Analysis
- max time kernel: 189s
- max time network: 212s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 28-11-2022 03:40
Static task: static1
Behavioral task: behavioral1
- Sample: e7b79b2c2e1f7db30190f58f27f02afb6f042b13f0100db282b6249d2a08cbd4.exe
- Resource: win7-20221111-en
Behavioral task: behavioral2
- Sample: e7b79b2c2e1f7db30190f58f27f02afb6f042b13f0100db282b6249d2a08cbd4.exe
- Resource: win10v2004-20220812-en
General
- Target: e7b79b2c2e1f7db30190f58f27f02afb6f042b13f0100db282b6249d2a08cbd4.exe
- Size: 230KB
- MD5: 0a8d712effd073e94ea693e87ab4c0e1
- SHA1: d196aa6bd299c35ab506b2fd54ea614c36d1a77e
- SHA256: e7b79b2c2e1f7db30190f58f27f02afb6f042b13f0100db282b6249d2a08cbd4
- SHA512: f2d1585d53fce1783cecdc27633850fcfd06ca2daad6e30da45f28d02db78c6c09eb496263a35820bf8f26d2709d8761fbb8143c69d7ccaee8e2a35140b9e10b
- SSDEEP: 6144:88dNXSEpr69Th3UuMLytcUK36KNgPgDdAm692CM8/N:npOh3UuCytcUsqg5p69e8/N
Malware Config
Signatures
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Loads dropped DLL 4 IoCs
Processes (pid | process):
1456 | e7b79b2c2e1f7db30190f58f27f02afb6f042b13f0100db282b6249d2a08cbd4.exe (4 identical entries)
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes (description | ioc | process):
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ymyqmsut = "\"C:\\Windows\\iqqkflet.exe\"" | explorer.exe
-
Checks whether UAC is enabled
Processes (description | ioc | process):
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | e7b79b2c2e1f7db30190f58f27f02afb6f042b13f0100db282b6249d2a08cbd4.exe
-
Suspicious use of SetThreadContext 2 IoCs
Processes (description | pid | process | target process):
PID 1456 set thread context of 688 | 1456 | e7b79b2c2e1f7db30190f58f27f02afb6f042b13f0100db282b6249d2a08cbd4.exe | e7b79b2c2e1f7db30190f58f27f02afb6f042b13f0100db282b6249d2a08cbd4.exe
PID 688 set thread context of 1880 | 688 | e7b79b2c2e1f7db30190f58f27f02afb6f042b13f0100db282b6249d2a08cbd4.exe | explorer.exe
-
Drops file in Windows directory 2 IoCs
Processes (description | ioc | process):
File opened for modification | C:\Windows\iqqkflet.exe | explorer.exe
File created | C:\Windows\iqqkflet.exe | explorer.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes (pid | process):
1500 | vssadmin.exe
-
Modifies Internet Explorer Phishing Filter 1 TTPs 3 IoCs
Processes (description | ioc | process):
Key created | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\PhishingFilter | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV8 = "0" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV9 = "0" | explorer.exe
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes (description | pid | process):
Token: SeBackupPrivilege | 864 | vssvc.exe
Token: SeRestorePrivilege | 864 | vssvc.exe
Token: SeAuditPrivilege | 864 | vssvc.exe
-
Suspicious use of WriteProcessMemory 20 IoCs
Processes (description | pid | process | target process):
PID 1456 wrote to memory of 688 | 1456 | e7b79b2c2e1f7db30190f58f27f02afb6f042b13f0100db282b6249d2a08cbd4.exe | e7b79b2c2e1f7db30190f58f27f02afb6f042b13f0100db282b6249d2a08cbd4.exe (11 identical entries)
PID 688 wrote to memory of 1880 | 688 | e7b79b2c2e1f7db30190f58f27f02afb6f042b13f0100db282b6249d2a08cbd4.exe | explorer.exe (5 identical entries)
PID 1880 wrote to memory of 1500 | 1880 | explorer.exe | vssadmin.exe (4 identical entries)
Processes
- Process: C:\Users\Admin\AppData\Local\Temp\e7b79b2c2e1f7db30190f58f27f02afb6f042b13f0100db282b6249d2a08cbd4.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\e7b79b2c2e1f7db30190f58f27f02afb6f042b13f0100db282b6249d2a08cbd4.exe"
  Signatures:
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - Process: C:\Users\Admin\AppData\Local\Temp\e7b79b2c2e1f7db30190f58f27f02afb6f042b13f0100db282b6249d2a08cbd4.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\e7b79b2c2e1f7db30190f58f27f02afb6f042b13f0100db282b6249d2a08cbd4.exe"
    Signatures:
    - Checks whether UAC is enabled
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - Process: C:\Windows\SysWOW64\explorer.exe (depth 3)
      Command line: "C:\Windows\system32\explorer.exe"
      Signatures:
      - Adds Run key to start application
      - Drops file in Windows directory
      - Modifies Internet Explorer Phishing Filter
      - Suspicious use of WriteProcessMemory
      - Process: C:\Windows\SysWOW64\vssadmin.exe (depth 4)
        Command line: vssadmin.exe Delete Shadows /All /Quiet
        Signatures:
        - Interacts with shadow copies
- Process: C:\Windows\system32\vssvc.exe (depth 1)
  Command line: C:\Windows\system32\vssvc.exe
  Signatures:
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\ProgramData\aduqeliginopicah\01000000
  Filesize: 230KB
  MD5: 5497d7eaa98409f549ec02b3675131b2
  SHA1: e19591a172801dc5a0a1d5d3ee23491d4d187616
  SHA256: b03d5159ab1789b6b199cd425f036fea2841501e0770a74baa0dd2576fc5504b
  SHA512: a366559c64eda40d56c75431710dce10e1212451d5fe57c88eb3d43f8222a1c357954b35385962fc2e71a0011afc68ac32db6f52cf08cb4be70d875674241234
- \Users\Admin\AppData\Local\Temp\nsj70.tmp\UserInfo.dll
  Filesize: 4KB
  MD5: d9a3fc12d56726dde60c1ead1df366f7
  SHA1: f531768159c14f07ac896437445652b33750a237
  SHA256: 401f1a02000ff7cf9853d964dcba77e6f0fa8e57256b11ed3c01171d7a97388a
  SHA512: 6b06e3446df419151dd20cdb1d9c595fe9fb0972e7dfc50dadeea9f868d8ef0cd4cefcb18c7ebfc0d2a3e9171f8aa1f9fe762f54c374667f6060e8ce7e845f51
- \Users\Admin\AppData\Local\Temp\nsj70.tmp\granadillas.dll
  Filesize: 50KB
  MD5: 4a19e3e14e896aa8e42aa25abb51b0f0
  SHA1: b3af30c92ec18aba1547d60a07eda49786bfbc9f
  SHA256: 99837def935b6f3326d0887f99f2fcdc94c2516805710dfa00da32d96ce4ed3a
  SHA512: e117e3c61cb402ff12bf28fc4489f545df669ae6d48d7d2cea6143ddc084c6a8a9db371fc2f6d7313e6303852b330dac1d41cb833858b4dfa414052ac5cb2bd4
- memory/688-69-0x000000000040A61E-mapping.dmp
- memory/688-73-0x0000000000400000-0x000000000043A000-memory.dmp (Filesize: 232KB)
- memory/688-62-0x0000000000400000-0x000000000043A000-memory.dmp (Filesize: 232KB)
- memory/688-64-0x0000000000400000-0x000000000043A000-memory.dmp (Filesize: 232KB)
- memory/688-65-0x0000000000400000-0x000000000043A000-memory.dmp (Filesize: 232KB)
- memory/688-66-0x0000000000400000-0x000000000043A000-memory.dmp (Filesize: 232KB)
- memory/688-68-0x0000000000400000-0x000000000043A000-memory.dmp (Filesize: 232KB)
- memory/688-83-0x0000000000400000-0x000000000043A000-memory.dmp (Filesize: 232KB)
- memory/688-72-0x0000000000400000-0x000000000043A000-memory.dmp (Filesize: 232KB)
- memory/688-60-0x0000000000400000-0x000000000043A000-memory.dmp (Filesize: 232KB)
- memory/688-59-0x0000000000400000-0x000000000043A000-memory.dmp (Filesize: 232KB)
- memory/1456-54-0x00000000766F1000-0x00000000766F3000-memory.dmp (Filesize: 8KB)
- memory/1500-84-0x0000000000000000-mapping.dmp
- memory/1880-76-0x0000000000080000-0x00000000000BC000-memory.dmp (Filesize: 240KB)
- memory/1880-78-0x000000000009A140-mapping.dmp
- memory/1880-80-0x00000000754D1000-0x00000000754D3000-memory.dmp (Filesize: 8KB)
- memory/1880-81-0x0000000000080000-0x00000000000BC000-memory.dmp (Filesize: 240KB)
- memory/1880-74-0x0000000000080000-0x00000000000BC000-memory.dmp (Filesize: 240KB)
- memory/1880-85-0x0000000073071000-0x0000000073073000-memory.dmp (Filesize: 8KB)
- memory/1880-86-0x0000000000080000-0x00000000000BC000-memory.dmp (Filesize: 240KB)