Analysis
-
max time kernel
152s -
max time network
157s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
-
submitted
28-11-2022 03:15
General
-
Target
239f1c7708f8d05c6860008b982bb446c5d54dc917c9dea2b6ae78589e072afc.exe
-
Size
740KB
-
MD5
af0581cc9f5d885911af35789f7d7fae
-
SHA1
f02bb8043c3a5fce7a15798af18b5fa8a2192ecd
-
SHA256
239f1c7708f8d05c6860008b982bb446c5d54dc917c9dea2b6ae78589e072afc
-
SHA512
e058664567dc37379c3bcc165cc0c43303e139462ede0d54858ae24476ad0fda8454b635ba4053dcdabdf4f7c0f5fac416add6b8f10755e4834650236380698f
-
SSDEEP
12288:Vsp8fcP7cG9CZmSqKd89MP70IKV07HSo+qyQAO9IJLY3CZ/f:i8qbfwd8WP4bVgHSo+qLd92LFn
Malware Config
Signatures
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Windows directory 2 IoCs
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Modifies Internet Explorer Phishing Filter 1 TTPs 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 11 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\239f1c7708f8d05c6860008b982bb446c5d54dc917c9dea2b6ae78589e072afc.exe"C:\Users\Admin\AppData\Local\Temp\239f1c7708f8d05c6860008b982bb446c5d54dc917c9dea2b6ae78589e072afc.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\239f1c7708f8d05c6860008b982bb446c5d54dc917c9dea2b6ae78589e072afc.exe"C:\Users\Admin\AppData\Local\Temp\239f1c7708f8d05c6860008b982bb446c5d54dc917c9dea2b6ae78589e072afc.exe"2⤵
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\system32\explorer.exe"3⤵
- Adds Run key to start application
- Drops file in Windows directory
- Modifies Internet Explorer Phishing Filter
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\vssadmin.exevssadmin.exe Delete Shadows /All /Quiet4⤵
- Interacts with shadow copies
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\idumewitynofyran\01000000Filesize
740KB
MD5261d781551cbc31b3161a145bd936d93
SHA1daf867d5061db9ddf058c354dc17154544b6040c
SHA256615e0d5c9b4ec289dfc2e6659e845c9a3ecca0013036d5f75ec05b81ba7d0fb3
SHA512fa82ca8bf54e4eac864a78340648bc4259c846c18b00952691c2b2a1a154bf6c08dcd5ae48b00a21daeadc7f1da8e1a9791dc8c71f4ef76399969fb95e77fd40
-
memory/884-143-0x0000000000000000-mapping.dmp
-
memory/2252-137-0x0000000000000000-mapping.dmp
-
memory/2252-138-0x00000000007A0000-0x00000000007DC000-memory.dmpFilesize
240KB
-
memory/2252-144-0x00000000007A0000-0x00000000007DC000-memory.dmpFilesize
240KB
-
memory/4028-132-0x0000000000000000-mapping.dmp
-
memory/4028-133-0x0000000000400000-0x000000000043A000-memory.dmpFilesize
232KB
-
memory/4028-135-0x0000000000400000-0x000000000043A000-memory.dmpFilesize
232KB
-
memory/4028-136-0x0000000000400000-0x000000000043A000-memory.dmpFilesize
232KB
-
memory/4028-140-0x0000000000400000-0x000000000043A000-memory.dmpFilesize
232KB
-
memory/4028-142-0x0000000000400000-0x000000000043A000-memory.dmpFilesize
232KB
-
memory/4896-134-0x0000000002220000-0x0000000002228000-memory.dmpFilesize
32KB