Overview

overview

9

Static

static

1

e7b79b2c2e...d4.exe

windows7-x64

9

e7b79b2c2e...d4.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    189s
  • max time network
    212s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    28-11-2022 03:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e7b79b2c2e1f7db30190f58f27f02afb6f042b13f0100db282b6249d2a08cbd4.exe

  • Size

    230KB

  • MD5

    0a8d712effd073e94ea693e87ab4c0e1

  • SHA1

    d196aa6bd299c35ab506b2fd54ea614c36d1a77e

  • SHA256

    e7b79b2c2e1f7db30190f58f27f02afb6f042b13f0100db282b6249d2a08cbd4

  • SHA512

    f2d1585d53fce1783cecdc27633850fcfd06ca2daad6e30da45f28d02db78c6c09eb496263a35820bf8f26d2709d8761fbb8143c69d7ccaee8e2a35140b9e10b

  • SSDEEP

    6144:88dNXSEpr69Th3UuMLytcUK36KNgPgDdAm692CM8/N:npOh3UuCytcUsqg5p69e8/N

Score
9/10
evasionpersistenceransomwaretrojan

Malware Config

Signatures

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies Internet Explorer Phishing Filter 1 TTPs 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e7b79b2c2e1f7db30190f58f27f02afb6f042b13f0100db282b6249d2a08cbd4.exe
    "C:\Users\Admin\AppData\Local\Temp\e7b79b2c2e1f7db30190f58f27f02afb6f042b13f0100db282b6249d2a08cbd4.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1456
    • C:\Users\Admin\AppData\Local\Temp\e7b79b2c2e1f7db30190f58f27f02afb6f042b13f0100db282b6249d2a08cbd4.exe
      "C:\Users\Admin\AppData\Local\Temp\e7b79b2c2e1f7db30190f58f27f02afb6f042b13f0100db282b6249d2a08cbd4.exe"
      2⤵
      • Checks whether UAC is enabled
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:688
      • C:\Windows\SysWOW64\explorer.exe
        "C:\Windows\system32\explorer.exe"
        3⤵
        • Adds Run key to start application
        • Drops file in Windows directory
        • Modifies Internet Explorer Phishing Filter
        • Suspicious use of WriteProcessMemory
        PID:1880
        • C:\Windows\SysWOW64\vssadmin.exe
          vssadmin.exe Delete Shadows /All /Quiet
          4⤵
          • Interacts with shadow copies
          PID:1500
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:864

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

File Deletion

2
T1107

Modify Registry

2
T1112

Credential Access

Discovery

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2
T1490

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\aduqeliginopicah\01000000
    Filesize

    230KB

    MD5

    5497d7eaa98409f549ec02b3675131b2

    SHA1

    e19591a172801dc5a0a1d5d3ee23491d4d187616

    SHA256

    b03d5159ab1789b6b199cd425f036fea2841501e0770a74baa0dd2576fc5504b

    SHA512

    a366559c64eda40d56c75431710dce10e1212451d5fe57c88eb3d43f8222a1c357954b35385962fc2e71a0011afc68ac32db6f52cf08cb4be70d875674241234

    Download Submit
  • \Users\Admin\AppData\Local\Temp\nsj70.tmp\UserInfo.dll
    Filesize

    4KB

    MD5

    d9a3fc12d56726dde60c1ead1df366f7

    SHA1

    f531768159c14f07ac896437445652b33750a237

    SHA256

    401f1a02000ff7cf9853d964dcba77e6f0fa8e57256b11ed3c01171d7a97388a

    SHA512

    6b06e3446df419151dd20cdb1d9c595fe9fb0972e7dfc50dadeea9f868d8ef0cd4cefcb18c7ebfc0d2a3e9171f8aa1f9fe762f54c374667f6060e8ce7e845f51

    Download Submit
  • \Users\Admin\AppData\Local\Temp\nsj70.tmp\UserInfo.dll
    Filesize

    4KB

    MD5

    d9a3fc12d56726dde60c1ead1df366f7

    SHA1

    f531768159c14f07ac896437445652b33750a237

    SHA256

    401f1a02000ff7cf9853d964dcba77e6f0fa8e57256b11ed3c01171d7a97388a

    SHA512

    6b06e3446df419151dd20cdb1d9c595fe9fb0972e7dfc50dadeea9f868d8ef0cd4cefcb18c7ebfc0d2a3e9171f8aa1f9fe762f54c374667f6060e8ce7e845f51

    Download Submit
  • \Users\Admin\AppData\Local\Temp\nsj70.tmp\UserInfo.dll
    Filesize

    4KB

    MD5

    d9a3fc12d56726dde60c1ead1df366f7

    SHA1

    f531768159c14f07ac896437445652b33750a237

    SHA256

    401f1a02000ff7cf9853d964dcba77e6f0fa8e57256b11ed3c01171d7a97388a

    SHA512

    6b06e3446df419151dd20cdb1d9c595fe9fb0972e7dfc50dadeea9f868d8ef0cd4cefcb18c7ebfc0d2a3e9171f8aa1f9fe762f54c374667f6060e8ce7e845f51

    Download Submit
  • \Users\Admin\AppData\Local\Temp\nsj70.tmp\granadillas.dll
    Filesize

    50KB

    MD5

    4a19e3e14e896aa8e42aa25abb51b0f0

    SHA1

    b3af30c92ec18aba1547d60a07eda49786bfbc9f

    SHA256

    99837def935b6f3326d0887f99f2fcdc94c2516805710dfa00da32d96ce4ed3a

    SHA512

    e117e3c61cb402ff12bf28fc4489f545df669ae6d48d7d2cea6143ddc084c6a8a9db371fc2f6d7313e6303852b330dac1d41cb833858b4dfa414052ac5cb2bd4

    Download Submit
  • memory/688-69-0x000000000040A61E-mapping.dmp
    Download
  • memory/688-73-0x0000000000400000-0x000000000043A000-memory.dmp
    Filesize

    232KB

    Download
  • memory/688-62-0x0000000000400000-0x000000000043A000-memory.dmp
    Filesize

    232KB

    Download
  • memory/688-64-0x0000000000400000-0x000000000043A000-memory.dmp
    Filesize

    232KB

    Download
  • memory/688-65-0x0000000000400000-0x000000000043A000-memory.dmp
    Filesize

    232KB

    Download
  • memory/688-66-0x0000000000400000-0x000000000043A000-memory.dmp
    Filesize

    232KB

    Download
  • memory/688-68-0x0000000000400000-0x000000000043A000-memory.dmp
    Filesize

    232KB

    Download
  • memory/688-83-0x0000000000400000-0x000000000043A000-memory.dmp
    Filesize

    232KB

    Download
  • memory/688-72-0x0000000000400000-0x000000000043A000-memory.dmp
    Filesize

    232KB

    Download
  • memory/688-60-0x0000000000400000-0x000000000043A000-memory.dmp
    Filesize

    232KB

    Download
  • memory/688-59-0x0000000000400000-0x000000000043A000-memory.dmp
    Filesize

    232KB

    Download
  • memory/1456-54-0x00000000766F1000-0x00000000766F3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1500-84-0x0000000000000000-mapping.dmp
    Download
  • memory/1880-76-0x0000000000080000-0x00000000000BC000-memory.dmp
    Filesize

    240KB

    Download
  • memory/1880-78-0x000000000009A140-mapping.dmp
    Download
  • memory/1880-80-0x00000000754D1000-0x00000000754D3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1880-81-0x0000000000080000-0x00000000000BC000-memory.dmp
    Filesize

    240KB

    Download
  • memory/1880-74-0x0000000000080000-0x00000000000BC000-memory.dmp
    Filesize

    240KB

    Download
  • memory/1880-85-0x0000000073071000-0x0000000073073000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1880-86-0x0000000000080000-0x00000000000BC000-memory.dmp
    Filesize

    240KB

    Download