Analysis
- max time kernel: 151s
- max time network: 146s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 25-11-2022 23:55
Static task: static1
Behavioral task: behavioral1
- Sample: 6bf4433fbea4827e61ee5239a7c0a17b1ea592c77dc75e5e156f41aa7a2eca83.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: 6bf4433fbea4827e61ee5239a7c0a17b1ea592c77dc75e5e156f41aa7a2eca83.exe
- Resource: win10v2004-20220812-en
General
- Target: 6bf4433fbea4827e61ee5239a7c0a17b1ea592c77dc75e5e156f41aa7a2eca83.exe
- Size: 557KB
- MD5: 65c094df3fd52240b1068d843ba91a1f
- SHA1: bf071072b54701aacd3f303e94350ecce7642a50
- SHA256: 6bf4433fbea4827e61ee5239a7c0a17b1ea592c77dc75e5e156f41aa7a2eca83
- SHA512: ffe93848e1594a747226cd12bd58cc848ef1fb0d73e09aaa4b68b1e6901a02a35bd94ee1b324225817e0eb7bb44f7ebc4c78b5de526dc9f68b87829102816964
- SSDEEP: 12288:zzjLu+E49KR7KqKoeW64scN73mvT44t0K7MW/t03FroN/Ai:jLuleKR7KqKoeW641Nrq8mf7MW/t0Jox
Malware Config
Signatures
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: explorer.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ezicecyd = "\"C:\\Windows\\onerhzad.exe\"" | explorer.exe
- Checks whether UAC is enabled
  Processes: 6bf4433fbea4827e61ee5239a7c0a17b1ea592c77dc75e5e156f41aa7a2eca83.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 6bf4433fbea4827e61ee5239a7c0a17b1ea592c77dc75e5e156f41aa7a2eca83.exe
- Suspicious use of SetThreadContext (2 IoCs)
  Processes: 6bf4433fbea4827e61ee5239a7c0a17b1ea592c77dc75e5e156f41aa7a2eca83.exe, 6bf4433fbea4827e61ee5239a7c0a17b1ea592c77dc75e5e156f41aa7a2eca83.exe
  description | pid | process | target process
  PID 1112 set thread context of 1420 | 1112 | 6bf4433fbea4827e61ee5239a7c0a17b1ea592c77dc75e5e156f41aa7a2eca83.exe | 6bf4433fbea4827e61ee5239a7c0a17b1ea592c77dc75e5e156f41aa7a2eca83.exe
  PID 1420 set thread context of 1768 | 1420 | 6bf4433fbea4827e61ee5239a7c0a17b1ea592c77dc75e5e156f41aa7a2eca83.exe | explorer.exe
- Drops file in Windows directory (2 IoCs)
  Processes: explorer.exe
  description | ioc | process
  File opened for modification | C:\Windows\onerhzad.exe | explorer.exe
  File created | C:\Windows\onerhzad.exe | explorer.exe
- Interacts with shadow copies (2 TTPs, 1 IoC)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes: vssadmin.exe
  pid | process
  1668 | vssadmin.exe
- Modifies Internet Explorer Phishing Filter (1 TTP, 3 IoCs)
  Processes: explorer.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\PhishingFilter | explorer.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV8 = "0" | explorer.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV9 = "0" | explorer.exe
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes: 6bf4433fbea4827e61ee5239a7c0a17b1ea592c77dc75e5e156f41aa7a2eca83.exe
  pid | process
  1112 | 6bf4433fbea4827e61ee5239a7c0a17b1ea592c77dc75e5e156f41aa7a2eca83.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes: vssvc.exe
  description | pid | process
  Token: SeBackupPrivilege | 1264 | vssvc.exe
  Token: SeRestorePrivilege | 1264 | vssvc.exe
  Token: SeAuditPrivilege | 1264 | vssvc.exe
- Suspicious use of WriteProcessMemory (20 IoCs; identical rows collapsed, with the number of entries in the last column)
  Processes: 6bf4433fbea4827e61ee5239a7c0a17b1ea592c77dc75e5e156f41aa7a2eca83.exe, 6bf4433fbea4827e61ee5239a7c0a17b1ea592c77dc75e5e156f41aa7a2eca83.exe, explorer.exe
  description | pid | process | target process | entries
  PID 1112 wrote to memory of 1420 | 1112 | 6bf4433fbea4827e61ee5239a7c0a17b1ea592c77dc75e5e156f41aa7a2eca83.exe | 6bf4433fbea4827e61ee5239a7c0a17b1ea592c77dc75e5e156f41aa7a2eca83.exe | 11
  PID 1420 wrote to memory of 1768 | 1420 | 6bf4433fbea4827e61ee5239a7c0a17b1ea592c77dc75e5e156f41aa7a2eca83.exe | explorer.exe | 5
  PID 1768 wrote to memory of 1668 | 1768 | explorer.exe | vssadmin.exe | 4
Processes (tree depth shown by indentation; PIDs taken from the signature tables above)
- C:\Users\Admin\AppData\Local\Temp\6bf4433fbea4827e61ee5239a7c0a17b1ea592c77dc75e5e156f41aa7a2eca83.exe (depth 1, PID 1112)
  Command line: "C:\Users\Admin\AppData\Local\Temp\6bf4433fbea4827e61ee5239a7c0a17b1ea592c77dc75e5e156f41aa7a2eca83.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\6bf4433fbea4827e61ee5239a7c0a17b1ea592c77dc75e5e156f41aa7a2eca83.exe (depth 2, PID 1420)
    Command line: "C:\Users\Admin\AppData\Local\Temp\6bf4433fbea4827e61ee5239a7c0a17b1ea592c77dc75e5e156f41aa7a2eca83.exe"
    - Checks whether UAC is enabled
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\explorer.exe (depth 3, PID 1768)
      Command line: "C:\Windows\system32\explorer.exe"
      - Adds Run key to start application
      - Drops file in Windows directory
      - Modifies Internet Explorer Phishing Filter
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\vssadmin.exe (depth 4, PID 1668)
        Command line: vssadmin.exe Delete Shadows /All /Quiet
        - Interacts with shadow copies
- C:\Windows\system32\vssvc.exe (depth 1, PID 1264)
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\ProgramData\ycofydacamomuzax\01000000
  Filesize: 557KB
  MD5: 4a3dcd4622df780e6f5055ca2a8acdbc
  SHA1: 501b7e53466a9c7b7bd800514cfb169c6316df39
  SHA256: a7426352878b029a4d36d7c076898c83196911de08d1c4604ef2cdf5cf437369
  SHA512: 43b02a90649512618519fc3025e1da35117d58f66eb468cc03fe92554dc7bb63d872dadbdd6ef07080a819a5f1ae5766e90087f90b1f9e1c8a38e40a548afcbf
- memory/1112-54-0x0000000075351000-0x0000000075353000-memory.dmp (Filesize: 8KB)
- memory/1420-65-0x000000000040A61E-mapping.dmp
- memory/1420-60-0x0000000000400000-0x000000000043A000-memory.dmp (Filesize: 232KB)
- memory/1420-61-0x0000000000400000-0x000000000043A000-memory.dmp (Filesize: 232KB)
- memory/1420-62-0x0000000000400000-0x000000000043A000-memory.dmp (Filesize: 232KB)
- memory/1420-76-0x0000000000400000-0x000000000043A000-memory.dmp (Filesize: 232KB)
- memory/1420-64-0x0000000000400000-0x000000000043A000-memory.dmp (Filesize: 232KB)
- memory/1420-66-0x0000000000400000-0x000000000043A000-memory.dmp (Filesize: 232KB)
- memory/1420-68-0x0000000000400000-0x000000000043A000-memory.dmp (Filesize: 232KB)
- memory/1420-58-0x0000000000400000-0x000000000043A000-memory.dmp (Filesize: 232KB)
- memory/1420-55-0x0000000000400000-0x000000000043A000-memory.dmp (Filesize: 232KB)
- memory/1420-79-0x0000000000400000-0x000000000043A000-memory.dmp (Filesize: 232KB)
- memory/1668-80-0x0000000000000000-mapping.dmp
- memory/1768-69-0x0000000000080000-0x00000000000BC000-memory.dmp (Filesize: 240KB)
- memory/1768-77-0x0000000000080000-0x00000000000BC000-memory.dmp (Filesize: 240KB)
- memory/1768-75-0x0000000074CB1000-0x0000000074CB3000-memory.dmp (Filesize: 8KB)
- memory/1768-73-0x000000000009A140-mapping.dmp
- memory/1768-71-0x0000000000080000-0x00000000000BC000-memory.dmp (Filesize: 240KB)
- memory/1768-81-0x0000000072851000-0x0000000072853000-memory.dmp (Filesize: 8KB)
- memory/1768-82-0x0000000000080000-0x00000000000BC000-memory.dmp (Filesize: 240KB)