Analysis
max time kernel: 160s
max time network: 173s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 28-11-2022 03:40
Static task: static1
Behavioral task: behavioral1
  Sample: 905de398fceeb170bcd45f8ee169b90384441bb04dae8dee3ee7878c0ed2d0a4.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 905de398fceeb170bcd45f8ee169b90384441bb04dae8dee3ee7878c0ed2d0a4.exe
  Resource: win10v2004-20221111-en
The platform and resource fields above identify this page as the behavioral1 (Windows 7 x64, win7-20220812-en) run; the Windows 10 run is a separate report.
General
Target: 905de398fceeb170bcd45f8ee169b90384441bb04dae8dee3ee7878c0ed2d0a4.exe
Size: 249KB
MD5: 2fc622ed6436577502a3257a4629ef9b
SHA1: fe4ef6a223c050cf826d360585388a7e365cf75d
SHA256: 905de398fceeb170bcd45f8ee169b90384441bb04dae8dee3ee7878c0ed2d0a4
SHA512: a4c5701dc916773a92eef8be13849f65a605f6798cc34aaf62420a51e66f2cfb6193de6528ad2b1f1c48f5232c6bc837dbc53cf5e86c3e103848ea6a55d13a3b
SSDEEP: 6144:88dNXSEpYKuWrbizInoZSg0HT5oDByPOne4Z54tssUyBRpt8NJB4pK6:npbuIqZSg0tmByPw5KENJB4pp
Malware Config
Signatures

Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Loads dropped DLL (4 IoCs)
  pid 2000  905de398fceeb170bcd45f8ee169b90384441bb04dae8dee3ee7878c0ed2d0a4.exe  (four loads; the DLLs dropped into nst4A3C.tmp are listed under Downloads)

Adds Run key to start application (2 TTPs, 2 IoCs)
  explorer.exe  Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  explorer.exe  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\crukehos = "\"C:\\Windows\\uxycdgur.exe\""
The value is written by explorer.exe (pid 276) after the sample has injected into it, and it points at the executable the same process drops into C:\Windows (see "Drops file in Windows directory"). A Run value whose data is an executable directly under C:\Windows, written by explorer.exe rather than by an installer, is worth alerting on in its own right.

Checks whether UAC is enabled (1 IoC)
  905de398fceeb170bcd45f8ee169b90384441bb04dae8dee3ee7878c0ed2d0a4.exe  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA

Suspicious use of SetThreadContext (2 IoCs)
  PID 2000 (905de398fceeb170bcd45f8ee169b90384441bb04dae8dee3ee7878c0ed2d0a4.exe) set thread context of PID 1700 (905de398fceeb170bcd45f8ee169b90384441bb04dae8dee3ee7878c0ed2d0a4.exe)
  PID 1700 (905de398fceeb170bcd45f8ee169b90384441bb04dae8dee3ee7878c0ed2d0a4.exe) set thread context of PID 276 (explorer.exe)
Together with the WriteProcessMemory rows below this is the process-hollowing sequence: the sample starts a second copy of itself, writes into it and redirects its thread; that copy then does the same to the explorer.exe it launches, and the injected explorer.exe carries out the rest of the behaviour (Run key, dropped file, phishing-filter change, shadow-copy deletion).

Drops file in Windows directory (2 IoCs)
  explorer.exe  File opened for modification  C:\Windows\uxycdgur.exe
  explorer.exe  File created                  C:\Windows\uxycdgur.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Interacts with shadow copies (2 TTPs, 1 IoC)
Shadow copies are often targeted by ransomware to inhibit system recovery.
  pid 1192  vssadmin.exe  (command line under Processes: vssadmin.exe Delete Shadows /All /Quiet)

Modifies Internet Explorer Phishing Filter (1 TTPs, 3 IoCs)
  explorer.exe  Key created      \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\PhishingFilter
  explorer.exe  Set value (int)  \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV8 = "0"
  explorer.exe  Set value (int)  \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV9 = "0"

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  vssvc.exe (pid 1348)  Token: SeBackupPrivilege
  vssvc.exe (pid 1348)  Token: SeRestorePrivilege
  vssvc.exe (pid 1348)  Token: SeAuditPrivilege
vssvc.exe is the Volume Shadow Copy service, started by the system to serve the vssadmin request; enabling these privileges is its normal behaviour and is a side effect of the deletion, not a separate malicious action.

Suspicious use of WriteProcessMemory (20 IoCs)
  PID 2000 (905de398fceeb170bcd45f8ee169b90384441bb04dae8dee3ee7878c0ed2d0a4.exe) wrote to memory of PID 1700 (905de398fceeb170bcd45f8ee169b90384441bb04dae8dee3ee7878c0ed2d0a4.exe)  11 times
  PID 1700 (905de398fceeb170bcd45f8ee169b90384441bb04dae8dee3ee7878c0ed2d0a4.exe) wrote to memory of PID 276 (explorer.exe)  5 times
  PID 276 (explorer.exe) wrote to memory of PID 1192 (vssadmin.exe)  4 times
The writes into vssadmin.exe are not paired with a SetThreadContext call and are consistent with ordinary child-process creation; the first two groups are the injection steps.
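The registry and command-line rows above translate directly into host-based detections. The following is an added example, not from the sandbox or from the sample's analysis page, that encodes three of them as rules and runs them over constructed Sysmon-style events mirroring the report. Field names follow Sysmon (EventID 1 = process create, EventID 13 = registry value set); the notepad and VendorUpdater rows are constructed benign controls that must not match, and the ATT&CK IDs in the docstrings are the editor's mapping, not the page's.

```python
import re

# Constructed Sysmon-style events reproducing this report's signature rows
# (EventID 1 = process create, EventID 13 = registry value set).  The last two
# rows are benign controls that no rule should match.
EVENTS = [
    {"EventID": 1, "ProcessId": 1192,
     "Image": r"C:\Windows\SysWOW64\vssadmin.exe",
     "CommandLine": "vssadmin.exe Delete Shadows /All /Quiet",
     "ParentImage": r"C:\Windows\SysWOW64\explorer.exe"},
    {"EventID": 13, "ProcessId": 276,
     "Image": r"C:\Windows\SysWOW64\explorer.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\crukehos",
     "Details": r'"C:\Windows\uxycdgur.exe"'},
    {"EventID": 13, "ProcessId": 276,
     "Image": r"C:\Windows\SysWOW64\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-3845472200-3839195424-595303356-1000"
                     r"\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV8",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 13, "ProcessId": 276,
     "Image": r"C:\Windows\SysWOW64\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-3845472200-3839195424-595303356-1000"
                     r"\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV9",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 1, "ProcessId": 4242,
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 13, "ProcessId": 4243,
     "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     "Details": r'"C:\Program Files\Vendor\updater.exe"'},
]

SHADOW_DELETE = re.compile(r"\bdelete\s+shadows\b", re.IGNORECASE)
RUN_VALUE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\[^\\]+$", re.IGNORECASE)
# An executable placed directly in C:\Windows with no subdirectory, as uxycdgur.exe was.
WINDOWS_ROOT_EXE = re.compile(r'^"?[a-z]:\\windows\\[^\\"]+\.exe"?$', re.IGNORECASE)
PHISHING_FILTER = re.compile(r"\\Internet Explorer\\PhishingFilter\\EnabledV\d$", re.IGNORECASE)


def leaf(path):
    """Last component of a file or registry path."""
    return path.rsplit("\\", 1)[-1]


def rule_shadow_copy_deletion(ev):
    """T1490 Inhibit System Recovery: vssadmin deleting shadow copies.  The parent
    is reported because explorer.exe, the hollowed process in this report, is
    not a normal parent for vssadmin."""
    if (ev["EventID"] == 1 and leaf(ev["Image"]).lower() == "vssadmin.exe"
            and SHADOW_DELETE.search(ev.get("CommandLine", ""))):
        return f"pid {ev['ProcessId']} deleted shadow copies, parent {leaf(ev['ParentImage'])}"
    return None


def rule_run_key_windows_root(ev):
    """T1547.001 Run key whose target is an .exe dropped straight into C:\\Windows."""
    if (ev["EventID"] == 13 and RUN_VALUE.search(ev["TargetObject"])
            and WINDOWS_ROOT_EXE.match(ev["Details"])):
        return f"Run value {leaf(ev['TargetObject'])} -> {ev['Details']} set by {leaf(ev['Image'])}"
    return None


def rule_phishing_filter_disabled(ev):
    """T1562.001 Impair Defenses: IE PhishingFilter EnabledV8/EnabledV9 set to 0."""
    if (ev["EventID"] == 13 and PHISHING_FILTER.search(ev["TargetObject"])
            and ev["Details"].strip().endswith("(0x00000000)")):
        return f"{leaf(ev['TargetObject'])} set to 0 by {leaf(ev['Image'])}"
    return None


RULES = (rule_shadow_copy_deletion, rule_run_key_windows_root, rule_phishing_filter_disabled)


def run_rules(events):
    """Return (rule name, detail) for every event/rule pair that matches."""
    findings = []
    for ev in events:
        for rule in RULES:
            detail = rule(ev)
            if detail is not None:
                findings.append((rule.__name__, detail))
    return findings


if __name__ == "__main__":
    for name, detail in run_rules(EVENTS):
        print(f"{name}: {detail}")
```

The Run-key rule deliberately keys on the drop location rather than the random value name (crukehos) or file name (uxycdgur.exe), since both are generated per infection; the EnableLUA query from the signatures is not included because Sysmon does not record registry reads.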
Processes

C:\Users\Admin\AppData\Local\Temp\905de398fceeb170bcd45f8ee169b90384441bb04dae8dee3ee7878c0ed2d0a4.exe  (pid 2000, depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\905de398fceeb170bcd45f8ee169b90384441bb04dae8dee3ee7878c0ed2d0a4.exe"
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\905de398fceeb170bcd45f8ee169b90384441bb04dae8dee3ee7878c0ed2d0a4.exe  (pid 1700, depth 2, child of pid 2000)
    command line: "C:\Users\Admin\AppData\Local\Temp\905de398fceeb170bcd45f8ee169b90384441bb04dae8dee3ee7878c0ed2d0a4.exe"
    - Checks whether UAC is enabled
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\explorer.exe  (pid 276, depth 3, child of pid 1700)
      command line: "C:\Windows\system32\explorer.exe"
      - Adds Run key to start application
      - Drops file in Windows directory
      - Modifies Internet Explorer Phishing Filter
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\vssadmin.exe  (pid 1192, depth 4, child of pid 276)
        command line: vssadmin.exe Delete Shadows /All /Quiet
        - Interacts with shadow copies

C:\Windows\system32\vssvc.exe  (pid 1348, depth 1)
  command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken

explorer.exe and vssadmin.exe were requested under system32 but resolved to SysWOW64: WOW64 file-system redirection applies only to 32-bit processes, so the sample and the explorer.exe it hollows are 32-bit, matching the arch:x86 resource tag. A 32-bit explorer.exe running on a 64-bit host, with a sample executable as its parent, is itself a strong detection signal.
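The two SetThreadContext rows and the three groups of WriteProcessMemory rows describe one chain rather than isolated events. The following added example, not part of the report, rebuilds that chain from rows constructed to match the report's counts and flags as hollowed only the targets that received both a memory write and a thread-context change from the same source; "sample.exe" is shorthand for the SHA256-named sample executable, and the row counts and PIDs are taken from the signatures above.

```python
from collections import defaultdict

# Constructed rows matching the report's counts: 11 + 5 + 4 WriteProcessMemory
# calls and 2 SetThreadContext calls, as (api, source pid, target pid).
ROWS = (
    [("WriteProcessMemory", 2000, 1700)] * 11
    + [("WriteProcessMemory", 1700, 276)] * 5
    + [("WriteProcessMemory", 276, 1192)] * 4
    + [("SetThreadContext", 2000, 1700), ("SetThreadContext", 1700, 276)]
)
# "sample.exe" stands in for 905de398...d0a4.exe from the report.
IMAGES = {2000: "sample.exe", 1700: "sample.exe", 276: "explorer.exe", 1192: "vssadmin.exe"}

HOLLOWING_APIS = {"WriteProcessMemory", "SetThreadContext"}


def build_graph(rows):
    """source pid -> {target pid -> set of APIs the source used against it}."""
    graph = defaultdict(lambda: defaultdict(set))
    for api, src, dst in rows:
        graph[src][dst].add(api)
    return graph


def hollowing_candidates(rows):
    """(source, target) pairs where the source both wrote the target's memory and
    changed its thread context.  Writes alone are not enough: a parent writing
    into a child it has just created (explorer.exe -> vssadmin.exe here) is
    normal process start-up and must not be flagged."""
    graph = build_graph(rows)
    return sorted(
        (src, dst)
        for src, targets in graph.items()
        for dst, apis in targets.items()
        if HOLLOWING_APIS <= apis
    )


def injection_chain(rows, root):
    """Follow memory-write edges from the root.  The report has one target per
    source, so the first target is taken; the membership check stops cycles."""
    graph = build_graph(rows)
    chain = [root]
    while chain[-1] in graph:
        nxt = next(iter(graph[chain[-1]]))
        if nxt in chain:
            break
        chain.append(nxt)
    return chain


def describe_chain(rows, images, root):
    """Human-readable chain, marking the processes that were hollowed."""
    hollowed = {dst for _, dst in hollowing_candidates(rows)}
    return [
        f"{pid} {images.get(pid, '?')}" + (" [hollowed]" if pid in hollowed else "")
        for pid in injection_chain(rows, root)
    ]


if __name__ == "__main__":
    print(" -> ".join(describe_chain(ROWS, IMAGES, 2000)))
```

Run against the report's rows this yields 2000 sample.exe -> 1700 sample.exe [hollowed] -> 276 explorer.exe [hollowed] -> 1192 vssadmin.exe: vssadmin is the leaf of the chain and is spawned, not hollowed, which is why a parent/child rule (explorer.exe spawning vssadmin with Delete Shadows) catches it where an injection rule would not.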
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\ProgramData\idumewitynofyran\01000000
  Filesize: 249KB  (the same size as the submitted sample, but with different hashes)
  MD5: f069897997fc2aa0a12daf0d810e179e
  SHA1: 826142d53e9e0b1bfbffbb256b12ac7281028368
  SHA256: 0daca4f146752af2b449065edea652e36b6a89d1a27da5e4a45d2cfe49b49612
  SHA512: 0cd2402ba6d74f81d252d66d9ca4d9abbb7dcee3ccd574c3d5043dc781700d1d3632db3c7a725600fdfd397e2c1b186eecea847f41810ec23e75fb99fb0bf934

\Users\Admin\AppData\Local\Temp\nst4A3C.tmp\UserInfo.dll  (listed three times)
  Filesize: 4KB
  MD5: d9a3fc12d56726dde60c1ead1df366f7
  SHA1: f531768159c14f07ac896437445652b33750a237
  SHA256: 401f1a02000ff7cf9853d964dcba77e6f0fa8e57256b11ed3c01171d7a97388a
  SHA512: 6b06e3446df419151dd20cdb1d9c595fe9fb0972e7dfc50dadeea9f868d8ef0cd4cefcb18c7ebfc0d2a3e9171f8aa1f9fe762f54c374667f6060e8ce7e845f51

\Users\Admin\AppData\Local\Temp\nst4A3C.tmp\thalidomide.dll
  Filesize: 86KB
  MD5: aa144b724f32bcda0499ab58bb841d5a
  SHA1: 51387b4b0e9f50d203c0c083151047982f6b6ca2
  SHA256: 64bb66d035a60097f7c75c24b9c04a47a32675b83c53e77270286009e4fd6807
  SHA512: 2e730c88cc07658554e81e2a95b2d0a9e6ee8a37a0cb2e08b1f6d614b2431d7baa067b47db7741e7ed472b58c27a232c5a0bf0c0fea98c12b668627053186771

A %TEMP%\ns<hex>.tmp directory is where an NSIS installer extracts its plugins, and UserInfo.dll is the stock NSIS UserInfo plugin; thalidomide.dll does not correspond to a stock NSIS plugin and is the component to examine. The 01000000 file under C:\ProgramData is the other new artifact to collect from an infected host alongside C:\Windows\uxycdgur.exe.
Memory dumps

pid 2000 (first instance of the sample)
  2000-54  0x76831000-0x76833000  8KB

pid 1700 (second instance of the sample, target of the first SetThreadContext)
  1700-59, 1700-60, 1700-62, 1700-64, 1700-65, 1700-66, 1700-68, 1700-72, 1700-73, 1700-82  0x00400000-0x0043A000  232KB
  1700-69  0x0040A61E  mapping  (RVA 0xA61E within the 0x00400000 region)

pid 276 (explorer.exe, target of the second SetThreadContext)
  276-74, 276-76, 276-85  0x000C0000-0x000FC000  240KB
  276-78  0x000DA140  mapping  (RVA 0x1A140 within the 0x000C0000 region)
  276-80  0x754C1000-0x754C3000  8KB
  276-84  0x73071000-0x73073000  8KB

pid 1192 (vssadmin.exe)
  1192-83  0x00000000  mapping

0x00400000 is the usual image base of a 32-bit executable, so the 232KB region in pid 1700 covers the sample's image there; 0x000C0000 in explorer.exe is not where explorer's own image is mapped, so the 240KB region in pid 276 is the code written into it by pid 1700 and is the dump to pull for the injected payload.