Analysis
- max time kernel: 152s
- max time network: 165s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 28-11-2022 03:40
Static task: static1
Behavioral task: behavioral1
- Sample: 970d50813e2d3da1298b718a79bb18989b971a7160881b8a4959cc4ca33aefd5.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: 970d50813e2d3da1298b718a79bb18989b971a7160881b8a4959cc4ca33aefd5.exe
- Resource: win10v2004-20220901-en
General
- Target: 970d50813e2d3da1298b718a79bb18989b971a7160881b8a4959cc4ca33aefd5.exe
- Size: 229KB
- MD5: aabe2844ee61e1f2969d7a96e1355a99
- SHA1: 7c605f6a3e8fa991ffc12d32f08b525439e0d070
- SHA256: 970d50813e2d3da1298b718a79bb18989b971a7160881b8a4959cc4ca33aefd5
- SHA512: 0b2e814e0d718d520bcec376e99693eabc8edbe2c140ff8c3d2c670a9b298f2da38b95a0c4b19b6606e9f1601f2704ae1a2d730983b9341fb9f1b6620a58d077
- SSDEEP: 6144:c8dNXSEq5GVIr+LXn58Gwfub4XMBFP2eVjhW/jiG:HqsXqRub4gFOMO+G
Malware Config
Signatures
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Loads dropped DLL (4 IoCs)
  Processes: 970d50813e2d3da1298b718a79bb18989b971a7160881b8a4959cc4ca33aefd5.exe
  pid | process
  1452 | 970d50813e2d3da1298b718a79bb18989b971a7160881b8a4959cc4ca33aefd5.exe (4 identical entries)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: explorer.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\iqyqocul = "\"C:\\Windows\\azffisom.exe\"" | explorer.exe
- Checks whether UAC is enabled (1 IoCs)
  Processes: 970d50813e2d3da1298b718a79bb18989b971a7160881b8a4959cc4ca33aefd5.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 970d50813e2d3da1298b718a79bb18989b971a7160881b8a4959cc4ca33aefd5.exe
- Suspicious use of SetThreadContext (2 IoCs)
  Processes: 970d50813e2d3da1298b718a79bb18989b971a7160881b8a4959cc4ca33aefd5.exe, 970d50813e2d3da1298b718a79bb18989b971a7160881b8a4959cc4ca33aefd5.exe
  description | pid | process | target process
  PID 1452 set thread context of 1400 | 1452 | 970d50813e2d3da1298b718a79bb18989b971a7160881b8a4959cc4ca33aefd5.exe | 970d50813e2d3da1298b718a79bb18989b971a7160881b8a4959cc4ca33aefd5.exe
  PID 1400 set thread context of 272 | 1400 | 970d50813e2d3da1298b718a79bb18989b971a7160881b8a4959cc4ca33aefd5.exe | explorer.exe
- Drops file in Windows directory (2 IoCs)
  Processes: explorer.exe
  description | ioc | process
  File opened for modification | C:\Windows\azffisom.exe | explorer.exe
  File created | C:\Windows\azffisom.exe | explorer.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Interacts with shadow copies (2 TTPs, 1 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes: vssadmin.exe
  pid | process
  1700 | vssadmin.exe
- Modifies Internet Explorer Phishing Filter (1 TTPs, 3 IoCs)
  Processes: explorer.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\PhishingFilter | explorer.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV8 = "0" | explorer.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV9 = "0" | explorer.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes: vssvc.exe
  description | pid | process
  Token: SeBackupPrivilege | 280 | vssvc.exe
  Token: SeRestorePrivilege | 280 | vssvc.exe
  Token: SeAuditPrivilege | 280 | vssvc.exe
- Suspicious use of WriteProcessMemory (20 IoCs)
  Processes: 970d50813e2d3da1298b718a79bb18989b971a7160881b8a4959cc4ca33aefd5.exe, 970d50813e2d3da1298b718a79bb18989b971a7160881b8a4959cc4ca33aefd5.exe, explorer.exe
  description | pid | process | target process
  PID 1452 wrote to memory of 1400 | 1452 | 970d50813e2d3da1298b718a79bb18989b971a7160881b8a4959cc4ca33aefd5.exe | 970d50813e2d3da1298b718a79bb18989b971a7160881b8a4959cc4ca33aefd5.exe (11 identical entries)
  PID 1400 wrote to memory of 272 | 1400 | 970d50813e2d3da1298b718a79bb18989b971a7160881b8a4959cc4ca33aefd5.exe | explorer.exe (5 identical entries)
  PID 272 wrote to memory of 1700 | 272 | explorer.exe | vssadmin.exe (4 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\970d50813e2d3da1298b718a79bb18989b971a7160881b8a4959cc4ca33aefd5.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\970d50813e2d3da1298b718a79bb18989b971a7160881b8a4959cc4ca33aefd5.exe"
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - Child process: C:\Users\Admin\AppData\Local\Temp\970d50813e2d3da1298b718a79bb18989b971a7160881b8a4959cc4ca33aefd5.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\970d50813e2d3da1298b718a79bb18989b971a7160881b8a4959cc4ca33aefd5.exe"
    - Checks whether UAC is enabled
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - Child process: C:\Windows\SysWOW64\explorer.exe
      Command line: "C:\Windows\system32\explorer.exe"
      - Adds Run key to start application
      - Drops file in Windows directory
      - Modifies Internet Explorer Phishing Filter
      - Suspicious use of WriteProcessMemory
      - Child process: C:\Windows\SysWOW64\vssadmin.exe
        Command line: vssadmin.exe Delete Shadows /All /Quiet
        - Interacts with shadow copies
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\ProgramData\aduqeliginopicah\01000000
  Filesize: 229KB
  MD5: 77af2a7312c914f7cee948b5e9a48927
  SHA1: dba7bce452f1fc05f24d426f3c223912601ffb55
  SHA256: 29984037a70ffd1b167f47a6112a1d7f75ef55c2b48c1748ef0dfe4ce180044f
  SHA512: 5be18ae201218e08854b0b1fe4245177931ddf6554d1bfd35935fb18885e43af8f79c32d3f62b2f34d774ea326c7b903c80d0397179833e485f06f00ae0b4ede
- \Users\Admin\AppData\Local\Temp\nst2B66.tmp\UserInfo.dll
  Filesize: 4KB
  MD5: d9a3fc12d56726dde60c1ead1df366f7
  SHA1: f531768159c14f07ac896437445652b33750a237
  SHA256: 401f1a02000ff7cf9853d964dcba77e6f0fa8e57256b11ed3c01171d7a97388a
  SHA512: 6b06e3446df419151dd20cdb1d9c595fe9fb0972e7dfc50dadeea9f868d8ef0cd4cefcb18c7ebfc0d2a3e9171f8aa1f9fe762f54c374667f6060e8ce7e845f51
- \Users\Admin\AppData\Local\Temp\nst2B66.tmp\bouffant.dll
  Filesize: 28KB
  MD5: 440600834eea93bf6d438a3566a67d4f
  SHA1: abd7abdfd04b02a68be26cfc838957a0c1e07e7c
  SHA256: ef1fc9150b76172899a5ffda1a09f4cbfaeba654806bd68870865e6c5c2a276f
  SHA512: ed8b4ad6a28c96892a5cf39c2703d17a525986038f831efec263530d8dfe1b551bcb156a2fb8be5944b558af49df8292497772cf8ebaf060e25da1d1de5068f3
- memory/272-75-0x00000000000C0000-0x00000000000FC000-memory.dmp (Filesize: 240KB)
- memory/272-87-0x00000000000C0000-0x00000000000FC000-memory.dmp (Filesize: 240KB)
- memory/272-86-0x0000000072B11000-0x0000000072B13000-memory.dmp (Filesize: 8KB)
- memory/272-84-0x00000000000C0000-0x00000000000FC000-memory.dmp (Filesize: 240KB)
- memory/272-81-0x0000000075061000-0x0000000075063000-memory.dmp (Filesize: 8KB)
- memory/272-77-0x00000000000C0000-0x00000000000FC000-memory.dmp (Filesize: 240KB)
- memory/272-79-0x00000000000DA140-mapping.dmp
- memory/1400-60-0x0000000000400000-0x000000000043A000-memory.dmp (Filesize: 232KB)
- memory/1400-65-0x0000000000400000-0x000000000043A000-memory.dmp (Filesize: 232KB)
- memory/1400-73-0x0000000000400000-0x000000000043A000-memory.dmp (Filesize: 232KB)
- memory/1400-74-0x0000000000400000-0x000000000043A000-memory.dmp (Filesize: 232KB)
- memory/1400-69-0x0000000000400000-0x000000000043A000-memory.dmp (Filesize: 232KB)
- memory/1400-67-0x0000000000400000-0x000000000043A000-memory.dmp (Filesize: 232KB)
- memory/1400-66-0x0000000000400000-0x000000000043A000-memory.dmp (Filesize: 232KB)
- memory/1400-70-0x000000000040A61E-mapping.dmp
- memory/1400-83-0x0000000000400000-0x000000000043A000-memory.dmp (Filesize: 232KB)
- memory/1400-63-0x0000000000400000-0x000000000043A000-memory.dmp (Filesize: 232KB)
- memory/1400-61-0x0000000000400000-0x000000000043A000-memory.dmp (Filesize: 232KB)
- memory/1452-54-0x0000000075E11000-0x0000000075E13000-memory.dmp (Filesize: 8KB)
- memory/1452-59-0x00000000003F0000-0x00000000003FD000-memory.dmp (Filesize: 52KB)
- memory/1700-85-0x0000000000000000-mapping.dmp