Overview

overview

9

Static

static

cf0eed4a77...e1.exe

windows7-x64

9

cf0eed4a77...e1.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    104s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    24-11-2022 10:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cf0eed4a772ddce4823d434ecad5b4296a0af94d057535d0a18e762ce79f81e1.exe

  • Size

    503KB

  • MD5

    aaf1572112e467c4667ab84bcdee33b2

  • SHA1

    a1b4610140a1901995bedacb82ac1392d0890067

  • SHA256

    cf0eed4a772ddce4823d434ecad5b4296a0af94d057535d0a18e762ce79f81e1

  • SHA512

    3f86ed1eb5a123a93c789c6165784f92ddd389ff680e3b0d96a0d334e31650c7bf21bd2dd973c697446d83d02427aea729574a61e80ac787e574eef4d958b0c9

  • SSDEEP

    12288:mN7OjRhWIqHcFED5g3GrkppAkpmRhW3J8lBhZLTt2:eOllqHcCF2IHWZ8ltLTt2

Score
9/10
evasionransomware

Malware Config

Signatures

  • Modifies boot configuration data using bcdedit 1 TTPs 10 IoCs
    ransomwareevasion
  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Deletes itself 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1336
      • C:\Users\Admin\AppData\Local\Temp\cf0eed4a772ddce4823d434ecad5b4296a0af94d057535d0a18e762ce79f81e1.exe
        "C:\Users\Admin\AppData\Local\Temp\cf0eed4a772ddce4823d434ecad5b4296a0af94d057535d0a18e762ce79f81e1.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1232
        • C:\Users\Admin\AppData\Local\Temp\cf0eed4a772ddce4823d434ecad5b4296a0af94d057535d0a18e762ce79f81e1.exe
          "C:\Users\Admin\AppData\Local\Temp\cf0eed4a772ddce4823d434ecad5b4296a0af94d057535d0a18e762ce79f81e1.exe"
          3⤵
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:1348
          • C:\Users\Admin\AppData\Roaming\Itxyn\duig.exe
            "C:\Users\Admin\AppData\Roaming\Itxyn\duig.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:1656
            • C:\Users\Admin\AppData\Roaming\Itxyn\duig.exe
              "C:\Users\Admin\AppData\Roaming\Itxyn\duig.exe"
              5⤵
              • Drops file in Drivers directory
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1476
              • C:\Windows\system32\bcdedit.exe
                bcdedit.exe -set TESTSIGNING ON
                6⤵
                • Modifies boot configuration data using bcdedit
                PID:1836
              • C:\Windows\system32\bcdedit.exe
                bcdedit.exe -set TESTSIGNING ON
                6⤵
                • Modifies boot configuration data using bcdedit
                PID:1964
              • C:\Windows\system32\bcdedit.exe
                bcdedit.exe -set TESTSIGNING ON
                6⤵
                • Modifies boot configuration data using bcdedit
                PID:436
              • C:\Windows\system32\bcdedit.exe
                bcdedit.exe -set TESTSIGNING ON
                6⤵
                • Modifies boot configuration data using bcdedit
                PID:1072
              • C:\Windows\system32\bcdedit.exe
                bcdedit.exe -set TESTSIGNING ON
                6⤵
                • Modifies boot configuration data using bcdedit
                PID:1124
              • C:\Windows\system32\bcdedit.exe
                bcdedit.exe -set TESTSIGNING ON
                6⤵
                • Modifies boot configuration data using bcdedit
                PID:1696
              • C:\Windows\system32\bcdedit.exe
                bcdedit.exe -set TESTSIGNING ON
                6⤵
                • Modifies boot configuration data using bcdedit
                PID:980
              • C:\Windows\system32\bcdedit.exe
                bcdedit.exe -set TESTSIGNING ON
                6⤵
                • Modifies boot configuration data using bcdedit
                PID:1224
              • C:\Windows\system32\bcdedit.exe
                bcdedit.exe -set TESTSIGNING ON
                6⤵
                • Modifies boot configuration data using bcdedit
                PID:1804
              • C:\Windows\system32\bcdedit.exe
                bcdedit.exe -set TESTSIGNING ON
                6⤵
                • Modifies boot configuration data using bcdedit
                PID:1352
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\DBZ2852.bat"
            4⤵
            • Deletes itself
            PID:1856
    • C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      1⤵
        PID:1252
      • C:\Windows\system32\taskhost.exe
        "taskhost.exe"
        1⤵
          PID:1152
        • C:\Windows\system32\LogonUI.exe
          "LogonUI.exe" /flags:0x0
          1⤵
            PID:1228
          • C:\Windows\system32\LogonUI.exe
            "LogonUI.exe" /flags:0x1
            1⤵
              PID:1856

            Network

            MITRE ATT&CK Matrix ATT&CK v6

            Initial Access

            Execution

            Persistence

            Privilege Escalation

            Defense Evasion

            Credential Access

            Discovery

            Lateral Movement

            Collection

            Exfiltration

            Command and Control

            Impact

            Inhibit System Recovery

            1
            T1490

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\DBZ2852.bat
              Filesize

              303B

              MD5

              b0385ad99f59f5c02a4cbfc14e6c8a57

              SHA1

              1a150b288dae39d7f86cb580d1199eee8e5781b2

              SHA256

              e6ff5473e4f72541d84c5fc3cb3ae1460e38b4224e0feabec6c3b7564fe91e4c

              SHA512

              b965d4ead87a8f861f192436489526ffc906f61b921f8f2a27849914c02282c246c506eb7498cf3fa5c061935d0bb17a3dc38c89856ae1867bd7fc2643e5566f

              Download Submit
            • C:\Users\Admin\AppData\Roaming\Itxyn\duig.exe
              Filesize

              503KB

              MD5

              1de3c30d14a26fa2f1689e682667eae7

              SHA1

              902b52018eb457ab8be1fb754538747cd495495e

              SHA256

              cccc52741f2718e0bee909eb598683b3ee7f842579fdca95918e03f111610c97

              SHA512

              6035d9289070317d251728eb8341109213b0c7532b087e3fedbdf4294e34f81c55348c12f49564a04557178d0eb05d94a1d663e6572f86228012b06383cd1885

              Download Submit
            • C:\Users\Admin\AppData\Roaming\Itxyn\duig.exe
              Filesize

              503KB

              MD5

              1de3c30d14a26fa2f1689e682667eae7

              SHA1

              902b52018eb457ab8be1fb754538747cd495495e

              SHA256

              cccc52741f2718e0bee909eb598683b3ee7f842579fdca95918e03f111610c97

              SHA512

              6035d9289070317d251728eb8341109213b0c7532b087e3fedbdf4294e34f81c55348c12f49564a04557178d0eb05d94a1d663e6572f86228012b06383cd1885

              Download Submit
            • C:\Users\Admin\AppData\Roaming\Itxyn\duig.exe
              Filesize

              503KB

              MD5

              1de3c30d14a26fa2f1689e682667eae7

              SHA1

              902b52018eb457ab8be1fb754538747cd495495e

              SHA256

              cccc52741f2718e0bee909eb598683b3ee7f842579fdca95918e03f111610c97

              SHA512

              6035d9289070317d251728eb8341109213b0c7532b087e3fedbdf4294e34f81c55348c12f49564a04557178d0eb05d94a1d663e6572f86228012b06383cd1885

              Download Submit
            • \Users\Admin\AppData\Roaming\Itxyn\duig.exe
              Filesize

              503KB

              MD5

              1de3c30d14a26fa2f1689e682667eae7

              SHA1

              902b52018eb457ab8be1fb754538747cd495495e

              SHA256

              cccc52741f2718e0bee909eb598683b3ee7f842579fdca95918e03f111610c97

              SHA512

              6035d9289070317d251728eb8341109213b0c7532b087e3fedbdf4294e34f81c55348c12f49564a04557178d0eb05d94a1d663e6572f86228012b06383cd1885

              Download Submit
            • \Users\Admin\AppData\Roaming\Itxyn\duig.exe
              Filesize

              503KB

              MD5

              1de3c30d14a26fa2f1689e682667eae7

              SHA1

              902b52018eb457ab8be1fb754538747cd495495e

              SHA256

              cccc52741f2718e0bee909eb598683b3ee7f842579fdca95918e03f111610c97

              SHA512

              6035d9289070317d251728eb8341109213b0c7532b087e3fedbdf4294e34f81c55348c12f49564a04557178d0eb05d94a1d663e6572f86228012b06383cd1885

              Download Submit
            • memory/436-106-0x0000000000000000-mapping.dmp
              Download
            • memory/980-101-0x0000000000000000-mapping.dmp
              Download
            • memory/1072-105-0x0000000000000000-mapping.dmp
              Download
            • memory/1124-104-0x0000000000000000-mapping.dmp
              Download
            • memory/1152-114-0x0000000000310000-0x000000000037D000-memory.dmp
              Filesize

              436KB

              Download
            • memory/1152-116-0x0000000000310000-0x000000000037D000-memory.dmp
              Filesize

              436KB

              Download
            • memory/1152-113-0x0000000000310000-0x000000000037D000-memory.dmp
              Filesize

              436KB

              Download
            • memory/1152-115-0x0000000000310000-0x000000000037D000-memory.dmp
              Filesize

              436KB

              Download
            • memory/1224-108-0x0000000000000000-mapping.dmp
              Download
            • memory/1228-129-0x000007FEFBF91000-0x000007FEFBF93000-memory.dmp
              Filesize

              8KB

              Download
            • memory/1252-119-0x0000000001BA0000-0x0000000001C0D000-memory.dmp
              Filesize

              436KB

              Download
            • memory/1252-121-0x0000000001BA0000-0x0000000001C0D000-memory.dmp
              Filesize

              436KB

              Download
            • memory/1252-122-0x0000000001BA0000-0x0000000001C0D000-memory.dmp
              Filesize

              436KB

              Download
            • memory/1252-120-0x0000000001BA0000-0x0000000001C0D000-memory.dmp
              Filesize

              436KB

              Download
            • memory/1336-125-0x0000000002A00000-0x0000000002A6D000-memory.dmp
              Filesize

              436KB

              Download
            • memory/1336-126-0x0000000002A00000-0x0000000002A6D000-memory.dmp
              Filesize

              436KB

              Download
            • memory/1336-127-0x0000000002A00000-0x0000000002A6D000-memory.dmp
              Filesize

              436KB

              Download
            • memory/1336-128-0x0000000002A00000-0x0000000002A6D000-memory.dmp
              Filesize

              436KB

              Download
            • memory/1348-98-0x0000000000400000-0x000000000046D000-memory.dmp
              Filesize

              436KB

              Download
            • memory/1348-73-0x0000000000400000-0x000000000046D000-memory.dmp
              Filesize

              436KB

              Download
            • memory/1348-56-0x0000000000400000-0x000000000046D000-memory.dmp
              Filesize

              436KB

              Download
            • memory/1348-57-0x0000000000400000-0x000000000046D000-memory.dmp
              Filesize

              436KB

              Download
            • memory/1348-59-0x0000000000400000-0x000000000046D000-memory.dmp
              Filesize

              436KB

              Download
            • memory/1348-60-0x0000000000400000-0x000000000046D000-memory.dmp
              Filesize

              436KB

              Download
            • memory/1348-62-0x0000000000400000-0x000000000046D000-memory.dmp
              Filesize

              436KB

              Download
            • memory/1348-95-0x0000000000400000-0x000000000046D000-memory.dmp
              Filesize

              436KB

              Download
            • memory/1348-64-0x0000000000400000-0x000000000046D000-memory.dmp
              Filesize

              436KB

              Download
            • memory/1348-65-0x0000000000444953-mapping.dmp
              Download
            • memory/1348-67-0x0000000075C31000-0x0000000075C33000-memory.dmp
              Filesize

              8KB

              Download
            • memory/1348-68-0x0000000000400000-0x000000000046D000-memory.dmp
              Filesize

              436KB

              Download
            • memory/1348-69-0x0000000000400000-0x000000000046D000-memory.dmp
              Filesize

              436KB

              Download
            • memory/1348-70-0x0000000000400000-0x000000000046D000-memory.dmp
              Filesize

              436KB

              Download
            • memory/1348-71-0x0000000000400000-0x000000000046D000-memory.dmp
              Filesize

              436KB

              Download
            • memory/1348-72-0x0000000000270000-0x0000000000276000-memory.dmp
              Filesize

              24KB

              Download
            • memory/1352-109-0x0000000000000000-mapping.dmp
              Download
            • memory/1476-110-0x00000000003F0000-0x00000000003F6000-memory.dmp
              Filesize

              24KB

              Download
            • memory/1476-90-0x0000000000444953-mapping.dmp
              Download
            • memory/1476-96-0x0000000000400000-0x000000000046D000-memory.dmp
              Filesize

              436KB

              Download
            • memory/1476-130-0x0000000000400000-0x000000000046D000-memory.dmp
              Filesize

              436KB

              Download
            • memory/1656-76-0x0000000000000000-mapping.dmp
              Download
            • memory/1696-102-0x0000000000000000-mapping.dmp
              Download
            • memory/1804-107-0x0000000000000000-mapping.dmp
              Download
            • memory/1836-100-0x0000000000000000-mapping.dmp
              Download
            • memory/1856-97-0x0000000000000000-mapping.dmp
              Download
            • memory/1964-103-0x0000000000000000-mapping.dmp
              Download