Analysis
- max time kernel: 242s
- max time network: 314s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 26-11-2022 04:45
Static task: static1
Behavioral task: behavioral1
  Sample: Transazione.Pdf______________________________________________________________.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: Transazione.Pdf______________________________________________________________.exe
  Resource: win10v2004-20220812-en
General
- Target: Transazione.Pdf______________________________________________________________.exe
- Size: 446KB
- MD5: 11ff8a8e9a643deff1dcf58e7e2fdf20
- SHA1: 40b1d84b341bae23dc5cfa8dd1c44cf96294cd54
- SHA256: 62d0ce15d2dc5825d4bf46690bc296547387f6b74304ba6a6fedbebba440a490
- SHA512: 29499106387047744693da395da8aeb695933579f7b1f5dd23613059591215ca60be4021286c04cacf5c02e5726ab28fe2ed15b0a9b6c12571b88532eec156f1
- SSDEEP: 12288:/uPIb4kzPgkrw1k2Fr8+o/tH18wtuomhUqlDykX:SItUkrQ5Fr6/n82yblmg
Malware Config
Signatures
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Accesses Microsoft Outlook accounts (1 TTPs, 1 IoCs)
  Processes: explorer.exe
    Key opened: \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts (explorer.exe)
- Accesses Microsoft Outlook profiles (1 TTPs, 1 IoCs)
  Processes: explorer.exe
    Key opened: \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook (explorer.exe)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: explorer.exe
    Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (explorer.exe)
    Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ostxegus = "C:\\Windows\\inefoxoq.exe" (explorer.exe)
- Checks whether UAC is enabled
  Processes: Transazione.Pdf______________________________________________________________.exe
    Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (Transazione.Pdf______________________________________________________________.exe)
- Suspicious use of SetThreadContext (2 IoCs)
  Processes: Transazione.Pdf______________________________________________________________.exe, Transazione.Pdf______________________________________________________________.exe
    PID 1720 set thread context of 1340 (Transazione.Pdf______________________________________________________________.exe -> Transazione.Pdf______________________________________________________________.exe)
    PID 1340 set thread context of 1804 (Transazione.Pdf______________________________________________________________.exe -> explorer.exe)
- Drops file in Windows directory (2 IoCs)
  Processes: explorer.exe
    File opened for modification: C:\Windows\inefoxoq.exe (explorer.exe)
    File created: C:\Windows\inefoxoq.exe (explorer.exe)
- Interacts with shadow copies (2 TTPs, 1 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes: vssadmin.exe
    PID 452 (vssadmin.exe)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes: vssvc.exe
    Token: SeBackupPrivilege, PID 1912 (vssvc.exe)
    Token: SeRestorePrivilege, PID 1912 (vssvc.exe)
    Token: SeAuditPrivilege, PID 1912 (vssvc.exe)
- Suspicious use of WriteProcessMemory (20 IoCs)
  Processes: Transazione.Pdf______________________________________________________________.exe, Transazione.Pdf______________________________________________________________.exe, explorer.exe
    PID 1720 wrote to memory of 1340 (Transazione.Pdf______________________________________________________________.exe -> Transazione.Pdf______________________________________________________________.exe), 11 entries
    PID 1340 wrote to memory of 1804 (Transazione.Pdf______________________________________________________________.exe -> explorer.exe), 5 entries
    PID 1804 wrote to memory of 452 (explorer.exe -> vssadmin.exe), 4 entries
- outlook_win_path (1 IoCs)
  Processes: explorer.exe
    Key opened: \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook (explorer.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\Transazione.Pdf______________________________________________________________.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Transazione.Pdf______________________________________________________________.exe"
  PID: 1720 (depth 1)
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Transazione.Pdf______________________________________________________________.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Transazione.Pdf______________________________________________________________.exe">C:\Users\Admin\AppData\Local\Temp\Transazione.Pdf______________________________________________________________.exe
    PID: 1340 (depth 2, child of 1720)
    - Checks whether UAC is enabled
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\explorer.exe
      Command line: "C:\Windows\system32\explorer.exe"
      PID: 1804 (depth 3, child of 1340)
      - Accesses Microsoft Outlook accounts
      - Accesses Microsoft Outlook profiles
      - Adds Run key to start application
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory
      - outlook_win_path
      - C:\Windows\SysWOW64\vssadmin.exe
        Command line: vssadmin.exe Delete Shadows /All /Quiet
        PID: 452 (depth 4, child of 1804)
        - Interacts with shadow copies
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 1912 (depth 1)
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\ProgramData\uwiryzenebaxoxoc\01000000
  Filesize: 446KB
  MD5: b47f943f502acd0bb7d5e6981504f230
  SHA1: e536bfdd82bed444a8e094cb406b1f8a49a0fbe3
  SHA256: eb727709ce0f220d90d272e69746b71ce7a4f6f0708c3bd0c4795df683509db4
  SHA512: 6984f3a1122c70e811f4c269cde43a48928451a67f55341cd04844e2ae55d274f1b560fe27e54600735396aa5a8b46f26150b061f093cacf3d508647f0d9b698
- memory/452-79-0x0000000000000000-mapping.dmp
- memory/1340-62-0x0000000000400000-0x000000000043C000-memory.dmp
  Filesize: 240KB
- memory/1340-58-0x0000000000400000-0x000000000043C000-memory.dmp
  Filesize: 240KB
- memory/1340-61-0x0000000000400000-0x000000000043C000-memory.dmp
  Filesize: 240KB
- memory/1340-55-0x0000000000400000-0x000000000043C000-memory.dmp
  Filesize: 240KB
- memory/1340-64-0x0000000000400000-0x000000000043C000-memory.dmp
  Filesize: 240KB
- memory/1340-65-0x000000000040B4D3-mapping.dmp
- memory/1340-66-0x0000000000400000-0x000000000043C000-memory.dmp
  Filesize: 240KB
- memory/1340-68-0x0000000000400000-0x000000000043C000-memory.dmp
  Filesize: 240KB
- memory/1340-69-0x0000000000400000-0x000000000043C000-memory.dmp
  Filesize: 240KB
- memory/1340-78-0x0000000000400000-0x000000000043C000-memory.dmp
  Filesize: 240KB
- memory/1340-60-0x0000000000400000-0x000000000043C000-memory.dmp
  Filesize: 240KB
- memory/1720-54-0x00000000763D1000-0x00000000763D3000-memory.dmp
  Filesize: 8KB
- memory/1804-74-0x000000000009BB10-mapping.dmp
- memory/1804-76-0x0000000074F61000-0x0000000074F63000-memory.dmp
  Filesize: 8KB
- memory/1804-72-0x0000000000080000-0x00000000000BD000-memory.dmp
  Filesize: 244KB
- memory/1804-70-0x0000000000080000-0x00000000000BD000-memory.dmp
  Filesize: 244KB
- memory/1804-80-0x0000000072B21000-0x0000000072B23000-memory.dmp
  Filesize: 8KB
- memory/1804-81-0x0000000000080000-0x00000000000BD000-memory.dmp
  Filesize: 244KB
- memory/1804-82-0x0000000000080000-0x00000000000BD000-memory.dmp
  Filesize: 244KB