Analysis
-
max time kernel
186s -
max time network
207s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system -
submitted
28-11-2022 02:14
Static task
static1
Behavioral task
behavioral1
Sample
Details.Pdf_____________________________________________________________.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
Details.Pdf_____________________________________________________________.exe
Resource
win10v2004-20221111-en
General
-
Target
Details.Pdf_____________________________________________________________.exe
-
Size
311KB
-
MD5
d68818fc1d7d5789d412a085844d602a
-
SHA1
dca676d8ccbaeefc8bd01f65a43252ab144359ea
-
SHA256
32969f4676fc16aed3dff471d9eba8306e4c49cfd7510848ddbde2d6e075ab01
-
SHA512
e51271013b02c1fced7f3f6a6b55026fdc32aeb0e42912947eb7de071392b743775b95dadc0f4f987538417791d01d90e3ba18ddce0b18f2a213a54117041c9b
-
SSDEEP
6144:1BeryOjPmxonkwbeP/b3ER912H+J/+sHvTjhgoxZqoyxbr+EvK:1BeryOjPmxon5bwz80QXHv3hPxZqoYan
Malware Config
Signatures
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
explorer.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ipexojyw = "C:\\Windows\\ybesoqxc.exe" explorer.exe -
Processes:
Details.Pdf_____________________________________________________________.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Details.Pdf_____________________________________________________________.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
Details.Pdf_____________________________________________________________.exedescription pid process target process PID 1580 set thread context of 3224 1580 Details.Pdf_____________________________________________________________.exe explorer.exe -
Drops file in Windows directory 2 IoCs
Processes:
explorer.exedescription ioc process File opened for modification C:\Windows\ybesoqxc.exe explorer.exe File created C:\Windows\ybesoqxc.exe explorer.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exepid process 4940 vssadmin.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
vssvc.exedescription pid process Token: SeBackupPrivilege 64 vssvc.exe Token: SeRestorePrivilege 64 vssvc.exe Token: SeAuditPrivilege 64 vssvc.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
Details.Pdf_____________________________________________________________.exeexplorer.exedescription pid process target process PID 1580 wrote to memory of 3224 1580 Details.Pdf_____________________________________________________________.exe explorer.exe PID 1580 wrote to memory of 3224 1580 Details.Pdf_____________________________________________________________.exe explorer.exe PID 1580 wrote to memory of 3224 1580 Details.Pdf_____________________________________________________________.exe explorer.exe PID 1580 wrote to memory of 3224 1580 Details.Pdf_____________________________________________________________.exe explorer.exe PID 3224 wrote to memory of 4940 3224 explorer.exe vssadmin.exe PID 3224 wrote to memory of 4940 3224 explorer.exe vssadmin.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Details.Pdf_____________________________________________________________.exe"C:\Users\Admin\AppData\Local\Temp\Details.Pdf_____________________________________________________________.exe"1⤵
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\system32\explorer.exe"2⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\vssadmin.exevssadmin.exe Delete Shadows /All /Quiet3⤵
- Interacts with shadow copies
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\uluxohydelujynyf\01000000Filesize
311KB
MD55e40e085fc2d0f9b8d59291e82933576
SHA1654aef175a2e55953accc0050ff3e627f1595acc
SHA2563958dbd8162ac83068f4b76aa99c10936d0793855e67f933e083478501718f96
SHA512cf3a0e7b0f4f81b44af887f5499d3a1a2614648618263a85052f4661775830e0c2047e00552345ca8f198ffa0dcf3d9e07c337269d1d1095bc8dc332ad8a0bda
-
memory/1580-132-0x0000000002880000-0x000000000296D000-memory.dmpFilesize
948KB
-
memory/1580-133-0x0000000000400000-0x0000000000464000-memory.dmpFilesize
400KB
-
memory/3224-135-0x0000000000000000-mapping.dmp
-
memory/3224-136-0x0000000000E00000-0x0000000000E3B000-memory.dmpFilesize
236KB
-
memory/3224-139-0x0000000000E00000-0x0000000000E3B000-memory.dmpFilesize
236KB
-
memory/3224-141-0x0000000000E00000-0x0000000000E3B000-memory.dmpFilesize
236KB
-
memory/4940-140-0x0000000000000000-mapping.dmp