Overview

overview

9

Static

static

Transazion...__.exe

windows7-x64

9

Transazion...__.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    242s
  • max time network
    314s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    26-11-2022 04:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Transazione.Pdf______________________________________________________________.exe

  • Size

    446KB

  • MD5

    11ff8a8e9a643deff1dcf58e7e2fdf20

  • SHA1

    40b1d84b341bae23dc5cfa8dd1c44cf96294cd54

  • SHA256

    62d0ce15d2dc5825d4bf46690bc296547387f6b74304ba6a6fedbebba440a490

  • SHA512

    29499106387047744693da395da8aeb695933579f7b1f5dd23613059591215ca60be4021286c04cacf5c02e5726ab28fe2ed15b0a9b6c12571b88532eec156f1

  • SSDEEP

    12288:/uPIb4kzPgkrw1k2Fr8+o/tH18wtuomhUqlDykX:SItUkrQ5Fr6/n82yblmg

Score
9/10
collectionevasionpersistenceransomwaretrojan

Malware Config

Signatures

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
    collection
  • Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs
    collection
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Transazione.Pdf______________________________________________________________.exe
    "C:\Users\Admin\AppData\Local\Temp\Transazione.Pdf______________________________________________________________.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1720
    • C:\Users\Admin\AppData\Local\Temp\Transazione.Pdf______________________________________________________________.exe
      "C:\Users\Admin\AppData\Local\Temp\Transazione.Pdf______________________________________________________________.exe">C:\Users\Admin\AppData\Local\Temp\Transazione.Pdf______________________________________________________________.exe
      2⤵
      • Checks whether UAC is enabled
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:1340
      • C:\Windows\SysWOW64\explorer.exe
        "C:\Windows\system32\explorer.exe"
        3⤵
        • Accesses Microsoft Outlook accounts
        • Accesses Microsoft Outlook profiles
        • Adds Run key to start application
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        • outlook_win_path
        PID:1804
        • C:\Windows\SysWOW64\vssadmin.exe
          vssadmin.exe Delete Shadows /All /Quiet
          4⤵
          • Interacts with shadow copies
          PID:452
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1912

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\uwiryzenebaxoxoc\01000000
    Filesize

    446KB

    MD5

    b47f943f502acd0bb7d5e6981504f230

    SHA1

    e536bfdd82bed444a8e094cb406b1f8a49a0fbe3

    SHA256

    eb727709ce0f220d90d272e69746b71ce7a4f6f0708c3bd0c4795df683509db4

    SHA512

    6984f3a1122c70e811f4c269cde43a48928451a67f55341cd04844e2ae55d274f1b560fe27e54600735396aa5a8b46f26150b061f093cacf3d508647f0d9b698

    Download Submit
  • memory/452-79-0x0000000000000000-mapping.dmp
    Download
  • memory/1340-62-0x0000000000400000-0x000000000043C000-memory.dmp
    Filesize

    240KB

    Download
  • memory/1340-58-0x0000000000400000-0x000000000043C000-memory.dmp
    Filesize

    240KB

    Download
  • memory/1340-61-0x0000000000400000-0x000000000043C000-memory.dmp
    Filesize

    240KB

    Download
  • memory/1340-55-0x0000000000400000-0x000000000043C000-memory.dmp
    Filesize

    240KB

    Download
  • memory/1340-64-0x0000000000400000-0x000000000043C000-memory.dmp
    Filesize

    240KB

    Download
  • memory/1340-65-0x000000000040B4D3-mapping.dmp
    Download
  • memory/1340-66-0x0000000000400000-0x000000000043C000-memory.dmp
    Filesize

    240KB

    Download
  • memory/1340-68-0x0000000000400000-0x000000000043C000-memory.dmp
    Filesize

    240KB

    Download
  • memory/1340-69-0x0000000000400000-0x000000000043C000-memory.dmp
    Filesize

    240KB

    Download
  • memory/1340-78-0x0000000000400000-0x000000000043C000-memory.dmp
    Filesize

    240KB

    Download
  • memory/1340-60-0x0000000000400000-0x000000000043C000-memory.dmp
    Filesize

    240KB

    Download
  • memory/1720-54-0x00000000763D1000-0x00000000763D3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1804-74-0x000000000009BB10-mapping.dmp
    Download
  • memory/1804-76-0x0000000074F61000-0x0000000074F63000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1804-72-0x0000000000080000-0x00000000000BD000-memory.dmp
    Filesize

    244KB

    Download
  • memory/1804-70-0x0000000000080000-0x00000000000BD000-memory.dmp
    Filesize

    244KB

    Download
  • memory/1804-80-0x0000000072B21000-0x0000000072B23000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1804-81-0x0000000000080000-0x00000000000BD000-memory.dmp
    Filesize

    244KB

    Download
  • memory/1804-82-0x0000000000080000-0x00000000000BD000-memory.dmp
    Filesize

    244KB

    Download