Overview

overview

9

Static

static

72a314bf4d...ac.exe

windows7-x64

9

72a314bf4d...ac.exe

windows10-2004-x64

3

Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    24/11/2022, 04:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    72a314bf4d11e2b688d49677b0e742182bce29d5e0171659b8264985b4a683ac.exe

  • Size

    462KB

  • MD5

    9790f907d4e8ba245862cecd1a2d1343

  • SHA1

    7b9d53a402cf90729f8becefda6b3de087c14c0d

  • SHA256

    72a314bf4d11e2b688d49677b0e742182bce29d5e0171659b8264985b4a683ac

  • SHA512

    b052b891f60cb75b76331b56ffc2608be58e625a1c88209bf87d664766f922d02afdf3a8f54060c4414d61126c80686da435cc7fb37396c10f9827470bec9462

  • SSDEEP

    12288:sBIETUWRJUHDqee5zicsNNFoAwMV1O8oxZbDKzjIEyjJ:chTUC2tcziceNFE8oPDKHIEyjJ

Score
9/10
evasionpersistenceransomwaretrojan

Malware Config

Signatures

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\72a314bf4d11e2b688d49677b0e742182bce29d5e0171659b8264985b4a683ac.exe
    "C:\Users\Admin\AppData\Local\Temp\72a314bf4d11e2b688d49677b0e742182bce29d5e0171659b8264985b4a683ac.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:1980
    • C:\Users\Admin\AppData\Local\Temp\72a314bf4d11e2b688d49677b0e742182bce29d5e0171659b8264985b4a683ac.exe
      "C:\Users\Admin\AppData\Local\Temp\72a314bf4d11e2b688d49677b0e742182bce29d5e0171659b8264985b4a683ac.exe"
      2⤵
      • Checks whether UAC is enabled
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:1460
      • C:\Windows\SysWOW64\explorer.exe
        "C:\Windows\system32\explorer.exe"
        3⤵
        • Adds Run key to start application
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:1156
        • C:\Windows\SysWOW64\vssadmin.exe
          vssadmin.exe Delete Shadows /All /Quiet
          4⤵
          • Interacts with shadow copies
          PID:2012
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:572

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\ehelinavuwuqosys\01000000
    Filesize

    462KB

    MD5

    c3be97a85a5326a83622af248cb1df02

    SHA1

    59625c85ce8e11d03d89cc16fcc8c2a37a65497a

    SHA256

    448b71149db32973c8bbe3ceb00e41c6d652e2176f0f14e93d17414634c18cce

    SHA512

    9c157bd9a85f70c56656426cfb19c2cffce2c48cd2f1b68873c4a6e6a42993cd28dcdd5b467ac38398ff84d556c345203031263fcaf71a249a543062140dfcde

    Download Submit

  • memory/1156-69-0x0000000000080000-0x00000000000BB000-memory.dmp

    Filesize

    236KB

    Download

  • memory/1156-81-0x0000000000080000-0x00000000000BB000-memory.dmp

    Filesize

    236KB

    Download

  • memory/1156-80-0x00000000723A1000-0x00000000723A3000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1156-78-0x0000000000080000-0x00000000000BB000-memory.dmp

    Filesize

    236KB

    Download

  • memory/1156-75-0x0000000074801000-0x0000000074803000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1156-71-0x0000000000080000-0x00000000000BB000-memory.dmp

    Filesize

    236KB

    Download

  • memory/1460-62-0x0000000000400000-0x0000000000439000-memory.dmp

    Filesize

    228KB

    Download

  • memory/1460-68-0x0000000000400000-0x0000000000439000-memory.dmp

    Filesize

    228KB

    Download

  • memory/1460-66-0x0000000000400000-0x0000000000439000-memory.dmp

    Filesize

    228KB

    Download

  • memory/1460-64-0x0000000000400000-0x0000000000439000-memory.dmp

    Filesize

    228KB

    Download

  • memory/1460-61-0x0000000000400000-0x0000000000439000-memory.dmp

    Filesize

    228KB

    Download

  • memory/1460-77-0x0000000000400000-0x0000000000439000-memory.dmp

    Filesize

    228KB

    Download

  • memory/1460-60-0x0000000000400000-0x0000000000439000-memory.dmp

    Filesize

    228KB

    Download

  • memory/1460-58-0x0000000000400000-0x0000000000439000-memory.dmp

    Filesize

    228KB

    Download

  • memory/1460-55-0x0000000000400000-0x0000000000439000-memory.dmp

    Filesize

    228KB

    Download

  • memory/1980-54-0x0000000075981000-0x0000000075983000-memory.dmp

    Filesize

    8KB

    Download