Analysis
- max time kernel: 253s
- max time network: 333s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 28-11-2022 02:10
Static task: static1
Behavioral task: behavioral1
- Sample: ad754d6d382007f1d57142787b9fa309fb0a94b0e6c340d24327ae3e1c4d1cd9.exe
- Resource: win7-20221111-en
Behavioral task: behavioral2
- Sample: ad754d6d382007f1d57142787b9fa309fb0a94b0e6c340d24327ae3e1c4d1cd9.exe
- Resource: win10v2004-20220812-en
General
- Target: ad754d6d382007f1d57142787b9fa309fb0a94b0e6c340d24327ae3e1c4d1cd9.exe
- Size: 328KB
- MD5: 65d63d237251c492c7c2a8617c40b53e
- SHA1: 80d06e4ed07626bcf0312b4022014cdbda934c9a
- SHA256: ad754d6d382007f1d57142787b9fa309fb0a94b0e6c340d24327ae3e1c4d1cd9
- SHA512: f9263beb29fcaa3db667866892783fd57b7ad51e8ea48703fc1b610416aa282c1e55e254cd10b510e6d327ed70a1004ef708048ece60032bd399b756973c2e40
- SSDEEP: 6144:qLAJ3I3pnzOwewUqjxGTw8NMM8iH+C+MJKzb3n3jMR/mriB9ph:qLg3I3pnzORwRjxG3i8H+C+2oLnLe
Malware Config
Extracted from: C:\$Recycle.Bin\S-1-5-21-1214520366-621468234-4062160515-1000\Recovery+kumde.txt
- http://ytrest84y5i456hghadefdsd.pontogrot.com/831A6C6B4A1A39A2
- http://prest54538hnksjn4kjfwdbhwere.hotchunman.com/831A6C6B4A1A39A2
- http://5rport45vcdef345adfkksawe.bematvocal.at/831A6C6B4A1A39A2
- http://xlowfznrg4wf7dli.onion/831A6C6B4A1A39A2
- http://xlowfznrg4wf7dli.ONION/831A6C6B4A1A39A2
Signatures
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Executes dropped EXE (1 IoC)
  Processes: ityvbhksrfnb.exe (pid 1908)
- Deletes itself (1 IoC)
  Processes: cmd.exe (pid 924)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Process: ityvbhksrfnb.exe
  Key created: \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run
  Set value (str): \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\kmxlpemdjbnv = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\ityvbhksrfnb.exe\""
- Drops file in Program Files directory (1 IoC)
  Process: ityvbhksrfnb.exe
  File opened for modification: C:\Program Files\7-Zip\History.txt
- Drops file in Windows directory (2 IoCs)
  Process: ad754d6d382007f1d57142787b9fa309fb0a94b0e6c340d24327ae3e1c4d1cd9.exe
  File created: C:\Windows\ityvbhksrfnb.exe
  File opened for modification: C:\Windows\ityvbhksrfnb.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: ityvbhksrfnb.exe (pid 1908), 64 identical entries
- Suspicious use of AdjustPrivilegeToken (22 IoCs)
  ad754d6d382007f1d57142787b9fa309fb0a94b0e6c340d24327ae3e1c4d1cd9.exe (pid 472): Token: SeDebugPrivilege
  ityvbhksrfnb.exe (pid 1908): Token: SeDebugPrivilege
  WMIC.exe (pid 436): Tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
- Suspicious use of WriteProcessMemory (12 IoCs)
  PID 472 (ad754d6d382007f1d57142787b9fa309fb0a94b0e6c340d24327ae3e1c4d1cd9.exe) wrote to memory of 1908 (ityvbhksrfnb.exe): 4 entries
  PID 472 (ad754d6d382007f1d57142787b9fa309fb0a94b0e6c340d24327ae3e1c4d1cd9.exe) wrote to memory of 924 (cmd.exe): 4 entries
  PID 1908 (ityvbhksrfnb.exe) wrote to memory of 436 (WMIC.exe): 4 entries
- System policy modification (1 TTP, 2 IoCs)
  Process: ityvbhksrfnb.exe
  Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"
Processes
- C:\Users\Admin\AppData\Local\Temp\ad754d6d382007f1d57142787b9fa309fb0a94b0e6c340d24327ae3e1c4d1cd9.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ad754d6d382007f1d57142787b9fa309fb0a94b0e6c340d24327ae3e1c4d1cd9.exe"
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\ityvbhksrfnb.exe (level 2)
    Command line: C:\Windows\ityvbhksrfnb.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    - C:\Windows\System32\wbem\WMIC.exe (level 3)
      Command line: "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\cmd.exe (level 2)
    Command line: "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\AD754D~1.EXE
    - Deletes itself
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Windows\ityvbhksrfnb.exe
  Filesize: 328KB
  MD5: 65d63d237251c492c7c2a8617c40b53e
  SHA1: 80d06e4ed07626bcf0312b4022014cdbda934c9a
  SHA256: ad754d6d382007f1d57142787b9fa309fb0a94b0e6c340d24327ae3e1c4d1cd9
  SHA512: f9263beb29fcaa3db667866892783fd57b7ad51e8ea48703fc1b610416aa282c1e55e254cd10b510e6d327ed70a1004ef708048ece60032bd399b756973c2e40
- memory/436-71-0x0000000000000000-mapping.dmp
- memory/472-54-0x0000000000280000-0x0000000000305000-memory.dmp (Filesize: 532KB)
- memory/472-55-0x0000000075FF1000-0x0000000075FF3000-memory.dmp (Filesize: 8KB)
- memory/472-56-0x0000000000400000-0x0000000000494000-memory.dmp (Filesize: 592KB)
- memory/472-60-0x0000000000280000-0x0000000000305000-memory.dmp (Filesize: 532KB)
- memory/924-70-0x0000000000000000-mapping.dmp
- memory/1908-61-0x0000000000000000-mapping.dmp
- memory/1908-68-0x0000000001CD0000-0x0000000001D55000-memory.dmp (Filesize: 532KB)