Analysis
-
max time kernel
152s -
max time network
157s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system -
submitted
28-11-2022 03:15
Static task
static1
Behavioral task
behavioral1
Sample
239f1c7708f8d05c6860008b982bb446c5d54dc917c9dea2b6ae78589e072afc.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
239f1c7708f8d05c6860008b982bb446c5d54dc917c9dea2b6ae78589e072afc.exe
Resource
win10v2004-20220901-en
General
-
Target
239f1c7708f8d05c6860008b982bb446c5d54dc917c9dea2b6ae78589e072afc.exe
-
Size
740KB
-
MD5
af0581cc9f5d885911af35789f7d7fae
-
SHA1
f02bb8043c3a5fce7a15798af18b5fa8a2192ecd
-
SHA256
239f1c7708f8d05c6860008b982bb446c5d54dc917c9dea2b6ae78589e072afc
-
SHA512
e058664567dc37379c3bcc165cc0c43303e139462ede0d54858ae24476ad0fda8454b635ba4053dcdabdf4f7c0f5fac416add6b8f10755e4834650236380698f
-
SSDEEP
12288:Vsp8fcP7cG9CZmSqKd89MP70IKV07HSo+qyQAO9IJLY3CZ/f:i8qbfwd8WP4bVgHSo+qLd92LFn
Malware Config
Signatures
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
explorer.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\igytecot = "\"C:\\Windows\\yqecupil.exe\"" explorer.exe -
Processes:
239f1c7708f8d05c6860008b982bb446c5d54dc917c9dea2b6ae78589e072afc.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 239f1c7708f8d05c6860008b982bb446c5d54dc917c9dea2b6ae78589e072afc.exe -
Suspicious use of SetThreadContext 2 IoCs
Processes:
239f1c7708f8d05c6860008b982bb446c5d54dc917c9dea2b6ae78589e072afc.exe239f1c7708f8d05c6860008b982bb446c5d54dc917c9dea2b6ae78589e072afc.exedescription pid process target process PID 4896 set thread context of 4028 4896 239f1c7708f8d05c6860008b982bb446c5d54dc917c9dea2b6ae78589e072afc.exe 239f1c7708f8d05c6860008b982bb446c5d54dc917c9dea2b6ae78589e072afc.exe PID 4028 set thread context of 2252 4028 239f1c7708f8d05c6860008b982bb446c5d54dc917c9dea2b6ae78589e072afc.exe explorer.exe -
Drops file in Windows directory 2 IoCs
Processes:
explorer.exedescription ioc process File opened for modification C:\Windows\yqecupil.exe explorer.exe File created C:\Windows\yqecupil.exe explorer.exe -
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exepid process 884 vssadmin.exe -
Modifies Internet Explorer Phishing Filter 1 TTPs 3 IoCs
Processes:
explorer.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\PhishingFilter explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\EnabledV8 = "0" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\EnabledV9 = "0" explorer.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
vssvc.exedescription pid process Token: SeBackupPrivilege 5084 vssvc.exe Token: SeRestorePrivilege 5084 vssvc.exe Token: SeAuditPrivilege 5084 vssvc.exe -
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
239f1c7708f8d05c6860008b982bb446c5d54dc917c9dea2b6ae78589e072afc.exe239f1c7708f8d05c6860008b982bb446c5d54dc917c9dea2b6ae78589e072afc.exeexplorer.exedescription pid process target process PID 4896 wrote to memory of 4028 4896 239f1c7708f8d05c6860008b982bb446c5d54dc917c9dea2b6ae78589e072afc.exe 239f1c7708f8d05c6860008b982bb446c5d54dc917c9dea2b6ae78589e072afc.exe PID 4896 wrote to memory of 4028 4896 239f1c7708f8d05c6860008b982bb446c5d54dc917c9dea2b6ae78589e072afc.exe 239f1c7708f8d05c6860008b982bb446c5d54dc917c9dea2b6ae78589e072afc.exe PID 4896 wrote to memory of 4028 4896 239f1c7708f8d05c6860008b982bb446c5d54dc917c9dea2b6ae78589e072afc.exe 239f1c7708f8d05c6860008b982bb446c5d54dc917c9dea2b6ae78589e072afc.exe PID 4896 wrote to memory of 4028 4896 239f1c7708f8d05c6860008b982bb446c5d54dc917c9dea2b6ae78589e072afc.exe 239f1c7708f8d05c6860008b982bb446c5d54dc917c9dea2b6ae78589e072afc.exe PID 4896 wrote to memory of 4028 4896 239f1c7708f8d05c6860008b982bb446c5d54dc917c9dea2b6ae78589e072afc.exe 239f1c7708f8d05c6860008b982bb446c5d54dc917c9dea2b6ae78589e072afc.exe PID 4028 wrote to memory of 2252 4028 239f1c7708f8d05c6860008b982bb446c5d54dc917c9dea2b6ae78589e072afc.exe explorer.exe PID 4028 wrote to memory of 2252 4028 239f1c7708f8d05c6860008b982bb446c5d54dc917c9dea2b6ae78589e072afc.exe explorer.exe PID 4028 wrote to memory of 2252 4028 239f1c7708f8d05c6860008b982bb446c5d54dc917c9dea2b6ae78589e072afc.exe explorer.exe PID 4028 wrote to memory of 2252 4028 239f1c7708f8d05c6860008b982bb446c5d54dc917c9dea2b6ae78589e072afc.exe explorer.exe PID 2252 wrote to memory of 884 2252 explorer.exe vssadmin.exe PID 2252 wrote to memory of 884 2252 explorer.exe vssadmin.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\239f1c7708f8d05c6860008b982bb446c5d54dc917c9dea2b6ae78589e072afc.exe"C:\Users\Admin\AppData\Local\Temp\239f1c7708f8d05c6860008b982bb446c5d54dc917c9dea2b6ae78589e072afc.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\239f1c7708f8d05c6860008b982bb446c5d54dc917c9dea2b6ae78589e072afc.exe"C:\Users\Admin\AppData\Local\Temp\239f1c7708f8d05c6860008b982bb446c5d54dc917c9dea2b6ae78589e072afc.exe"2⤵
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\system32\explorer.exe"3⤵
- Adds Run key to start application
- Drops file in Windows directory
- Modifies Internet Explorer Phishing Filter
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\vssadmin.exevssadmin.exe Delete Shadows /All /Quiet4⤵
- Interacts with shadow copies
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\idumewitynofyran\01000000Filesize
740KB
MD5261d781551cbc31b3161a145bd936d93
SHA1daf867d5061db9ddf058c354dc17154544b6040c
SHA256615e0d5c9b4ec289dfc2e6659e845c9a3ecca0013036d5f75ec05b81ba7d0fb3
SHA512fa82ca8bf54e4eac864a78340648bc4259c846c18b00952691c2b2a1a154bf6c08dcd5ae48b00a21daeadc7f1da8e1a9791dc8c71f4ef76399969fb95e77fd40
-
memory/884-143-0x0000000000000000-mapping.dmp
-
memory/2252-137-0x0000000000000000-mapping.dmp
-
memory/2252-138-0x00000000007A0000-0x00000000007DC000-memory.dmpFilesize
240KB
-
memory/2252-144-0x00000000007A0000-0x00000000007DC000-memory.dmpFilesize
240KB
-
memory/4028-132-0x0000000000000000-mapping.dmp
-
memory/4028-133-0x0000000000400000-0x000000000043A000-memory.dmpFilesize
232KB
-
memory/4028-135-0x0000000000400000-0x000000000043A000-memory.dmpFilesize
232KB
-
memory/4028-136-0x0000000000400000-0x000000000043A000-memory.dmpFilesize
232KB
-
memory/4028-140-0x0000000000400000-0x000000000043A000-memory.dmpFilesize
232KB
-
memory/4028-142-0x0000000000400000-0x000000000043A000-memory.dmpFilesize
232KB
-
memory/4896-134-0x0000000002220000-0x0000000002228000-memory.dmpFilesize
32KB