000001D0000-0x0000000000239000-memory.dmp

                Filesize

                420KB

                Download

              • memory/2012-129-0x00000000001D0000-0x0000000000239000-memory.dmp

                Filesize

                420KB

                Download

              • memory/2040-64-0x0000000000350000-0x0000000000356000-memory.dmp

                Filesize

                24KB

                Download

              • memory/2040-113-0x0000000000350000-0x0000000000356000-memory.dmp

                Filesize

                24KB

                Download

              • memory/2040-58-0x0000000000000000-mapping.dmp

                Download

              • memory/2040-62-0x0000000001D00000-0x0000000001DB8000-memory.dmp

                Filesize

                736KB

                Download