Analysis
max time kernel: 166s
max time network: 177s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 25-11-2022 20:52
Static task: static1
Behavioral task: behavioral1
  Sample: fatura_827180294.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: fatura_827180294.exe
  Resource: win10v2004-20220812-en
General
Target: fatura_827180294.exe
Size: 733KB
MD5: 65ea48b4c82f88c7263b9034176e2a8d
SHA1: c15ad4d273f16d843c18c7c1ad679638c4fc2381
SHA256: faae39367bae706cec58e5a845a530dd7cacc510a530a36f1c96aeffa46987f4
SHA512: d281ed14c1327c4c01b0e4fe1da0b15e10660f245fcc3bd695493d38e994f727fa4f104d8a8a8aca94c41ac21479f813537faaa65780f82959daa79789c92dca
SSDEEP: 12288:NZjLucE4zhEeah7kkvwp5OFwqHRmdzjr/:bLurAhPEdHR0H
Malware Config
Signatures
Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: explorer.exe
  Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (explorer.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ezybahwk = "\"C:\\Windows\\exegasoj.exe\"" (explorer.exe)

Checks whether UAC is enabled
Processes: fatura_827180294.exe
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (fatura_827180294.exe)
Suspicious use of SetThreadContext (2 IoCs)
Processes: fatura_827180294.exe, fatura_827180294.exe
  PID 1096 set thread context of 1336 (fatura_827180294.exe -> fatura_827180294.exe)
  PID 1336 set thread context of 964 (fatura_827180294.exe -> explorer.exe)
Drops file in Windows directory (2 IoCs)
Processes: explorer.exe
  File opened for modification: C:\Windows\exegasoj.exe (explorer.exe)
  File created: C:\Windows\exegasoj.exe (explorer.exe)
Interacts with shadow copies (2 TTPs, 1 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes: vssadmin.exe
  PID 1696 vssadmin.exe
Modifies Internet Explorer Phishing Filter (1 TTPs, 3 IoCs)
Processes: explorer.exe
  Set value (int): \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV9 = "0" (explorer.exe)
  Key created: \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\PhishingFilter (explorer.exe)
  Set value (int): \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV8 = "0" (explorer.exe)
Suspicious behavior: EnumeratesProcesses (1 IoCs)
Processes: fatura_827180294.exe
  PID 1096 fatura_827180294.exe
Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes: vssvc.exe
  Token: SeBackupPrivilege (PID 1720 vssvc.exe)
  Token: SeRestorePrivilege (PID 1720 vssvc.exe)
  Token: SeAuditPrivilege (PID 1720 vssvc.exe)
Suspicious use of WriteProcessMemory (20 IoCs)
Processes: fatura_827180294.exe, fatura_827180294.exe, explorer.exe
  PID 1096 wrote to memory of 1336 (fatura_827180294.exe -> fatura_827180294.exe): 11 events
  PID 1336 wrote to memory of 964 (fatura_827180294.exe -> explorer.exe): 5 events
  PID 964 wrote to memory of 1696 (explorer.exe -> vssadmin.exe): 4 events
Processes
C:\Users\Admin\AppData\Local\Temp\fatura_827180294.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\fatura_827180294.exe"
  PID: 1096
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\fatura_827180294.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\fatura_827180294.exe"
    PID: 1336
    - Checks whether UAC is enabled
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\explorer.exe
      Command line: "C:\Windows\system32\explorer.exe"
      PID: 964
      - Adds Run key to start application
      - Drops file in Windows directory
      - Modifies Internet Explorer Phishing Filter
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\vssadmin.exe
        Command line: vssadmin.exe Delete Shadows /All /Quiet
        PID: 1696
        - Interacts with shadow copies
C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 1720
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\ProgramData\ycofydacamomuzax\01000000
  Filesize: 733KB
  MD5: 05ea890960bf7c7f28c3700dbd6660c9
  SHA1: f7f1cee5839efa3850e74fc7cee029e677189a6b
  SHA256: 5dc12f5d393cd507847b7cea2b615348f88d6afb710eb796539e1cfb068e46bc
  SHA512: 3c902b3bf6bb4084c2c4d606c97d2e4b695e50f00418a28a2bafd8635393b5d9cfdb02467c1e3d556444573631c7c11a5dfa6b054d37b10867fe0f57e760fb97
memory/964-82-0x0000000072CD1000-0x0000000072CD3000-memory.dmp (Filesize: 8KB)
memory/964-81-0x0000000000080000-0x00000000000BC000-memory.dmp (Filesize: 240KB)
memory/964-79-0x0000000000080000-0x00000000000BC000-memory.dmp (Filesize: 240KB)
memory/964-76-0x0000000075131000-0x0000000075133000-memory.dmp (Filesize: 8KB)
memory/964-74-0x000000000009A140-mapping.dmp
memory/964-72-0x0000000000080000-0x00000000000BC000-memory.dmp (Filesize: 240KB)
memory/964-70-0x0000000000080000-0x00000000000BC000-memory.dmp (Filesize: 240KB)
memory/1096-54-0x00000000768A1000-0x00000000768A3000-memory.dmp (Filesize: 8KB)
memory/1336-69-0x0000000000400000-0x000000000043A000-memory.dmp (Filesize: 232KB)
memory/1336-68-0x0000000000400000-0x000000000043A000-memory.dmp (Filesize: 232KB)
memory/1336-66-0x0000000000400000-0x000000000043A000-memory.dmp (Filesize: 232KB)
memory/1336-65-0x000000000040A61E-mapping.dmp
memory/1336-64-0x0000000000400000-0x000000000043A000-memory.dmp (Filesize: 232KB)
memory/1336-60-0x0000000000400000-0x000000000043A000-memory.dmp (Filesize: 232KB)
memory/1336-78-0x0000000000400000-0x000000000043A000-memory.dmp (Filesize: 232KB)
memory/1336-61-0x0000000000400000-0x000000000043A000-memory.dmp (Filesize: 232KB)
memory/1336-62-0x0000000000400000-0x000000000043A000-memory.dmp (Filesize: 232KB)
memory/1336-58-0x0000000000400000-0x000000000043A000-memory.dmp (Filesize: 232KB)
memory/1336-55-0x0000000000400000-0x000000000043A000-memory.dmp (Filesize: 232KB)
memory/1696-80-0x0000000000000000-mapping.dmp