Analysis
-
max time kernel
153s -
max time network
183s -
platform
windows7_x64 -
resource
win7-20221111-en -
resource tags
arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system -
submitted
28-11-2022 02:13
Static task
static1
Behavioral task
behavioral1
Sample
Responder.Pdf _____________________________________________________________.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
Responder.Pdf _____________________________________________________________.exe
Resource
win10v2004-20220812-en
General
-
Target
Responder.Pdf _____________________________________________________________.exe
-
Size
296KB
-
MD5
931a3a162c8a16c141d12fa0b1c36509
-
SHA1
11b55d6a5a40dcee509da0e4c8cc96a353e6e35f
-
SHA256
a033bc4bd6ef532bf15c06c0be8a5d0632cae01002abc5822659170285660499
-
SHA512
72223e21d8d8aa128c17403d23822d9d5dea1e581d79e6929110fa4103453960c721990c6ce1f05cc6fe5e90ccbbc967cc1a4a890b6d1f94ec77ebcffac3e5a0
-
SSDEEP
6144:cfSb2QKX6KRvqDsQBYVndvPabiSHaUPpavnElI:cfw7KZgKndvYPpav3
Malware Config
Signatures
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
Responder.Pdf _____________________________________________________________.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Responder.Pdf _____________________________________________________________.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ewodocul = "C:\\Windows\\izyqitij.exe" Responder.Pdf _____________________________________________________________.exe -
Processes:
Responder.Pdf _____________________________________________________________.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Responder.Pdf _____________________________________________________________.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
Responder.Pdf _____________________________________________________________.exedescription pid process target process PID 1620 set thread context of 568 1620 Responder.Pdf _____________________________________________________________.exe explorer.exe -
Drops file in Windows directory 2 IoCs
Processes:
Responder.Pdf _____________________________________________________________.exedescription ioc process File opened for modification C:\Windows\izyqitij.exe Responder.Pdf _____________________________________________________________.exe File created C:\Windows\izyqitij.exe Responder.Pdf _____________________________________________________________.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exepid process 1324 vssadmin.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
vssvc.exedescription pid process Token: SeBackupPrivilege 1052 vssvc.exe Token: SeRestorePrivilege 1052 vssvc.exe Token: SeAuditPrivilege 1052 vssvc.exe -
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
Responder.Pdf _____________________________________________________________.exedescription pid process target process PID 1620 wrote to memory of 568 1620 Responder.Pdf _____________________________________________________________.exe explorer.exe PID 1620 wrote to memory of 568 1620 Responder.Pdf _____________________________________________________________.exe explorer.exe PID 1620 wrote to memory of 568 1620 Responder.Pdf _____________________________________________________________.exe explorer.exe PID 1620 wrote to memory of 568 1620 Responder.Pdf _____________________________________________________________.exe explorer.exe PID 1620 wrote to memory of 568 1620 Responder.Pdf _____________________________________________________________.exe explorer.exe PID 1620 wrote to memory of 1324 1620 Responder.Pdf _____________________________________________________________.exe vssadmin.exe PID 1620 wrote to memory of 1324 1620 Responder.Pdf _____________________________________________________________.exe vssadmin.exe PID 1620 wrote to memory of 1324 1620 Responder.Pdf _____________________________________________________________.exe vssadmin.exe PID 1620 wrote to memory of 1324 1620 Responder.Pdf _____________________________________________________________.exe vssadmin.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Responder.Pdf _____________________________________________________________.exe"C:\Users\Admin\AppData\Local\Temp\Responder.Pdf _____________________________________________________________.exe"1⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\system32\explorer.exe"2⤵
-
C:\Windows\system32\vssadmin.exevssadmin.exe Delete Shadows /All /Quiet2⤵
- Interacts with shadow copies
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/568-59-0x00000000000C0000-0x00000000000FB000-memory.dmpFilesize
236KB
-
memory/568-61-0x00000000000C0000-0x00000000000FB000-memory.dmpFilesize
236KB
-
memory/568-63-0x00000000000D9C80-mapping.dmp
-
memory/1324-66-0x0000000000000000-mapping.dmp
-
memory/1620-54-0x0000000075C81000-0x0000000075C83000-memory.dmpFilesize
8KB
-
memory/1620-55-0x00000000025C0000-0x00000000026DE000-memory.dmpFilesize
1.1MB
-
memory/1620-56-0x0000000000400000-0x000000000044F000-memory.dmpFilesize
316KB
-
memory/1620-58-0x00000000025C0000-0x00000000026DE000-memory.dmpFilesize
1.1MB
-
memory/1620-65-0x00000000000D0000-0x000000000010B000-memory.dmpFilesize
236KB
-
memory/1620-67-0x0000000072E51000-0x0000000072E53000-memory.dmpFilesize
8KB