Overview

overview

9

Static

static

a033bc4bd6...99.exe

windows7-x64

9

a033bc4bd6...99.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    151s
  • max time network
    172s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    28-11-2022 02:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a033bc4bd6ef532bf15c06c0be8a5d0632cae01002abc5822659170285660499.exe

  • Size

    296KB

  • MD5

    931a3a162c8a16c141d12fa0b1c36509

  • SHA1

    11b55d6a5a40dcee509da0e4c8cc96a353e6e35f

  • SHA256

    a033bc4bd6ef532bf15c06c0be8a5d0632cae01002abc5822659170285660499

  • SHA512

    72223e21d8d8aa128c17403d23822d9d5dea1e581d79e6929110fa4103453960c721990c6ce1f05cc6fe5e90ccbbc967cc1a4a890b6d1f94ec77ebcffac3e5a0

  • SSDEEP

    6144:cfSb2QKX6KRvqDsQBYVndvPabiSHaUPpavnElI:cfw7KZgKndvYPpav3

Score
9/10
evasionpersistenceransomwaretrojan

Malware Config

Signatures

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a033bc4bd6ef532bf15c06c0be8a5d0632cae01002abc5822659170285660499.exe
    "C:\Users\Admin\AppData\Local\Temp\a033bc4bd6ef532bf15c06c0be8a5d0632cae01002abc5822659170285660499.exe"
    1⤵
    • Checks whether UAC is enabled
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1524
    • C:\Windows\SysWOW64\explorer.exe
      "C:\Windows\system32\explorer.exe"
      2⤵
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:1344
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin.exe Delete Shadows /All /Quiet
        3⤵
        • Interacts with shadow copies
        PID:1640
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1132

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

File Deletion

2
T1107

Modify Registry

1
T1112

Credential Access

Discovery

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2
T1490

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\ewosolyzuhobytal\01000000
    Filesize

    296KB

    MD5

    ccb1e47ee7301200d17a238be87b03d7

    SHA1

    e10f9cc7ea69dc0a30e1172945c3a9666bb6bdad

    SHA256

    0d1c51109288071963ffda92062d4da36ba6ca02afa14edb631cd61562688766

    SHA512

    2096c821cc7de80eff8bec9092a54ab607129ec45dd6e61f490083fc6b0f1a792fc42515a21ca17ba757cce49756f11c6e22f7581c651a78b56467fd4b63823a

    Download Submit
  • memory/1344-58-0x0000000000080000-0x00000000000BB000-memory.dmp
    Filesize

    236KB

    Download
  • memory/1344-60-0x0000000000080000-0x00000000000BB000-memory.dmp
    Filesize

    236KB

    Download
  • memory/1344-62-0x0000000000099C80-mapping.dmp
    Download
  • memory/1344-64-0x0000000074A51000-0x0000000074A53000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1344-67-0x0000000000080000-0x00000000000BB000-memory.dmp
    Filesize

    236KB

    Download
  • memory/1344-69-0x0000000072B11000-0x0000000072B13000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1524-54-0x0000000075E11000-0x0000000075E13000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1524-55-0x0000000002610000-0x000000000272E000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/1524-56-0x0000000000400000-0x000000000044F000-memory.dmp
    Filesize

    316KB

    Download
  • memory/1524-66-0x0000000002610000-0x000000000272E000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/1640-68-0x0000000000000000-mapping.dmp
    Download