Analysis
-
max time kernel
151s -
max time network
166s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system -
submitted
28-11-2022 03:40
Static task
static1
Behavioral task
behavioral1
Sample
7729790829576dc0bc7128f851ca966891e6d9873fd6ba56056bdbd9b125540b.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
7729790829576dc0bc7128f851ca966891e6d9873fd6ba56056bdbd9b125540b.exe
Resource
win10v2004-20221111-en
General
-
Target
7729790829576dc0bc7128f851ca966891e6d9873fd6ba56056bdbd9b125540b.exe
-
Size
281KB
-
MD5
b2627a0ad82f29313a00802c232ccb41
-
SHA1
7548acd6092f3ec1381fc703747abd8f076fecb5
-
SHA256
7729790829576dc0bc7128f851ca966891e6d9873fd6ba56056bdbd9b125540b
-
SHA512
9567189314d56bde274f3c1d8f99355c8a8679f38acbc95caa1f224297b37647b92766d5e8d99ce894e6a52f8695995bd39249a0a65ed625d6c0d386d9532302
-
SSDEEP
6144:c8dNXSEqDwPJ2fBGE4IEEvx8mKKCDf7/MIldjexUU8ry5dfU4mj:HqDwosE4bQxCKMfwIyxUU8m5dM1
Malware Config
Signatures
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Loads dropped DLL 4 IoCs
Processes:
pid | process
1640 | 7729790829576dc0bc7128f851ca966891e6d9873fd6ba56056bdbd9b125540b.exe
1640 | 7729790829576dc0bc7128f851ca966891e6d9873fd6ba56056bdbd9b125540b.exe
1640 | 7729790829576dc0bc7128f851ca966891e6d9873fd6ba56056bdbd9b125540b.exe
1640 | 7729790829576dc0bc7128f851ca966891e6d9873fd6ba56056bdbd9b125540b.exe
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ifixabid = "\"C:\\Windows\\yjbkexuj.exe\"" | explorer.exe
-
Checks whether UAC is enabled 1 IoCs
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 7729790829576dc0bc7128f851ca966891e6d9873fd6ba56056bdbd9b125540b.exe
-
Suspicious use of SetThreadContext 2 IoCs
Processes:
description | pid | process | target process
PID 1640 set thread context of 1840 | 1640 | 7729790829576dc0bc7128f851ca966891e6d9873fd6ba56056bdbd9b125540b.exe | 7729790829576dc0bc7128f851ca966891e6d9873fd6ba56056bdbd9b125540b.exe
PID 1840 set thread context of 1340 | 1840 | 7729790829576dc0bc7128f851ca966891e6d9873fd6ba56056bdbd9b125540b.exe | explorer.exe
-
Drops file in Windows directory 2 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\yjbkexuj.exe | explorer.exe
File created | C:\Windows\yjbkexuj.exe | explorer.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
pid | process
468 | vssadmin.exe
-
Modifies Internet Explorer Phishing Filter 1 TTPs 3 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\PhishingFilter | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV8 = "0" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV9 = "0" | explorer.exe
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
description | pid | process
Token: SeBackupPrivilege | 980 | vssvc.exe
Token: SeRestorePrivilege | 980 | vssvc.exe
Token: SeAuditPrivilege | 980 | vssvc.exe
-
Suspicious use of WriteProcessMemory 20 IoCs
Processes:
description | pid | process | target process
PID 1640 wrote to memory of 1840 | 1640 | 7729790829576dc0bc7128f851ca966891e6d9873fd6ba56056bdbd9b125540b.exe | 7729790829576dc0bc7128f851ca966891e6d9873fd6ba56056bdbd9b125540b.exe
PID 1640 wrote to memory of 1840 | 1640 | 7729790829576dc0bc7128f851ca966891e6d9873fd6ba56056bdbd9b125540b.exe | 7729790829576dc0bc7128f851ca966891e6d9873fd6ba56056bdbd9b125540b.exe
PID 1640 wrote to memory of 1840 | 1640 | 7729790829576dc0bc7128f851ca966891e6d9873fd6ba56056bdbd9b125540b.exe | 7729790829576dc0bc7128f851ca966891e6d9873fd6ba56056bdbd9b125540b.exe
PID 1640 wrote to memory of 1840 | 1640 | 7729790829576dc0bc7128f851ca966891e6d9873fd6ba56056bdbd9b125540b.exe | 7729790829576dc0bc7128f851ca966891e6d9873fd6ba56056bdbd9b125540b.exe
PID 1640 wrote to memory of 1840 | 1640 | 7729790829576dc0bc7128f851ca966891e6d9873fd6ba56056bdbd9b125540b.exe | 7729790829576dc0bc7128f851ca966891e6d9873fd6ba56056bdbd9b125540b.exe
PID 1640 wrote to memory of 1840 | 1640 | 7729790829576dc0bc7128f851ca966891e6d9873fd6ba56056bdbd9b125540b.exe | 7729790829576dc0bc7128f851ca966891e6d9873fd6ba56056bdbd9b125540b.exe
PID 1640 wrote to memory of 1840 | 1640 | 7729790829576dc0bc7128f851ca966891e6d9873fd6ba56056bdbd9b125540b.exe | 7729790829576dc0bc7128f851ca966891e6d9873fd6ba56056bdbd9b125540b.exe
PID 1640 wrote to memory of 1840 | 1640 | 7729790829576dc0bc7128f851ca966891e6d9873fd6ba56056bdbd9b125540b.exe | 7729790829576dc0bc7128f851ca966891e6d9873fd6ba56056bdbd9b125540b.exe
PID 1640 wrote to memory of 1840 | 1640 | 7729790829576dc0bc7128f851ca966891e6d9873fd6ba56056bdbd9b125540b.exe | 7729790829576dc0bc7128f851ca966891e6d9873fd6ba56056bdbd9b125540b.exe
PID 1640 wrote to memory of 1840 | 1640 | 7729790829576dc0bc7128f851ca966891e6d9873fd6ba56056bdbd9b125540b.exe | 7729790829576dc0bc7128f851ca966891e6d9873fd6ba56056bdbd9b125540b.exe
PID 1640 wrote to memory of 1840 | 1640 | 7729790829576dc0bc7128f851ca966891e6d9873fd6ba56056bdbd9b125540b.exe | 7729790829576dc0bc7128f851ca966891e6d9873fd6ba56056bdbd9b125540b.exe
PID 1840 wrote to memory of 1340 | 1840 | 7729790829576dc0bc7128f851ca966891e6d9873fd6ba56056bdbd9b125540b.exe | explorer.exe
PID 1840 wrote to memory of 1340 | 1840 | 7729790829576dc0bc7128f851ca966891e6d9873fd6ba56056bdbd9b125540b.exe | explorer.exe
PID 1840 wrote to memory of 1340 | 1840 | 7729790829576dc0bc7128f851ca966891e6d9873fd6ba56056bdbd9b125540b.exe | explorer.exe
PID 1840 wrote to memory of 1340 | 1840 | 7729790829576dc0bc7128f851ca966891e6d9873fd6ba56056bdbd9b125540b.exe | explorer.exe
PID 1840 wrote to memory of 1340 | 1840 | 7729790829576dc0bc7128f851ca966891e6d9873fd6ba56056bdbd9b125540b.exe | explorer.exe
PID 1340 wrote to memory of 468 | 1340 | explorer.exe | vssadmin.exe
PID 1340 wrote to memory of 468 | 1340 | explorer.exe | vssadmin.exe
PID 1340 wrote to memory of 468 | 1340 | explorer.exe | vssadmin.exe
PID 1340 wrote to memory of 468 | 1340 | explorer.exe | vssadmin.exe
-
Processes
-
(1) C:\Users\Admin\AppData\Local\Temp\7729790829576dc0bc7128f851ca966891e6d9873fd6ba56056bdbd9b125540b.exe  [PID 1640]
    command line: "C:\Users\Admin\AppData\Local\Temp\7729790829576dc0bc7128f851ca966891e6d9873fd6ba56056bdbd9b125540b.exe"
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    (2) C:\Users\Admin\AppData\Local\Temp\7729790829576dc0bc7128f851ca966891e6d9873fd6ba56056bdbd9b125540b.exe  [PID 1840, child of 1640]
        command line: "C:\Users\Admin\AppData\Local\Temp\7729790829576dc0bc7128f851ca966891e6d9873fd6ba56056bdbd9b125540b.exe"
        - Checks whether UAC is enabled
        - Suspicious use of SetThreadContext
        - Suspicious use of WriteProcessMemory
        (3) C:\Windows\SysWOW64\explorer.exe  [PID 1340, child of 1840]
            command line: "C:\Windows\system32\explorer.exe"
            (the command line names system32; for a 32-bit caller WOW64 file-system redirection resolves that to SysWOW64, which is why the image path differs)
            - Adds Run key to start application
            - Drops file in Windows directory
            - Modifies Internet Explorer Phishing Filter
            - Suspicious use of WriteProcessMemory
            (4) C:\Windows\SysWOW64\vssadmin.exe  [PID 468, child of 1340]
                command line: vssadmin.exe Delete Shadows /All /Quiet
                - Interacts with shadow copies
(1) C:\Windows\system32\vssvc.exe  [PID 980]
    command line: C:\Windows\system32\vssvc.exe
    - Suspicious use of AdjustPrivilegeToken
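The behaviour chain above (sample, a second instance of itself, explorer.exe, then vssadmin.exe, with the Run key, the EnableLUA query and the PhishingFilter change along the way) written as detection logic over constructed events. This is an added example; it is not part of the sandbox report or of the sandbox's own signature engine. The event schema, the rule names and the placeholder parent PID 1000 for the first process are my assumptions. It generalises slightly beyond the report: the shadow-copy rule also matches `wmic shadowcopy delete`, and the Run-key rule flags any executable placed directly in C:\Windows rather than only yjbkexuj.exe.

```python
"""Detection rules for the behaviour chain in the report above, run over
constructed events (added example; not the sandbox's code or format)."""
import re
from collections import defaultdict

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\7729790829576dc0bc7128f851ca966891e6d9873fd6ba56056bdbd9b125540b.exe")
RUN_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
PHISH_KEY = r"HKCU\Software\Microsoft\Internet Explorer\PhishingFilter"
UAC_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

# Constructed from the report's process tree and IoCs.  The schema (an
# "event" field plus per-type fields) and ppid 1000 for the first process
# are assumptions of this example, not the sandbox's native format.
EVENTS = [
    {"event": "process", "pid": 1640, "ppid": 1000, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"event": "process", "pid": 1840, "ppid": 1640, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"event": "api", "pid": 1640, "api": "WriteProcessMemory", "target": 1840},
    {"event": "api", "pid": 1640, "api": "SetThreadContext", "target": 1840},
    {"event": "registry", "pid": 1840, "op": "query", "key": UAC_KEY, "value": "EnableLUA"},
    {"event": "process", "pid": 1340, "ppid": 1840, "image": r"C:\Windows\SysWOW64\explorer.exe",
     "cmdline": r'"C:\Windows\system32\explorer.exe"'},
    {"event": "api", "pid": 1840, "api": "WriteProcessMemory", "target": 1340},
    {"event": "api", "pid": 1840, "api": "SetThreadContext", "target": 1340},
    {"event": "registry", "pid": 1340, "op": "set", "key": RUN_KEY, "value": "ifixabid",
     "data": r'"C:\Windows\yjbkexuj.exe"'},
    {"event": "registry", "pid": 1340, "op": "set", "key": PHISH_KEY, "value": "EnabledV8", "data": 0},
    {"event": "registry", "pid": 1340, "op": "set", "key": PHISH_KEY, "value": "EnabledV9", "data": 0},
    {"event": "process", "pid": 468, "ppid": 1340, "image": r"C:\Windows\SysWOW64\vssadmin.exe",
     "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
]

SHADOW_DELETE = re.compile(r"delete\s+shadows|shadowcopy\s+delete", re.I)


def processes(events):
    return {e["pid"]: e for e in events if e["event"] == "process"}


def ancestry(procs, pid):
    """[pid, parent, grandparent, ...] until a PID we hold no record for."""
    chain = []
    while pid in procs:
        chain.append(pid)
        pid = procs[pid]["ppid"]
    return chain


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def unquote_cmd(data):
    """First token of a Run-key value: the quoted path if quoted, else up to the first space."""
    data = data.strip()
    if data.startswith('"'):
        close = data.find('"', 1)
        return data[1:close] if close > 0 else data[1:]
    return data.split(" ", 1)[0]


def detect(events):
    procs = processes(events)
    findings = []
    for e in events:
        if e["event"] == "process":
            # vssadmin "Delete Shadows" or wmic "shadowcopy delete": inhibit-recovery step.
            if basename(e["image"]) in ("vssadmin.exe", "wmic.exe") and SHADOW_DELETE.search(e["cmdline"]):
                findings.append(("shadow_copy_deletion", e["pid"], ancestry(procs, e["pid"])))
        elif e["event"] == "registry" and e["op"] == "set":
            key = e["key"].lower()
            if key.endswith(r"\currentversion\run"):
                target = unquote_cmd(str(e["data"]))
                # Real software installs under Program Files or System32, not the C:\Windows root.
                if target.rsplit("\\", 1)[0].lower() == r"c:\windows":
                    findings.append(("run_key_in_windows_root", e["pid"], target))
            elif key.endswith(r"\phishingfilter") and e["value"] in ("EnabledV8", "EnabledV9") and e["data"] == 0:
                findings.append(("ie_phishing_filter_disabled", e["pid"], e["value"]))
        elif e["event"] == "registry" and e["op"] == "query" and e["value"] == "EnableLUA":
            image = procs.get(e["pid"], {}).get("image", "").lower()
            if "\\appdata\\local\\temp\\" in image:   # a UAC probe from a temp-dir binary
                findings.append(("uac_check_from_temp", e["pid"], image))
    return findings


def injection_chains(events):
    """Follow (source -> target) pairs where one process both wrote memory into
    another and set a thread context there: the pairing behind the
    SetThreadContext/WriteProcessMemory IoCs in this report."""
    apis = defaultdict(set)
    for e in events:
        if e["event"] == "api" and e["target"] != e["pid"]:
            apis[(e["pid"], e["target"])].add(e["api"])
    edges = {src: dst for (src, dst), seen in apis.items()
             if {"WriteProcessMemory", "SetThreadContext"} <= seen}
    roots = sorted(set(edges) - set(edges.values()))   # sources nobody injected into
    chains = []
    for root in roots:
        chain = [root]
        while chain[-1] in edges:
            chain.append(edges[chain[-1]])
        chains.append(chain)
    return chains


if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(finding)
    print("injection chains:", injection_chains(EVENTS))
```

Run as a script it prints the five findings and the chain [1640, 1840, 1340]. The chain is built only from source/target pairs that show both a write and a thread-context change, which is what separates hollowing-style injection from the ordinary cross-process reads that security tools and debuggers generate; the shadow-copy finding carries the full ancestry so an analyst sees that vssadmin was launched from explorer.exe rather than from a console.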
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\ProgramData\aduqeliginopicah\01000000
Filesize 281KB (same size as the submitted sample, but different hashes)
MD5 a8b8841ab888a75b8839034587c93b21
SHA1 4cc8e90988edf1cef0c312f4dbf5956c689cb7b6
SHA256 2e4a887fcaadde0d7fd133f2fccfcb49ff99f96fd1e9e5d93618d81cd43c92a0
SHA512 bf8fdfaa0301789d2a36ea47dbe16317256c01bc28b021c7e2cab70280d7e42792e66a0b654040a6c0d530e855b10a88689fe0c5f2838bc1a8c1889d8f8d0bd3
-
\Users\Admin\AppData\Local\Temp\nsy2C21.tmp\UserInfo.dll
Filesize 4KB
MD5 d9a3fc12d56726dde60c1ead1df366f7
SHA1 f531768159c14f07ac896437445652b33750a237
SHA256 401f1a02000ff7cf9853d964dcba77e6f0fa8e57256b11ed3c01171d7a97388a
SHA512 6b06e3446df419151dd20cdb1d9c595fe9fb0972e7dfc50dadeea9f868d8ef0cd4cefcb18c7ebfc0d2a3e9171f8aa1f9fe762f54c374667f6060e8ce7e845f51
-
\Users\Admin\AppData\Local\Temp\nsy2C21.tmp\assimilation.dll
Filesize 162KB
MD5 8d82912f027a91e9d6ab4629a3fb6205
SHA1 2d716098309b4ece33a917e2f1ad5170d3274f74
SHA256 620bfc2e81fa5bf27702ec8c3268f85e65012e46bdeb0abd1583e57dc997c754
SHA512 11b3f071d70431b1e911c90087a2f88062eac47f4c9250ae6b66c3484a8798fa8a133cfaa21ccfb212619946d8676d3634429be07c6769cfb167f00f1332ec19
-
memory/468-84-0x0000000000000000-mapping.dmp
-
memory/1340-83-0x00000000000D0000-0x000000000010C000-memory.dmp  Filesize 240KB
-
memory/1340-85-0x0000000072211000-0x0000000072213000-memory.dmp  Filesize 8KB
-
memory/1340-74-0x00000000000D0000-0x000000000010C000-memory.dmp  Filesize 240KB
-
memory/1340-86-0x00000000000D0000-0x000000000010C000-memory.dmp  Filesize 240KB
-
memory/1340-80-0x0000000074761000-0x0000000074763000-memory.dmp  Filesize 8KB
-
memory/1340-78-0x00000000000EA140-mapping.dmp
-
memory/1340-76-0x00000000000D0000-0x000000000010C000-memory.dmp  Filesize 240KB
-
memory/1640-54-0x0000000075071000-0x0000000075073000-memory.dmp  Filesize 8KB
-
memory/1840-60-0x0000000000400000-0x000000000043A000-memory.dmp  Filesize 232KB
-
memory/1840-73-0x0000000000400000-0x000000000043A000-memory.dmp  Filesize 232KB
-
memory/1840-72-0x0000000000400000-0x000000000043A000-memory.dmp  Filesize 232KB
-
memory/1840-69-0x000000000040A61E-mapping.dmp
-
memory/1840-68-0x0000000000400000-0x000000000043A000-memory.dmp  Filesize 232KB
-
memory/1840-82-0x0000000000400000-0x000000000043A000-memory.dmp  Filesize 232KB
-
memory/1840-66-0x0000000000400000-0x000000000043A000-memory.dmp  Filesize 232KB
-
memory/1840-65-0x0000000000400000-0x000000000043A000-memory.dmp  Filesize 232KB
-
memory/1840-64-0x0000000000400000-0x000000000043A000-memory.dmp  Filesize 232KB
-
memory/1840-62-0x0000000000400000-0x000000000043A000-memory.dmp  Filesize 232KB
-
memory/1840-59-0x0000000000400000-0x000000000043A000-memory.dmp  Filesize 232KB
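A parser for the dump names listed above, added here as an example (not sandbox code). The naming convention is assumed from the entries themselves: `memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp` for a dumped range and `memory/<pid>-<seq>-0x<addr>-mapping.dmp` for a single address; what the sandbox means by a mapping entry is not stated on the page, so the code only checks whether that address falls inside a range dumped from the same PID. The 0x400000 annotation is the usual default image base for 32-bit PE executables; reading the repeated PID 1840 dumps at that base and the non-image range in explorer.exe (PID 1340) as the two injection targets from the Signatures section is an inference, not something the report states.

```python
"""Parser for the memory-dump names listed above (added example, not sandbox code).
Naming convention assumed from the entries themselves:
  memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp   a dumped address range
  memory/<pid>-<seq>-0x<addr>-mapping.dmp           a single address
"""
import re
from collections import defaultdict

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"(?:-0x(?P<end>[0-9A-Fa-f]+)-memory|-mapping)\.dmp$"
)

# The names exactly as they appear in the report.
DUMPS = [
    "memory/468-84-0x0000000000000000-mapping.dmp",
    "memory/1340-83-0x00000000000D0000-0x000000000010C000-memory.dmp",
    "memory/1340-85-0x0000000072211000-0x0000000072213000-memory.dmp",
    "memory/1340-74-0x00000000000D0000-0x000000000010C000-memory.dmp",
    "memory/1340-86-0x00000000000D0000-0x000000000010C000-memory.dmp",
    "memory/1340-80-0x0000000074761000-0x0000000074763000-memory.dmp",
    "memory/1340-78-0x00000000000EA140-mapping.dmp",
    "memory/1340-76-0x00000000000D0000-0x000000000010C000-memory.dmp",
    "memory/1640-54-0x0000000075071000-0x0000000075073000-memory.dmp",
    "memory/1840-60-0x0000000000400000-0x000000000043A000-memory.dmp",
    "memory/1840-73-0x0000000000400000-0x000000000043A000-memory.dmp",
    "memory/1840-72-0x0000000000400000-0x000000000043A000-memory.dmp",
    "memory/1840-69-0x000000000040A61E-mapping.dmp",
    "memory/1840-68-0x0000000000400000-0x000000000043A000-memory.dmp",
    "memory/1840-82-0x0000000000400000-0x000000000043A000-memory.dmp",
    "memory/1840-66-0x0000000000400000-0x000000000043A000-memory.dmp",
    "memory/1840-65-0x0000000000400000-0x000000000043A000-memory.dmp",
    "memory/1840-64-0x0000000000400000-0x000000000043A000-memory.dmp",
    "memory/1840-62-0x0000000000400000-0x000000000043A000-memory.dmp",
    "memory/1840-59-0x0000000000400000-0x000000000043A000-memory.dmp",
]

DEFAULT_IMAGE_BASE_32 = 0x400000   # linker default for 32-bit PE executables


def parse_dump_name(name):
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    end = int(m["end"], 16) if m["end"] else None
    return {"pid": int(m["pid"]), "seq": int(m["seq"]),
            "start": int(m["start"], 16), "end": end,
            "kind": "region" if end is not None else "mapping"}


def size_kb(start, end):
    return (end - start) // 1024


def summarise(names):
    """Per PID: how often each range was dumped, the single addresses, and
    which of those addresses fall inside a range dumped from the same PID."""
    per_pid = defaultdict(lambda: {"regions": {}, "mappings": [], "mapping_in_region": []})
    for name in sorted(names, key=lambda n: parse_dump_name(n)["seq"]):   # timeline order
        d = parse_dump_name(name)
        p = per_pid[d["pid"]]
        if d["kind"] == "region":
            key = (d["start"], d["end"])
            p["regions"][key] = p["regions"].get(key, 0) + 1
        else:
            p["mappings"].append(d["start"])
    for p in per_pid.values():
        for addr in p["mappings"]:
            for (start, end) in p["regions"]:
                if start <= addr < end:
                    p["mapping_in_region"].append((addr, (start, end)))
        p["at_default_image_base"] = any(s == DEFAULT_IMAGE_BASE_32 for s, _ in p["regions"])
    return dict(per_pid)


def report(names):
    lines = []
    for pid, p in sorted(summarise(names).items()):
        for (s, e), n in sorted(p["regions"].items()):
            tag = " (default 32-bit image base)" if s == DEFAULT_IMAGE_BASE_32 else ""
            lines.append(f"pid {pid}: 0x{s:X}-0x{e:X} {size_kb(s, e)}KB dumped {n}x{tag}")
        for addr, (s, e) in p["mapping_in_region"]:
            lines.append(f"pid {pid}: mapping address 0x{addr:X} lies inside 0x{s:X}-0x{e:X}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(DUMPS)))
```

The two facts worth pulling out of the list are that the 232KB range in PID 1840 sits at 0x400000 and was dumped ten times, and that each PID's mapping address (0x40A61E for 1840, 0xEA140 for 1340) lies inside the large range dumped from that same PID; the 8KB ranges at 0x72211000, 0x74761000 and 0x75071000 are separate and not where those addresses point.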