Analysis
max time kernel: 150s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28-11-2022 03:40
Static task: static1
Behavioral task: behavioral1
  Sample: e7b79b2c2e1f7db30190f58f27f02afb6f042b13f0100db282b6249d2a08cbd4.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: e7b79b2c2e1f7db30190f58f27f02afb6f042b13f0100db282b6249d2a08cbd4.exe
  Resource: win10v2004-20220812-en
General
Target: e7b79b2c2e1f7db30190f58f27f02afb6f042b13f0100db282b6249d2a08cbd4.exe
Size: 230KB
MD5: 0a8d712effd073e94ea693e87ab4c0e1
SHA1: d196aa6bd299c35ab506b2fd54ea614c36d1a77e
SHA256: e7b79b2c2e1f7db30190f58f27f02afb6f042b13f0100db282b6249d2a08cbd4
SHA512: f2d1585d53fce1783cecdc27633850fcfd06ca2daad6e30da45f28d02db78c6c09eb496263a35820bf8f26d2709d8761fbb8143c69d7ccaee8e2a35140b9e10b
SSDEEP: 6144:88dNXSEpr69Th3UuMLytcUK36KNgPgDdAm692CM8/N:npOh3UuCytcUsqg5p69e8/N
Malware Config
Signatures
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Loads dropped DLL (4 IoCs)
  Processes:
  pid  | process
  1544 | e7b79b2c2e1f7db30190f58f27f02afb6f042b13f0100db282b6249d2a08cbd4.exe (4 occurrences)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
  description     | ioc | process
  Key created     | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zkowyzat = "\"C:\\Windows\\edyzylyw.exe\"" | explorer.exe
- Drops file in System32 directory (2 IoCs)
  Processes:
  description  | ioc | process
  File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{0C320E2E-C664-4373-8703-7A22D04CA926}.catalogItem | svchost.exe
  File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{158F50F0-9461-4D68-83DF-5819CE95CB38}.catalogItem | svchost.exe
- Suspicious use of SetThreadContext (2 IoCs)
  Processes:
  description | pid | process | target process
  PID 1544 set thread context of 2408 | 1544 | e7b79b2c2e1f7db30190f58f27f02afb6f042b13f0100db282b6249d2a08cbd4.exe | e7b79b2c2e1f7db30190f58f27f02afb6f042b13f0100db282b6249d2a08cbd4.exe
  PID 2408 set thread context of 3204 | 2408 | e7b79b2c2e1f7db30190f58f27f02afb6f042b13f0100db282b6249d2a08cbd4.exe | explorer.exe
- Drops file in Windows directory (2 IoCs)
  Processes:
  description                  | ioc | process
  File opened for modification | C:\Windows\edyzylyw.exe | explorer.exe
  File created                 | C:\Windows\edyzylyw.exe | explorer.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
  description       | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | svchost.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | svchost.exe
  Key opened        | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | svchost.exe
- Enumerates system info in registry (2 TTPs, 2 IoCs)
  Processes:
  description       | ioc | process
  Key opened        | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | svchost.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | svchost.exe
- Interacts with shadow copies (2 TTPs, 1 IoC)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes:
  pid  | process
  3732 | vssadmin.exe
- Modifies Internet Explorer Phishing Filter (1 TTP, 3 IoCs)
  Processes:
  description     | ioc | process
  Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\EnabledV8 = "0" | explorer.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\EnabledV9 = "0" | explorer.exe
  Key created     | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\PhishingFilter | explorer.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
  description                | pid  | process
  Token: SeBackupPrivilege   | 4848 | vssvc.exe
  Token: SeRestorePrivilege  | 4848 | vssvc.exe
  Token: SeAuditPrivilege    | 4848 | vssvc.exe
- Suspicious use of WriteProcessMemory (16 IoCs)
  Processes:
  description | pid | process | target process
  PID 1544 wrote to memory of 2408 | 1544 | e7b79b2c2e1f7db30190f58f27f02afb6f042b13f0100db282b6249d2a08cbd4.exe | e7b79b2c2e1f7db30190f58f27f02afb6f042b13f0100db282b6249d2a08cbd4.exe (10 occurrences)
  PID 2408 wrote to memory of 3204 | 2408 | e7b79b2c2e1f7db30190f58f27f02afb6f042b13f0100db282b6249d2a08cbd4.exe | explorer.exe (4 occurrences)
  PID 3204 wrote to memory of 3732 | 3204 | explorer.exe | vssadmin.exe (2 occurrences)
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\e7b79b2c2e1f7db30190f58f27f02afb6f042b13f0100db282b6249d2a08cbd4.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e7b79b2c2e1f7db30190f58f27f02afb6f042b13f0100db282b6249d2a08cbd4.exe"
  Signatures: Loads dropped DLL; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\e7b79b2c2e1f7db30190f58f27f02afb6f042b13f0100db282b6249d2a08cbd4.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\e7b79b2c2e1f7db30190f58f27f02afb6f042b13f0100db282b6249d2a08cbd4.exe"
    Signatures: Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\explorer.exe
      Command line: "C:\Windows\system32\explorer.exe"
      Signatures: Adds Run key to start application; Drops file in Windows directory; Modifies Internet Explorer Phishing Filter; Suspicious use of WriteProcessMemory
      - [4] C:\Windows\SYSTEM32\vssadmin.exe
        Command line: vssadmin.exe Delete Shadows /All /Quiet
        Signatures: Interacts with shadow copies
- [1] C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  Signatures: Suspicious use of AdjustPrivilegeToken
- [1] C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k netsvcs -p
  Signatures: Drops file in System32 directory; Checks processor information in registry; Enumerates system info in registry
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\ProgramData\aduqeliginopicah\01000000
  Filesize: 230KB
  MD5: 5497d7eaa98409f549ec02b3675131b2
  SHA1: e19591a172801dc5a0a1d5d3ee23491d4d187616
  SHA256: b03d5159ab1789b6b199cd425f036fea2841501e0770a74baa0dd2576fc5504b
  SHA512: a366559c64eda40d56c75431710dce10e1212451d5fe57c88eb3d43f8222a1c357954b35385962fc2e71a0011afc68ac32db6f52cf08cb4be70d875674241234
- C:\Users\Admin\AppData\Local\Temp\nsgB5B.tmp\UserInfo.dll
  Filesize: 4KB
  MD5: d9a3fc12d56726dde60c1ead1df366f7
  SHA1: f531768159c14f07ac896437445652b33750a237
  SHA256: 401f1a02000ff7cf9853d964dcba77e6f0fa8e57256b11ed3c01171d7a97388a
  SHA512: 6b06e3446df419151dd20cdb1d9c595fe9fb0972e7dfc50dadeea9f868d8ef0cd4cefcb18c7ebfc0d2a3e9171f8aa1f9fe762f54c374667f6060e8ce7e845f51
- C:\Users\Admin\AppData\Local\Temp\nsgB5B.tmp\granadillas.dll
  Filesize: 50KB
  MD5: 4a19e3e14e896aa8e42aa25abb51b0f0
  SHA1: b3af30c92ec18aba1547d60a07eda49786bfbc9f
  SHA256: 99837def935b6f3326d0887f99f2fcdc94c2516805710dfa00da32d96ce4ed3a
  SHA512: e117e3c61cb402ff12bf28fc4489f545df669ae6d48d7d2cea6143ddc084c6a8a9db371fc2f6d7313e6303852b330dac1d41cb833858b4dfa414052ac5cb2bd4
- memory/2408-139-0x0000000000400000-0x000000000043A000-memory.dmp
  Filesize: 232KB
- memory/2408-137-0x0000000000400000-0x000000000043A000-memory.dmp
  Filesize: 232KB
- memory/2408-143-0x0000000000400000-0x000000000043A000-memory.dmp
  Filesize: 232KB
- memory/2408-136-0x0000000000000000-mapping.dmp
- memory/2408-145-0x0000000000400000-0x000000000043A000-memory.dmp
  Filesize: 232KB
- memory/3204-140-0x0000000000000000-mapping.dmp
- memory/3204-141-0x0000000000AF0000-0x0000000000B2C000-memory.dmp
  Filesize: 240KB
- memory/3204-147-0x0000000000AF0000-0x0000000000B2C000-memory.dmp
  Filesize: 240KB
- memory/3732-146-0x0000000000000000-mapping.dmp