Analysis
max time kernel: 169s
max time network: 185s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 24-11-2022 12:09
Static task: static1
Behavioral task: behavioral1
  Sample: 3cf9b5ce45b7349947d4b1ec0edcd24f72b93b4a7bcfb1f0dfccccdab76a82a3.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 3cf9b5ce45b7349947d4b1ec0edcd24f72b93b4a7bcfb1f0dfccccdab76a82a3.exe
  Resource: win10v2004-20220812-en
General
Target: 3cf9b5ce45b7349947d4b1ec0edcd24f72b93b4a7bcfb1f0dfccccdab76a82a3.exe
Size: 482KB
MD5: eefb361a598211ef2a468017d1a3bb2c
SHA1: c51f28a9ceb78a3920a766874dc1b4601f1ba443
SHA256: 3cf9b5ce45b7349947d4b1ec0edcd24f72b93b4a7bcfb1f0dfccccdab76a82a3
SHA512: c7a5ea8c5da3c19b1c44af93a2914271f3a4833fe788f3875c122014f1f308b8dacfec92504d8db5a5cecaf66d63a74edebbfdfa2cf4df5fdc8866b8657cc76d
SSDEEP: 6144:kioL4qsxpzE0qcQL/RPsBllXpA0iIOg2OJR7R7XxTD10rNptyEG/62z9bxvoYal3:kDUZbz1X8GvAY0vopR8ZKFVMiYaI
Malware Config
Signatures

Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.

Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ujefokaf = "C:\\Windows\\ewlnelul.exe" | explorer.exe

Checks whether UAC is enabled
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 3cf9b5ce45b7349947d4b1ec0edcd24f72b93b4a7bcfb1f0dfccccdab76a82a3.exe

Suspicious use of SetThreadContext (2 IoCs)
  description | pid | Process | procid_target
  PID 1988 set thread context of 480 | 1988 | 3cf9b5ce45b7349947d4b1ec0edcd24f72b93b4a7bcfb1f0dfccccdab76a82a3.exe | 28
  PID 480 set thread context of 1756 | 480 | 3cf9b5ce45b7349947d4b1ec0edcd24f72b93b4a7bcfb1f0dfccccdab76a82a3.exe | 29

Drops file in Windows directory (2 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\ewlnelul.exe | explorer.exe
  File created | C:\Windows\ewlnelul.exe | explorer.exe

Interacts with shadow copies (2 TTPs, 1 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  pid | Process
  1320 | vssadmin.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid | Process
  1988 | 3cf9b5ce45b7349947d4b1ec0edcd24f72b93b4a7bcfb1f0dfccccdab76a82a3.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description | pid | Process
  Token: SeBackupPrivilege | 1020 | vssvc.exe
  Token: SeRestorePrivilege | 1020 | vssvc.exe
  Token: SeAuditPrivilege | 1020 | vssvc.exe

Suspicious use of WriteProcessMemory (19 IoCs)
  description | pid | Process | procid_target | entries
  PID 1988 wrote to memory of 480 | 1988 | 3cf9b5ce45b7349947d4b1ec0edcd24f72b93b4a7bcfb1f0dfccccdab76a82a3.exe | 28 | 10
  PID 480 wrote to memory of 1756 | 480 | 3cf9b5ce45b7349947d4b1ec0edcd24f72b93b4a7bcfb1f0dfccccdab76a82a3.exe | 29 | 5
  PID 1756 wrote to memory of 1320 | 1756 | explorer.exe | 30 | 4
Processes (indented by process tree depth)

C:\Users\Admin\AppData\Local\Temp\3cf9b5ce45b7349947d4b1ec0edcd24f72b93b4a7bcfb1f0dfccccdab76a82a3.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\3cf9b5ce45b7349947d4b1ec0edcd24f72b93b4a7bcfb1f0dfccccdab76a82a3.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  PID: 1988

  C:\Users\Admin\AppData\Local\Temp\3cf9b5ce45b7349947d4b1ec0edcd24f72b93b4a7bcfb1f0dfccccdab76a82a3.exe (level 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\3cf9b5ce45b7349947d4b1ec0edcd24f72b93b4a7bcfb1f0dfccccdab76a82a3.exe"
    - Checks whether UAC is enabled
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID: 480

    C:\Windows\SysWOW64\explorer.exe (level 3)
      Command line: "C:\Windows\system32\explorer.exe"
      - Adds Run key to start application
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory
      PID: 1756

      C:\Windows\SysWOW64\vssadmin.exe (level 4)
        Command line: vssadmin.exe Delete Shadows /All /Quiet
        - Interacts with shadow copies
        PID: 1320

C:\Windows\system32\vssvc.exe (level 1)
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
  PID: 1020
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 482KB
MD5: 79f358fe968e8ad028114a697a2b95a4
SHA1: 0c3fbefb1aa0541aed78fd8bd0bc52f981c334e4
SHA256: 040349407ed756cc9683e33ef4e57e5bf46817c80f69460da3ddb8783af4a8b3
SHA512: afd1e4521f3ede3a1401c56622cc81e489ef6f26b0dda446956a9d3ab6ac4a732391cc425c905d767536badc01d942aa6b0d46268cda575bab4b46590faa1247