8ebbf4037d4df7fd23f076448d4ca93d61857bf6be6ee4d130fe6c176bb34f69

Analysis

max time kernel
87s
max time network
87s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23/11/2022, 19:06

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

8ebbf4037d4df7fd23f076448d4ca93d61857bf6be6ee4d130fe6c176bb34f69.exe
Size

569KB
MD5

4e66f4af565563d95fe443d36dca93a0
SHA1

81ea30f87ae9e096e8bafeab1affbd5e1c0ba51f
SHA256

8ebbf4037d4df7fd23f076448d4ca93d61857bf6be6ee4d130fe6c176bb34f69
SHA512

d6cdffe8d59a5d752b29446475fb7ec1f79e968898f2ffc5920a44c216d13fb1f1c4040e2951b0825d5574cf2d5b0c3994ecd876dbc7ac7a5bc64c6140982fbf
SSDEEP

12288:L0GRcmZ828Z0Nq5JlozbAMmopzRW92wMU4M:5Rq/Z0Nilozbvm2Rc25LM

Score

9^/10

evasion persistence ransomware upx

Malware Config

Signatures

Modifies boot configuration data using bcdedit 1 TTPs 10 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
1600	bcdedit.exe
668	bcdedit.exe
948	bcdedit.exe
1532	bcdedit.exe
744	bcdedit.exe
1740	bcdedit.exe
432	bcdedit.exe
1080	bcdedit.exe
1076	bcdedit.exe
664	bcdedit.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\6c2d77.sys	cD02400PhOpN02400.exe

Executes dropped EXE 2 IoCs

pid	Process
1820	cD02400PhOpN02400.exe
1716	cD02400PhOpN02400.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1520-55-0x0000000000400000-0x00000000004D5000-memory.dmp	upx
behavioral1/memory/1820-62-0x0000000000400000-0x00000000004D5000-memory.dmp	upx
behavioral1/memory/1520-68-0x0000000000400000-0x00000000004D5000-memory.dmp	upx
behavioral1/memory/1716-71-0x0000000000400000-0x00000000004D5000-memory.dmp	upx
behavioral1/memory/1820-74-0x0000000000400000-0x00000000004D5000-memory.dmp	upx
behavioral1/memory/1716-76-0x0000000000400000-0x00000000004D5000-memory.dmp	upx
behavioral1/memory/1716-89-0x0000000000400000-0x00000000004D5000-memory.dmp	upx

Deletes itself 1 IoCs

pid	Process
1716	cD02400PhOpN02400.exe

Loads dropped DLL 3 IoCs

pid	Process
1520	8ebbf4037d4df7fd23f076448d4ca93d61857bf6be6ee4d130fe6c176bb34f69.exe
1520	8ebbf4037d4df7fd23f076448d4ca93d61857bf6be6ee4d130fe6c176bb34f69.exe
1520	8ebbf4037d4df7fd23f076448d4ca93d61857bf6be6ee4d130fe6c176bb34f69.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\cD02400PhOpN02400 = "C:\\ProgramData\\cD02400PhOpN02400\\cD02400PhOpN02400.exe"	cD02400PhOpN02400.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1520	8ebbf4037d4df7fd23f076448d4ca93d61857bf6be6ee4d130fe6c176bb34f69.exe
1520	8ebbf4037d4df7fd23f076448d4ca93d61857bf6be6ee4d130fe6c176bb34f69.exe
1520	8ebbf4037d4df7fd23f076448d4ca93d61857bf6be6ee4d130fe6c176bb34f69.exe
1820	cD02400PhOpN02400.exe
1820	cD02400PhOpN02400.exe
1820	cD02400PhOpN02400.exe
1716	cD02400PhOpN02400.exe
1820	cD02400PhOpN02400.exe
1716	cD02400PhOpN02400.exe
1820	cD02400PhOpN02400.exe
1716	cD02400PhOpN02400.exe
1820	cD02400PhOpN02400.exe
1716	cD02400PhOpN02400.exe
1820	cD02400PhOpN02400.exe
1716	cD02400PhOpN02400.exe
1820	cD02400PhOpN02400.exe
1716	cD02400PhOpN02400.exe
1820	cD02400PhOpN02400.exe
1716	cD02400PhOpN02400.exe
1820	cD02400PhOpN02400.exe
1716	cD02400PhOpN02400.exe
1820	cD02400PhOpN02400.exe
1716	cD02400PhOpN02400.exe
1820	cD02400PhOpN02400.exe
1716	cD02400PhOpN02400.exe
1820	cD02400PhOpN02400.exe
1716	cD02400PhOpN02400.exe
1820	cD02400PhOpN02400.exe
1716	cD02400PhOpN02400.exe
1820	cD02400PhOpN02400.exe
1716	cD02400PhOpN02400.exe
1820	cD02400PhOpN02400.exe
1716	cD02400PhOpN02400.exe
1820	cD02400PhOpN02400.exe
1716	cD02400PhOpN02400.exe
1820	cD02400PhOpN02400.exe
1716	cD02400PhOpN02400.exe
1820	cD02400PhOpN02400.exe
1716	cD02400PhOpN02400.exe
1820	cD02400PhOpN02400.exe
1716	cD02400PhOpN02400.exe
1820	cD02400PhOpN02400.exe
1716	cD02400PhOpN02400.exe
1820	cD02400PhOpN02400.exe
1716	cD02400PhOpN02400.exe
1820	cD02400PhOpN02400.exe
1716	cD02400PhOpN02400.exe
1820	cD02400PhOpN02400.exe
1716	cD02400PhOpN02400.exe
1820	cD02400PhOpN02400.exe
1716	cD02400PhOpN02400.exe
1820	cD02400PhOpN02400.exe
1716	cD02400PhOpN02400.exe
1820	cD02400PhOpN02400.exe
1716	cD02400PhOpN02400.exe
1820	cD02400PhOpN02400.exe
1716	cD02400PhOpN02400.exe
1820	cD02400PhOpN02400.exe
1716	cD02400PhOpN02400.exe
1820	cD02400PhOpN02400.exe
1716	cD02400PhOpN02400.exe
1820	cD02400PhOpN02400.exe
1716	cD02400PhOpN02400.exe
1820	cD02400PhOpN02400.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
460	Process not Found

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1520	8ebbf4037d4df7fd23f076448d4ca93d61857bf6be6ee4d130fe6c176bb34f69.exe
Token: SeDebugPrivilege	1820	cD02400PhOpN02400.exe
Token: SeDebugPrivilege	1716	cD02400PhOpN02400.exe
Token: SeShutdownPrivilege	1716	cD02400PhOpN02400.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 1520 wrote to memory of 1820	1520	8ebbf4037d4df7fd23f076448d4ca93d61857bf6be6ee4d130fe6c176bb34f69.exe	28
PID 1520 wrote to memory of 1820	1520	8ebbf4037d4df7fd23f076448d4ca93d61857bf6be6ee4d130fe6c176bb34f69.exe	28
PID 1520 wrote to memory of 1820	1520	8ebbf4037d4df7fd23f076448d4ca93d61857bf6be6ee4d130fe6c176bb34f69.exe	28
PID 1520 wrote to memory of 1820	1520	8ebbf4037d4df7fd23f076448d4ca93d61857bf6be6ee4d130fe6c176bb34f69.exe	28
PID 1520 wrote to memory of 1716	1520	8ebbf4037d4df7fd23f076448d4ca93d61857bf6be6ee4d130fe6c176bb34f69.exe	29
PID 1520 wrote to memory of 1716	1520	8ebbf4037d4df7fd23f076448d4ca93d61857bf6be6ee4d130fe6c176bb34f69.exe	29
PID 1520 wrote to memory of 1716	1520	8ebbf4037d4df7fd23f076448d4ca93d61857bf6be6ee4d130fe6c176bb34f69.exe	29
PID 1520 wrote to memory of 1716	1520	8ebbf4037d4df7fd23f076448d4ca93d61857bf6be6ee4d130fe6c176bb34f69.exe	29
PID 1716 wrote to memory of 1600	1716	cD02400PhOpN02400.exe	32
PID 1716 wrote to memory of 1600	1716	cD02400PhOpN02400.exe	32
PID 1716 wrote to memory of 1600	1716	cD02400PhOpN02400.exe	32
PID 1716 wrote to memory of 1600	1716	cD02400PhOpN02400.exe	32
PID 1716 wrote to memory of 668	1716	cD02400PhOpN02400.exe	33
PID 1716 wrote to memory of 668	1716	cD02400PhOpN02400.exe	33
PID 1716 wrote to memory of 668	1716	cD02400PhOpN02400.exe	33
PID 1716 wrote to memory of 668	1716	cD02400PhOpN02400.exe	33
PID 1716 wrote to memory of 948	1716	cD02400PhOpN02400.exe	34
PID 1716 wrote to memory of 948	1716	cD02400PhOpN02400.exe	34
PID 1716 wrote to memory of 948	1716	cD02400PhOpN02400.exe	34
PID 1716 wrote to memory of 948	1716	cD02400PhOpN02400.exe	34
PID 1716 wrote to memory of 1532	1716	cD02400PhOpN02400.exe	35
PID 1716 wrote to memory of 1532	1716	cD02400PhOpN02400.exe	35
PID 1716 wrote to memory of 1532	1716	cD02400PhOpN02400.exe	35
PID 1716 wrote to memory of 1532	1716	cD02400PhOpN02400.exe	35
PID 1716 wrote to memory of 744	1716	cD02400PhOpN02400.exe	36
PID 1716 wrote to memory of 744	1716	cD02400PhOpN02400.exe	36
PID 1716 wrote to memory of 744	1716	cD02400PhOpN02400.exe	36
PID 1716 wrote to memory of 744	1716	cD02400PhOpN02400.exe	36
PID 1716 wrote to memory of 1740	1716	cD02400PhOpN02400.exe	37
PID 1716 wrote to memory of 1740	1716	cD02400PhOpN02400.exe	37
PID 1716 wrote to memory of 1740	1716	cD02400PhOpN02400.exe	37
PID 1716 wrote to memory of 1740	1716	cD02400PhOpN02400.exe	37
PID 1716 wrote to memory of 432	1716	cD02400PhOpN02400.exe	39
PID 1716 wrote to memory of 432	1716	cD02400PhOpN02400.exe	39
PID 1716 wrote to memory of 432	1716	cD02400PhOpN02400.exe	39
PID 1716 wrote to memory of 432	1716	cD02400PhOpN02400.exe	39
PID 1716 wrote to memory of 1080	1716	cD02400PhOpN02400.exe	45
PID 1716 wrote to memory of 1080	1716	cD02400PhOpN02400.exe	45
PID 1716 wrote to memory of 1080	1716	cD02400PhOpN02400.exe	45
PID 1716 wrote to memory of 1080	1716	cD02400PhOpN02400.exe	45
PID 1716 wrote to memory of 1076	1716	cD02400PhOpN02400.exe	46
PID 1716 wrote to memory of 1076	1716	cD02400PhOpN02400.exe	46
PID 1716 wrote to memory of 1076	1716	cD02400PhOpN02400.exe	46
PID 1716 wrote to memory of 1076	1716	cD02400PhOpN02400.exe	46
PID 1716 wrote to memory of 664	1716	cD02400PhOpN02400.exe	49
PID 1716 wrote to memory of 664	1716	cD02400PhOpN02400.exe	49
PID 1716 wrote to memory of 664	1716	cD02400PhOpN02400.exe	49
PID 1716 wrote to memory of 664	1716	cD02400PhOpN02400.exe	49

C:\Users\Admin\AppData\Local\Temp\8ebbf4037d4df7fd23f076448d4ca93d61857bf6be6ee4d130fe6c176bb34f69.exe
"C:\Users\Admin\AppData\Local\Temp\8ebbf4037d4df7fd23f076448d4ca93d61857bf6be6ee4d130fe6c176bb34f69.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1520
- C:\ProgramData\cD02400PhOpN02400\cD02400PhOpN02400.exe
  "C:\ProgramData\cD02400PhOpN02400\cD02400PhOpN02400.exe" BOMBARDAMAXIMUM
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1820
- C:\ProgramData\cD02400PhOpN02400\cD02400PhOpN02400.exe
  "C:\ProgramData\cD02400PhOpN02400\cD02400PhOpN02400.exe" "C:\Users\Admin\AppData\Local\Temp\8ebbf4037d4df7fd23f076448d4ca93d61857bf6be6ee4d130fe6c176bb34f69.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Deletes itself
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1716
- - C:\Windows\system32\bcdedit.exe
    bcdedit.exe -set TESTSIGNING ON
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:1600
- - C:\Windows\system32\bcdedit.exe
    bcdedit.exe -set TESTSIGNING ON
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:668
- - C:\Windows\system32\bcdedit.exe
    bcdedit.exe -set TESTSIGNING ON
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:948
- - C:\Windows\system32\bcdedit.exe
    bcdedit.exe -set TESTSIGNING ON
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:1532
- - C:\Windows\system32\bcdedit.exe
    bcdedit.exe -set TESTSIGNING ON
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:744
- - C:\Windows\system32\bcdedit.exe
    bcdedit.exe -set TESTSIGNING ON
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:1740
- - C:\Windows\system32\bcdedit.exe
    bcdedit.exe -set TESTSIGNING ON
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:432
- - C:\Windows\system32\bcdedit.exe
    bcdedit.exe -set TESTSIGNING ON
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:1080
- - C:\Windows\system32\bcdedit.exe
    bcdedit.exe -set TESTSIGNING ON
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:1076
- - C:\Windows\system32\bcdedit.exe
    bcdedit.exe -set TESTSIGNING ON
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:664

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:108

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:1872

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact