Overview

overview

9

Static

static

4ddcb90086...12.exe

windows7-x64

9

4ddcb90086...12.exe

windows10-2004-x64

3

Analysis

  • max time kernel
    223s
  • max time network
    305s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    25-11-2022 10:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4ddcb90086a6e2e9717a35af358fdb9e2cb7a4fdb861dd83b8e1bdff7d14b912.exe

  • Size

    554KB

  • MD5

    a4bb650a27719f16b8f659f330891663

  • SHA1

    cc467e611100b7e6694136e1303aee0f402793b3

  • SHA256

    4ddcb90086a6e2e9717a35af358fdb9e2cb7a4fdb861dd83b8e1bdff7d14b912

  • SHA512

    93bbfc43612aa47a73a1afe598c3a0b8373dddc94e9672582e13824bd5c446b73edbabb60dca0a98fea95786aa98ed595eb5058069338e7e073b229d68ae2e74

  • SSDEEP

    12288:YQjLuRE4xKR72qKoe/ZWsYUxUKQzZZQZsqtOqJ:nLueaKR72qKoe/EhdKYavJ

Score
9/10
evasionpersistenceransomwaretrojan

Malware Config

Signatures

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies Internet Explorer Phishing Filter 1 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4ddcb90086a6e2e9717a35af358fdb9e2cb7a4fdb861dd83b8e1bdff7d14b912.exe
    "C:\Users\Admin\AppData\Local\Temp\4ddcb90086a6e2e9717a35af358fdb9e2cb7a4fdb861dd83b8e1bdff7d14b912.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:560
    • C:\Users\Admin\AppData\Local\Temp\4ddcb90086a6e2e9717a35af358fdb9e2cb7a4fdb861dd83b8e1bdff7d14b912.exe
      "C:\Users\Admin\AppData\Local\Temp\4ddcb90086a6e2e9717a35af358fdb9e2cb7a4fdb861dd83b8e1bdff7d14b912.exe"
      2⤵
      • Checks whether UAC is enabled
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:1468
      • C:\Windows\SysWOW64\explorer.exe
        "C:\Windows\system32\explorer.exe"
        3⤵
        • Adds Run key to start application
        • Drops file in Windows directory
        • Modifies Internet Explorer Phishing Filter
        • Suspicious use of WriteProcessMemory
        PID:1520
        • C:\Windows\SysWOW64\vssadmin.exe
          vssadmin.exe Delete Shadows /All /Quiet
          4⤵
          • Interacts with shadow copies
          PID:1184
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2020

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\ywynugoxasijikec\01000000
    Filesize

    554KB

    MD5

    36f188add4e890121ed9e3efe886f5c4

    SHA1

    c9325a3394e9ec421f9a9278b23b71de1d3f181d

    SHA256

    8c5b2bc9dc7e0df60f7a52e6d5022611785d22237636befdfd109e861679cd3d

    SHA512

    0ecf7ec5fbe807d785dbb8f11e5d1828930f4888006d6157490e34e3e8acef423cfa2d15728d319eb1f9da6fca87ae573f545719796559e4daf82da654d4adc1

    Download Submit
  • memory/560-54-0x0000000076D71000-0x0000000076D73000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1184-82-0x0000000000000000-mapping.dmp
    Download
  • memory/1468-69-0x0000000000400000-0x000000000043A000-memory.dmp
    Filesize

    232KB

    Download
  • memory/1468-78-0x0000000000400000-0x000000000043A000-memory.dmp
    Filesize

    232KB

    Download
  • memory/1468-62-0x0000000000400000-0x000000000043A000-memory.dmp
    Filesize

    232KB

    Download
  • memory/1468-64-0x0000000000400000-0x000000000043A000-memory.dmp
    Filesize

    232KB

    Download
  • memory/1468-65-0x000000000040A61E-mapping.dmp
    Download
  • memory/1468-66-0x0000000000400000-0x000000000043A000-memory.dmp
    Filesize

    232KB

    Download
  • memory/1468-68-0x0000000000400000-0x000000000043A000-memory.dmp
    Filesize

    232KB

    Download
  • memory/1468-60-0x0000000000400000-0x000000000043A000-memory.dmp
    Filesize

    232KB

    Download
  • memory/1468-55-0x0000000000400000-0x000000000043A000-memory.dmp
    Filesize

    232KB

    Download
  • memory/1468-58-0x0000000000400000-0x000000000043A000-memory.dmp
    Filesize

    232KB

    Download
  • memory/1468-79-0x0000000000400000-0x000000000043A000-memory.dmp
    Filesize

    232KB

    Download
  • memory/1468-61-0x0000000000400000-0x000000000043A000-memory.dmp
    Filesize

    232KB

    Download
  • memory/1520-77-0x0000000000080000-0x00000000000BC000-memory.dmp
    Filesize

    240KB

    Download
  • memory/1520-76-0x0000000075541000-0x0000000075543000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1520-74-0x000000000009A160-mapping.dmp
    Download
  • memory/1520-72-0x0000000000080000-0x00000000000BC000-memory.dmp
    Filesize

    240KB

    Download
  • memory/1520-81-0x0000000000080000-0x00000000000BC000-memory.dmp
    Filesize

    240KB

    Download
  • memory/1520-70-0x0000000000080000-0x00000000000BC000-memory.dmp
    Filesize

    240KB

    Download
  • memory/1520-83-0x0000000072FF1000-0x0000000072FF3000-memory.dmp
    Filesize

    8KB

    Download