Analysis
- max time kernel: 208s
- max time network: 285s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 26-11-2022 09:02
Static task: static1

Behavioral task: behavioral1
- Sample: dbd8e1780642e931ebc5776d248dc45282f909d2c855b0c51acbbab0dc85b2ed.exe
- Resource: win7-20221111-en

Behavioral task: behavioral2
- Sample: dbd8e1780642e931ebc5776d248dc45282f909d2c855b0c51acbbab0dc85b2ed.exe
- Resource: win10v2004-20220901-en
General
- Target: dbd8e1780642e931ebc5776d248dc45282f909d2c855b0c51acbbab0dc85b2ed.exe
- Size: 279KB
- MD5: aba1a04847ebb0a329971557f0965c82
- SHA1: 7bd1b593d1cb8fca7e0e1f393c6cb93c45f6498f
- SHA256: dbd8e1780642e931ebc5776d248dc45282f909d2c855b0c51acbbab0dc85b2ed
- SHA512: 19bb2975d04ca8104fc9de2d8518add02a8189cbb41aaa297364005b833b0c907fc5373479b2a24f59381eef353b72d6946ec6d0af4aaf08c84405b293447d94
- SSDEEP: 6144:Z9A9dGj5Er4tEQW1sw8kNm1tMFGYususLmpmC08:yAEr4tEQW1/QKFGyhVb8
Malware Config
Signatures
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.

- Drops startup file (1 IoC)
  Processes: explorer.exe
  description    ioc                                                                                          process
  File created   C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e0d7b5e.exe     explorer.exe

- Adds Run key to start application (2 TTPs, 4 IoCs)
  Processes: explorer.exe
  description        ioc                                                                                                                                                      process
  Set value (str)    \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\e0d7b5 = "C:\\e0d7b5e\\e0d7b5e.exe"                                  explorer.exe
  Set value (str)    \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\*0d7b5 = "C:\\e0d7b5e\\e0d7b5e.exe"                              explorer.exe
  Set value (str)    \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\e0d7b5e = "C:\\Users\\Admin\\AppData\\Roaming\\e0d7b5e.exe"          explorer.exe
  Set value (str)    \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\*0d7b5e = "C:\\Users\\Admin\\AppData\\Roaming\\e0d7b5e.exe"      explorer.exe

- Interacts with shadow copies (2 TTPs, 1 IoC)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes: vssadmin.exe
  pid     process
  1784    vssadmin.exe

- Suspicious behavior: MapViewOfSection (2 IoCs)
  Processes: dbd8e1780642e931ebc5776d248dc45282f909d2c855b0c51acbbab0dc85b2ed.exe, explorer.exe
  pid     process
  1836    dbd8e1780642e931ebc5776d248dc45282f909d2c855b0c51acbbab0dc85b2ed.exe
  524     explorer.exe

- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes: dbd8e1780642e931ebc5776d248dc45282f909d2c855b0c51acbbab0dc85b2ed.exe, explorer.exe
  description                          pid     process                                                                    target process
  PID 1836 wrote to memory of 524      1836    dbd8e1780642e931ebc5776d248dc45282f909d2c855b0c51acbbab0dc85b2ed.exe      explorer.exe
  PID 1836 wrote to memory of 524      1836    dbd8e1780642e931ebc5776d248dc45282f909d2c855b0c51acbbab0dc85b2ed.exe      explorer.exe
  PID 1836 wrote to memory of 524      1836    dbd8e1780642e931ebc5776d248dc45282f909d2c855b0c51acbbab0dc85b2ed.exe      explorer.exe
  PID 1836 wrote to memory of 524      1836    dbd8e1780642e931ebc5776d248dc45282f909d2c855b0c51acbbab0dc85b2ed.exe      explorer.exe
  PID 524 wrote to memory of 1396      524     explorer.exe                                                               svchost.exe
  PID 524 wrote to memory of 1396      524     explorer.exe                                                               svchost.exe
  PID 524 wrote to memory of 1396      524     explorer.exe                                                               svchost.exe
  PID 524 wrote to memory of 1396      524     explorer.exe                                                               svchost.exe
  PID 524 wrote to memory of 1784      524     explorer.exe                                                               vssadmin.exe
  PID 524 wrote to memory of 1784      524     explorer.exe                                                               vssadmin.exe
  PID 524 wrote to memory of 1784      524     explorer.exe                                                               vssadmin.exe
  PID 524 wrote to memory of 1784      524     explorer.exe                                                               vssadmin.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\dbd8e1780642e931ebc5776d248dc45282f909d2c855b0c51acbbab0dc85b2ed.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\dbd8e1780642e931ebc5776d248dc45282f909d2c855b0c51acbbab0dc85b2ed.exe"
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID: 1836
  - C:\Windows\syswow64\explorer.exe
    Command line: "C:\Windows\syswow64\explorer.exe"
    - Drops startup file
    - Adds Run key to start application
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID: 524
    - C:\Windows\syswow64\svchost.exe
      Command line: -k netsvcs
      PID: 1396
    - C:\Windows\syswow64\vssadmin.exe
      Command line: vssadmin.exe Delete Shadows /All /Quiet
      - Interacts with shadow copies
      PID: 1784
Network
MITRE ATT&CK Enterprise v6
Downloads
- memory/524-58-0x0000000000000000-mapping.dmp
- memory/524-59-0x0000000075151000-0x0000000075153000-memory.dmp (Filesize: 8KB)
- memory/524-60-0x0000000074551000-0x0000000074553000-memory.dmp (Filesize: 8KB)
- memory/524-61-0x0000000000080000-0x00000000000A0000-memory.dmp (Filesize: 128KB)
- memory/1396-62-0x0000000000000000-mapping.dmp
- memory/1396-65-0x0000000000080000-0x00000000000A0000-memory.dmp (Filesize: 128KB)
- memory/1784-63-0x0000000000000000-mapping.dmp
- memory/1836-55-0x0000000000400000-0x00000000005D8000-memory.dmp (Filesize: 1.8MB)
- memory/1836-54-0x0000000000400000-0x00000000005D8000-memory.dmp (Filesize: 1.8MB)
- memory/1836-57-0x00000000009E0000-0x00000000009F9000-memory.dmp (Filesize: 100KB)