Overview

overview

9

Static

static

4867634284...9b.exe

windows7-x64

9

4867634284...9b.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    181s
  • max time network
    192s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    26-11-2022 09:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    486763428440e24a5ffb2a2b0fb799602c6e73d494efe853b306100555abc69b.exe

  • Size

    244KB

  • MD5

    796fdae3b1476ed20cdac74ca9d40973

  • SHA1

    1067f53a9e67a61f41d649874e7c40a1e0a2cb2e

  • SHA256

    486763428440e24a5ffb2a2b0fb799602c6e73d494efe853b306100555abc69b

  • SHA512

    1948b409fa2d680708ca8b839576597d24bd7a90537c7dd07f22c08ce9edd775153d00ace206565bd6012803347c9be253db04206fbb36e85e9b0997a2c39157

  • SSDEEP

    6144:AhBgQhoowwzLDmJYIdzNjlIccwO33XdGaSb:Ah2QhpNKJYIdzNjcndGaA

Score
9/10
ransomware

Malware Config

Signatures

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Drops startup file 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies data under HKEY_USERS 24 IoCs
  • NTFS ADS 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 17 IoCs
  • Suspicious behavior: MapViewOfSection 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\486763428440e24a5ffb2a2b0fb799602c6e73d494efe853b306100555abc69b.exe
    "C:\Users\Admin\AppData\Local\Temp\486763428440e24a5ffb2a2b0fb799602c6e73d494efe853b306100555abc69b.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1376
    • C:\Users\Admin\AppData\Local\Temp\486763428440e24a5ffb2a2b0fb799602c6e73d494efe853b306100555abc69b.exe
      C:\Users\Admin\AppData\Local\Temp\486763428440e24a5ffb2a2b0fb799602c6e73d494efe853b306100555abc69b.exe
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:1568
      • C:\Windows\syswow64\explorer.exe
        "C:\Windows\syswow64\explorer.exe"
        3⤵
        • Drops startup file
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:672
        • C:\Windows\syswow64\svchost.exe
          -k netsvcs
          4⤵
          • Drops startup file
          • Modifies data under HKEY_USERS
          • NTFS ADS
          • Suspicious behavior: EnumeratesProcesses
          PID:628
        • C:\Windows\syswow64\vssadmin.exe
          vssadmin.exe Delete Shadows /All /Quiet
          4⤵
          • Interacts with shadow copies
          PID:364
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1548

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

2
T1107

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2
T1490

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d25fddd.exe:1
    Filesize

    551KB

    MD5

    30f505fa06a080a392c0b32ea5a59a24

    SHA1

    e6b9914684cd90c7e24a4d91a48cb5c8c71a20c5

    SHA256

    029746aa3914b912871ddf7ee534710841b43a7c5628ae289643dde7ca9db73a

    SHA512

    95ef3f31d8443df317cacb2ec13ab786e1fe2b533fb276bc6e4e76747f9050fd34b5806b4d79f2242588ef21a4cea0a7aeef7fbbd8ba9710a428b4f93208a909

    Download Submit
  • C:\Users\Admin\AppData\Roaming\d25fddd.exe:1
    Filesize

    551KB

    MD5

    30f505fa06a080a392c0b32ea5a59a24

    SHA1

    e6b9914684cd90c7e24a4d91a48cb5c8c71a20c5

    SHA256

    029746aa3914b912871ddf7ee534710841b43a7c5628ae289643dde7ca9db73a

    SHA512

    95ef3f31d8443df317cacb2ec13ab786e1fe2b533fb276bc6e4e76747f9050fd34b5806b4d79f2242588ef21a4cea0a7aeef7fbbd8ba9710a428b4f93208a909

    Download Submit
  • C:\d25fddd\d25fddd.exe:1
    Filesize

    551KB

    MD5

    30f505fa06a080a392c0b32ea5a59a24

    SHA1

    e6b9914684cd90c7e24a4d91a48cb5c8c71a20c5

    SHA256

    029746aa3914b912871ddf7ee534710841b43a7c5628ae289643dde7ca9db73a

    SHA512

    95ef3f31d8443df317cacb2ec13ab786e1fe2b533fb276bc6e4e76747f9050fd34b5806b4d79f2242588ef21a4cea0a7aeef7fbbd8ba9710a428b4f93208a909

    Download Submit
  • memory/364-78-0x0000000000000000-mapping.dmp
    Download
  • memory/628-85-0x0000000002AF0000-0x0000000002C27000-memory.dmp
    Filesize

    1.2MB

    Download
  • memory/628-84-0x0000000000480000-0x000000000050A000-memory.dmp
    Filesize

    552KB

    Download
  • memory/628-86-0x0000000002C30000-0x0000000002D98000-memory.dmp
    Filesize

    1.4MB

    Download
  • memory/628-80-0x0000000000080000-0x00000000000AC000-memory.dmp
    Filesize

    176KB

    Download
  • memory/628-87-0x0000000000080000-0x00000000000AC000-memory.dmp
    Filesize

    176KB

    Download
  • memory/628-77-0x0000000000000000-mapping.dmp
    Download
  • memory/672-75-0x0000000075081000-0x0000000075083000-memory.dmp
    Filesize

    8KB

    Download
  • memory/672-76-0x0000000000080000-0x00000000000AC000-memory.dmp
    Filesize

    176KB

    Download
  • memory/672-73-0x0000000000000000-mapping.dmp
    Download
  • memory/1376-64-0x0000000000250000-0x0000000000254000-memory.dmp
    Filesize

    16KB

    Download
  • memory/1376-54-0x00000000761F1000-0x00000000761F3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1380-71-0x0000000140000000-0x00000001405E8000-memory.dmp
    Filesize

    5.9MB

    Download
  • memory/1380-72-0x0000000140000000-0x00000001405E8000-memory.dmp
    Filesize

    5.9MB

    Download
  • memory/1380-70-0x0000000002250000-0x000000000225C000-memory.dmp
    Filesize

    48KB

    Download
  • memory/1568-69-0x0000000000400000-0x000000000042C000-memory.dmp
    Filesize

    176KB

    Download
  • memory/1568-65-0x0000000000240000-0x000000000024C000-memory.dmp
    Filesize

    48KB

    Download
  • memory/1568-63-0x0000000000418E20-mapping.dmp
    Download
  • memory/1568-62-0x0000000000400000-0x000000000042C000-memory.dmp
    Filesize

    176KB

    Download
  • memory/1568-61-0x0000000000400000-0x000000000042C000-memory.dmp
    Filesize

    176KB

    Download
  • memory/1568-59-0x0000000000400000-0x000000000042C000-memory.dmp
    Filesize

    176KB

    Download
  • memory/1568-58-0x0000000000400000-0x000000000042C000-memory.dmp
    Filesize

    176KB

    Download
  • memory/1568-56-0x0000000000400000-0x000000000042C000-memory.dmp
    Filesize

    176KB

    Download
  • memory/1568-55-0x0000000000400000-0x000000000042C000-memory.dmp
    Filesize

    176KB

    Download