Analysis
- max time kernel: 187s
- max time network: 191s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26-11-2022 04:45

Static task: static1

Behavioral task: behavioral1
- Sample: Saldo.Pdf______________________________________________________________.exe
- Resource: win7-20220901-en

Behavioral task: behavioral2
- Sample: Saldo.Pdf______________________________________________________________.exe
- Resource: win10v2004-20220812-en
General
- Target: Saldo.Pdf______________________________________________________________.exe
- Size: 446KB
- MD5: 11ff8a8e9a643deff1dcf58e7e2fdf20
- SHA1: 40b1d84b341bae23dc5cfa8dd1c44cf96294cd54
- SHA256: 62d0ce15d2dc5825d4bf46690bc296547387f6b74304ba6a6fedbebba440a490
- SHA512: 29499106387047744693da395da8aeb695933579f7b1f5dd23613059591215ca60be4021286c04cacf5c02e5726ab28fe2ed15b0a9b6c12571b88532eec156f1
- SSDEEP: 12288:/uPIb4kzPgkrw1k2Fr8+o/tH18wtuomhUqlDykX:SItUkrQ5Fr6/n82yblmg
Malware Config
Signatures
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Process: explorer.exe
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (explorer.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ylycyjuc = "C:\\Windows\\ogdsyguf.exe" (explorer.exe)
- Checks whether UAC is enabled
  Process: Saldo.Pdf______________________________________________________________.exe
  - Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (Saldo.Pdf______________________________________________________________.exe)
- Suspicious use of SetThreadContext (2 IoCs)
  Processes: Saldo.Pdf______________________________________________________________.exe, Saldo.Pdf______________________________________________________________.exe
  - PID 3776 (Saldo.Pdf______________________________________________________________.exe) set thread context of PID 4296 (Saldo.Pdf______________________________________________________________.exe)
  - PID 4296 (Saldo.Pdf______________________________________________________________.exe) set thread context of PID 5052 (explorer.exe)
- Drops file in Windows directory (2 IoCs)
  Process: explorer.exe
  - File opened for modification: C:\Windows\ogdsyguf.exe (explorer.exe)
  - File created: C:\Windows\ogdsyguf.exe (explorer.exe)
- Interacts with shadow copies (2 TTPs, 1 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Process: vssadmin.exe
  - PID 5012 vssadmin.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Process: vssvc.exe (PID 1812)
  - Token: SeBackupPrivilege
  - Token: SeRestorePrivilege
  - Token: SeAuditPrivilege
- Suspicious use of WriteProcessMemory (16 IoCs)
  Processes: Saldo.Pdf______________________________________________________________.exe, Saldo.Pdf______________________________________________________________.exe, explorer.exe
  - PID 3776 (Saldo.Pdf______________________________________________________________.exe) wrote to memory of PID 4296 (Saldo.Pdf______________________________________________________________.exe): 10 events
  - PID 4296 (Saldo.Pdf______________________________________________________________.exe) wrote to memory of PID 5052 (explorer.exe): 4 events
  - PID 5052 (explorer.exe) wrote to memory of PID 5012 (vssadmin.exe): 2 events
Processes
- C:\Users\Admin\AppData\Local\Temp\Saldo.Pdf______________________________________________________________.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Saldo.Pdf______________________________________________________________.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Saldo.Pdf______________________________________________________________.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Saldo.Pdf______________________________________________________________.exe"
    - Checks whether UAC is enabled
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\explorer.exe
      Command line: "C:\Windows\system32\explorer.exe"
      - Adds Run key to start application
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SYSTEM32\vssadmin.exe
        Command line: vssadmin.exe Delete Shadows /All /Quiet
        - Interacts with shadow copies
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\ProgramData\uwiryzenebaxoxoc\01000000
  Filesize: 446KB
  MD5: b47f943f502acd0bb7d5e6981504f230
  SHA1: e536bfdd82bed444a8e094cb406b1f8a49a0fbe3
  SHA256: eb727709ce0f220d90d272e69746b71ce7a4f6f0708c3bd0c4795df683509db4
  SHA512: 6984f3a1122c70e811f4c269cde43a48928451a67f55341cd04844e2ae55d274f1b560fe27e54600735396aa5a8b46f26150b061f093cacf3d508647f0d9b698
- memory/4296-132-0x0000000000000000-mapping.dmp
- memory/4296-133-0x0000000000400000-0x000000000043C000-memory.dmp (Filesize: 240KB)
- memory/4296-134-0x0000000000400000-0x000000000043C000-memory.dmp (Filesize: 240KB)
- memory/4296-135-0x0000000000400000-0x000000000043C000-memory.dmp (Filesize: 240KB)
- memory/4296-136-0x0000000000400000-0x000000000043C000-memory.dmp (Filesize: 240KB)
- memory/4296-141-0x0000000000400000-0x000000000043C000-memory.dmp (Filesize: 240KB)
- memory/5012-142-0x0000000000000000-mapping.dmp
- memory/5052-137-0x0000000000000000-mapping.dmp
- memory/5052-138-0x00000000009A0000-0x00000000009DD000-memory.dmp (Filesize: 244KB)
- memory/5052-143-0x00000000009A0000-0x00000000009DD000-memory.dmp (Filesize: 244KB)
- memory/5052-144-0x00000000009A0000-0x00000000009DD000-memory.dmp (Filesize: 244KB)