Analysis
max time kernel: 281s
max time network: 347s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-11-2022 04:44
Static task: static1
Behavioral task: behavioral1
  Sample: 62d0ce15d2dc5825d4bf46690bc296547387f6b74304ba6a6fedbebba440a490.exe
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: 62d0ce15d2dc5825d4bf46690bc296547387f6b74304ba6a6fedbebba440a490.exe
  Resource: win10v2004-20221111-en
General
Target: 62d0ce15d2dc5825d4bf46690bc296547387f6b74304ba6a6fedbebba440a490.exe
Size: 446KB
MD5: 11ff8a8e9a643deff1dcf58e7e2fdf20
SHA1: 40b1d84b341bae23dc5cfa8dd1c44cf96294cd54
SHA256: 62d0ce15d2dc5825d4bf46690bc296547387f6b74304ba6a6fedbebba440a490
SHA512: 29499106387047744693da395da8aeb695933579f7b1f5dd23613059591215ca60be4021286c04cacf5c02e5726ab28fe2ed15b0a9b6c12571b88532eec156f1
SSDEEP: 12288:/uPIb4kzPgkrw1k2Fr8+o/tH18wtuomhUqlDykX:SItUkrQ5Fr6/n82yblmg
Malware Config
Signatures
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lradawop = "C:\\Windows\\ehixoniz.exe" | explorer.exe
- Checks whether UAC is enabled
  Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 62d0ce15d2dc5825d4bf46690bc296547387f6b74304ba6a6fedbebba440a490.exe
- Suspicious use of SetThreadContext (2 IoCs)
  Processes:
  description | pid | process | target process
  PID 3156 set thread context of 3544 | 3156 | 62d0ce15d2dc5825d4bf46690bc296547387f6b74304ba6a6fedbebba440a490.exe | 62d0ce15d2dc5825d4bf46690bc296547387f6b74304ba6a6fedbebba440a490.exe
  PID 3544 set thread context of 1064 | 3544 | 62d0ce15d2dc5825d4bf46690bc296547387f6b74304ba6a6fedbebba440a490.exe | explorer.exe
- Drops file in Windows directory (2 IoCs)
  Processes:
  description | ioc | process
  File created | C:\Windows\ehixoniz.exe | explorer.exe
  File opened for modification | C:\Windows\ehixoniz.exe | explorer.exe
- Interacts with shadow copies (2 TTPs, 1 IoC)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes:
  pid | process
  1900 | vssadmin.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
  description | pid | process
  Token: SeBackupPrivilege | 1976 | vssvc.exe
  Token: SeRestorePrivilege | 1976 | vssvc.exe
  Token: SeAuditPrivilege | 1976 | vssvc.exe
- Suspicious use of WriteProcessMemory (16 IoCs)
  Processes (identical rows collapsed, with the number of occurrences in the last column):
  description | pid | process | target process | occurrences
  PID 3156 wrote to memory of 3544 | 3156 | 62d0ce15d2dc5825d4bf46690bc296547387f6b74304ba6a6fedbebba440a490.exe | 62d0ce15d2dc5825d4bf46690bc296547387f6b74304ba6a6fedbebba440a490.exe | 10
  PID 3544 wrote to memory of 1064 | 3544 | 62d0ce15d2dc5825d4bf46690bc296547387f6b74304ba6a6fedbebba440a490.exe | explorer.exe | 4
  PID 1064 wrote to memory of 1900 | 1064 | explorer.exe | vssadmin.exe | 2
Processes
- C:\Users\Admin\AppData\Local\Temp\62d0ce15d2dc5825d4bf46690bc296547387f6b74304ba6a6fedbebba440a490.exe (PID 3156, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\62d0ce15d2dc5825d4bf46690bc296547387f6b74304ba6a6fedbebba440a490.exe"
  Signatures: Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\62d0ce15d2dc5825d4bf46690bc296547387f6b74304ba6a6fedbebba440a490.exe (PID 3544, depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\62d0ce15d2dc5825d4bf46690bc296547387f6b74304ba6a6fedbebba440a490.exe"¶C:\Users\Admin\AppData\Local\Temp\62d0ce15d2dc5825d4bf46690bc296547387f6b74304ba6a6fedbebba440a490.exe
    Signatures: Checks whether UAC is enabled; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\explorer.exe (PID 1064, depth 3)
      Command line: "C:\Windows\system32\explorer.exe"
      Signatures: Adds Run key to start application; Drops file in Windows directory; Suspicious use of WriteProcessMemory
      - C:\Windows\SYSTEM32\vssadmin.exe (PID 1900, depth 4)
        Command line: vssadmin.exe Delete Shadows /All /Quiet
        Signatures: Interacts with shadow copies
- C:\Windows\system32\vssvc.exe (PID 1976, depth 1)
  Command line: C:\Windows\system32\vssvc.exe
  Signatures: Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\ProgramData\uwiryzenebaxoxoc\01000000
  Filesize: 446KB
  MD5: b47f943f502acd0bb7d5e6981504f230
  SHA1: e536bfdd82bed444a8e094cb406b1f8a49a0fbe3
  SHA256: eb727709ce0f220d90d272e69746b71ce7a4f6f0708c3bd0c4795df683509db4
  SHA512: 6984f3a1122c70e811f4c269cde43a48928451a67f55341cd04844e2ae55d274f1b560fe27e54600735396aa5a8b46f26150b061f093cacf3d508647f0d9b698
- memory/1064-137-0x0000000000000000-mapping.dmp
- memory/1064-138-0x0000000000E80000-0x0000000000EBD000-memory.dmp (Filesize: 244KB)
- memory/1064-143-0x0000000000E80000-0x0000000000EBD000-memory.dmp (Filesize: 244KB)
- memory/1064-144-0x0000000000E80000-0x0000000000EBD000-memory.dmp (Filesize: 244KB)
- memory/1900-142-0x0000000000000000-mapping.dmp
- memory/3544-132-0x0000000000000000-mapping.dmp
- memory/3544-133-0x0000000000400000-0x000000000043C000-memory.dmp (Filesize: 240KB)
- memory/3544-134-0x0000000000400000-0x000000000043C000-memory.dmp (Filesize: 240KB)
- memory/3544-135-0x0000000000400000-0x000000000043C000-memory.dmp (Filesize: 240KB)
- memory/3544-136-0x0000000000400000-0x000000000043C000-memory.dmp (Filesize: 240KB)
- memory/3544-141-0x0000000000400000-0x000000000043C000-memory.dmp (Filesize: 240KB)