Analysis
max time kernel: 151s
max time network: 150s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 28-11-2022 03:40
Static task: static1
Behavioral task: behavioral1
  Sample: 3b84ede7ebb5ee92eb35516bd5f5d879a87ff683d1cd5e9f4b5f544ceb69a510.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 3b84ede7ebb5ee92eb35516bd5f5d879a87ff683d1cd5e9f4b5f544ceb69a510.exe
  Resource: win10v2004-20221111-en
General
Target: 3b84ede7ebb5ee92eb35516bd5f5d879a87ff683d1cd5e9f4b5f544ceb69a510.exe
Size: 233KB
MD5: c2efdab47b2d73830a22c9ac0b657312
SHA1: f2a4a936724801711b53ff762a56e224ea27fd30
SHA256: 3b84ede7ebb5ee92eb35516bd5f5d879a87ff683d1cd5e9f4b5f544ceb69a510
SHA512: 3ada1a8e690e434a16946ce9db8fc5208f9953aeeb07096e3f63b3279ae2b86d4efbfda10f5534d734379cb2676e0a9c780381f1ae5ff53c61626c5787352831
SSDEEP: 6144:88dNXSEpKv7eR9aG9S/W8h2srCg8EMeFSjsJuEi+w8WlCc2Oz2Yxl:npKvK7r9S/PfCaMdlJ8WQO1l
Malware Config
Signatures
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Loads dropped DLL (4 IoCs)
  Processes: 3b84ede7ebb5ee92eb35516bd5f5d879a87ff683d1cd5e9f4b5f544ceb69a510.exe
  pid | process
  1672 | 3b84ede7ebb5ee92eb35516bd5f5d879a87ff683d1cd5e9f4b5f544ceb69a510.exe
  1672 | 3b84ede7ebb5ee92eb35516bd5f5d879a87ff683d1cd5e9f4b5f544ceb69a510.exe
  1672 | 3b84ede7ebb5ee92eb35516bd5f5d879a87ff683d1cd5e9f4b5f544ceb69a510.exe
  1672 | 3b84ede7ebb5ee92eb35516bd5f5d879a87ff683d1cd5e9f4b5f544ceb69a510.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: explorer.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uclfrgif = "\"C:\\Windows\\ksykeruw.exe\"" | explorer.exe
- Checks whether UAC is enabled
  Processes: 3b84ede7ebb5ee92eb35516bd5f5d879a87ff683d1cd5e9f4b5f544ceb69a510.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 3b84ede7ebb5ee92eb35516bd5f5d879a87ff683d1cd5e9f4b5f544ceb69a510.exe
- Suspicious use of SetThreadContext (2 IoCs)
  Processes: 3b84ede7ebb5ee92eb35516bd5f5d879a87ff683d1cd5e9f4b5f544ceb69a510.exe
  description | pid | process | target process
  PID 1672 set thread context of 2036 | 1672 | 3b84ede7ebb5ee92eb35516bd5f5d879a87ff683d1cd5e9f4b5f544ceb69a510.exe | 3b84ede7ebb5ee92eb35516bd5f5d879a87ff683d1cd5e9f4b5f544ceb69a510.exe
  PID 2036 set thread context of 1656 | 2036 | 3b84ede7ebb5ee92eb35516bd5f5d879a87ff683d1cd5e9f4b5f544ceb69a510.exe | explorer.exe
- Drops file in Windows directory (2 IoCs)
  Processes: explorer.exe
  description | ioc | process
  File opened for modification | C:\Windows\ksykeruw.exe | explorer.exe
  File created | C:\Windows\ksykeruw.exe | explorer.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Interacts with shadow copies (2 TTPs, 1 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes: vssadmin.exe
  pid | process
  1636 | vssadmin.exe
- Modifies Internet Explorer Phishing Filter (1 TTPs, 3 IoCs)
  Processes: explorer.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\PhishingFilter | explorer.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV8 = "0" | explorer.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV9 = "0" | explorer.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes: vssvc.exe
  description | pid | process
  Token: SeBackupPrivilege | 1848 | vssvc.exe
  Token: SeRestorePrivilege | 1848 | vssvc.exe
  Token: SeAuditPrivilege | 1848 | vssvc.exe
- Suspicious use of WriteProcessMemory (20 IoCs)
  Processes: 3b84ede7ebb5ee92eb35516bd5f5d879a87ff683d1cd5e9f4b5f544ceb69a510.exe, explorer.exe
  description | pid | process | target process
  PID 1672 wrote to memory of 2036 | 1672 | 3b84ede7ebb5ee92eb35516bd5f5d879a87ff683d1cd5e9f4b5f544ceb69a510.exe | 3b84ede7ebb5ee92eb35516bd5f5d879a87ff683d1cd5e9f4b5f544ceb69a510.exe
  PID 1672 wrote to memory of 2036 | 1672 | 3b84ede7ebb5ee92eb35516bd5f5d879a87ff683d1cd5e9f4b5f544ceb69a510.exe | 3b84ede7ebb5ee92eb35516bd5f5d879a87ff683d1cd5e9f4b5f544ceb69a510.exe
  PID 1672 wrote to memory of 2036 | 1672 | 3b84ede7ebb5ee92eb35516bd5f5d879a87ff683d1cd5e9f4b5f544ceb69a510.exe | 3b84ede7ebb5ee92eb35516bd5f5d879a87ff683d1cd5e9f4b5f544ceb69a510.exe
  PID 1672 wrote to memory of 2036 | 1672 | 3b84ede7ebb5ee92eb35516bd5f5d879a87ff683d1cd5e9f4b5f544ceb69a510.exe | 3b84ede7ebb5ee92eb35516bd5f5d879a87ff683d1cd5e9f4b5f544ceb69a510.exe
  PID 1672 wrote to memory of 2036 | 1672 | 3b84ede7ebb5ee92eb35516bd5f5d879a87ff683d1cd5e9f4b5f544ceb69a510.exe | 3b84ede7ebb5ee92eb35516bd5f5d879a87ff683d1cd5e9f4b5f544ceb69a510.exe
  PID 1672 wrote to memory of 2036 | 1672 | 3b84ede7ebb5ee92eb35516bd5f5d879a87ff683d1cd5e9f4b5f544ceb69a510.exe | 3b84ede7ebb5ee92eb35516bd5f5d879a87ff683d1cd5e9f4b5f544ceb69a510.exe
  PID 1672 wrote to memory of 2036 | 1672 | 3b84ede7ebb5ee92eb35516bd5f5d879a87ff683d1cd5e9f4b5f544ceb69a510.exe | 3b84ede7ebb5ee92eb35516bd5f5d879a87ff683d1cd5e9f4b5f544ceb69a510.exe
  PID 1672 wrote to memory of 2036 | 1672 | 3b84ede7ebb5ee92eb35516bd5f5d879a87ff683d1cd5e9f4b5f544ceb69a510.exe | 3b84ede7ebb5ee92eb35516bd5f5d879a87ff683d1cd5e9f4b5f544ceb69a510.exe
  PID 1672 wrote to memory of 2036 | 1672 | 3b84ede7ebb5ee92eb35516bd5f5d879a87ff683d1cd5e9f4b5f544ceb69a510.exe | 3b84ede7ebb5ee92eb35516bd5f5d879a87ff683d1cd5e9f4b5f544ceb69a510.exe
  PID 1672 wrote to memory of 2036 | 1672 | 3b84ede7ebb5ee92eb35516bd5f5d879a87ff683d1cd5e9f4b5f544ceb69a510.exe | 3b84ede7ebb5ee92eb35516bd5f5d879a87ff683d1cd5e9f4b5f544ceb69a510.exe
  PID 1672 wrote to memory of 2036 | 1672 | 3b84ede7ebb5ee92eb35516bd5f5d879a87ff683d1cd5e9f4b5f544ceb69a510.exe | 3b84ede7ebb5ee92eb35516bd5f5d879a87ff683d1cd5e9f4b5f544ceb69a510.exe
  PID 2036 wrote to memory of 1656 | 2036 | 3b84ede7ebb5ee92eb35516bd5f5d879a87ff683d1cd5e9f4b5f544ceb69a510.exe | explorer.exe
  PID 2036 wrote to memory of 1656 | 2036 | 3b84ede7ebb5ee92eb35516bd5f5d879a87ff683d1cd5e9f4b5f544ceb69a510.exe | explorer.exe
  PID 2036 wrote to memory of 1656 | 2036 | 3b84ede7ebb5ee92eb35516bd5f5d879a87ff683d1cd5e9f4b5f544ceb69a510.exe | explorer.exe
  PID 2036 wrote to memory of 1656 | 2036 | 3b84ede7ebb5ee92eb35516bd5f5d879a87ff683d1cd5e9f4b5f544ceb69a510.exe | explorer.exe
  PID 2036 wrote to memory of 1656 | 2036 | 3b84ede7ebb5ee92eb35516bd5f5d879a87ff683d1cd5e9f4b5f544ceb69a510.exe | explorer.exe
  PID 1656 wrote to memory of 1636 | 1656 | explorer.exe | vssadmin.exe
  PID 1656 wrote to memory of 1636 | 1656 | explorer.exe | vssadmin.exe
  PID 1656 wrote to memory of 1636 | 1656 | explorer.exe | vssadmin.exe
  PID 1656 wrote to memory of 1636 | 1656 | explorer.exe | vssadmin.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\3b84ede7ebb5ee92eb35516bd5f5d879a87ff683d1cd5e9f4b5f544ceb69a510.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\3b84ede7ebb5ee92eb35516bd5f5d879a87ff683d1cd5e9f4b5f544ceb69a510.exe"
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\3b84ede7ebb5ee92eb35516bd5f5d879a87ff683d1cd5e9f4b5f544ceb69a510.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\3b84ede7ebb5ee92eb35516bd5f5d879a87ff683d1cd5e9f4b5f544ceb69a510.exe"
    - Checks whether UAC is enabled
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\explorer.exe
      command line: "C:\Windows\system32\explorer.exe"
      - Adds Run key to start application
      - Drops file in Windows directory
      - Modifies Internet Explorer Phishing Filter
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\vssadmin.exe
        command line: vssadmin.exe Delete Shadows /All /Quiet
        - Interacts with shadow copies
- C:\Windows\system32\vssvc.exe
  command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\ProgramData\aduqeliginopicah\01000000
  Filesize: 233KB
  MD5: e5ce6ce8b3e68c3f128e6f754499a995
  SHA1: 455328e202a344c26b6092ee32f9d133e93232ed
  SHA256: 31f3f575f2000ea41d9269e11ec3095691104d798f3ac88ce984e3d5c56c0498
  SHA512: e94cc70f46cf22e40bd83be0ce3cb4354702359cf596f19dbe5e74be6166e482e951dc51ae090c06c9c28cf7f5beac9053b548954e5e11647df1803f41edcd61
- \Users\Admin\AppData\Local\Temp\nsd48E4.tmp\UserInfo.dll
  Filesize: 4KB
  MD5: d9a3fc12d56726dde60c1ead1df366f7
  SHA1: f531768159c14f07ac896437445652b33750a237
  SHA256: 401f1a02000ff7cf9853d964dcba77e6f0fa8e57256b11ed3c01171d7a97388a
  SHA512: 6b06e3446df419151dd20cdb1d9c595fe9fb0972e7dfc50dadeea9f868d8ef0cd4cefcb18c7ebfc0d2a3e9171f8aa1f9fe762f54c374667f6060e8ce7e845f51
- \Users\Admin\AppData\Local\Temp\nsd48E4.tmp\feasts.dll
  Filesize: 48KB
  MD5: f8b664669551e3ddbe6232bafaaa62ed
  SHA1: e1ce3ec5d31773931c2d844a1445fae482399f04
  SHA256: 6ba48336c7498374aed12fab70d8bbc7b6def4570b12a3a03853e321ea547464
  SHA512: 065360c868500fa5ca62745437b6b3aa5976ff0cff408315034c017adfbe6eba786fb5054334cc8bc2a19a372081cfd559ec7b51f055bd664802214989c9da61
- memory/1636-83-0x0000000000000000-mapping.dmp
- memory/1656-85-0x0000000072841000-0x0000000072843000-memory.dmp (Filesize: 8KB)
- memory/1656-84-0x0000000000080000-0x00000000000BC000-memory.dmp (Filesize: 240KB)
- memory/1656-74-0x0000000000080000-0x00000000000BC000-memory.dmp (Filesize: 240KB)
- memory/1656-80-0x0000000074CE1000-0x0000000074CE3000-memory.dmp (Filesize: 8KB)
- memory/1656-78-0x000000000009A140-mapping.dmp
- memory/1656-76-0x0000000000080000-0x00000000000BC000-memory.dmp (Filesize: 240KB)
- memory/1672-54-0x0000000075BD1000-0x0000000075BD3000-memory.dmp (Filesize: 8KB)
- memory/2036-60-0x0000000000400000-0x000000000043A000-memory.dmp (Filesize: 232KB)
- memory/2036-73-0x0000000000400000-0x000000000043A000-memory.dmp (Filesize: 232KB)
- memory/2036-72-0x0000000000400000-0x000000000043A000-memory.dmp (Filesize: 232KB)
- memory/2036-69-0x000000000040A61E-mapping.dmp
- memory/2036-68-0x0000000000400000-0x000000000043A000-memory.dmp (Filesize: 232KB)
- memory/2036-66-0x0000000000400000-0x000000000043A000-memory.dmp (Filesize: 232KB)
- memory/2036-65-0x0000000000400000-0x000000000043A000-memory.dmp (Filesize: 232KB)
- memory/2036-82-0x0000000000400000-0x000000000043A000-memory.dmp (Filesize: 232KB)
- memory/2036-64-0x0000000000400000-0x000000000043A000-memory.dmp (Filesize: 232KB)
- memory/2036-62-0x0000000000400000-0x000000000043A000-memory.dmp (Filesize: 232KB)
- memory/2036-59-0x0000000000400000-0x000000000043A000-memory.dmp (Filesize: 232KB)