Analysis
- max time kernel: 204s
- max time network: 210s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28-11-2022 02:15
Static task: static1
Behavioral task: behavioral1
- Sample: 6910aeef12ecba786a855753da0b386ac64874c1086df7ec002ee82a14a93d60.exe
- Resource: win7-20220901-en
Behavioral task: behavioral2
- Sample: 6910aeef12ecba786a855753da0b386ac64874c1086df7ec002ee82a14a93d60.exe
- Resource: win10v2004-20221111-en
General
- Target: 6910aeef12ecba786a855753da0b386ac64874c1086df7ec002ee82a14a93d60.exe
- Size: 454KB
- MD5: 43ce7a42d275d1351de591b3b5d2661d
- SHA1: 1ca4ff2afd8407eef291105e53d9136b6178220c
- SHA256: 6910aeef12ecba786a855753da0b386ac64874c1086df7ec002ee82a14a93d60
- SHA512: 6df6bb7d2ead24e88ab776466fb4dc7fd4cd9043f0f43502089b93819400418efcbc02af92773bca601d5e3d15a24a30f82a8d563d4b11f7ba234df244b86f86
- SSDEEP: 6144:PFaURAN6/9ehvQcjKD3aIhc1QJvmao65i0qdFWJera4qN87kRqoEAVwSd+fGgIK8:PvRL/MhvF6NyFfrQJEQR
Malware Config
Signatures
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: explorer.exe
  description / ioc / process:
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (explorer.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ibipufed = "C:\\Windows\\gnphequx.exe" (explorer.exe)
- Checks whether UAC is enabled
  Processes: 6910aeef12ecba786a855753da0b386ac64874c1086df7ec002ee82a14a93d60.exe
  description / ioc / process:
  - Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (6910aeef12ecba786a855753da0b386ac64874c1086df7ec002ee82a14a93d60.exe)
- Suspicious use of SetThreadContext (2 IoCs)
  Processes: 6910aeef12ecba786a855753da0b386ac64874c1086df7ec002ee82a14a93d60.exe, 6910aeef12ecba786a855753da0b386ac64874c1086df7ec002ee82a14a93d60.exe
  description / pid / process / target process:
  - PID 1336 set thread context of 1664: 6910aeef12ecba786a855753da0b386ac64874c1086df7ec002ee82a14a93d60.exe -> 6910aeef12ecba786a855753da0b386ac64874c1086df7ec002ee82a14a93d60.exe
  - PID 1664 set thread context of 2592: 6910aeef12ecba786a855753da0b386ac64874c1086df7ec002ee82a14a93d60.exe -> explorer.exe
- Drops file in Windows directory (2 IoCs)
  Processes: explorer.exe
  description / ioc / process:
  - File opened for modification: C:\Windows\gnphequx.exe (explorer.exe)
  - File created: C:\Windows\gnphequx.exe (explorer.exe)
- Interacts with shadow copies (2 TTPs, 1 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes: vssadmin.exe
  pid / process:
  - 2536 vssadmin.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: 6910aeef12ecba786a855753da0b386ac64874c1086df7ec002ee82a14a93d60.exe
  pid / process:
  - 1336 6910aeef12ecba786a855753da0b386ac64874c1086df7ec002ee82a14a93d60.exe
  - 1336 6910aeef12ecba786a855753da0b386ac64874c1086df7ec002ee82a14a93d60.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes: 6910aeef12ecba786a855753da0b386ac64874c1086df7ec002ee82a14a93d60.exe
  pid / process:
  - 1336 6910aeef12ecba786a855753da0b386ac64874c1086df7ec002ee82a14a93d60.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes: vssvc.exe
  description / pid / process:
  - Token: SeBackupPrivilege 4420 vssvc.exe
  - Token: SeRestorePrivilege 4420 vssvc.exe
  - Token: SeAuditPrivilege 4420 vssvc.exe
- Suspicious use of WriteProcessMemory (16 IoCs)
  Processes: 6910aeef12ecba786a855753da0b386ac64874c1086df7ec002ee82a14a93d60.exe, 6910aeef12ecba786a855753da0b386ac64874c1086df7ec002ee82a14a93d60.exe, explorer.exe
  description / pid / process / target process:
  - PID 1336 wrote to memory of 1664: 6910aeef12ecba786a855753da0b386ac64874c1086df7ec002ee82a14a93d60.exe -> 6910aeef12ecba786a855753da0b386ac64874c1086df7ec002ee82a14a93d60.exe
  - PID 1336 wrote to memory of 1664: 6910aeef12ecba786a855753da0b386ac64874c1086df7ec002ee82a14a93d60.exe -> 6910aeef12ecba786a855753da0b386ac64874c1086df7ec002ee82a14a93d60.exe
  - PID 1336 wrote to memory of 1664: 6910aeef12ecba786a855753da0b386ac64874c1086df7ec002ee82a14a93d60.exe -> 6910aeef12ecba786a855753da0b386ac64874c1086df7ec002ee82a14a93d60.exe
  - PID 1336 wrote to memory of 1664: 6910aeef12ecba786a855753da0b386ac64874c1086df7ec002ee82a14a93d60.exe -> 6910aeef12ecba786a855753da0b386ac64874c1086df7ec002ee82a14a93d60.exe
  - PID 1336 wrote to memory of 1664: 6910aeef12ecba786a855753da0b386ac64874c1086df7ec002ee82a14a93d60.exe -> 6910aeef12ecba786a855753da0b386ac64874c1086df7ec002ee82a14a93d60.exe
  - PID 1336 wrote to memory of 1664: 6910aeef12ecba786a855753da0b386ac64874c1086df7ec002ee82a14a93d60.exe -> 6910aeef12ecba786a855753da0b386ac64874c1086df7ec002ee82a14a93d60.exe
  - PID 1336 wrote to memory of 1664: 6910aeef12ecba786a855753da0b386ac64874c1086df7ec002ee82a14a93d60.exe -> 6910aeef12ecba786a855753da0b386ac64874c1086df7ec002ee82a14a93d60.exe
  - PID 1336 wrote to memory of 1664: 6910aeef12ecba786a855753da0b386ac64874c1086df7ec002ee82a14a93d60.exe -> 6910aeef12ecba786a855753da0b386ac64874c1086df7ec002ee82a14a93d60.exe
  - PID 1336 wrote to memory of 1664: 6910aeef12ecba786a855753da0b386ac64874c1086df7ec002ee82a14a93d60.exe -> 6910aeef12ecba786a855753da0b386ac64874c1086df7ec002ee82a14a93d60.exe
  - PID 1336 wrote to memory of 1664: 6910aeef12ecba786a855753da0b386ac64874c1086df7ec002ee82a14a93d60.exe -> 6910aeef12ecba786a855753da0b386ac64874c1086df7ec002ee82a14a93d60.exe
  - PID 1664 wrote to memory of 2592: 6910aeef12ecba786a855753da0b386ac64874c1086df7ec002ee82a14a93d60.exe -> explorer.exe
  - PID 1664 wrote to memory of 2592: 6910aeef12ecba786a855753da0b386ac64874c1086df7ec002ee82a14a93d60.exe -> explorer.exe
  - PID 1664 wrote to memory of 2592: 6910aeef12ecba786a855753da0b386ac64874c1086df7ec002ee82a14a93d60.exe -> explorer.exe
  - PID 1664 wrote to memory of 2592: 6910aeef12ecba786a855753da0b386ac64874c1086df7ec002ee82a14a93d60.exe -> explorer.exe
  - PID 2592 wrote to memory of 2536: explorer.exe -> vssadmin.exe
  - PID 2592 wrote to memory of 2536: explorer.exe -> vssadmin.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\6910aeef12ecba786a855753da0b386ac64874c1086df7ec002ee82a14a93d60.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\6910aeef12ecba786a855753da0b386ac64874c1086df7ec002ee82a14a93d60.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\6910aeef12ecba786a855753da0b386ac64874c1086df7ec002ee82a14a93d60.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\6910aeef12ecba786a855753da0b386ac64874c1086df7ec002ee82a14a93d60.exe"
    - Checks whether UAC is enabled
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\explorer.exe
      command line: "C:\Windows\system32\explorer.exe"
      - Adds Run key to start application
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SYSTEM32\vssadmin.exe
        command line: vssadmin.exe Delete Shadows /All /Quiet
        - Interacts with shadow copies
- C:\Windows\system32\vssvc.exe
  command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\ProgramData\ehelinavuwuqosys\01000000
  Filesize: 454KB
  MD5: a68baea5cf6842029b3eee218a431dd5
  SHA1: 1ef0e16a97c6247e11fc1d07e4b30897e462a35a
  SHA256: f5fff986e760ec257010e70a977539f3150530b1c76d9362ed12533ba2a593c8
  SHA512: 24910c6e062161f7f9f41e54cdbd6892413fbe82a1c49eb89ae5d19f94c6ebd2245a80bec1636f2343386571975c0d640554c379ba96a30a3006d606680f41a9
- memory/1664-132-0x0000000000000000-mapping.dmp
- memory/1664-133-0x0000000000400000-0x0000000000439000-memory.dmp
  Filesize: 228KB
- memory/1664-134-0x0000000000400000-0x0000000000439000-memory.dmp
  Filesize: 228KB
- memory/1664-135-0x0000000000400000-0x0000000000439000-memory.dmp
  Filesize: 228KB
- memory/1664-136-0x0000000000400000-0x0000000000439000-memory.dmp
  Filesize: 228KB
- memory/1664-141-0x0000000000400000-0x0000000000439000-memory.dmp
  Filesize: 228KB
- memory/2536-143-0x0000000000000000-mapping.dmp
- memory/2592-137-0x0000000000000000-mapping.dmp
- memory/2592-138-0x0000000000A00000-0x0000000000A3B000-memory.dmp
  Filesize: 236KB
- memory/2592-142-0x0000000000A00000-0x0000000000A3B000-memory.dmp
  Filesize: 236KB