89449048c26e55260368ad62591d10b3a39025976809f52e139c6f09ed51f6c3

Analysis

max time kernel
186s
max time network
207s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
28-11-2022 02:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Details.Pdf_____________________________________________________________.exe
Size

311KB
MD5

d68818fc1d7d5789d412a085844d602a
SHA1

dca676d8ccbaeefc8bd01f65a43252ab144359ea
SHA256

32969f4676fc16aed3dff471d9eba8306e4c49cfd7510848ddbde2d6e075ab01
SHA512

e51271013b02c1fced7f3f6a6b55026fdc32aeb0e42912947eb7de071392b743775b95dadc0f4f987538417791d01d90e3ba18ddce0b18f2a213a54117041c9b
SSDEEP

6144:1BeryOjPmxonkwbeP/b3ER912H+J/+sHvTjhgoxZqoyxbr+EvK:1BeryOjPmxon5bwz80QXHv3hPxZqoYan

Score

9^/10

evasion persistence ransomware trojan

Malware Config

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ipexojyw = "C:\\Windows\\ybesoqxc.exe"	explorer.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

Details.Pdf_____________________________________________________________.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Details.Pdf_____________________________________________________________.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Details.Pdf_____________________________________________________________.exe

description	pid	process	target process
PID 1580 set thread context of 3224	1580	Details.Pdf_____________________________________________________________.exe	explorer.exe

Drops file in Windows directory 2 IoCs

Processes:

explorer.exe

description ioc process

File opened for modification C:\Windows\ybesoqxc.exe explorer.exe
File created C:\Windows\ybesoqxc.exe explorer.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

4940 vssadmin.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 64 vssvc.exe
Token: SeRestorePrivilege 64 vssvc.exe
Token: SeAuditPrivilege 64 vssvc.exe

description	ioc	process
File opened for modification	C:\Windows\ybesoqxc.exe	explorer.exe
File created	C:\Windows\ybesoqxc.exe	explorer.exe

pid	process
4940	vssadmin.exe

description	pid	process
Token: SeBackupPrivilege	64	vssvc.exe
Token: SeRestorePrivilege	64	vssvc.exe
Token: SeAuditPrivilege	64	vssvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

Details.Pdf_____________________________________________________________.exeexplorer.exe

description	pid	process	target process
PID 1580 wrote to memory of 3224	1580	Details.Pdf_____________________________________________________________.exe	explorer.exe
PID 1580 wrote to memory of 3224	1580	Details.Pdf_____________________________________________________________.exe	explorer.exe
PID 1580 wrote to memory of 3224	1580	Details.Pdf_____________________________________________________________.exe	explorer.exe
PID 1580 wrote to memory of 3224	1580	Details.Pdf_____________________________________________________________.exe	explorer.exe
PID 3224 wrote to memory of 4940	3224	explorer.exe	vssadmin.exe
PID 3224 wrote to memory of 4940	3224	explorer.exe	vssadmin.exe

C:\Users\Admin\AppData\Local\Temp\Details.Pdf_____________________________________________________________.exe
"C:\Users\Admin\AppData\Local\Temp\Details.Pdf_____________________________________________________________.exe"
1⤵
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1580

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\system32\explorer.exe"
2⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3224

C:\Windows\SYSTEM32\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
3⤵
- Interacts with shadow copies
PID:4940

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:64

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\uluxohydelujynyf\01000000
Filesize
311KB

MD5
5e40e085fc2d0f9b8d59291e82933576

SHA1
654aef175a2e55953accc0050ff3e627f1595acc

SHA256
3958dbd8162ac83068f4b76aa99c10936d0793855e67f933e083478501718f96

SHA512
cf3a0e7b0f4f81b44af887f5499d3a1a2614648618263a85052f4661775830e0c2047e00552345ca8f198ffa0dcf3d9e07c337269d1d1095bc8dc332ad8a0bda

Download Submit
memory/1580-132-0x0000000002880000-0x000000000296D000-memory.dmp

Filesize
948KB

Download
memory/1580-133-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/3224-135-0x0000000000000000-mapping.dmp

Download
memory/3224-136-0x0000000000E00000-0x0000000000E3B000-memory.dmp

Filesize
236KB

Download
memory/3224-139-0x0000000000E00000-0x0000000000E3B000-memory.dmp

Filesize
236KB

Download
memory/3224-141-0x0000000000E00000-0x0000000000E3B000-memory.dmp

Filesize
236KB

Download
memory/4940-140-0x0000000000000000-mapping.dmp

Download