Analysis
- max time kernel: 203s
- max time network: 250s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 28-11-2022 02:14
Static task: static1
Behavioral task: behavioral1
- Sample: Details.Pdf_____________________________________________________________.exe
- Resource: win7-20221111-en
Behavioral task: behavioral2
- Sample: Details.Pdf_____________________________________________________________.exe
- Resource: win10v2004-20221111-en
General
- Target: Details.Pdf_____________________________________________________________.exe
- Size: 311KB
- MD5: d68818fc1d7d5789d412a085844d602a
- SHA1: dca676d8ccbaeefc8bd01f65a43252ab144359ea
- SHA256: 32969f4676fc16aed3dff471d9eba8306e4c49cfd7510848ddbde2d6e075ab01
- SHA512: e51271013b02c1fced7f3f6a6b55026fdc32aeb0e42912947eb7de071392b743775b95dadc0f4f987538417791d01d90e3ba18ddce0b18f2a213a54117041c9b
- SSDEEP: 6144:1BeryOjPmxonkwbeP/b3ER912H+J/+sHvTjhgoxZqoyxbr+EvK:1BeryOjPmxon5bwz80QXHv3hPxZqoYan
Malware Config
Signatures
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: explorer.exe
  Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (explorer.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\edibuwic = "C:\\Windows\\umymopel.exe" (explorer.exe)
- Checks whether UAC is enabled
  Processes: Details.Pdf_____________________________________________________________.exe
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (Details.Pdf_____________________________________________________________.exe)
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: Details.Pdf_____________________________________________________________.exe
  PID 1256 set thread context of 1764 (Details.Pdf_____________________________________________________________.exe -> explorer.exe)
- Drops file in Windows directory (2 IoCs)
  Processes: explorer.exe
  File opened for modification: C:\Windows\umymopel.exe (explorer.exe)
  File created: C:\Windows\umymopel.exe (explorer.exe)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Interacts with shadow copies (2 TTPs, 1 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes: vssadmin.exe (PID 1348)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes: vssvc.exe (PID 804)
  Token: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege (804 vssvc.exe)
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: Details.Pdf_____________________________________________________________.exe, explorer.exe
  PID 1256 wrote to memory of 1764 (Details.Pdf_____________________________________________________________.exe -> explorer.exe), 5 times
  PID 1764 wrote to memory of 1348 (explorer.exe -> vssadmin.exe), 4 times
Processes
- C:\Users\Admin\AppData\Local\Temp\Details.Pdf_____________________________________________________________.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Details.Pdf_____________________________________________________________.exe"
  - Checks whether UAC is enabled
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\explorer.exe (child of the sample; the command line asks for C:\Windows\system32\explorer.exe, and WOW64 file system redirection resolves that to SysWOW64 for a 32-bit caller, so the image path is not the one requested)
    Command line: "C:\Windows\system32\explorer.exe"
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\vssadmin.exe (child of explorer.exe)
      Command line: vssadmin.exe Delete Shadows /All /Quiet
      - Interacts with shadow copies
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\ProgramData\uluxohydelujynyf\01000000
  Filesize: 311KB (the same size as the submitted sample, but with different hashes)
  MD5: 5e40e085fc2d0f9b8d59291e82933576
  SHA1: 654aef175a2e55953accc0050ff3e627f1595acc
  SHA256: 3958dbd8162ac83068f4b76aa99c10936d0793855e67f933e083478501718f96
  SHA512: cf3a0e7b0f4f81b44af887f5499d3a1a2614648618263a85052f4661775830e0c2047e00552345ca8f198ffa0dcf3d9e07c337269d1d1095bc8dc332ad8a0bda
- memory/1256-54-0x0000000075BE1000-0x0000000075BE3000-memory.dmp (Filesize: 8KB)
- memory/1256-55-0x0000000002440000-0x000000000252D000-memory.dmp (Filesize: 948KB)
- memory/1256-56-0x0000000000400000-0x0000000000464000-memory.dmp (Filesize: 400KB)
- memory/1348-67-0x0000000000000000-mapping.dmp
- memory/1764-58-0x00000000000D0000-0x000000000010B000-memory.dmp (Filesize: 236KB)
- memory/1764-60-0x00000000000D0000-0x000000000010B000-memory.dmp (Filesize: 236KB)
- memory/1764-62-0x00000000000E9C80-mapping.dmp
- memory/1764-64-0x00000000746B1000-0x00000000746B3000-memory.dmp (Filesize: 8KB)
- memory/1764-65-0x00000000000D0000-0x000000000010B000-memory.dmp (Filesize: 236KB)
- memory/1764-68-0x0000000072981000-0x0000000072983000-memory.dmp (Filesize: 8KB)
- memory/1764-69-0x00000000000D0000-0x000000000010B000-memory.dmp (Filesize: 236KB)
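Triage names each dump after the PID, a sequence number and the address range it covers, so the list above can be parsed back into the memory layout of the run. Doing so shows that the 0xD0000-0x10B000 region of explorer.exe (PID 1764) was dumped four times, which lines up with the repeated WriteProcessMemory calls from PID 1256 under Signatures, and that the mapping dump at 0xE9C80 falls inside that region, where the SetThreadContext redirection would place execution. The Python below is an added example, not part of the report; the naming scheme is read off the list above, and treating the mapping address as the entry point of the injected region is an inference drawn from this report, not something Triage states.

```python
import re
from collections import defaultdict

# Dump names copied from the Downloads list above.
DUMP_NAMES = [
    "memory/1256-54-0x0000000075BE1000-0x0000000075BE3000-memory.dmp",
    "memory/1256-55-0x0000000002440000-0x000000000252D000-memory.dmp",
    "memory/1256-56-0x0000000000400000-0x0000000000464000-memory.dmp",
    "memory/1348-67-0x0000000000000000-mapping.dmp",
    "memory/1764-58-0x00000000000D0000-0x000000000010B000-memory.dmp",
    "memory/1764-60-0x00000000000D0000-0x000000000010B000-memory.dmp",
    "memory/1764-62-0x00000000000E9C80-mapping.dmp",
    "memory/1764-64-0x00000000746B1000-0x00000000746B3000-memory.dmp",
    "memory/1764-65-0x00000000000D0000-0x000000000010B000-memory.dmp",
    "memory/1764-68-0x0000000072981000-0x0000000072983000-memory.dmp",
    "memory/1764-69-0x00000000000D0000-0x000000000010B000-memory.dmp",
]

# Naming scheme as observed in the list above (an assumption, not documented by Triage here):
#   memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp   a dumped address range
#   memory/<pid>-<seq>-0x<addr>-mapping.dmp           a single mapped address
REGION_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
MAPPING_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-mapping\.dmp$")


def parse_dump_name(name):
    """Turn one dump file name into a dict with integer pid, seq and addresses."""
    m = REGION_RE.match(name)
    if m:
        pid, seq, start, end = m.groups()
        return {"kind": "region", "pid": int(pid), "seq": int(seq),
                "start": int(start, 16), "end": int(end, 16)}
    m = MAPPING_RE.match(name)
    if m:
        pid, seq, addr = m.groups()
        return {"kind": "mapping", "pid": int(pid), "seq": int(seq), "addr": int(addr, 16)}
    raise ValueError(f"unrecognised dump name: {name}")


def region_size_kb(region):
    """Size of a region dump in KB; matches the Filesize values printed in the report."""
    return (region["end"] - region["start"]) // 1024


def summarize(names):
    """Per PID: distinct dumped ranges with how often each was dumped, and every mapping
    address resolved to the dumped range that contains it (None if no range does)."""
    regions = defaultdict(dict)   # pid -> {(start, end): dump count}
    mappings = defaultdict(list)  # pid -> [addr, ...]
    for name in names:
        d = parse_dump_name(name)
        if d["kind"] == "region":
            key = (d["start"], d["end"])
            regions[d["pid"]][key] = regions[d["pid"]].get(key, 0) + 1
        else:
            mappings[d["pid"]].append(d["addr"])
    out = {}
    for pid in set(regions) | set(mappings):
        resolved = []
        for addr in mappings[pid]:
            hit = next((r for r in regions[pid] if r[0] <= addr < r[1]), None)
            resolved.append((addr, hit))
        out[pid] = {"regions": dict(regions[pid]), "mappings": resolved}
    return out


def injected_entry_candidates(summary):
    """Mapping addresses that sit inside a range dumped more than once.

    A range dumped repeatedly was rewritten between dumps; a mapped address inside it is where
    the sandbox saw execution land. For this report that pairs PID 1764 with 0xE9C80."""
    out = {}
    for pid, info in summary.items():
        for addr, region in info["mappings"]:
            if region is not None and info["regions"][region] > 1:
                out[pid] = addr
    return out


if __name__ == "__main__":
    summary = summarize(DUMP_NAMES)
    for pid in sorted(summary):
        for (start, end), count in summary[pid]["regions"].items():
            kb = (end - start) // 1024
            print(f"pid {pid}: 0x{start:X}-0x{end:X} {kb}KB dumped {count}x")
        for addr, region in summary[pid]["mappings"]:
            where = f"inside 0x{region[0]:X}-0x{region[1]:X}" if region else "no dumped range"
            print(f"pid {pid}: mapping 0x{addr:X} {where}")
    print("injected entry candidates:", {p: hex(a) for p, a in injected_entry_candidates(summary).items()})
```

The 236KB, 948KB, 400KB and 8KB figures the report prints fall straight out of the address ranges, so the parser can also be used as a consistency check on a report whose size column has been mangled by extraction.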