Analysis
max time kernel: 152s
max time network: 210s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 24-11-2022 12:27
Static task: static1
Behavioral task: behavioral1
  Sample: Info.Pdf____________________________________________________________.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: Info.Pdf____________________________________________________________.exe
  Resource: win10v2004-20221111-en
General
Target: Info.Pdf____________________________________________________________.exe
Size: 494KB
MD5: cb607388d6b05dcf0d77fd06f563511d
SHA1: 85717a638f5a3cc62b2f5e25897fcee997f35070
SHA256: 8a375f861957b7effcda03ba43720d5bc14eeea97a33475a78b904714283d04e
SHA512: 3bc8cd97bad6c38711eb67ff88b7cc158d991677a0a07d3efb73837d43eaa7bdbd7fb96d2f5a225f5a4fc39cc1aa2a2c6cd4091d201da79cb7be98fd459c246a
SSDEEP: 6144:+7imLFJzjEIl1qcQL7twzWuWFyvgI/EhlRlI8tEUauf+zT3:6RljEIXZ6uaUgF3RllT+zT3
Malware Config
Signatures

Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Accesses Microsoft Outlook accounts (1 TTPs, 1 IoCs)
Process: explorer.exe
  Key opened: \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts

Accesses Microsoft Outlook profiles (1 TTPs, 1 IoCs)
Process: explorer.exe
  Key opened: \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook

Adds Run key to start application (2 TTPs, 2 IoCs)
Process: explorer.exe
  Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ewufldom = "C:\\Windows\\uchroxat.exe"

Checks whether UAC is enabled (1 IoCs)
Process: Info.Pdf____________________________________________________________.exe
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA

Suspicious use of SetThreadContext (2 IoCs)
  PID 2044 (Info.Pdf____________________________________________________________.exe) set thread context of PID 1004 (Info.Pdf____________________________________________________________.exe)
  PID 1004 (Info.Pdf____________________________________________________________.exe) set thread context of PID 468 (explorer.exe)

Drops file in Windows directory (2 IoCs)
Process: explorer.exe
  File created: C:\Windows\uchroxat.exe
  File opened for modification: C:\Windows\uchroxat.exe

Interacts with shadow copies (2 TTPs, 1 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
  PID 1128 vssadmin.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Process: vssvc.exe (PID 1752)
  Token: SeBackupPrivilege
  Token: SeRestorePrivilege
  Token: SeAuditPrivilege

Suspicious use of WriteProcessMemory (20 IoCs)
  PID 2044 (Info.Pdf____________________________________________________________.exe) wrote to memory of PID 1004 (Info.Pdf____________________________________________________________.exe): 11 times
  PID 1004 (Info.Pdf____________________________________________________________.exe) wrote to memory of PID 468 (explorer.exe): 5 times
  PID 468 (explorer.exe) wrote to memory of PID 1128 (vssadmin.exe): 4 times

outlook_win_path (1 IoCs)
Process: explorer.exe
  Key opened: \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Processes

C:\Users\Admin\AppData\Local\Temp\Info.Pdf____________________________________________________________.exe (PID 2044)
  command line: "C:\Users\Admin\AppData\Local\Temp\Info.Pdf____________________________________________________________.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\Info.Pdf____________________________________________________________.exe (PID 1004)
      command line: "C:\Users\Admin\AppData\Local\Temp\Info.Pdf____________________________________________________________.exe"
      - Checks whether UAC is enabled
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\explorer.exe (PID 468)
          command line: "C:\Windows\system32\explorer.exe"
          (the 32-bit caller asked for system32\explorer.exe; WoW64 file-system redirection resolved that to the 32-bit copy under SysWOW64, not the 64-bit shell the user is logged on with, which is why the image path and the command line differ)
          - Accesses Microsoft Outlook accounts
          - Accesses Microsoft Outlook profiles
          - Adds Run key to start application
          - Drops file in Windows directory
          - Suspicious use of WriteProcessMemory
          - outlook_win_path
            C:\Windows\SysWOW64\vssadmin.exe (PID 1128)
              command line: vssadmin.exe Delete Shadows /All /Quiet
              - Interacts with shadow copies

C:\Windows\system32\vssvc.exe (PID 1752; the Volume Shadow Copy service, shown as a separate tree because it is started by the service control manager rather than by vssadmin)
  command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
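The following is an added example and is not part of the sandbox report or of the sample's code: Python detection logic run over a constructed, Sysmon-style event stream that mirrors the signatures and the process tree above. The event field names, the parent PID 900 for the first process and the ATT&CK IDs in the mapping are my own assumptions, not the report's (its matrix used ATT&CK v6 numbering). It flags the four things a responder would pivot on: the create, write, SetThreadContext sequence that appears twice in the tree, the vssadmin shadow deletion (generalised to the wmic equivalent), a Run key that points at a binary dropped straight into C:\Windows, and explorer.exe running from SysWOW64.

```python
import ntpath
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed, simplified event stream modelled on the signatures and process
# tree in this report. Field names are my own (Sysmon-style), not the sandbox's
# schema; the repeated WriteProcessMemory rows are collapsed to one event each
# and the parent PID 900 of the first process is assumed (the report omits it).
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\Info.Pdf____________________________________________________________.exe"
EXPLORER_WOW64 = r"C:\Windows\SysWOW64\explorer.exe"
VSSADMIN = r"C:\Windows\SysWOW64\vssadmin.exe"
RUN_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

EVENTS = [
    {"type": "process_create", "pid": 2044, "ppid": 900, "image": SAMPLE, "cmdline": '"' + SAMPLE + '"'},
    {"type": "process_create", "pid": 1004, "ppid": 2044, "image": SAMPLE, "cmdline": '"' + SAMPLE + '"'},
    {"type": "write_memory", "pid": 2044, "target": 1004},        # 11 rows in the report
    {"type": "set_thread_context", "pid": 2044, "target": 1004},
    {"type": "registry_query", "pid": 1004,
     "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"},
    {"type": "process_create", "pid": 468, "ppid": 1004, "image": EXPLORER_WOW64,
     "cmdline": r'"C:\Windows\system32\explorer.exe"'},
    {"type": "write_memory", "pid": 1004, "target": 468},         # 5 rows in the report
    {"type": "set_thread_context", "pid": 1004, "target": 468},
    {"type": "file_create", "pid": 468, "path": r"C:\Windows\uchroxat.exe"},
    {"type": "registry_set", "pid": 468, "key": RUN_KEY + r"\ewufldom", "value": r"C:\Windows\uchroxat.exe"},
    {"type": "process_create", "pid": 1128, "ppid": 468, "image": VSSADMIN,
     "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
]


def _procs(events) -> Dict[int, dict]:
    return {e["pid"]: e for e in events if e["type"] == "process_create"}


def find_hollowing(events) -> List[Tuple[int, int, str]]:
    r"""A process that created a child, wrote into it and then set a thread
    context in it: the sequence behind the SetThreadContext and
    WriteProcessMemory signatures. Returns (parent, child, child image)."""
    procs = _procs(events)
    seen = defaultdict(set)
    for e in events:
        if e["type"] in ("write_memory", "set_thread_context"):
            seen[(e["pid"], e["target"])].add(e["type"])
    hits = []
    for (parent, child), kinds in seen.items():   # insertion order = event order
        if {"write_memory", "set_thread_context"} <= kinds and procs.get(child, {}).get("ppid") == parent:
            hits.append((parent, child, procs[child]["image"]))
    return hits


# vssadmin as seen here, plus the wmic form of the same shadow-copy deletion.
SHADOW_CMDS = (("vssadmin.exe", ("delete", "shadows")), ("wmic.exe", ("shadowcopy", "delete")))


def find_shadow_deletion(events) -> List[int]:
    hits = []
    for e in events:
        if e["type"] != "process_create":
            continue
        exe, cmd = ntpath.basename(e["image"]).lower(), e["cmdline"].lower()
        if any(exe == name and all(w in cmd for w in words) for name, words in SHADOW_CMDS):
            hits.append(e["pid"])
    return hits


def find_run_key_persistence(events) -> List[Tuple[int, str, str]]:
    r"""Run-key value whose target sits directly in C:\Windows (needs admin,
    hence the EnableLUA check) or in a Temp directory. Heuristic, not a rule."""
    hits = []
    for e in events:
        if e["type"] == "registry_set" and "\\currentversion\\run\\" in e["key"].lower():
            target = e["value"].strip('"').lower()
            if ntpath.dirname(target) in (r"c:\windows", r"c:\windows\temp") or "\\appdata\\local\\temp\\" in target:
                hits.append((e["pid"], e["key"], e["value"]))
    return hits


def find_wow64_shell(events) -> List[int]:
    r"""On x64 Windows the user's shell is the 64-bit C:\Windows\explorer.exe;
    an explorer.exe image under SysWOW64 means a 32-bit process launched it."""
    return [e["pid"] for e in events
            if e["type"] == "process_create" and e["image"].lower() == r"c:\windows\syswow64\explorer.exe"]


# My mapping to current ATT&CK IDs (the report's matrix used the v6 numbering).
ATTACK = {
    "hollowing": "T1055.012 Process Hollowing",
    "shadow_deletion": "T1490 Inhibit System Recovery",
    "run_key": "T1547.001 Registry Run Keys / Startup Folder",
}


def triage(events) -> Dict[str, list]:
    return {
        "hollowing": find_hollowing(events),
        "shadow_deletion": find_shadow_deletion(events),
        "run_key": find_run_key_persistence(events),
        "wow64_shell": find_wow64_shell(events),
    }


if __name__ == "__main__":
    for name, hits in triage(EVENTS).items():
        print(f"{name:16} {ATTACK.get(name, '-'):48} {hits}")
```

Run as a script it prints one line per detector. The hollowing check requires the target to be the writer's own child, which matches both stages in this tree but would not catch injection into an already running process; drop the ppid comparison if that is the behaviour you hunt for.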
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads

C:\ProgramData\oziqemegewypyvuh\01000000
  Filesize: 494KB (same size as the submitted sample, but different hashes)
  MD5: 39390d06e7c0d6dfe7cbcc09a55a1bb9
  SHA1: 06f4970c9efb79ac2abe88c58490badc7d97eab6
  SHA256: 735a519597741e99592413611fa50b559ca46e1e386a50239061dc667b272896
  SHA512: 14e41f2c67c62fd620d3e01578a2f078e26d361290df87004d6bee2cb5363b3f955c7256ee53cec550188b61d9805fe4b5fe9d590c2ebbbf47ade68dbdc177e6

Memory dumps (ordered by dump index; mapping.dmp entries carry a single address, not a range)
dump             PID   region                                  size
memory/2044-54   2044  0x0000000075881000-0x0000000075883000   8KB
memory/1004-55   1004  0x0000000000400000-0x000000000043C000   240KB
memory/1004-58   1004  0x0000000000400000-0x000000000043C000   240KB
memory/1004-60   1004  0x0000000000400000-0x000000000043C000   240KB
memory/1004-61   1004  0x0000000000400000-0x000000000043C000   240KB
memory/1004-62   1004  0x0000000000400000-0x000000000043C000   240KB
memory/1004-64   1004  0x0000000000400000-0x000000000043C000   240KB
memory/1004-65   1004  0x000000000040B4D3 (mapping.dmp)        -
memory/1004-66   1004  0x0000000000400000-0x000000000043C000   240KB
memory/1004-68   1004  0x0000000000400000-0x000000000043C000   240KB
memory/1004-69   1004  0x0000000000400000-0x000000000043C000   240KB
memory/1004-70   1004  0x0000000000400000-0x000000000043C000   240KB
memory/468-71    468   0x0000000000080000-0x00000000000BE000   248KB
memory/468-73    468   0x0000000000080000-0x00000000000BE000   248KB
memory/468-75    468   0x000000000009BE80 (mapping.dmp)        -
memory/468-77    468   0x0000000074FA1000-0x0000000074FA3000   8KB
memory/1004-79   1004  0x0000000000400000-0x000000000043C000   240KB
memory/468-80    468   0x0000000000080000-0x00000000000BE000   248KB
memory/1128-81   1128  0x0000000000000000 (mapping.dmp)        -
memory/468-82    468   0x0000000072B51000-0x0000000072B53000   8KB
memory/468-83    468   0x0000000000080000-0x00000000000BE000   248KB