Analysis
- max time kernel: 148s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20220901-en
- resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
- submitted: 24-11-2022 11:57
Static task: static1
Behavioral task: behavioral1
  Sample: cd6a182636d6726056705ee3cc1a18b1d7f2420b39af1b6cec2baab0b4baed7d.exe
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: cd6a182636d6726056705ee3cc1a18b1d7f2420b39af1b6cec2baab0b4baed7d.exe
  Resource: win10v2004-20220812-en
General
- Target: cd6a182636d6726056705ee3cc1a18b1d7f2420b39af1b6cec2baab0b4baed7d.exe
- Size: 288KB
- MD5: 508136766c7ea2f26ef44ffd81a63bcb
- SHA1: 0f7fefc95164729f34722fee9b752627b3236209
- SHA256: cd6a182636d6726056705ee3cc1a18b1d7f2420b39af1b6cec2baab0b4baed7d
- SHA512: d72736c719264a10b77f33953bb171cdf390ac624d3acfef4da401cd3f711606f43a245ab8e89c5c98512339f8d5002bfb51c3594ca364146cf83215a6f96a82
- SSDEEP: 6144:Bo/sqyUU6zRcHhF4gXfA7kqtcYngjtlycJey498lY:Bqsq9U6zRcHMgvA7dtcagCHy498lY
Malware Config
Signatures
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Accesses Microsoft Outlook accounts (1 TTPs, 1 IoCs)
  Processes: explorer.exe
    description | ioc | process
    Key opened | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | explorer.exe
- Accesses Microsoft Outlook profiles (1 TTPs, 1 IoCs)
  Processes: explorer.exe
    description | ioc | process
    Key opened | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | explorer.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: explorer.exe
    description | ioc | process
    Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | explorer.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upzhexim = "C:\\Windows\\ohiffzew.exe" | explorer.exe
- Checks whether UAC is enabled (1 IoCs)
  Processes: cd6a182636d6726056705ee3cc1a18b1d7f2420b39af1b6cec2baab0b4baed7d.exe
    description | ioc | process
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | cd6a182636d6726056705ee3cc1a18b1d7f2420b39af1b6cec2baab0b4baed7d.exe
- Suspicious use of SetThreadContext (2 IoCs)
  Processes: cd6a182636d6726056705ee3cc1a18b1d7f2420b39af1b6cec2baab0b4baed7d.exe, cd6a182636d6726056705ee3cc1a18b1d7f2420b39af1b6cec2baab0b4baed7d.exe
    description | pid | process | target process
    PID 1768 set thread context of 1332 | 1768 | cd6a182636d6726056705ee3cc1a18b1d7f2420b39af1b6cec2baab0b4baed7d.exe | cd6a182636d6726056705ee3cc1a18b1d7f2420b39af1b6cec2baab0b4baed7d.exe
    PID 1332 set thread context of 1168 | 1332 | cd6a182636d6726056705ee3cc1a18b1d7f2420b39af1b6cec2baab0b4baed7d.exe | explorer.exe
- Drops file in Windows directory (2 IoCs)
  Processes: explorer.exe
    description | ioc | process
    File opened for modification | C:\Windows\ohiffzew.exe | explorer.exe
    File created | C:\Windows\ohiffzew.exe | explorer.exe
- Interacts with shadow copies (2 TTPs, 1 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes: vssadmin.exe
    pid | process
    560 | vssadmin.exe
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes: cd6a182636d6726056705ee3cc1a18b1d7f2420b39af1b6cec2baab0b4baed7d.exe
    pid | process
    1768 | cd6a182636d6726056705ee3cc1a18b1d7f2420b39af1b6cec2baab0b4baed7d.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes: vssvc.exe
    description | pid | process
    Token: SeBackupPrivilege | 1880 | vssvc.exe
    Token: SeRestorePrivilege | 1880 | vssvc.exe
    Token: SeAuditPrivilege | 1880 | vssvc.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes: cd6a182636d6726056705ee3cc1a18b1d7f2420b39af1b6cec2baab0b4baed7d.exe
    pid | process
    1768 | cd6a182636d6726056705ee3cc1a18b1d7f2420b39af1b6cec2baab0b4baed7d.exe
    1768 | cd6a182636d6726056705ee3cc1a18b1d7f2420b39af1b6cec2baab0b4baed7d.exe
- Suspicious use of WriteProcessMemory (20 IoCs)
  Processes: cd6a182636d6726056705ee3cc1a18b1d7f2420b39af1b6cec2baab0b4baed7d.exe, cd6a182636d6726056705ee3cc1a18b1d7f2420b39af1b6cec2baab0b4baed7d.exe, explorer.exe
    description | pid | process | target process
    PID 1768 wrote to memory of 1332 | 1768 | cd6a182636d6726056705ee3cc1a18b1d7f2420b39af1b6cec2baab0b4baed7d.exe | cd6a182636d6726056705ee3cc1a18b1d7f2420b39af1b6cec2baab0b4baed7d.exe (11 identical entries)
    PID 1332 wrote to memory of 1168 | 1332 | cd6a182636d6726056705ee3cc1a18b1d7f2420b39af1b6cec2baab0b4baed7d.exe | explorer.exe (5 identical entries)
    PID 1168 wrote to memory of 560 | 1168 | explorer.exe | vssadmin.exe (4 identical entries)
- outlook_win_path (1 IoCs)
  Processes: explorer.exe
    description | ioc | process
    Key opened | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | explorer.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\cd6a182636d6726056705ee3cc1a18b1d7f2420b39af1b6cec2baab0b4baed7d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\cd6a182636d6726056705ee3cc1a18b1d7f2420b39af1b6cec2baab0b4baed7d.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\cd6a182636d6726056705ee3cc1a18b1d7f2420b39af1b6cec2baab0b4baed7d.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\cd6a182636d6726056705ee3cc1a18b1d7f2420b39af1b6cec2baab0b4baed7d.exe
    - Checks whether UAC is enabled
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\explorer.exe
      Command line: "C:\Windows\system32\explorer.exe"
      - Accesses Microsoft Outlook accounts
      - Accesses Microsoft Outlook profiles
      - Adds Run key to start application
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory
      - outlook_win_path
      - C:\Windows\SysWOW64\vssadmin.exe
        Command line: vssadmin.exe Delete Shadows /All /Quiet
        - Interacts with shadow copies
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\ProgramData\uxyjomoreradapof\01000000
  Filesize: 288KB
  MD5: 37775c42b1390dab3cf9319f435ae042
  SHA1: 624048eb8c7549520ae7a59eba82f946ca299e8f
  SHA256: 21dc4258d72c363c39fa8e2cc95a79f6e73b7c13f8fd3264bc2d15568c4aaaa3
  SHA512: e361af595c405d041f3e60c00d4ba163abba570bea22a21ec7938ccbb10f88775d850521a79a29b3d3ec8c3e98878d80fc40a998850c6330143bb882913d5633
- memory/560-81-0x0000000000000000-mapping.dmp
- memory/1168-71-0x00000000000D0000-0x000000000010D000-memory.dmp (Filesize: 244KB)
- memory/1168-83-0x00000000000D0000-0x000000000010D000-memory.dmp (Filesize: 244KB)
- memory/1168-82-0x00000000721B1000-0x00000000721B3000-memory.dmp (Filesize: 8KB)
- memory/1168-80-0x00000000000D0000-0x000000000010D000-memory.dmp (Filesize: 244KB)
- memory/1168-77-0x0000000074701000-0x0000000074703000-memory.dmp (Filesize: 8KB)
- memory/1168-75-0x00000000000EADA0-mapping.dmp
- memory/1168-73-0x00000000000D0000-0x000000000010D000-memory.dmp (Filesize: 244KB)
- memory/1332-61-0x0000000000400000-0x000000000043A000-memory.dmp (Filesize: 232KB)
- memory/1332-70-0x0000000000400000-0x000000000043A000-memory.dmp (Filesize: 232KB)
- memory/1332-66-0x000000000040A78E-mapping.dmp
- memory/1332-65-0x0000000000400000-0x000000000043A000-memory.dmp (Filesize: 232KB)
- memory/1332-63-0x0000000000400000-0x000000000043A000-memory.dmp (Filesize: 232KB)
- memory/1332-62-0x0000000000400000-0x000000000043A000-memory.dmp (Filesize: 232KB)
- memory/1332-79-0x0000000000400000-0x000000000043A000-memory.dmp (Filesize: 232KB)
- memory/1332-59-0x0000000000400000-0x000000000043A000-memory.dmp (Filesize: 232KB)
- memory/1332-57-0x0000000000400000-0x000000000043A000-memory.dmp (Filesize: 232KB)
- memory/1332-56-0x0000000000400000-0x000000000043A000-memory.dmp (Filesize: 232KB)
- memory/1768-67-0x0000000000300000-0x0000000000304000-memory.dmp (Filesize: 16KB)
- memory/1768-54-0x0000000000220000-0x00000000002CC000-memory.dmp (Filesize: 688KB)
- memory/1768-55-0x0000000075931000-0x0000000075933000-memory.dmp (Filesize: 8KB)