Analysis
- max time kernel: 151s
- max time network: 172s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 28-11-2022 02:13
Static task: static1
Behavioral task: behavioral1
- Sample: a033bc4bd6ef532bf15c06c0be8a5d0632cae01002abc5822659170285660499.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: a033bc4bd6ef532bf15c06c0be8a5d0632cae01002abc5822659170285660499.exe
- Resource: win10v2004-20220812-en
General
- Target: a033bc4bd6ef532bf15c06c0be8a5d0632cae01002abc5822659170285660499.exe
- Size: 296KB
- MD5: 931a3a162c8a16c141d12fa0b1c36509
- SHA1: 11b55d6a5a40dcee509da0e4c8cc96a353e6e35f
- SHA256: a033bc4bd6ef532bf15c06c0be8a5d0632cae01002abc5822659170285660499
- SHA512: 72223e21d8d8aa128c17403d23822d9d5dea1e581d79e6929110fa4103453960c721990c6ce1f05cc6fe5e90ccbbc967cc1a4a890b6d1f94ec77ebcffac3e5a0
- SSDEEP: 6144:cfSb2QKX6KRvqDsQBYVndvPabiSHaUPpavnElI:cfw7KZgKndvYPpav3
Malware Config
Signatures
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: explorer.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\imifasak = "C:\\Windows\\lvlpomov.exe" | explorer.exe
- Checks whether UAC is enabled
  Processes: a033bc4bd6ef532bf15c06c0be8a5d0632cae01002abc5822659170285660499.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | a033bc4bd6ef532bf15c06c0be8a5d0632cae01002abc5822659170285660499.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: a033bc4bd6ef532bf15c06c0be8a5d0632cae01002abc5822659170285660499.exe
  description | pid | process | target process
  PID 1524 set thread context of 1344 | 1524 | a033bc4bd6ef532bf15c06c0be8a5d0632cae01002abc5822659170285660499.exe | explorer.exe
- Drops file in Windows directory (2 IoCs)
  Processes: explorer.exe
  description | ioc | process
  File opened for modification | C:\Windows\lvlpomov.exe | explorer.exe
  File created | C:\Windows\lvlpomov.exe | explorer.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Interacts with shadow copies (2 TTPs, 1 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes: vssadmin.exe
  pid | process
  1640 | vssadmin.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes: vssvc.exe
  description | pid | process
  Token: SeBackupPrivilege | 1132 | vssvc.exe
  Token: SeRestorePrivilege | 1132 | vssvc.exe
  Token: SeAuditPrivilege | 1132 | vssvc.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: a033bc4bd6ef532bf15c06c0be8a5d0632cae01002abc5822659170285660499.exe, explorer.exe
  description | pid | process | target process
  PID 1524 wrote to memory of 1344 | 1524 | a033bc4bd6ef532bf15c06c0be8a5d0632cae01002abc5822659170285660499.exe | explorer.exe
  PID 1524 wrote to memory of 1344 | 1524 | a033bc4bd6ef532bf15c06c0be8a5d0632cae01002abc5822659170285660499.exe | explorer.exe
  PID 1524 wrote to memory of 1344 | 1524 | a033bc4bd6ef532bf15c06c0be8a5d0632cae01002abc5822659170285660499.exe | explorer.exe
  PID 1524 wrote to memory of 1344 | 1524 | a033bc4bd6ef532bf15c06c0be8a5d0632cae01002abc5822659170285660499.exe | explorer.exe
  PID 1524 wrote to memory of 1344 | 1524 | a033bc4bd6ef532bf15c06c0be8a5d0632cae01002abc5822659170285660499.exe | explorer.exe
  PID 1344 wrote to memory of 1640 | 1344 | explorer.exe | vssadmin.exe
  PID 1344 wrote to memory of 1640 | 1344 | explorer.exe | vssadmin.exe
  PID 1344 wrote to memory of 1640 | 1344 | explorer.exe | vssadmin.exe
  PID 1344 wrote to memory of 1640 | 1344 | explorer.exe | vssadmin.exe
Processes
- [depth 1] C:\Users\Admin\AppData\Local\Temp\a033bc4bd6ef532bf15c06c0be8a5d0632cae01002abc5822659170285660499.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a033bc4bd6ef532bf15c06c0be8a5d0632cae01002abc5822659170285660499.exe"
  - Checks whether UAC is enabled
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - [depth 2] C:\Windows\SysWOW64\explorer.exe
    Command line: "C:\Windows\system32\explorer.exe"
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - [depth 3] C:\Windows\SysWOW64\vssadmin.exe
      Command line: vssadmin.exe Delete Shadows /All /Quiet
      - Interacts with shadow copies
- [depth 1] C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\ProgramData\ewosolyzuhobytal\01000000
  Filesize: 296KB
  MD5: ccb1e47ee7301200d17a238be87b03d7
  SHA1: e10f9cc7ea69dc0a30e1172945c3a9666bb6bdad
  SHA256: 0d1c51109288071963ffda92062d4da36ba6ca02afa14edb631cd61562688766
  SHA512: 2096c821cc7de80eff8bec9092a54ab607129ec45dd6e61f490083fc6b0f1a792fc42515a21ca17ba757cce49756f11c6e22f7581c651a78b56467fd4b63823a
- memory/1344-58-0x0000000000080000-0x00000000000BB000-memory.dmp (Filesize: 236KB)
- memory/1344-60-0x0000000000080000-0x00000000000BB000-memory.dmp (Filesize: 236KB)
- memory/1344-62-0x0000000000099C80-mapping.dmp
- memory/1344-64-0x0000000074A51000-0x0000000074A53000-memory.dmp (Filesize: 8KB)
- memory/1344-67-0x0000000000080000-0x00000000000BB000-memory.dmp (Filesize: 236KB)
- memory/1344-69-0x0000000072B11000-0x0000000072B13000-memory.dmp (Filesize: 8KB)
- memory/1524-54-0x0000000075E11000-0x0000000075E13000-memory.dmp (Filesize: 8KB)
- memory/1524-55-0x0000000002610000-0x000000000272E000-memory.dmp (Filesize: 1.1MB)
- memory/1524-56-0x0000000000400000-0x000000000044F000-memory.dmp (Filesize: 316KB)
- memory/1524-66-0x0000000002610000-0x000000000272E000-memory.dmp (Filesize: 1.1MB)
- memory/1640-68-0x0000000000000000-mapping.dmp